There are new articles available, click to refresh the page.
Before yesterdaySecurity News

Devices from Dell, HP, and Lenovo used outdated OpenSSL versions

26 November 2022 at 00:35

Researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

The OpenSSL software library allows secure communications over computer networks against eavesdropping or need to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The researchers discovered the issue by analyzing firmware images used devices from the above manufacturers.

The experts analyzed one of the core frameworks EDKII used as a part of any UEFI firmware which has its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.

The main EDKII repository is hosted on Github and is frequently updated.

The experts first analyzed Lenovo Thinkpad enterprise devices and discovered that they used different versions of OpenSSL in the firmware image.

Lenovo Thinkpad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent OpenSSL version was released in 2018.

“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years.” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”

One of the firmware modules named InfineonTpmUpdateDxe uses the OpenSSL version 0.9.8zb that was released on August 4, 2014.

The researchers discovered that most recent OpenSSL version is used by on Lenovo enterprise devices and dates back to the summer of 2021.

OpenSSL

The following image reports for each vendor all the versions of OpenSSL detected by the Binarly Platform in the wild:

OpenSSL vendors

The experts pointed out that the same device firmware code often rely on different versions of OpenSSL. 

The reason for this design choice is that the supply chain of third-party code depends on their own code base, which is often not available to device firmware developers. The researchers explained that this introduces an extra layer of supply chain complexity.

“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities.” continues the report. “Historically the problem within third-party code dependencies is not an easy issue to solve at the compiled code level.”

The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l that dates back to 2009.

Some Lenovo devices used the version 1.0.0a that dates back 2010, while the three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w that dates back 2012.

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, firmware)

The post Devices from Dell, HP, and Lenovo used outdated OpenSSL versions appeared first on Security Affairs.

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

26 November 2022 at 04:28
Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is

U.S. Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk

26 November 2022 at 04:52
The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an "unacceptable" national security threat. All these Chinese telecom and video surveillance companies were previously included in the Covered List as of March 12, 2021. "The FCC is committed to protecting our national

All You Need to Know About Emotet in 2022

26 November 2022 at 11:49
For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.

Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches

26 November 2022 at 21:11

The massive data breach suffered by Twitter that exposed emails and phone numbers of its customers may have impacted more than five million users.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered for sale the stolen data on the popular hacking forum Breached Forums. In January, a report published on Hacker claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.

The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file.

“The vulnerability allows any party without any authentication to obtain a twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account.” ” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities”

In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researchers zhirinovskiy via bug bounty platform HackerOne and that he received a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

This week, the website 9to5mac.com claimed that the data breach was word than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and the data available in the cyberscrime underground have differed sources.

“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5mac.com

Source: Twitter account @sonoclaudio

9to5Mac‘s claims are based on the availability of the dataset that contained the same information in a different format offered by a different threat actor. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those having the “Discoverability | Phone option (which is hard to find within Twitter’s settings)” enabled in late 2021.

The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.

“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”

The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.

The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”

The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team left the company.

UPDATE:

Update: After discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is, why months after the accounts were suspended, the data were still present in the database? Which is the retention period for Twitter? Does Twitter violate the GDPR for European users?

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)

The post Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches appeared first on Security Affairs.

US FCC bans the import of electronic equipment from Chinese firms

27 November 2022 at 12:16

The U.S. Federal Communications Commission announced it will completely ban the import of electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.

The U.S. Federal Communications Commission (FCC) announced the total ban for telecom and surveillance equipment from Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua due to an “unacceptable” national security threat.

The US government has already added the companies to the Covered List and the new rules aims at protecting the Americans from national security threats involving telecommunications.

“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks.” reads the announcement published by FCC. “In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.”

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”

The new rules implement the directive in the Secure Equipment Act of 2021, which was signed by President Biden in November.

Chinese firms Hytera, Hikvision, and Dahua have to provide details about the safeguards they have implemented on the sale of their devices for government use and the surveillance of critical infrastructure facilities.

