Category Archives: Information Security

Personal details and documents for millions of Indians available in the deep web

Researchers have discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

Researchers discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

An anonymous entity told Cyble researchers that the data were stored on an unprotected elastic search instance that is no longer accessible.

While Cyble was investigating the issue, a threat actor published more than 2,000 Indian Identity cards (Aadhaar cards) on one hacking forum, files appears to have originated from 2019.

Indian Identity card leak

Then the threat actor leaked 1.8M identity cards belonging to citizens of the Madhya Pradesh state on their forum.

“Cyble has indexed this information on their data breach monitoring and notification platform, Amibreached.com. People who are concerned about their information leakage, can ascertain the risks by registering to the platform.” reads the post published by Cyble.

Cyble researchers also discovered that a threat actor posted 2.3 GB (zipped) file on one of the hacking forums.

This time the leak contains a lot of personal details of millions of Indians Job seekers from different states. At the time of writing this article, the experts are still investigating the source of the leak.

“It appears to have originated from a resume aggregator given the sheer volume and detailed information.” state the experts.

“Cyble researchers have identified a sensitive data breach on the darkweb where an actor has leaked personal details of ~29 Million Indian Job Seekers from the various states. The original leak appears to be from a resume aggregator service collecting data from various known job portals. Cyble’s team is still investigating this further and will be updating their article as they bring more facts to the surface. This breach includes sensitive information such as email, phone, home address, qualification, work experience etc.”

Crooks could use personal information exposed in both data leaks to conduct various malicious activities, including identity thefts, scams, and corporate espionage.

Pierluigi Paganini

(SecurityAffairs – Indians data leaks, hacking)

The post Personal details and documents for millions of Indians available in the deep web appeared first on Security Affairs.

The Florida Unemployment System suffered a data breach

Officials revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

The Florida Department of Economic Opportunity revealed that the Florida Unemployment System suffered a data breach that impacted some residents who have made unemployment claims.

It has notified 98 people that have been impacted by the incident, government representatives didn’t disclose when the breach took place either the number of the affected individuals and the type of information compromised.

The agency spokeswoman Paige Landrum announced that the breach was addressed within one hour after the officials became aware of it. The Florida Department of Economic Opportunity is offering tho the impacted citizens identity protection services for free.

Impacted users should be vigilant and report any unauthorized activity on their financial accounts.

“The DEO has received more than 2 million claims seeking unemployment benefits from Floridians since the coronavirus pandemic caused mass business closings around the state, though only 1.6 million claims have been verified.” reported the AP agency. “Just under 1 million jobless workers in Florida have been paid more than $2.6 billion in benefits.”

State Sen. Linda Stewart, D-Orlando, expressed concern about the response of the agency to the security breach and the measures it has adopted to prevent future incidents. Stewart sent a letter to Department of Management Services Secretary Jonathan Satter, whose office oversees information technology for other state agencies.

“Given the agency’s (DEO) track record with processing unemployment applications, I’m sure you will understand the great concern I have that all remedies have been quickly taken and that Floridians can be assured that their personal information is now secured and will be protected from future attacks,” Stewart wrote.

The good is that the Florida Department of Economic Opportunity is not aware of malicious activity abusing exposed data.

Pierluigi Paganini

(SecurityAffairs – Florida, hacking)

The post The Florida Unemployment System suffered a data breach appeared first on Security Affairs.

Tens of thousands Israeli websites defaced

Thousands of Israeli websites have been defaced earlier today, hackers published an anti-Israeli message on their homepage and attempted to implant malicious code.

A massive hacking campaign defaced thousands of Israeli websites, attackers published an anti-Israeli message on their homepage and attempted to inject a malware seeking permission to access visitors’ webcams.

“Be ready for a big surprise” “The countdown of Israel destruction has begun since a long time ago,” reads the message published in in Hebrew and English on the defaced Israeli websites.

A video published by the hackers shows explosions in Tel Aviv and a battered and bloodied Prime Minister Benjamin Netanyahu swimming away from a burning city.

The hackers also added a link on some websites, asking users to click on the link and activate their camera

The list of hacked websites belong to local municipalities, several NGOs, popular restaurant chains, and a left-wing Member of parliament.

The attacks were carried out by a group calling itself the “Hackers of Saviour” most of the hacked websites were hosted on the Israeli WordPress hosting service uPress. The hacker group’s YouTube channel describes the crew as collective seeking on avenging Israel’s policy on the Palestinian situation.

“Early this morning we detected a widespread cyber attack against many websites stored on our servers. It is a case of a malicious and far-ranging attack carried out by anti-Israel (Iranian) sources. We detected a weakness in a WordPress add on that enabled the hack and are working closely with the National Cyber Bureau to research the breach and fix the affected sites.” reads a statement from the company sent to Ynet News.

The hosting provider confirmed the attack and revealed that the hackers exploited a vulnerability in a WordPress plugin to compromise the Israeli websites. Below the message published by the company on Facebook:

הודעת עדכון: לקוחות יקרים, היום בשעה מוקדמת זיהנו מתקפת סייבר רחבת היקף על אתרים רבים שמאוחסנים אצלנו. מדובר במתקפה…

Gepostet von ‎אחסון וורדפרס – uPress‎ am Donnerstag, 21. Mai 2020

The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. The company is working to restore all the defaced websites.

