Security daily (19-03-2021)

Approaches for authenticating external applications in a machine-to-machine scenario

Amazon Web Services (AWS) supports multiple authentication mechanisms (AWS Signature v4, OpenID Connect, SAML 2.0, and more), essential in providing secure access to AWS resources. However, in a strictly machine-to-machine (m2m) scenario, not all are a good fit. In these cases, a human is not present to provide user credential input. An example of […] (AWS Security Blog)

Two Infraud members sentenced for role in $568 million crime gang, US says

A U.S. federal judge has sentenced two men — one from Russia, the other from North Macedonia — to prison terms of 10 and five years, respectively, for their role in a $568 million cybercriminal ring that stole payment cards and personal data from around the world. Both Sergey Medvedev of Russia and Marko Leopard of North Macedonia had pleaded guilty last year to a racketeering conspiracy, the U.S. Justice Department said in announcing the sentencing Friday. The jail time is the latest in a series of moves by U.S. prosecutors against the once-powerful crime ring, known as Infraud, which Medvedev allegedly co-founded. At its height, Infraud had more than 10,000 members and became a go-to place for “carding,” or buying things online with stolen credit card data. But a U.S. indictment of 36 of the organization’s affiliates in 2018, and subsequent arrest of 13 alleged members, effectively put Infraud out of […] (CyberScoop)

Electric equipment vendor Schweitzer joins US testing program to defend grid from hacking threats

A major supplier of U.S. electrical equipment has joined a Department of Energy-funded research program to defend industrial infrastructure from hacking, the Biden administration announced Thursday. As part of the program, Schweitzer Engineering Laboratories, which makes gear that helps power the grid, will submit products for testing to the Idaho National Laboratories (INL). The Department of Energy-backed INL hosts some of the U.S. government’s most talented penetration testers of industrial equipment. The program is “especially [important] now with nation-states paying particular interest to the electric sector,” David Whitehead, Schweitzer’s chief executive, said in an interview. The vulnerability-testing initiative is known as the Cyber Testing for Resilient Industrial Control System (CyTRICS) program, and has been in the works for at least two years. But it has taken on greater importance amid reports of a growing number of foreign hacking groups probing industrial control systems, the hardware and software that underpin energy systems. […] (CyberScoop)

SpaceX engineer makes a first with dark web securities violations case

First, U.S. authorities say, SpaceX engineer James Roland Jones tried to fake his way into a dark web insider trading forum, but that didn’t work out very well. Afterward, he still managed to sell fake insider trading information on the dark web anyway, according to the Securities and Exchange Commission. And on top of that, he bought sensitive personal information from a hard-to-reach forum with the goal of making transactions based on purported insider info, according to the Justice Department. (U.S. authorities did not disclose the names of the companies from which Jones claimed to have inside information.) Now, after the FBI used some of Jones’ own methods on him, he has pleaded guilty on charges of conspiracy to commit securities fraud. And the SEC has filed a complaint against the man who also went by the name “MillionaireMike” seeking to recoup his ill-gotten gains and civil penalties. It’s all […] (CyberScoop)

Verkada breach spotlights ongoing concerns over surveillance firms' security

Even for Elisa Costante, who studies vulnerabilities in surveillance devices for a living, the breach at the security-camera startup Verkada was startling. A group of hackers earlier this month claimed to have access to some 150,000 live-camera feeds that Verkada maintains in schools, prisons and hospitals. The incident provided outsiders with an entry into live video feeds at companies including Tesla, and enabled hackers to access archived video from Verkada subscribers. “It really opens the eyes on what can happen” when an attacker exploits access to a web of insecure surveillance devices, said Costante, a senior director at security vendor Forescout Technologies. The U.S. Department of Justice on Thursday announced an indictment against Tillie Kottmann, one of the people who claimed responsibility for the incident, for alleged computer and wire fraud, and aggravated identity theft. The charges don’t mention the Verkada breach, and accuse Kottmann, who lives in Switzerland, and others […] (CyberScoop)

Russian man pleads guilty to Tesla hacking plot

A 27-year-old Russian has pleaded guilty to working to recruit a Tesla employee to hack the Nevada-based company last year. The man, Egor Igorevich Kriuchkov, last year tried to convince the unnamed employee to launch malware against the company’s computer network, allowing Kriuchkov and co-conspirators to steal data, according to court documents and admissions in court, the Department of Justice announced. The plan was that Kriuchkov and his co-conspirators would then conduct a distributed denial-of-service attack against Tesla in order to distract the company from the malware, and then extort the company with threats to disclose the purloined information, according to court documents. Kriuchkov allegedly traveled between Russia, California and Nevada on multiple occasions last year to try to convince the employee to help with the scheme, promising the employee bitcoin as payment. Kriuchkov also provided the employee, who is not named in court documents, a phone and taught them […] (CyberScoop)

Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs

Just one tiny line of script in your Xcode project - and you've been pwned! (Naked Security)

Apple Devs Targeted By Malicious Xcode Project

(News ≈ Packet Storm)

Zoom Screen Sharing Glitch Briefly Leaks Sensitive Data

(News ≈ Packet Storm)

Swiss Hacker Indicted After Claiming Credit For Breaching Nissan, Intel

(News ≈ Packet Storm)

Expert Hackers Used 11 Zero Days To Infect Windows, iOS, And Android Users

(News ≈ Packet Storm)

Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud

The U.S. Department of Justice yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian hacker who planned to plant malware in the Tesla company. A Swiss hacker who was involved in the intrusion of cloud-based surveillance firm Verkada and exposed camera footage from its customers was charged by the U.S. Department of Justice (DoJ) on Thursday (The Hacker News)

New Zoom Screen-Sharing Bug Lets Other Users Access Restricted Apps

A newly discovered glitch in Zoom's screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings. Tracked as CVE-2021-28133, the unpatched security vulnerability makes it possible to reveal contents of applications that are not shared, but only briefly, thereby making it harder to exploit it in the wild. It's worth pointing out (The Hacker News)

Google Reveals What Personal Data Chrome and Its Apps Collect On You

Privacy-focused search engine DuckDuckGo called out rival Google for "spying" on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes. "After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it," the company (The Hacker News)

Critical F5 BIG-IP Flaw Now Under Active Attack

Researchers are reporting mass scanning for – and in-the-wild exploitation of – a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure. (Threatpost)

Office 365 Phishing Attack Targets Financial Execs

Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials. (Threatpost)

Bogus Android Clubhouse App Drops Credential-Swiping Malware

The malicious app spreads the BlackRock malware, which steals credentials from 458 services - including Twitter, WhatsApp, Facebook and Amazon. (Threatpost)

CopperStealer Malware Targets Facebook and Instagram Business Accounts

A previously undocumented password and cookie stealer has been compromising accounts of big guns like Facebook, Apple, Amazon and Google since 2019 and then using them for cybercriminal activity. (Threatpost)


/security-daily/ 20-03-2021 23:44:23