In September, the U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the Covered List.

The FCC explained that the above companies are subject to the exploitation, influence and control of the Chinese government, and the national security risks associated with such exploitation, influence, and control.

This week, the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the camera from core networks and to consider removing them.

The risk is related to the use of security cameras manufactured by Chinese-owned companies Dahua and Hikvision. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Federal Communications Commission)

The post US FCC bans the import of electronic equipment from Chinese firms appeared first on Security Affairs.

Security Affairs newsletter Round 395

27 November 2022 at 13:45

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
Devices from Dell, HP, and Lenovo used outdated OpenSSL versions
Google fixed the eighth actively exploited #Chrome #zeroday this year
Experts investigate WhatsApp data leak: 500M user records for sale
An international police operation dismantled the spoofing service iSpoof
UK urges to disconnect Chinese security cameras in government buildings
RansomExx Ransomware upgrades to Rust programming language
An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
Threat actors exploit discontinues Boa web servers to target critical infrastructure
Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site
Ducktail information stealer continues to evolve
Experts claim that iPhone’s analytics data is not anonymous
Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
Exclusive – Quantum Locker lands in the Cloud
5 API Vulnerabilities That Get Exploited by Criminals
Researcher warns that Cisco Secure Email Gateways can easily be circumvented
Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem
Two Estonian citizens arrested in $575M cryptocurrency fraud scheme
Emotet is back and delivers payloads like IcedID and Bumblebee
Expert published PoC exploit code for macOS sandbox escape flaw
Google won a lawsuit against the Glupteba botnet operators
Google provides rules to detect tens of cracked versions of Cobalt Strike
Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild
PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 395 appeared first on Security Affairs.

Elon Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages

28 November 2022 at 05:25
Twitter chief executive Elon Musk confirmed plans for end-to-end encryption (E2EE) for direct messages on the platform. The feature is part of Musk's vision for Twitter 2.0, which is expected to be what's called an "everything app." Other functionalities include longform tweets and payments, according to a slide deck shared by Musk over the weekend. <!--adsense--> The company's plans for

RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia

28 November 2022 at 08:25

Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports.

Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations.

The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in .NET and experts noticed that deployment is similar to previous attacks attributed to the Russia-linked Sandworm APT group.

On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84

— ESET research (@ESETresearch) November 25, 2022

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).

In September 2022, Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.

The analysis of the RansomBoggs Ransomware code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the main character of the movie James P. Sullivan and the executable file is also named Sullivan.<version?>.exe .

Threat actors used a PowerShell script to spread the ransomware, the experts noticed that it is almost identical to the script detected in April during the Industroyer2 attacks against the energy sector

There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk

— ESET research (@ESETresearch) November 25, 2022

The PowerShell script was tracked by CERT UA as POWERGAP and was used to deploy the CaddyWiper wiper in April attacks against Ukrainian entities.

RansomBoggs encrypts files using AES-256 in CBC mode and appends the .chsch extension to the encrypted files. The key is then RSA encrypted and written to aes.bin.

In some of the variants analyzed by ESET, the RSA public key was hardcoded, while in other samples it was provided as an argument.

In October, Microsoft reported a similar campaign targeting entities in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.

ESET also shared Indicators of Compromise (IoCs) for RansomBoggs ransomware.

IoCs:
F4D1C047923B9D10031BB709AABF1A250AB0AAA2
021308C361C8DE7C38EF135BC3B53439EB4DA0B4
ESET Detection names:
MSIL/Filecoder.Sullivan.A
MSIL/Filecoder.RansomBoggs.A
9/9

— ESET research (@ESETresearch) November 25, 2022

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RansomBoggs ransomware)

The post RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia appeared first on Security Affairs.

Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks

28 November 2022 at 10:07
Over a dozen security flaws have been discovered in baseboard management controller (BMC) firmware from Lanner that could expose operational technology (OT) and internet of things (IoT) networks to remote attacks. BMC refers to a specialized service processor, a system-on-chip (SoC), that's found in server motherboards and is used for remote monitoring and management of a host system, including

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

28 November 2022 at 11:56
Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. The shortcoming was reported

The 5 Cornerstones for an Effective Cyber Security Awareness Training

28 November 2022 at 11:45
It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.  The hard news: they're often successful, have a long-lasting negative impact on your organization and employees, including:

Experts found a vulnerability in AWS AppSync

28 November 2022 at 15:04

Amazon Web Services (AWS) fixed a cross-tenant vulnerability that could have allowed attackers to gain unauthorized access to resources.

Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from Datadog on September 1, 2022, and the bug was solved on September 6.

A confused deputy problem occurs when an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action. AWS provides tools to protect an account if the owner provides third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in your account.

The issue is related to the AppSync service in AWS that allows developers to quickly create GraphQL and Pub/Sub APIs.

“We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync.” reads the report published by Datadog. “This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts.”

Amazon investigated the potential exploitation of the issue in attacks in the wild and determined that no customers were affected.

“A security researcher recently disclosed a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.” reads the advisory published by Amazon.

“No customers were affected by this issue, and no customer action is required. AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service has been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.”

In the attack scenario, a less-privileged entity (the attacker) can force a privileged entity or service (AppSync) to perform some action on its behalf. 

The experts pointed out that to authorize the actions AppSync will perform, the developer creates a role (or AppSync can automatically create it on their behalf) with the required IAM permissions. The created role will have a trust policy that allows the AppSync service to assume the role.

Using the S3 example, if a developer was building that API, they would create a role with the S3 permissions they need and allow AppSync to assume that role. When that GraphQL API is called, AppSync will assume the role, perform the AWS API call, and interpret the results.

Amazon Web Services

The experts pointed out that AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role’s Amazon Resource Name (ARN). The check could be simply eluded by passing the “serviceRoleArn” parameter in a lower case.

An attacker can exploit the issue to provide the identifier of a role for a different AWS account.

“This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service. By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles.” concludes the report. “After finding this vulnerability, we contacted the AWS Security Team who swiftly remediated the issue.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Amazon Web Services)

The post Experts found a vulnerability in AWS AppSync appeared first on Security Affairs.

A flaw in some Acer laptops can be used to bypass security features

28 November 2022 at 20:08

ESET announced the discovery of a vulnerability impacting Acer laptops that can allow an attacker to deactivate UEFI Secure Boot.

ESET researchers announced in a series of tweets the discovery of a vulnerability impacting Acer laptops, the issue can allow an attacker to deactivate UEFI Secure Boot.

The experts explained that the flaw, tracked as CVE-2022-4020, is similar to the Lenovo vulnerabilities the company disclosed earlier this month.

Same as in Lenovo’s case, an attacker can trigger the issue to deactivate the UEFI Secure Boot by creating NVRAM variable directly from OS.

#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe , which checks for the “BootOrderSecureBootDisable” NVRAM variable (notice the same name as in case of Lenovo’s #CVE-2022-3431). If the variable exists, the driver disables Secure Boot. 2/3 pic.twitter.com/AcP4IqH1lt

— ESET research (@ESETresearch) November 28, 2022

The Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”

An attacker that is able to bypass the Secure Boot could bypass any security measure running on the machine and achieve persistence even in case the OS is reinstalled.

The CVE-2022-4020 impacts certain versions of Acer Aspire A315-22 from Acer, the vulnerability resides in the HQSwSmiDxe DXE driver on these consumer Acer Notebook devices. Similar to the Lenovo issues an attacker with elevated privileges can exploit the bug to modify UEFI Secure Boot settings by modifying an NVRAM variable. The DXE driver BootOrderDxe simply disables UEFI Secure Boot if NVRAM variables “BootOrderSecureBootDisable” exists.

Acer UEFI bug

ESET explained that the flaws affects only 5 devices Aspire A315-22/22G, A115-21 and Extensa EX215-21/21G. According to Acer, an update should be distributed as a critical Windows update. Alternatively, the updated BIOS version can be downloaded here.