“The Israel National Cyber Bureau, the government agency tasked with protecting Israel from hacking attacks confirmed that “a host of Israeli websites were hacked in the morning hours in a suspected Iranian cyber-attack.”” reported the website Calcalistech.

“The matter is being handled by the Bureau. We recommend users refrain from pressing any links on compromised sites,”.

The hosting provider reported the incident to the authorities that launched an investigation into the attacks.

The Israeli National Cyber-Directorate (INCD), the Israeli cyber-security agency, warned users against visiting and interacting with the hacked websites.

Israeli press outlets blame Iranian hackers for the attacks, but at the time there is no concrete evidence to support this attribution.

Pierluigi Paganini

(SecurityAffairs – Israeli websites, hacking)

The post Tens of thousands Israeli websites defaced appeared first on Security Affairs.

Adobe fixed several memory corruption issues in some of its products

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.

Adobe addressed multiple memory corruption vulnerabilities in several of its products, including an arbitrary code execution.

The issues affect Character Animation, Premiere Rush, Premiere Pro, and Audition, they were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

APSB20-29 Security update available for Adobe Premiere Rush05/19/202005/19/2020
APSB20-28 Security update available for Adobe Audition05/19/202005/19/2020
APSB20-27 Security update available for Adobe Premiere Pro05/19/202005/19/2020
APSB20-25 Security update available for Adobe Character Animator 05/19/202005/19/2020

The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of the Adobe’s Character Animation product.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.

Adobe has also addressed updates an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure. 

The IT giant has released security updates for Adobe Premiere Pro for Windows and macOS that addressed an out-of-bounds read vulnerability that could lead to information disclosure.

The last issue addressed by Adobe is a stack-based buffer overflow vulnerability in Adobe Character Animator for Windows and macOS that could lead to remote code execution. 

The good news is that Adobe is not aware of attacks in the wild that exploited the above vulnerabilities and assigned them a priority rating of 3 because they are unlikely to ever be exploited.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.

Pierluigi Paganini

(SecurityAffairs – memory corruption flaws, hacking)

The post Adobe fixed several memory corruption issues in some of its products appeared first on Security Affairs.

Israel is suspected to be behind the cyberattack on Iranian port

Israel is likely behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

A couple of weeks ago, Iranian officials announced that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas.

Bandar Abbas is the capital of Hormozgān Province on the southern coast of Iran, on the Persian Gulf. The city occupies a strategic position on the narrow Strait of Hormuz, and it is the location of the main base of the Iranian Navy. Bandar Abbas is also the capital and largest city of Bandar Abbas County.

Iranian officials did not reveal details of the cyber attack that took place on May 9, two days before Iranian officials disclosed the incident.

Local authorities, including the Ports and Maritime Organization (PMO) in the state of Hormozgan, confirmed that operations at the port were impacted by the cyber attack.

Initially, officials denied the cyber-attack, but due to media pressure that later admitted the cyber intrusion.

The authorities did not attribute the attack to a specific threat actor, Iran’s Deputy Minister of Roads and Urban Development stated that he did not have any information about the origin of the attack.

“Currently, the distribution of cargo in northern ports is good; although the performance of all southern ports is negative.” Mohammad Rastad.

Rastad told Fars News Agency that the attack was carried out by a foreign governenment.

Now a foreign government security official said the attack was “highly accurate” and the damages caused to the Iranian infrastructure were greater than described in official Iranian accounts.

The news was reported by The Washington Post, which blamed Israel for the cyber attack that was launched in retaliation for an earlier cyberattack on rural water distribution systems in Israel.

In April, the Israeli government has issued an alert to organizations in the water sector following a series of cyberattacks that targeted the water facilities.

Earlier May, Israel’s security cabinet discussed alleged Iranian cyberattack on Israeli water and sewage facilities that fortunately did not cause serious damage. The attack demonstrates an escalation by the Iranians, because they targeted civilian infrastructure.

“This was a very unordinary cyberattack against civilian water facilities which is against every ethic and every code even in times of war,” a senior Israeli official told Channel 13. “We didn’t expect this even from the Iranians. It is just not done.”Iran reported three cyberattacks within one week back in December. At least one of the attacks was allegedly “state-sponsored.”

Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

The recent attack could be a response of the Israeli cyber army against the wave of attacks that targeted Israely water sector.

“Israel appears to be behind a cyberattack earlier this month on computers at Iran’s Shahid Rajaee port that caused massive backups on waterways and roads leading to the facility, the Washington Post reported on Monday.” reads the report published by the Reuters.

“Citing unnamed U.S. and foreign government officials, the Post said the May 9 disruption of Iranian computers was presumably in retaliation for an earlier attempted cyberattack on rural water distribution systems in Israel.”

The Reuters agency contacted the Israeli Embassy in Washington for a comment by it has yet to respond.

In December 2019, Iran foiled two massive cyber-attacks in less than a week, the country’s telecommunications minister Mohammad Javad Azari-Jahromi revealed.

The news was reported by both the ISNA and Mehr news agencies, the Iranian minister defined the attacks as “really massive” and attributed them to a nation-state actor.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Israel is suspected to be behind the cyberattack on Iranian port appeared first on Security Affairs.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates it is employed in ongoing coronavirus-themed scams. 

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in COVID-19-themed phishing campaign, crooks promise victims COVID-19 tax relief.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack, hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once identified the employee that responsible for money transfers. the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through the bank Norfund.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay of its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30 when the fraudsters attempted to carry out a new fraud, that was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.