After a couple of months of absence, our weekly news recap is back. Find out more about what happened this week in security, cryptocurrencies, privacy, and darkweb in about a thousand words only. In addition, if you have an iOS device, you might be interested in the article we wrote this week that suggests various ways to improve your security and privacy while using it.
APT
EU officially blames Russia for ‘Ghostwriter’ hacking activities (Bleeping Computer)
‘Ghostwriter’ is a disinformation campaign promoting Russian security interests that has been going on since at least March 2017, according to FireEye. On September 24th, the European Union officially blamed Russia for the operation and pledged to consider taking further steps.
Cryptocurrencies
Ethereum dev admits to helping North Korea evade crypto sanctions (Bleeping Computer)
Griffith, a cryptocurrency expert who was notably involved in Ethereum development, was arrested and faces 20 years in prison after (among other things) travelling to North Korea to give a presentation on how to use cryptocurrencies to launder money and evade sanctions.
China expands crackdown by declaring all crypto activities ‘illegal’ (Financial Times)
After banning domestic financial institutions from providing cryptocurrency services earlier in May, China’s central bank took the crackdown further by declaring all activities related to digital coins illegal. Furthermore, China’s authorities stated that it is illegal for overseas exchanges to provide their services to China’s residents.
Bitcoin.org hackers steal $17,000 in ‘double your cash’ scam (Bleeping Computer)
Hackers managed to break into bitcoin.org on September 23rd, and displayed a modal window saying: “The Bitcoin Foundation is giving back to the community! […] Send Bitcoin to this address, and we will send double the amount in return!”. As of now, the website is back to normal, but how it was breached is still unclear.
Darknet
Trio Avoids Prison in Darkweb Drug Distribution Case (Darknet Live)
Three British residents received suspended sentences for selling marijuana, cocaine, and amphetamine on the darkweb. They got caught after a 1kg package shipped from the Netherlands to their residence was intercepted at the airport in 2017.
General Security
Autodiscovering the Great Leak (Guardicore Labs)
Researchers managed to exploit a design flaw in Autodiscover, a protocol used by Microsoft Exchange, to obtain 96,671 unique Windows domain credentials. The flaw could be exploited by registering domains with the same TLD as the victims’ email domains. If victims had email addresses at example.com and no Autodiscover.xml could be found at example.com, the client would fall back to the bare TLD, so whoever registered autodiscover.com would receive the victims’ data. In addition, the researchers developed a downgrade attack to receive plain-text credentials through HTTP Basic Authentication (Microsoft announced it would be disabled from October 2022).
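As an added illustration (not code from Guardicore’s write-up), the following Python models the Autodiscover back-off sequence the article describes and runs a detection pass over constructed proxy log lines, flagging Autodiscover requests that leave the organisation’s own domain. The exact candidate order Exchange clients use varies and is assumed here; the log format and sample lines are invented.

```python
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

def autodiscover_candidates(email):
    """Hosts a client may try for user@domain, in the order the write-up
    describes (assumed here); the last, back-off step is the dangerous one."""
    domain = email.split("@", 1)[1].lower()
    tld = domain.rsplit(".", 1)[-1]
    return [f"autodiscover.{domain}", domain, f"autodiscover.{tld}"]

def leaves_domain(host, org_domain):
    """True when host is neither org_domain nor one of its subdomains."""
    host, org_domain = host.lower(), org_domain.lower()
    return host != org_domain and not host.endswith("." + org_domain)

def flag_autodiscover_leaks(proxy_lines, org_domain):
    """Scan constructed proxy lines ('<ts> <client> <method> <url> <auth-scheme>')
    and return one finding per Autodiscover request that left org_domain."""
    findings = []
    for line in proxy_lines:
        ts, client, method, url, auth = line.split()
        u = urlparse(url)
        if u.path.lower() != AUTODISCOVER_PATH or not leaves_domain(u.hostname, org_domain):
            continue
        # Plain HTTP or Basic auth means the credential itself is exposed,
        # not just the fact that a lookup leaked out of the domain.
        severity = "critical" if (u.scheme == "http" or auth.lower() == "basic") else "high"
        findings.append({"ts": ts, "client": client, "host": u.hostname, "severity": severity})
    return findings

# Constructed sample: two in-domain lookups, the back-off to the bare TLD host,
# then a downgraded request carrying Basic credentials, then unrelated traffic.
SAMPLE_LOG = [
    "2021-09-24T08:00:01Z 10.0.0.12 POST https://autodiscover.example.com/autodiscover/autodiscover.xml NTLM",
    "2021-09-24T08:00:02Z 10.0.0.12 POST https://example.com/autodiscover/autodiscover.xml NTLM",
    "2021-09-24T08:00:03Z 10.0.0.12 POST https://autodiscover.com/autodiscover/autodiscover.xml NTLM",
    "2021-09-24T08:00:04Z 10.0.0.12 POST http://autodiscover.com/autodiscover/autodiscover.xml Basic",
    "2021-09-24T08:05:00Z 10.0.0.40 GET https://mail.example.com/owa/ -",
]

if __name__ == "__main__":
    print(autodiscover_candidates("alice@example.com"))
    for finding in flag_autodiscover_leaks(SAMPLE_LOG, "example.com"):
        print(finding)
```

Blocking resolution of, or proxy access to, the flagged back-off hosts and disallowing Basic authentication removes both findings at the source.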
Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes (The Record)
On September 28th, Microsoft started rolling out a new security feature for Exchange email servers. Once Microsoft detects a new attack, the Microsoft Exchange Emergency Mitigation service will automatically download and apply temporary mitigations to Exchange servers while waiting for a proper patch to become available. This comes after Exchange servers were widely used by threat actors (such as China) as an attack vector for a couple of years.
Researcher dumps three iOS zero-days after Apple failed to fix issues for months (The Record)
A few days after Apple released iOS 15, a researcher published a list of three zero-days (along with proofs of concept) that he claims Apple failed to patch, despite his having reported them earlier this year. The flaws allow applications to obtain personal data such as Apple ID emails, names, auth tokens, the list of applications installed on the device, and WiFi information.
Apple AirTag Bug Enables ‘Good Samaritan’ Attack (Krebs on Security)
Apple’s AirTags are devices for tracking lost items. One of their features lets the owner record a phone number where they can be contacted, along with a personal message. Whoever finds the AirTag can simply scan it to see this information. A researcher found that it is possible to inject code into the phone number field, which could be exploited in ways such as redirecting people who scan a lost device to a fake Apple portal that steals their personal information.
Cloudflare Ventures into Simplifying Email Security (Dark Reading)
Cloudflare announced its intention to help tackle the email security problem. In addition to making it easier for its customers to configure DNS security features for email (DKIM, DMARC, SPF), it released a new service (in private beta) allowing users to route emails through Cloudflare’s servers.
HTTPS Is Actually Everywhere (EFF)
EFF decided to start deprecating the HTTPS Everywhere extension after having maintained it for ten years. In this period, we saw a huge increase in HTTPS usage, thanks to initiatives like Let’s Encrypt, which allowed people to generate SSL certificates easily and free of charge. Lately, all the major browsers have also integrated an option to force HTTPS when visiting websites.
Researchers discover bypass ‘bug’ in iPhone Apple Pay, Visa to make contactless payments (ZDNet)
Researchers from the University of Birmingham announced that they discovered a flaw that allows bypassing the iPhone’s lock screen to make cashless transactions with Apple Pay if it contains a Visa card set up in Express Transit Mode. The attack allows spending money over the contactless limit but requires physical access to the phone.
FCC to work on rules to prevent SIM swapping attacks (The Record)
SIM swapping is an attack allowing hackers to get their hands on people’s phone numbers, which they then often use to steal from online banking or cryptocurrency exchange platforms. The FCC announced a formal rulemaking process due to a large number of consumer complaints.
Android Trojan GriftHorse, the gift horse you definitely should look in the mouth (Malwarebytes)
Researchers at Zimperium discovered an Android malware campaign that they estimate has been active since at least November 2020. When victims download one of the malicious applications, they are subscribed to paid services, taking away over USD 30 a month. Over the last few months, GriftHorse has infected more than 10 million devices in more than 70 countries.
Privacy
Lithuania wants users to dump Chinese phones citing data collection (Hack Read)
Lithuania’s National Cyber Security Centre announced the discovery of multiple flaws in some models of Android phones manufactured by the Chinese companies Huawei, OnePlus, and Xiaomi. In addition to applications leaking personal data, the researchers discovered that some Xiaomi and Huawei phones contained content-filtering features and received updated lists of words/phrases to censor. The full report is available here.
New Chrome feature can tell sites and webapps when you’re idle (Tech Republic)
In the recently deployed Google Chrome 84, the company added a new API that can “notify developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen.” It could well do more harm than good to users, and it can be disabled in the browser’s configuration screen.
Masked Email from Fastmail and 1Password protects your identity online (Fastmail Blog)
1Password released a new feature in collaboration with Fastmail. It allows generating unique email addresses on the fly from the password manager. The addresses can then be changed or removed if spam starts arriving. Generally speaking, having a unique email address for each account you create is a good practice for both security and privacy.
Former OnlyFans Employees Could Access Users’ and Models’ Personal Information (Vice)
OnlyFans is a service largely used by sex workers to sell various pornographic material. According to a former employee, ex-employees of the company are able to access the support system long after leaving. Doing so may allow them to access a large amount of sensitive information such as credit card information, driver’s licenses, passports, bank statements, …
Interesting Long Reads
- The Business of Fraud: Laundering Funds in the Criminal Underground (Recorded Future)
- Value of the Choice Requirement Remedy (which.co.uk), full report here