Overall, 5 devices are affected: Aspire A315-22/22G, A115-21 and Extensa EX215-21/21G. According to Acer: https://t.co/YDVBvMastj, update should be distributed as a critical Windows update. Alternatively, updated BIOS version is available for download: https://t.co/39Ys8oFNbJ 3/3

— ESET research (@ESETresearch) November 28, 2022

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post A flaw in some Acer laptops can be used to bypass security features appeared first on Security Affairs.

U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer

28 November 2022 at 22:08

A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices.

Pushwoosh says it is a U.S. based company that provides code for software developers to profile smartphone app users based on their online activity, allowing them to send tailor-made notifications. But a recent investigation by Reuters raised questions about the company’s real location and truthfulness.

The Army told Reuters it removed an app containing Pushwoosh in March, citing “security concerns.” The Army app was used by soldiers at one of the nation’s main combat training bases.

Reuters said the CDC likewise recently removed Pushwoosh code from its app over security concerns, after reporters informed the agency Pushwoosh was not based in the Washington D.C. area — as the company had represented — but was instead operated from Novosibirsk, Russia.

Pushwoosh’s software also was found in apps for “a wide array of international companies, influential nonprofits and government agencies from global consumer goods company Unilever and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.”

The company’s founder Max Konev told Reuters Pushwoosh “has no connection with the Russian government of any kind” and that it stores its data in the United States and Germany.

But Reuters found that while Pushwoosh’s social media and U.S. regulatory filings present it as a U.S. company based variously in California, Maryland and Washington, D.C., the company’s employees are located in Novosibirsk, Russia.

Reuters also learned that the company’s address in California does not exist, and that two LinkedIn accounts for Pushwoosh employees in Washington, D.C. were fake.

“Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law,” Reuters reported.

Pushwoosh admitted the LinkedIn profiles were fake, but said they were created by a marketing firm to drum up business for the company — not misrepresent its location.

Pushwoosh told Reuters it used addresses in the Washington, D.C. area to “receive business correspondence” during the coronavirus pandemic. A review of the Pushwoosh founder’s online presence via Constella Intelligence shows his Pushwoosh email address was tied to a phone number in Washington, D.C. that was also connected to email addresses and account profiles for over a dozen other Pushwoosh employees.

Pushwoosh was incorporated in Novosibirsk, Russia in 2016.

THE PINCER TROJAN CONNECTION

The dust-up over Pushwoosh came in part from data gathered by Zach Edwards, a security researcher who until recently worked for the Internet Safety Labs, a nonprofit organization that funds research into online threats.

Edwards said Pushwoosh began as Arello-Mobile, and for several years the two co-branded — appearing side by side at various technology expos. Around 2016, he said, the two companies both started using the Pushwoosh name.

A search on Pushwoosh’s code base shows that one of the company’s longtime developers is a 41-year-old from Novosibirsk named Yuri Shmakov. In 2013, KrebsOnSecurity interviewed Shmakov for the story, “Who Wrote the Pincer Android Trojan?” wherein Shmakov acknowledged writing the malware as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

“I was working on this app for some months, and I was hoping that it would be really helpful,” Shmakov wrote. “[The] idea of this app is that you can set it up as a spam filter…block some calls and SMS remotely, from a Web service. I hoped that this will be [some kind of] blacklist, with logging about blocked [messages/calls]. But of course, I understood that client [did] not really want this.”

Shmakov did not respond to requests for comment. His LinkedIn profile says he stopped working for Arello Mobile in 2016, and that he currently is employed full-time as the Android team leader at an online betting company.

In a blog post responding to the Reuters story, Pushwoosh said it is a privately held company incorporated under the state laws of Delaware, USA, and that Pushwoosh Inc. was never owned by any company registered in the Russian Federation.

“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article,” the company said. “However, in February 2022, Pushwoosh Inc. terminated the contract.”

However, Edwards noted that dozens of developer subdomains on Pushwoosh’s main domain still point to JSC Avantel, an Internet provider based in Novosibirsk, Russia.

