The post More than 770 million records available through the Travis CI API: Anyone can extract tokens, secrets, and other credentials associated with services like GitHub, AWS, and Docker Hub appeared first on Information Security Newspaper | Hacking News.
According to a report prepared by the firm Aqua Security, tens of thousands of user tokens may have been exposed through the Travis CI API, which holds more than 770 million log records containing multiple types of credentials belonging to users of free subscriptions.
According to the report, Travis CI did not apply sufficient protections to log numbers, which would allow an enumeration script to retrieve an undetermined number of logs: “This is not easy with other providers since they must mention in the URL a client ID, making it difficult to execute enumeration in the records.”
During this research, a second, documented API call was also found that gave access to another set of logs in plain text which had previously been unavailable. Using both methods, the researchers were able to retrieve logs dating from January 2013 to May 2022.
Aqua Security estimates that the number of valid logs lies between 4.2 million and 774 million. After analyzing a sample of 8 million logs, the experts found nearly 73,000 sensitive strings in the form of tokens, secrets and other credentials associated with cloud services such as GitHub, AWS and Docker Hub.
Experts note that some of the data in the historical logs was masked. However, this masking is insufficient because Travis CI lets developers choose their own names for the variables that hold sensitive information.
“We found that, in many cases, ‘github_token’ was masked and revealed no secrets. However, we found around 20 variations of this token that were not protected in any way by Travis CI,” the researchers add.
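A defensive illustration of the naming problem the researchers describe, added here and not part of the Aqua report or of Travis CI's own code: a log redaction pass that masks secret values by keyword fragments inside any variable name and by the known shape of common tokens, rather than by one exact name such as github_token. The log lines, the `[secure]` placeholder and the token values are constructed; the AWS key ID is Amazon's documented example value.

```python
"""Redact secrets from CI build-log lines regardless of the variable name used."""
import re

MASK = "***REDACTED***"
# Placeholder assumed to mark values the CI service already masked; such lines
# are left untouched so that the pass is idempotent.
ALREADY_MASKED = {"[secure]"}

# Name-based detection: the report counts ~20 unprotected variants of
# "github_token", so match keyword fragments inside any variable name
# rather than one exact name.
NAME_VALUE = re.compile(
    r"(?i)(?P<name>[A-Z0-9_.-]*(?:token|secret|passw(?:or)?d|api[_-]?key|"
    r"access[_-]?key|private[_-]?key|credential)[A-Z0-9_.-]*)"
    r"(?P<sep>\s*[=:]\s*)(?P<q>['\"]?)(?P<value>[^'\"\s]+)(?P=q)"
)

# Format-based detection catches values that appear without any variable
# name at all, for example a token embedded in a clone URL.
KNOWN_FORMATS = [
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),         # classic GitHub PAT
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),     # AWS access key ID
    ("docker-pat", re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}")),  # Docker Hub PAT prefix
]


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return (masked_line, findings) for one log line."""
    findings: list[str] = []

    def mask_named(m) -> str:
        if m.group("value") in ALREADY_MASKED:
            return m.group(0)
        findings.append(f"named:{m.group('name')}")
        return f"{m.group('name')}{m.group('sep')}{m.group('q')}{MASK}{m.group('q')}"

    line = NAME_VALUE.sub(mask_named, line)
    for label, pattern in KNOWN_FORMATS:
        if pattern.search(line):
            findings.append(label)
            line = pattern.sub(MASK, line)
    return line, findings


def redact_log(text: str) -> tuple[str, list[str]]:
    """Redact a whole log; returns the cleaned text and all findings in order."""
    out_lines, all_findings = [], []
    for raw in text.splitlines():
        cleaned, found = redact_line(raw)
        out_lines.append(cleaned)
        all_findings.extend(found)
    return "\n".join(out_lines), all_findings


# Constructed sample log (not real credentials): the AWS value is Amazon's
# documented placeholder key, the others are made-up strings of the right shape.
SAMPLE_LOG = """\
$ export GITHUB_TOKEN=[secure]
$ export GH_TOKEN_CI=ghp_0123456789abcdef0123456789abcdef0123
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ docker login -u ciuser -p 'dckr_pat_constructedExampleValue1234'
$ git clone https://ghp_0123456789abcdef0123456789abcdef0123@github.com/org/repo
$ echo build ok"""

if __name__ == "__main__":
    cleaned, findings = redact_log(SAMPLE_LOG)
    print(cleaned)
    print("findings:", findings)
```

Only the first line, already masked by name, survives untouched; the renamed token, the unnamed token in the URL and the Docker login secret are all caught by one of the two passes.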
Travis CI received the report, and while the researchers expected the issues to be addressed soon, the platform replied that this is a design issue and will probably not be fixed. Log exposure appears to be a recurring problem for Travis CI: reports of this type of risk were published in 2015, 2019 and 2021.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.
The post Ransomware attack targeting public schools in New Jersey forces cancellation of final exams appeared first on Information Security Newspaper | Hacking News.
Parents, students, and staff from schools in the school district were notified of the situation just a few hours ago, and have been receiving regular updates through The Tenafly Public Schools notification system, a structure independent of the affected systems.
So far, neither the ransomware variant used in this attack nor the amount of the ransom demanded by the cybercriminals is known. It is also unclear whether local authorities plan to negotiate with the attackers or try to restore their systems on their own.
Unofficial sources had reported that the ransomware attack rendered dozens of computers in the county unusable, leaving local authorities under pressure to pay a ransom in cryptocurrency.
The Bergen County Prosecutor’s Office and the New Jersey State Police’s Cyber Crime Unit are already aware of the attack, and an investigation has been ordered by the Federal Bureau of Investigation (FBI), as the Bergen County authorities believe the case is beyond their capabilities.
Attacks of this kind are increasingly common. Just a few weeks ago, Somerset County suffered a cybersecurity breach that forced the temporary shutdown of all its electronic systems, and last year the Hillsborough and Bernards Township school districts also had to disrupt their academic activities due to a ransomware infection.
The post How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document? appeared first on Information Security Newspaper | Hacking News.
The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”
The term IDN refers to internationalized domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded according to the Unicode standard. For the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.
Counterfeit IDN homograph domains can be created by combining letters from different alphabets that look so alike to a user that they cannot be told apart, even though Unicode treats them as separate characters. This is not a new concept, but it remains a problem for many users.
Most browsers, for example, show the Punycode form of an internationalized domain name (https://xn--n1aag8f.com, for example) in the address bar instead of its Unicode form (https://žugec.com) when the site looks suspicious. Office applications, including Outlook, display the name differently.
Since registrar verification greatly limits which counterfeit domains can be registered, and most browsers display the Punycode form of a spoofed IDN, IDN homograph attacks have ceased to be a constant threat, although threat actors may still find ways to deploy them at scale.
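To make the Punycode/Unicode relationship and the homograph check concrete, here is an added example (not code from Bitdefender or from the original post) that converts a link's hostname between the two forms with Python's standard idna codec, flags labels that mix scripts, and compares a confusable-folded "skeleton" of the name against a constructed allowlist of protected brand domains. The confusables table and the allowlist are small constructed subsets.

```python
"""Screen a link's hostname for IDN homograph characteristics (defensive check)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Unicode confusables that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a",                                # Greek ο α
}
# Constructed allowlist of brand domains an organisation wants to protect.
PROTECTED = {"apple.com", "github.com", "microsoft.com"}


def to_unicode(host: str) -> str:
    """ASCII host with xn-- labels -> Unicode form (what a user sees when hovering)."""
    return host.encode("ascii").decode("idna")


def to_punycode(host: str) -> str:
    """Unicode host -> the ASCII form stored in DNS (what most browsers fall back to)."""
    return host.encode("idna").decode("ascii")


def scripts(label: str) -> set[str]:
    """Writing systems used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Fold known confusables to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def assess(url: str) -> dict:
    """Describe the hostname of a link in both forms and flag homograph signals."""
    host = urlsplit(url).hostname or ""
    unicode_host = (to_unicode(host) if host.isascii() else host).lower()
    folded = skeleton(unicode_host)
    return {
        "unicode": unicode_host,
        "punycode": to_punycode(unicode_host),
        # Labels mixing scripts (Cyrillic 'а' inside Latin 'pple') are the classic
        # homograph pattern; an all-Latin IDN such as žugec.com is not flagged.
        "mixed_script_labels": [lab for lab in unicode_host.split(".") if len(scripts(lab)) > 1],
        # Report impersonation only when folding actually changed the name.
        "impersonates": folded if folded != unicode_host and folded in PROTECTED else None,
    }


if __name__ == "__main__":
    for link in ("https://xn--pple-43d.com/login", "https://\u0430pple.com/", "https://žugec.com/"):
        print(link, "->", assess(link))
```

A mail gateway would run the same check on every link hostname and, at minimum, show the Punycode form and the impersonated brand to the user instead of the Unicode form alone.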
Microsoft acknowledged the problem when it received the Bitdefender report, though it is unclear whether the issue will be fixed. Until it is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.
The post CVE-2022-26134: Zero-day remote code execution vulnerability affecting Confluence Server and Data Center appeared first on Information Security Newspaper | Hacking News.
The researchers described it as a zero-day flaw in Confluence Server and Data Center. Volexity does not plan to publish its proof of concept (PoC), as Atlassian has not yet issued an official patch. The flaw was discovered when the researchers identified suspicious activity on their Atlassian Confluence servers and were able to confirm that the bug exists because a threat actor had launched an RCE exploit against that infrastructure.
In continuing its investigation, Volexity identified bash shells launched from Confluence’s web application processes: “We believe that the attacker launched a single exploit attempt on each of the Confluence server systems, which in turn loaded a malicious class file into memory. This allowed the threat actor to effectively have a webshell that they could interact with through subsequent requests.”
A successful attack gives the actors access to the affected server and lets them execute commands without having to place a backdoor on the compromised system’s disk or re-run the exploit every time they want to reach the target system.
At the moment there is no list of all affected Confluence Server versions, but the researchers state that the flaw can be exploited even on deployments with the latest patches installed. In other words, all versions of Confluence Server in use are likely exploitable.
A successful attack lets the hackers load a copy of the BEHINDER implant into memory, gaining memory-only webshells and built-in support for interaction with tools such as Meterpreter and Cobalt Strike. This is a capable attack method that requires writing nothing to the target’s disk; it does not provide persistence, however, so restarting the system will remove any traces of the attack.
When the BEHINDER implant is deployed, threat actors use the in-memory webshell to deploy two additional webshells to disk.
As mentioned above, the vulnerability has not yet been fixed by Atlassian, so administrators of affected deployments are advised to consider alternative security measures, for which Volexity has published a set of recommendations.
For users who cannot apply any of these recommendations, we recommend that you implement a Web Application Firewall (WAF) rule to block URLs with the characters ${, which should reduce the risk of attack.
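As an added example (not Volexity’s or Atlassian’s code) of what the suggested `${` rule has to handle, the function below screens constructed access-log lines for that sequence after URL-decoding the request path, since a rule applied only to the raw path misses percent-encoded forms. The log format, the addresses and the `constructed-test-marker` placeholder are assumptions; no exploit payload is included.

```python
"""Screen web-server access-log lines for the ${ sequence in request paths."""
import re
from urllib.parse import unquote

# Combined-log style entries (constructed, assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)
MAX_DECODE_ROUNDS = 3  # enough to unwrap double encoding without looping forever


def normalise_uri(uri: str) -> str:
    """Percent-decode until the string stops changing (bounded), as a WAF should."""
    current = uri
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_ognl_marker(uri: str, decode: bool = True) -> bool:
    """True if the request path contains '${' (after decoding unless decode=False)."""
    target = normalise_uri(uri) if decode else uri
    return "${" in target


def scan_log(text: str, decode: bool = True) -> list[dict]:
    """Return the parsed entries whose URI triggers the rule."""
    hits = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # unparseable line; a real deployment should count these too
        if has_ognl_marker(m.group("uri"), decode):
            hits.append({"ip": m.group("ip"), "uri": m.group("uri"),
                         "decoded": normalise_uri(m.group("uri")),
                         "status": int(m.group("status"))})
    return hits


# Constructed sample: one clean request, one literal marker, one single-encoded,
# one double-encoded, one clean POST. The marker text is a placeholder only.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 512
10.0.0.9 - - [03/Jun/2022:10:15:07 +0000] "GET /${constructed-test-marker}/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:15:09 +0000] "GET /%24%7Bconstructed-test-marker%7D/ HTTP/1.1" 302 0
10.0.0.12 - - [03/Jun/2022:10:16:00 +0000] "GET /%2524%257Bconstructed-test-marker%257D/ HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:10:16:30 +0000] "POST /rest/api/content HTTP/1.1" 200 1024"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['decoded']} -> {hit['status']}")
    print("raw-only matches:", len(scan_log(SAMPLE_LOG, decode=False)))
```

Run against the sample, the decoding rule reports three requests from two addresses, while the raw-string rule sees only the literal one, which is the gap a WAF rule needs to close.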
In addition to these recommendations, Atlassian Confluence administrators can apply further hardening measures of their own.
The post Warning: New cyber criminal group Karakurt is extorting millions of companies around the world appeared first on Information Security Newspaper | Hacking News.
This malicious operation is characterized by not deploying malware during its intrusions, unlike virtually every other extortion group. The ransoms demanded by Karakurt range from $25,000 to $13 million, and payment must always be made in Bitcoin.
When contacting their victims, the hackers send screenshots or copies of stolen files to prove that the attack is real, and also share details about the intrusion method used. Karakurt operators also harass employees, partners and customers of the affected companies in an attempt to force the ransom payment.
In the most critical cases, hackers leak small samples of the stolen information, including sensitive details such as full names, social security numbers, phone numbers, medical records, and more sensitive records.
Karakurt started out with a leak and auction site on the dark web, although the domain used for its operations went offline a couple of months ago. By early May, Karakurt’s new website hosted several terabytes of data allegedly belonging to victims in North America and Europe, as well as a list of alleged victims.
Another characteristic of Karakurt is that it does not focus on a specific type of victim; attacks are simply based on whichever networks the group manages to get into. To gain initial access, the hackers use poorly protected services and infrastructure weaknesses, or collaborate with other cybercriminal groups. According to CISA, the hackers commonly gain access by exploiting unpatched or outdated SonicWall VPN or Fortinet FortiGate devices, or well-known flaws such as Log4Shell and bugs in Microsoft Windows Server.
According to a report by security firm AdvIntel, Karakurt is part of the Conti network, which operates as an autonomous group alongside Black Basta and BlackByte, two other groups that rely on data theft and extortion for monetization purposes.
The post Full names, IDs, email addresses, and phone numbers of hacked Verizon employees: Customers could experience increased SIM swap attacks appeared first on Information Security Newspaper | Hacking News.
Even though Verizon was notified and has already acknowledged the leak, its representatives deny that the compromised information poses a security threat to its employees and customers.
The alleged hackers behind this incident claimed that it was very easy for them to access this database, as they simply had to contact a Verizon employee and pose as a co-worker in the internal support area. After fooling this unsuspecting employee, the hackers were able to connect to Verizon’s internal tool and access sensitive information.
Once inside, the hacker claims to have built a tool that let them download the information stored in the company’s systems. Verizon soon received a ransom note threatening to expose the compromised information if a $250,000 ransom was not paid.
As mentioned above, a Verizon representative stated that the company does not consider the compromised records confidential, so it does not plan to negotiate any ransom with the hackers. The representative added that Verizon takes information security seriously and has strong measures in place to protect customer and employee data.
Information security specialists disagree with Verizon’s stance: although the leak does not involve passwords, bank records or social security numbers, the stolen data could still prove useful to multiple hacking groups. Phishing campaigns, phone fraud, SIM swapping and email spam are just some of the risks to which those affected could be exposed.
The post Indian HDFC Bank deposits millions in customers’ accounts by mistake. Hacking incident or just a software flaw? appeared first on Information Security Newspaper | Hacking News.
The incident was reported to Chennai Police by a concerned customer who feared his bank account had been breached by malicious parties. Local authorities contacted the customer’s branch managers, who later explained that transfer notification messages had been wrongly sent to multiple users, causing confusion and requiring a software patch.
Eventually, dozens of users began making social media posts about the incident: “My HDFC Bank account showed a balance of Rs 2.4 million yesterday morning,” a customer of the banking institution said via Twitter.
After multiple complaints, the bank’s official Twitter account began handling customer inquiries through the social platform.
At the time of writing, nearly 100 accounts affected by this strange incident were known. Most of the erroneous messages showed a balance of Rs 130 million, although the amounts displayed varied between the different users affected.
In an update published a few hours later, a bank representative confirmed that everything was due to a technical failure during routine maintenance of the bank’s computer systems, completely ruling out the cyberattack hypothesis that hundreds of customers had feared.
Bank employees took additional measures, such as temporarily blocking the affected accounts: “There was no money deposited in these accounts, but to be sure, we restricted movements until the problem was fixed,” the spokesperson added.
By Monday morning, the bank had already reinstated restricted features for 80% of affected users. HDFC Bank will publish a supplementary report once the investigations are concluded.
The post Black Cat ransomware shuts down Austria’s passport and transport departments after encrypting 3,000 computers appeared first on Information Security Newspaper | Hacking News.
Local authorities have already confirmed that they do not plan to negotiate with the hackers or pay any ransom, as there is no evidence that the information was exposed before encryption. Local government IT teams will conduct a recovery process using their backup resources.
The incident had an impact on the systems for government procedures. Gerd Kurath, Carinthia’s press chief, said: “We believe that, of the 3,000 workstations affected, at least half will be available again this Friday. Until then, no new passports can be issued or traffic fines paid.”
In addition to the passport and fine system, the attack had an impact on state email servers and the main local government website, which could be out of service until next week. Another system affected by the infection is the COVID-19 positive case tracking service.
Carinthia authorities have decided not to share further information on the incident, so details like the ransom amount demanded by hackers or the amount of supposedly exposed data are still unknown.
The local police concluded their report by assuring that they will continue to work with the national authorities to determine the causes of the incident and implement the necessary security mechanisms to prevent new incidents in the future.
Since 2021, ransomware has become one of the biggest cybersecurity concerns for countries in Europe, especially for members of the European Union. Just a few days ago, the Killnet ransomware operation launched a series of powerful attacks against public systems in Italy and Germany, attracting the attention of researchers, law enforcement agencies, and even groups like Anonymous.
The post How hackers took control of 100 email accounts of employees of RT and other Russian organizations for cyber spying purposes? appeared first on Information Security Newspaper | Hacking News.
After extensive sample collection, analysis and follow-up, experts uncovered some details about this RAT. While these phishing campaigns have not been attributed to a specific threat actor, all indications are that the operation is run by a Chinese Advanced Persistent Threat (APT) group.
As mentioned initially, hackers deployed four malicious email campaigns since the end of February, working simultaneously and using various lures to attract unsuspecting users.
Below, we’ll briefly review the features of each phishing attack based on evidence collected by Malwarebytes.
Hackers began distributing the RAT in a file identified as interactive_map_UA.exe, an alleged interactive map of Ukraine. The malware distribution started a few days after Russia invaded Ukraine, indicating that hackers tried to exploit the international conflict.
Another of the detected campaigns uses a fake update that supposedly fixes the Log4Shell vulnerability, delivered as a tar file named Patch_Log4j.tar.gz. Reports of these emails began in March, and they targeted at least 100 employees of RT TV, a media network funded by Russia’s government.
The messages appear to be sent by the Russian state defense conglomerate Rostec and include various images and PDFs to make them look less suspicious.
The attached PDF, named О кибербезопасности 3.1.2022.pdf, contains instructions on how to run the fake patch, plus a bullet list with supposed safety tips.
Among these recommendations, hackers even added a link to VirusTotal announcing that the file has not been identified as malicious by any antivirus engine.
The message also includes links to the rostec.digital website, registered by the threat actors and designed to resemble Rostec’s actual site. Interestingly, the fraudulent website was registered in mid-2021, months before the Russian invasion of Ukraine began.
Hackers again use Rostec’s image in the third campaign, distributing a malicious file named build_rosteh4.exe.
The latest detected campaign uses a Word document containing an alleged job offer at state oil company Saudi Aramco. The attack involves a self-extracting file using the Jitsi icon and creating a directory identified as Aramco in C:\ProgramData.
The document, written in English, includes a message in Russian asking the user to enable macros on their device.
Remote template injection then downloads a template containing a macro, which drops a VBS script named HelpCenterUpdater.vbs into the %USER%\Documents\AdobeHelpCenter directory. The template also checks for the existence of %USER%\Documents\D5yrqBxW.txt; provided that file exists, the script is dropped and executed.
The HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload, a DLL called GE40BRmRLP.dll, from its C&C server. A related variant of the script, which appears to share code with this one, delivers an EXE instead of a DLL.
The UpdateRunner.vbs script is responsible for running the DLL through rundll32.exe.
The malicious DLL contains the code that communicates with the C&C server and executes the received commands.
The campaign is still active and apparently successful, although many details remain unknown and it is difficult to say what specific goals the attackers are pursuing. Malwarebytes has committed to keep monitoring this campaign and the malware the hackers use.
The post Popular Python package ctx Python and PHP library were compromised and injected with a backdoor appeared first on Information Security Newspaper | Hacking News.
As reported just a few hours ago, the package received an update, version v0.2.6, which attracted attention because ctx had not been updated in eight years.
After the update appeared in the GitHub repository, researchers began analyzing the code and found that it had been modified.
The added code runs whenever a ctx dictionary object is created: all of the process’s environment variables are sent to the URL of a Heroku application under the attackers’ control.
Experts consider this a clear sign that the current version of the package has been manipulated for malicious purposes and should not be used.
Other versions of a ‘phpass’ fork, published in the Packagist repository, were also manipulated to add this malicious code. PHPass has reportedly been downloaded about 2.5 million times.
According to security researcher Somdev Sangwan, the insertion of this backdoor could be aimed at extracting access credentials for Amazon Web Services (AWS).
The malicious version was released on May 14, so users who installed the package before that date are employing the original version (v0.1.2) and will not be affected by this issue. On the other hand, any installation of ctx Python after May 14 could include malicious code.
About the attack method, specialists mention that the domain name of the original maintainers of ctx Python expired, which would have allowed the attackers to register it again and take control of this package, adding the malicious payload for later distribution.
The official page of the ctx Python project in PyPI has been removed, showing the error ‘Not Found’ to visitors.
The post Personal data of MGM Resorts customers leaked on Telegram for free. 142 million records exposed appeared first on Information Security Newspaper | Hacking News.
This information appears to have been taken from earlier data breach incidents, specifically two breaches detected a couple of years ago: 10 million records posted on a hacking forum in 2020 and 142 million more exposed months later are now available together on the messaging platform.
The compromised records date back to 2017 and include sensitive personal details.
As in any leak of this kind, threat actors could use the compromised information for phishing campaigns, SIM swapping, identity fraud and other attacks against the millions of affected customers. In addition, cybercriminals can easily identify older adults, who are especially vulnerable to these types of attacks.
However, because the exposed data does not appear to be current, the security risk is reduced. At the time of the original leaks this data was on sale for at least $2,900 USD; that it is now available for free seems to confirm that the information holds no value or interest for hacking groups.
Although the risk is considered low, MGM customers are advised to take steps to prevent attacks: resetting passwords on their online platforms, enabling multi-factor authentication and ignoring suspicious emails or phone calls are the recommended measures.
The post Hackers steal $1 million USD from Razorpay appeared first on Information Security Newspaper | Hacking News.
Razorpay Software Private Limited provides online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and even cryptocurrency wallets.
The malicious activity was detected when a team at Razorpay Software Private Limited was auditing the transactions. Company employees were unable to reconcile transaction files with funds in enterprise accounts.
Abhishek Abhinav Anand, in charge of legal disputes and legislative compliance at Razorpay, filed a complaint with the southeast Indian cybercrime unit earlier this week.
Authorities are trying to identify the hacker or group responsible for the attack based on the recorded online transactions. Meanwhile, Razorpay also ordered an internal investigation, which revealed that the attacker compromised and manipulated the transaction authorization process: as a result, the threat actor approved a total of 831 failed transactions, causing losses of around $1 million.
Razorpay shared with law enforcement detailed information about these 831 illegitimate transactions, including date, time and IP address.