RSS Security


Al Jazeera detected and blocked disruptive cyberattacks

11 June 2021 at 10:08

Qatari government-funded international Arabic news channel Al Jazeera announced that it has blocked a series of disruptive cyberattacks aimed at its news publishing platform.

Al Jazeera announced this week that it blocked a series of cyberattacks that attempted to disrupt and take over some components of its news publishing platform.

“Al Jazeera Media Network was subjected to a series of cyber hacking attempts to penetrate some of its platforms and websites this week.” reads the press release published by Al Jazeera.

“Between June 5 and 8, 2021, Al Jazeera websites and platforms experienced continued electronic attacks aimed at accessing, disrupting, and controlling some of the news platforms. The peak of these attacks took place on Sunday evening, June 6, prior to the screening of an episode of the documentary strand ‘Ma Khafia Atham’ (What is Hidden is Greater) entitled “In the Grip of the Resistance” on Al Jazeera Channel.”

The series of attacks was observed between June 5 and 8, 2021, with a peak of these on Sunday evening, June 6.

Al-Jazeera added that its service provider was able to detect the attacks and stop the hacking attempts.


“Al Jazeera’s service provider was able to monitor and fend off all the hacking attacks and prevent them from achieving their goal.” concludes the press release. “Al Jazeera condemns these cyber attacks and affirms its right to pursue legal recourse against the perpetrators. Such attacks only increase Al Jazeera’s resolve to continue its bold and exemplary journalism.”

In December 2020, researchers from Citizen Lab reported that at least 36 employees of the Qatari news channel were targeted in a cyber espionage campaign leveraging a zero-click iOS zero-day vulnerability to hack their iPhones.

The attackers used an exploit chain named Kismet that was part of the arsenal of the controversial Pegasus spyware that is sold by the surveillance firm NSO Group.

In June 2017, the Qatari news channel announced that all of its systems were under a large-scale cyber attack. The news was announced in a statement the broadcaster released on social media, and media outlets reported that some viewers in the region were unable to receive the channel’s television signal.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking)

The post Al Jazeera detected and blocked disruptive cyberattacks appeared first on Security Affairs.

Mysterious custom malware used to steal 1.2TB of data from million PCs

11 June 2021 at 12:17

Experts spotted a new mysterious malware that was used to collect a huge amount of data, including sensitive files, credentials, and cookies.

Researchers from NordLocker have discovered an unsecured database containing 1.2 terabytes of stolen data. Threat actors used custom malware to steal data from 3.2 million Windows systems between 2018 and 2020. The database includes 6.6 million files, 26 million credentials, 1.1 million unique email addresses, and 2 billion web login cookies. The researchers pointed out that 22% of the web login cookies were still valid at the time the archive was discovered.

Cookies are a precious source of intelligence about victims’ habits, and a still-valid session cookie can be replayed to access the victim’s online accounts without the password, bypassing multi-factor authentication that was already satisfied when the session was created.

NordLocker experts speculate the malware campaign leveraged tainted Adobe Photoshop versions, pirated games, and Windows cracking tools.

“This is a Trojan-type malware that was transmitted via email and illegal software. The software includes illegal Adobe Photoshop 2018, a Windows cracking tool, and several cracked games.” reads the report published by NordLocker. “The data was collected from 3.25 million computers. The malware stole nearly 26 million login credentials holding 1.1 million unique email addresses, 2 billion+ cookies, and 6.6 million files.”

The experts pointed out that custom malware used to amass this kind of data is cheap, easy to find online, and customizable. Multiple posts on the Dark Web advertise similar malware for as little as $100.

Nearly 26 million login credentials (email addresses and passwords) were stolen from almost a million websites; the data were categorized into 12 different groups based on the type of website.

The 26 million login credentials held 1.1 million unique email addresses, NordLocker found, for an array of different apps and services. These included logins for social media, online games, online marketplaces, job-search sites, consumer electronics, financial services, email services, and more.

Most of the stolen files (50%+) were text files, some of them containing software logs, passwords, personal notes, and other sensitive information. More than 1 million images have been stolen by the malware, including 696,000 .png and 224,000 .jpg files. Experts found over 650,000 Word documents and .pdf files in the archive.


The database was discovered because the hacker group accidentally revealed its location. The experts promptly notified the cloud provider hosting the database, and the data have been added to the popular data breach notification service HaveIBeenPwned so that people can check whether their data have been exposed.

The top 10 targeted apps are as follows:

  1. Google Chrome (19.4 million entries)
  2. Mozilla Firefox (3.3 million entries)
  3. Opera (2 million entries)
  4. Internet Explorer/Microsoft Edge (1.3 million entries)
  5. Chromium (1 million entries)
  6. CocCoc (451,962 entries)
  7. Outlook (111,732 entries)
  8. Yandex Browser (79,530 entries)
  9. Torch (57,427 entries)
  10. Thunderbird (42,057 entries)

How can you protect your data from this kind of malware? Below is a list of tips recommended by the experts:

  • Install an antivirus software;
  • Practice proper cyber hygiene;
  • Use strong passwords;
  • Download software from trusted sources;
  • Block third-party cookies;
  • Regularly clean cookies;
  • Encrypt your data;
  • Store files on an encrypted cloud;
  • Use multi-factor authentication.


Pierluigi Paganini

(SecurityAffairs – hacking, custom malware)

The post Mysterious custom malware used to steal 1.2TB of data from million PCs appeared first on Security Affairs.

Mozilla Says Google's New Ad Tech—FLoC—Doesn't Protect User Privacy

11 June 2021 at 13:14
Google's upcoming plans to replace third-party cookies with a less invasive ad-targeting mechanism have a number of issues that could defeat its privacy objectives and allow for significant linkability of user behavior, possibly even identifying individual users. "FLoC is premised on a compelling idea: enable ad targeting without exposing users to risk," said Eric Rescorla, author of TLS standard

Italy announced its Cybersecurity Agency

11 June 2021 at 17:42

Italy announced the creation of a national cybersecurity agency, a move aimed at increasing the level of cyber security of its infrastructure.

The Italian government has announced the creation of a new agency focused on cybersecurity. Prime Minister Mario Draghi expressed his strong commitment to the creation of the agency, which is tasked with protecting the country and its infrastructure from cyber threats.

The news was announced yesterday: the new agency was approved during a cabinet meeting and represents an important step in enhancing the country’s resilience to cyber threats and improving the sharing of cyber threat information with EU members and western allies.

[The new agency] will “protect national interests and the resilience of services and essential functions of the State from cyber threats,” read a statement released by the Italian government.

Draghi already expressed concerns about the cyber security posture of the country and urged the adoption of countermeasures against cyber threats.

“We need to strengthen ourselves, we need to strengthen ourselves a lot, especially in terms of cybersecurity, all of us, at national level and at EU level… because the level of [Russian] interference both with spies and with manipulation of the web has become truly alarming,” Draghi said at the end of May following a European Union summit.

The new Italian cybersecurity agency will develop and implement cyber strategies to prevent, monitor, detect and mitigate cyber attacks, and to increase the level of cyber security of the country’s infrastructure.

The cybersecurity agency will initially employ 300 experts, it will also include the national Computer Security Incident Response Team (CSIRT) and will be tasked to launch the National Centre for the Validation and Certification (CVCN).

The agency, which according to media reports will employ around 300 people, will be under the control of Draghi and his security services advisor Franco Gabrielli.

Draghi is introducing important changes to the structure of the national intelligence community: in May he named Elisabetta Belloni, a career diplomat, to lead Italy’s secret services agency DIS.

Who will be the head of the new cyber agency?

According to Italian media, Roberto Baldoni, currently Deputy Director General at the Presidency of the Council of Ministers in charge of national cybersecurity, is a possible candidate, along with Nunzia Ciardi, the head of the internet police.


Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity agency)

The post Italy announced its Cybersecurity Agency appeared first on Security Affairs.

CEO-Level Guide to Prevent Data Hacking Technologies & Incidents

11 June 2021 at 19:26

In the current era, where all data is digital, the threats of fraud, breach and data sprawl are more of a reality than ever.

In these times, organizations not only take a hit because of the breached data and cyber threats, but also are heavily fined under global privacy regulations. These privacy regulations are in place to encourage security operations within organizations to protect their data from malicious intent.

Beyond the monetary impact, the damage to a company’s reputation can hurt the organization’s capacity to continue doing business with suppliers and clients due to a lack of trust. This leaves uncertainty and a possible collapse within the organization. Shareholders are now demanding that information security be dealt with by upper management and that CEOs be held accountable for data security measures.

Given all these points, this article will talk about five most important things any CEO should know regarding their organization’s data security.

1. Know the scope of your data inventory

The first step towards security is knowing what kind of data is present within your system. The first step towards this is to create a comprehensive data inventory of the company’s data. The next step is to organize this data into data sets that clearly define content, licenses and sources of data, as well as other information regarding the data.

It is important to remember that outdated software and hardware components leave an open door into your system for hackers, just as new additions present unknown vulnerabilities. To curb this risk, the CEO must implement an IT asset management policy that can be used as a guide in future company audits. This makes follow-ups with the IT team more to the point and avoids vague answers.

2. Know the data inventory chain

A CEO does not need to know every technical detail of the system, but it is crucial that he or she knows how to direct the people charged with this responsibility. In order to do that, there needs to be a working data inventory policy. Once this inventory is compiled, the following questions should be addressed:

  • What data do you store?
  • Where in the system is it stored?
  • Who has access and levels of sharing?
  • Why do you need certain data?

Organizations store critical data such as intellectual property (IP) and PII within their systems. This data should be clearly identified because, if exposed, it provides the easiest route for hackers into the company’s data. This makes it paramount that the critical data is securely stored, preferably in segmented storage on a trusted network with restricted access.

3. How well is your system protection implemented?

A CEO should be well-versed in how the IT team is securing the data within the organization. Ask pertinent questions of your IT team to verify the efficacy of the measures taken and how prepared your organization is for hostile incidents.

The problem here lies with the constant evolution of attacks and hackers, which is why the CEO should have a proactive approach rather than a reactive approach. This means ongoing evaluation of internal security capacity with the goal of updating wherever and whenever necessary.

Gerard Stokes says, “One worrying thing for any CEO is that it generally takes about 200 days from breach to discovery and a further 60 days after to mitigate the invasion fully. That is practically nine months the company’s crucial data is in unauthorized hands!’’

A CEO should plan ahead to mitigate risks before they occur. This means being active 24/7, using only trusted resources for your business needs, and outsourcing data only to trusted partners.

4. Audit your security systems

A major step towards a reliable security system is continuous testing of the system’s efficacy. The following are some key points that a CEO must take into account when running an internal system audit:

  • A CEO should ask for regular network reports, to assess the information collected in normal usage to isolate and deal with anomalies that could be pointers to a potential threat. These reports can help you understand internal functions of the business which can lead to better management decisions
  • Out-of-date software and hardware are prone to breach. Make sure your hardware and software assets are operating within the recommended lifecycle.
  • Frequently review your asset inventory to monitor what needs to be decommissioned.
  • Upgrade your hardware and network software to achieve efficient operation with current software versions.
  • Ask your employees to use a VPN, antivirus and other necessary tools to ensure digital privacy.
  • Implement alternative measures to act as a cushion against sudden attacks and possible disruption. 
  • Train employees on the proper use of resources to avoid unintended security breaches.

5. Assess your risk exposure

Cyberwarfare is an inevitable truth and a CEO must be prepared beforehand in order to mitigate the damage. Implementing a preemptive approach towards security is advised but there should also be a contingency plan should the organization be met with an attack. A CEO can focus on the following points when preparing a cybersecurity risk assessment.

  • Itemize likely cyber threats to your company in regard to the type of business activities engaged in. 
  • Analyze vulnerabilities in both internal and external systems. 
  • Evaluate the likelihood of a breach and quantify the damage.
  • Stay prepared with continuous assessment of threat vectors to preempt hostile invasion.


No data is safe from a cyberattack. In the digital era, a cyberattack is an eventuality rather than a possibility. In these times, it is important for senior decision makers to implement preemptive measures to mitigate the threat as much as possible, as well as contingency plans in case the organization is hit by a cyberattack. You cannot prevent every cyberattack against your organization, but you can save it from a devastating end. A CEO should be the torch bearer in this fight against cyber threats and protect the organization from a catastrophic result.

About the author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at a Silicon Valley based company – He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber threats)

The post CEO-Level Guide to Prevent Data Hacking Technologies & Incidents appeared first on Security Affairs.

Avaddon ransomware gang shuts down their operations and releases decryption keys

11 June 2021 at 22:12

The Avaddon ransomware gang has shut down its operations and released the decryption keys to allow victims to recover their files for free.

Good news for the victims of the Avaddon ransomware gang: the cybercrime group has shut down its operations and provided the decryption keys to the BleepingComputer website.

The group has also shut down its servers and deleted profiles on hacking forums, they also shut down their leak site.

This morning, BleepingComputer received a message from a source claiming to be from the FBI that included a password and a link to a password-protected ZIP archive.

BleepingComputer shared the decryption keys with the security firm Emsisoft, which has released free decryptors for multiple ransomware families in the past.

PSA: Avaddon appears to have shut down and released 2934 private keys of victims. A public Emsisoft decryption tool is coming soon. Do not pay. If you are a victim and want to know if your files can be decrypted, please reach out to [email protected] Thanks.

— Fabian Wosar (@fwosar) June 11, 2021

The security company has already developed a free decryptor for the victims of the Avaddon ransomware.

“The Avaddon ransomware encrypts victim’s files using AES-256 and RSA-2048, and appends a random extension.” states Emsisoft.

We've just released a decryptor for #Avaddon #ransomware.

— Emsisoft (@emsisoft) June 11, 2021

The decryptor allows the victims of the Avaddon ransomware to decrypt their files for free. The ransomware gang had been active since June 2020, delivering its payload via malspam campaigns.
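To make concrete why a dump of the operators’ private keys is enough for a free decryptor, here is an added Go example, not Avaddon’s code or Emsisoft’s tool: it models the hybrid scheme Emsisoft describes, a fresh AES-256 key per file, wrapped with an RSA-2048 public key, so the victim machine never holds anything that can undo the encryption. The container layout, the use of AES-GCM and RSA-OAEP, and the sample plaintext are assumptions for the illustration; the page does not say which modes or padding Avaddon actually used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is a constructed container for the hybrid scheme. The layout,
// AES-GCM and RSA-OAEP are assumptions for this example, not Avaddon's format.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(operatorPublicKey, aesKey)
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, plaintext) with tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the ransomware side: it needs only the operator's public key, so
// nothing left on the victim machine can reverse it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	aesKey := make([]byte, 32) // 256-bit per-file key
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the decryptor side: only the matching RSA private key unwraps the
// per-file AES key. That private key is exactly what the released dump supplies.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil) // GCM tag also detects tampering
}

// RoundTrip models a victim whose operator key was released: the file comes
// back intact with the right private key.
func RoundTrip() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	plaintext := []byte("constructed sample document contents") // constructed input
	ef, err := Encrypt(&priv.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	got, err := Decrypt(priv, ef)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

// WrongKeyRejected shows the limit of such a dump: a private key issued for a
// different victim unwraps nothing, so only victims whose key is in the dump
// can recover their files.
func WrongKeyRejected() (bool, error) {
	victimKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	ef, err := Encrypt(&victimKey.PublicKey, []byte("constructed sample"))
	if err != nil {
		return false, err
	}
	_, err = Decrypt(otherKey, ef)
	return err != nil, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("decrypt with released key:", ok, err)
	rejected, err := WrongKeyRejected()
	fmt.Println("different victim's key rejected:", rejected, err)
}
```

The design point is the asymmetry: encryption runs with the public key, so a forensic image of the victim host yields no secret to recover, while a leak of the operator-held private keys, as in the Avaddon case, unwraps every file key those keys protected.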

In the aftermath of the shutdown of the DarkSide operation, the Avaddon gang made headlines by targeting multiple organizations in collaboration with the Conti gang.

“Furthermore, ransomware negotiation firms and incident responders saw a mad rush by Avaddon over the past few days to finalize ransom payments from existing unpaid victims. Coveware CEO Bill Siegel has told BleepingComputer that Avaddon’s average ransom demand was around $600k.” reported BleepingComputer. “However, over the past few days, Avaddon has been pressuring victims to pay and accepting the last counteroffer without any push back, which Siegel states is abnormal.”

In May, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) warned of an ongoing Avaddon ransomware campaign targeting organizations worldwide in multiple industries, including government, finance, energy, manufacturing, and healthcare.

The alert published by the ACSC provides a list of countries under attack, which includes the US, UK, Germany, France, China, Italy, Brazil, India, the UAE, and Spain.

[Image: Avaddon targets list]

“The Australian Cyber Security Centre (ACSC) is aware an ongoing ransomware campaign utilising the Avaddon Ransomware malware. This campaign is actively targeting Australian organisations in a variety of sectors.” reads the alert published by ACSC. “The ACSC is aware of several instances where the Avaddon ransomware has directly impacted organisations within Australia.”

The advisory includes details about the Tactics, Techniques, and Procedures (TTPs) associated with the Avaddon group.

Experts speculate that the group has not completely retired and is instead rebranding its operations.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Avaddon ransomware gang shuts down their operations and releases decryption keys appeared first on Security Affairs.


CVE-2021-3560 flaw in polkit auth system service affects most of Linux distros

12 June 2021 at 12:02

An authentication bypass flaw in the polkit system service, used on most Linux distros, can allow an unprivileged local user to get a root shell.

An authentication bypass vulnerability in the polkit system service, tracked as CVE-2021-3560, can allow an unprivileged local attacker to get a root shell. polkit is used on most Linux distros.

“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” reads the description published by the security advisory. “The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.”

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes, it is installed by default on several Linux distributions.

The vulnerability was introduced in version 0.113 seven years ago (commit bfa5036) and was fixed on June 3 after its recent disclosure by security researcher Kevin Backhouse.

Every Linux system running an unpatched polkit build from version 0.113 onward is potentially exposed to attacks exploiting the CVE-2021-3560 flaw. Check for the distribution’s updated polkit package rather than relying on the upstream version number alone, since distributions backport the fix without changing the version.

Backhouse published a video PoC of an attack exploiting this vulnerability, demonstrating how easy it is to exploit.

“The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video.” wrote the expert in a blog post.

The researcher published the following table containing the list of currently vulnerable distros:

Distribution                   Vulnerable?
RHEL 8                         Yes
Fedora 20 (or earlier)         No
Fedora 21 (or later)           Yes
Debian 10 (“buster”)           No
Debian testing (“bullseye”)    Yes
Ubuntu 18.04                   No
Ubuntu 20.04                   Yes

“CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable.” concludes the researcher.


Pierluigi Paganini

(SecurityAffairs – hacking, polkit)

The post CVE-2021-3560 flaw in polkit auth system service affects most of Linux distros appeared first on Security Affairs.

Volkswagen discloses data breach, 3.3 million customers impacted

12 June 2021 at 13:39

Volkswagen Group of America (VWGoA) disclosed a data breach at a third-party vendor that exposed the personal details of more than 3.3 million of its customers.

VWGoA disclosed a data breach suffered by a third-party vendor used by the car maker for sales and marketing purposes. The security breach affected its subsidiary Audi and authorized dealers in the U.S. and Canada, and exposed the personal details of more than 3.3 million customers and prospective buyers, most of whom were Audi customers.

According to a letter sent by the company to the Maine Attorney General and reported by TechCrunch, the vendor left customer data spanning 2014 to 2019 unsecured online at some point between August 2019 and May 2021.

Volkswagen learned of the data breach on March 10 and immediately launched an investigation in the case with the help of external consultants and notified law enforcement.

“The investigation confirmed in early May 2021 that a third party obtained limited personal information received from or about United States and Canadian customers and interested buyers from a vendor used by Audi, Volkswagen, and some authorized dealers.” reported TechCrunch. “This included information gathered for sales and marketing purposes from 2014 to 2019. VWGoA believes the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when VWGoA identified the source of the incident.”

Exposed data for over 97% of the individuals includes personal information about customers and prospective buyers, including name, personal or business mailing addresses, email addresses, and phone numbers.

For some individuals, the data also include information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

“For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.” continues the letter.

For the approximately 90,000 customers across the U.S. and Canada whose more sensitive data was exposed, VWGoA is offering free credit protection services through IDX.

At the time of this writing, it is not clear whether the exposed data has been misused; in any case, the leak poses a risk of fraud and other malicious activity for the affected car owners.


Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Volkswagen discloses data breach, 3.3 million customers impacted appeared first on Security Affairs.

McDonald’s discloses data breach in US, Taiwan and South Korea

12 June 2021 at 16:37

The McDonald’s fast-food chain disclosed a data breach in which hackers stole information belonging to customers and employees in the US, South Korea, and Taiwan.

McDonald’s, the world’s largest restaurant chain by revenue, has disclosed a data breach that impacted customers and employees from the US, South Korea, and Taiwan.

The hackers compromised the company’s systems and stole business contact information belonging to US employees and franchisees; the company pointed out that no sensitive or financial data was accessed.

The attackers also stole personal information from customers in South Korea and Taiwan, including names, emails, phone numbers, and addresses. The company states that only a small number of customers were impacted and that their financial data was not exposed.

“In a message to U.S. employees, McDonald’s said the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas.” reported the WSJ. “The company said no customer data was breached in the U.S., and that the employee data exposed wasn’t sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information.”

McDonald’s said that it was able to quickly identify the security breach and mitigate the threat.

“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense,” reads a McDonald’s statement reported by the WSJ. “These tools allowed us to quickly identify and contain recent unauthorized activity on our network.”

“While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data,” reads a statement published by the company.

The company added that only customers in Korea and Taiwan had their data exposed.

McDonald’s is currently notifying affected customers and authorities in all impacted markets.

In April 2017, another cyber attack hit McDonald’s Canada career website and hackers stole records of 95,000 job seekers.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post McDonald’s discloses data breach in US, Taiwan and South Korea appeared first on Security Affairs.