WAR GAMES

Pushwoosh employees posing at a company laser tag event.

Edwards said the U.S. Army’s app had a custom Pushwoosh configuration that did not appear on any other customer implementation.

“It had an extremely custom setup that existed nowhere else,” Edwards said. “Originally, it was an in-app Web browser, where it integrated a Pushwoosh javascript so that any time a user clicked on links, data went out to Pushwoosh and they could push back whatever they wanted through the in-app browser.”

An Army Times article published the day after the Reuters story ran said at least 1,000 people downloaded the app, which “delivered updates for troops at the National Training Center on Fort Irwin, Calif., a critical waypoint for deploying units to test their battlefield prowess before heading overseas.”

In April 2022, roughly 4,500 Army personnel converged on the National Training Center for a war games exercise on how to use lessons learned from Russia’s war against Ukraine to prepare for future fights against a major adversary such as Russia or China.

Edwards said despite Pushwoosh’s many prevarications, the company’s software doesn’t appear to have done anything untoward to its customers or users.

“Nothing they did has been seen to be malicious,” he said. “Other than completely lying about where they are, where their data is being hosted, and where they have infrastructure.”

GOV 311

Edwards also found Pushwoosh’s technology embedded in nearly two dozen mobile apps that were sold to cities and towns across Illinois as a way to help citizens access general information about their local communities and officials.

The Illinois apps that bundled Pushwoosh’s technology were produced by a company called Government 311, which is owned by Bill McCarty, the current director of the Springfield Office of Budget and Management. A 2014 story in The State Journal-Register said Gov 311’s pricing was based on population, and that the app would cost around $2,500 per year for a city with approximately 25,000 people.

McCarty told KrebsOnSecurity that his company stopped using Pushwoosh “years ago,” and that it now relies on its own technology to provide push notifications through its 311 apps.

But Edwards found some of the 311 apps still try to phone home to Pushwoosh, such as the 311 app for Riverton, Ill.

“Riverton ceased being a client several years ago, which [is] probably why their app was never updated to change out Pushwoosh,” McCarty explained. “We are in the process of updating all client apps and a website refresh. As part of that, old unused apps like Riverton 311 will be deleted.”

FOREIGN ADTECH THREAT?

Edwards said it’s far from clear how many other state and local government apps and Web sites rely on technology that sends user data to U.S. adversaries overseas. In July, Congress introduced an amended version of the Intelligence Authorization Act for 2023, which included a new section focusing on data drawn from online ad auctions that could be used to geolocate individuals or gain other information about them.

Business Insider reports that if this section makes it into the final version — which the Senate also has to pass — the Office for the Director of National Intelligence (ODNI) will have 60 days after the Act becomes law to produce a risk assessment. The assessment will look into “the counterintelligence risks of, and the exposure of intelligence community personnel to, tracking by foreign adversaries through advertising technology data,” the Act states.

Edwards says he’s hoping those changes pass, because what he found with Pushwoosh is likely just a drop in a bucket.

“I’m hoping that Congress acts on that,” he said. “If they were to put a requirement that there’s an annual audit of risks from foreign ad tech, that would at least force people to identify and document those connections.”

Yesterday — 29 November 2022Security News

CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability

29 November 2022 at 04:20
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. <!-

Last Week in Security (LWiS) - 2022-11-28

By: Erik
29 November 2022 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-14 to 2022-11-28.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
  • ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Irish data protection commission fines Meta over 2021 data-scraping leak

29 November 2022 at 07:32

Irish data protection commission (DPC) fined Meta for not protecting Facebook’s users’ data from scraping.

Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook in 2021 that exposed the data belonging to millions of Facebook users.

The Data Protection Commission is also imposing a range of corrective measures on Meta.

“The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.” reads the DPC’s press release.

On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users in a hacking forum for free online.

The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.

Facebook leaked data

The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Immediately after the disclosures of the data leak the Irish DPC launched an investigation of potential GDPR violations by Meta. The data were amassed by threat actors by exploiting a vulnerability fixed in 2019 that allowed data scraping from the social network.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

Now DPC concluded the investigation and argued that Meta violated the GDPR for not implementing appropriate technical and organizational measures, and not adopting the necessary safeguards as required by the European Regulation.

“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)

The post Irish data protection commission fines Meta over 2021 data-scraping leak appeared first on Security Affairs.

Irish Regulator Fines Facebook $277 Million for Leak of Half a Billion Users' Data

29 November 2022 at 08:25
Ireland's Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a "collated

Tips for Gamifying Your Cybersecurity Awareness Training Program

29 November 2022 at 10:04

In today’s technological world, educating people about cybersecurity awareness is an absolute necessity.

According to one report, 82% of data breaches involved the human element, from social attacks to misuse of technologies. These errors are not always entirely preventable, as some level of human error is inevitable, but proper training in cybersecurity awareness can greatly decrease the likelihood of human mistakes leading to data breaches. Due to the increasing use of digital tools for business operations and reliance on employee conduct to ensure security, new solutions are required.

While cybersecurity awareness training can take many forms, most training programs are computer-based. It is important when developing and implementing these programs to be aware of what methods of education work best. This training must reach users who may not have any background or knowledge in cybersecurity, and it must be effective enough to ensure that security is “not only top of mind, but a fluent language.” 

In service of that end, gamification is a highly effective tactic. There are many benefits to gamifying your approach to cybersecurity awareness training, all of which contribute to the goal of educating employees and decreasing risk. Gamification incentivizes and motivates employees to be more engaged, participate more actively, retain information, and implement behavioral changes moving forward.

Below are five tips to gamify your cybersecurity awareness training program.

1. Visual Aids

One of the most basic elements of gamification is the use of visual aids. Visual aids such as graphs, charts, pictures, or videos are a quick and efficient way to convey information that might be harder to understand in text format. Statistics and numerical data are easily transferable into a visual format, and other information can also be translated into this context. These visual aids can help to keep employees engaged with the content by breaking up what could otherwise be a monotonous block of text. They are also often more easily remembered.

2. Rewards

Offering rewards for completion or performance is an incredible motivator. Whether the rewards are simply in-game points or real-life prizes like gift cards, the possibility of receiving something back for their hard work is a good incentive for employees to not only do the training, but pay attention and perform well. While there have previously been policies in place to administer consequences to employees who do not adhere to security measures, the implementation of positive repercussions is just as important in ensuring maximum retention and compliance.

3. Quizzes

Multiple results can be achieved with one simple tool in the form of quizzes. Quizzing employees on their training necessitates them paying attention to the training and retaining information that is vital for cybersecurity. It also presents them with a situation where their performance determines their score, and performing well on a quiz might earn them a reward. If quizzes are leveraged for healthy competition, employees can be even more motivated to do well.

4. Simulations

There are many different ways to deploy simulations in cybersecurity awareness training. Putting employees in a situation that mirrors a real-life attack, whether it be phishing emails or data breaches, gives them an opportunity to practice how they would respond should the real thing occur. This is similar to the idea behind fire drills: it is one thing to be told how to respond in case of an unfortunate event, and another thing entirely to actually go through the process of responding to it. Additionally, simulated security events are helpful for impressing upon employees that their training is not merely theoretical and that they will be expected to know what to do in a real-life attack.

5. Team Exercises

Adding social elements to your cybersecurity awareness training is a good practice because it allows employees to work together just as they would have to in the event of an attack. Employees who feel isolated during their training may not trust their colleagues to be reliable in this area, whereas employees who have worked together in training are more likely to be able to work together in practice. Cooperation is key, not just for security breaches, but for all aspects of a business. Employees who understand their role in a team and know how to work together to solve problems are not just better prepared in terms of cybersecurity awareness, but also better prepared to carry out their normal operations.

6. Repetition

The digital landscape is constantly changing, and cyber threats are evolving as well. This, combined with the human tendency to forget information or push it to the back of our minds after a while, means that ongoing training is vital. Refreshing information that employees have previously learned and providing new information that has emerged in the intervening time will help employees to understand that their cybersecurity awareness training is always relevant and present, rather than a distant concern. Depending on the frequency of training and the methods used, this can also allow you to track employees’ progress over time and potentially bestow rewards for consistently good performance or improvement.

Conclusion

As with many things in life, cybersecurity awareness training is often considered a necessary evil. While it is necessary, it does not have to be an evil at all. Gamification is a highly effective tactic to make sure that employees understand and internalize important information, and possibly even look forward to their training sessions. By leveraging simple concepts of rewards, teamwork, simulations, quizzes, and visual aids, you can give your employees an experience that is more engaging, more entertaining, and more effective than traditional methods.

About the Author: PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also regular writer at Bora.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyberSecurity)

The post Tips for Gamifying Your Cybersecurity Awareness Training Program appeared first on Security Affairs.

7 Cyber Security Tips for SMBs

29 November 2022 at 11:30
When the headlines focus on breaches of large enterprises like the Optus breach, it’s easy for smaller businesses to think they’re not a target for hackers. Surely, they’re not worth the time or effort?  Unfortunately, when it comes to cyber security, size doesn’t matter.  Assuming you’re not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple

Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware

29 November 2022 at 11:59
Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called Invisible Challenge, involves applying a filter known as Invisible Body that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a

CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog

29 November 2022 at 16:31

CISA added a critical flaw impacting Oracle Fusion Middleware, tracked as CVE-2021-35587, to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) a critical vulnerability impacting Oracle Fusion Middleware, tracked as CVE-2021-35587 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog.

An unauthenticated attacker with network access via HTTP can exploit the vulnerability to compromise Oracle Access Manager.

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8” states the NIST.

The flaw was reported in March and affects versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. The IT giant fixed the issue in January with the release of the Critical Patch Update.

“This vulnerability was discovered by accident by me and Peterjson while we were analyzing and building PoC for another mega-0day (which is still not fixed by now 😉 ).” reads the post published security researcher Nguyen Jang (Janggggg) who reported the flaw alongside peterjson. “It’s quiet easy to access the entrypoint and exploit the vulnerability, so it’s recommend to apply the patch now! It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim’s server.”

Below is the video PoC published by Nguyen Jang.

CISA orders federal agencies to fix these vulnerabilities by December 19, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

The post CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

29 November 2022 at 16:39
Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines. Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G. <!--adsense--> The PC maker described the vulnerability as

Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access

29 November 2022 at 22:22

Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.

Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products.

In early October, Fortinet addressed the critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies.

The company explained that an attacker can exploit the vulnerability to log into vulnerable devices.

“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the customer support bulletin issued by the company.

The company urged customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.

The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, and FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0

The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2.

The company also provides a workaround for those who can’t immediately deploy security updates.

Customers that are not able to upgrade their systems should restrict access to their devices to a specific set of IP addresses.

On October 18, Fortinet confirmed the critical authentication bypass vulnerability is being exploited in the wild.

“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access”” continues the advisory.

proof-of-concept (PoC) exploit code for the CVE-2022-40684 flaw has been released online. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.

In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US.

Now Cyble researchers reported more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not patched yet.

Threat actors might exploit the vulnerability to perform malicious activities such as:

  • Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
  • Add new local users.
  • Update networking configurations to reroute traffic.
  • Download the system configuration.
  • Initiate packet captures to capture other sensitive system information.
  • The sensitive system information, system configurations, and network details might be further distributed over the darkweb

“While during routine monitoring, researchers at Cyble observed a Threat Actor (TA) distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums,” reads the analysis published by Cyble.

“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the Threat Actor behind this sale exploited CVE-2022-40684.”

Fortinet FortiOS access-being-distributed-over-Russian-Cybercrime-forums.webp

Cyble researchers observed that threat actors have been targeting Fortinet instances since October 17, 2022.

“The authentication bypass vulnerability in Fortinet products allows an unauthenticated attacker to perform operations on the administrative interface. With large numbers of exposed assets that belong to private-public entities exposed over the internet, the vulnerability falls under the critical category.” concludes the post. “Publicly distributed Proof of Concepts (POCs) and automation tools have made it more convenient for attackers to target victim organizations within a few days of the announcement of the new CVE.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

The post Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access appeared first on Security Affairs.

Today — 30 November 2022Security News

Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines

30 November 2022 at 06:21
A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September

3 New Vulnerabilities Affect OT Products from German Companies Festo and CODESYS

30 November 2022 at 07:21
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an

Australia Passes Bill to Fine Companies up to $50 Million for Data Breaches

30 November 2022 at 09:33
The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches. To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity's adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information,

ENC Security, the encryption provider for Sony and Lexar, leaked sensitive data for over a year

30 November 2022 at 09:06

CyberNews experts discovered that ENC Security, a Netherlands software company, had been leaking critical business data since May 2021.

Original post at https://cybernews.com/security/encsecurity-leaked-sensitive-data/

When you buy a Sony, Lexar, or Sandisk USB key or any other storage device, it comes with an encryption solution to keep your data safe. The software is developed by a third-party vendor – ENC Security.

Netherlands-based company with 12 million users worldwide provides “military-grade data protection” solutions with its popular DataVault encryption software.

As it turns out, ENC Security had been leaking its configuration and certificate files for more than a year, the Cybernews research team discovered.

“The data that was leaking for over a year is nothing less than a goldmine for threat actors,” Cybernews researcher Martynas Vareikis said.

The company said a misconfiguration by a third-party supplier caused the issue and fixed it immediately upon notification.

The discovery

The data inside the leaky server included Simple Mail Transfer Protocol (SMTP) credentials for sales channels, the single payment platform’s Adyen keys, email marketing company’s Mailchimp API keys, licensing payment API keys, HMAC message authentication codes, and public and private keys stored in .pem format.

The data was accessible from 27 May 2021 up until 9 November 2022. The server was closed after Cybernews disclosed the vulnerability to ENC Security.

According to Vareikis, the discovery is worrying since bad actors could exploit the aforementioned data for a variety of cyberattacks – from phishing to ransomware.

ENC Security

For example, sales communication channels could be used to phish clients by sending them fake invoices or spreading malware via trusted email addresses.

“Mailchimp API keys add even more value for the malicious actors interested in phishing campaigns, as it allows them to send massive marketing campaigns and view/collect leads. Having a client list and the ability to use real email for phishing campaigns is nothing less than a goldmine for threat actors,” Vareikis explained.

Ransomware operators exploit .pem files – the keys left inside could result in unauthorized access or even a server takeover.

The repercussions of such a takeover could be devastating. Threat actors might switch the download file with an infected one.

“Having clients such as SanDisk, Sony, Lexar, and more promoting (TrustPilot reviewers complain being forced into using this software when purchasing thumb drives) your infected files would produce one of the biggest ransomware campaigns yet,” Vareikis explained.

ECN Security says its solution is downloaded over 2,000 times monthly.

Payment API keys could expose sensitive client information to the public.

Company’s response

ENC Security said it had taken swift action after analyzing the issue discovered by the Cybernews research team. The vulnerability concerned a misconfiguration by a third-party supplier, ENC Security told Cybernews. The issue is now resolved.

“At ENC Security we take the security and protection of our data seriously. Every finding is thoroughly researched and remediated with appropriate measures. Relevant measures are taken when required, amongst which security measures, informing customers and further enhancing security,” the company’s spokesperson said.

Pelissier discovery

Vareikis believes the Cybernews discovery is no less worrying than the researcher’s Sylvain Pelissier discovery in December 2021.

If you want to read more about Pelissier’s discovery read the post published by CyberNews.

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ENC Security)

The post ENC Security, the encryption provider for Sony and Lexar, leaked sensitive data for over a year appeared first on Security Affairs.

❌
❌