New leak of Epik data exposes company’s entire server
Anonymous has released what it claims to be new data from the controversial web hosting company Epik in a leak it is calling “The B Sides.” This is a follow-on from the breach of Epik earlier this month, and this time, it says it has leaked “several bootable disk images of assorted systems” in a roughly 70GB torrent file. A Texas-based hacker and cybersecurity expert with the handle WhiskeyNeon, who reviewed the file structure of the leak, told the Daily Dot how the disk images represented Epik’s entire server infrastructure, with all the programs and files required to host the application it is serving. The data includes API keys and plaintext login credentials for not only Epik’s system but for Coinbase, PayPal, and the company’s Twitter account.
New Azure AD bug lets hackers brute-force passwords without getting caught
“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday. The weakness resides in the Seamless Single Sign-On feature, which allows employees to sign in automatically, without entering a password, when using corporate devices connected to the enterprise network. Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behavior on July 21 as “by design.”
Contactless payment card hack affects Apple Pay, Visa
A team of researchers from the University of Birmingham and the University of Surrey, both in the United Kingdom, has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. If an iPhone is configured to use Apple Pay and a Visa card in “Express Transit” or “Express Travel” mode, an attacker can remotely steal money from the targeted individual without any authentication or authorization required — the attack works against locked iPhones. The feature was designed to enable users to quickly pay for rides on public transport networks without having to authorize with Face ID or Touch ID. Both Visa and Apple have been notified, and the researchers provided recommendations on how the attack could be mitigated, but neither company has released any patches. The companies believe this type of attack is impractical to execute at scale in the real world, and noted that attacks are made difficult by the multiple layers of security that are in place.
US Congress asks FBI to explain delay in helping Kaseya attack victims
Following up on a story we brought you on Monday, the House Committee on Oversight and Reform has requested a briefing to understand the rationale behind the FBI’s decision to delay providing the victims of the Kaseya REvil ransomware attack with a universal decryption key for three weeks. In a letter to FBI Director Christopher Wray, the committee stated that many businesses, schools, and hospitals lost money and time while trying to recover their data and restore impacted systems. Last week, Mr. Wray testified before Congress that the delay was because of a plan to disrupt the REvil ransomware gang without tipping them off.
Thanks to our episode sponsor, VMware
Hackers posed as Amnesty International, promising anti-spyware tool that actually collects passwords
Fraudsters are posing as human rights group Amnesty International to trick individuals into downloading malicious software, researchers at Cisco’s threat intelligence unit Talos report. The group used variations on the Amnesty name to advertise a demo for “Amnesty Anti Pegasus” software that could allegedly scan devices for the NSO Group spyware, which Amnesty itself has been hit by. The malware has a realistic-looking “Anti Pegasus” user interface, but is in fact Sarwent, malicious software that gives attackers a backdoor to a victim’s machine, letting them download and execute other malicious tools as well as exfiltrate data such as passwords.
New Tomiris backdoor found linked to hackers behind SolarWinds cyberattack
Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year’s SolarWinds supply chain attacks. Moscow-headquartered firm Kaspersky codenamed the malware “Tomiris,” calling out its similarities to another second-stage malware used during the campaign, SUNSHUTTLE (aka DarkHalo), targeting the IT management software provider’s Orion platform. The researchers pointed out it could also be a case of a false flag attack, wherein threat actors deliberately reproduce the tactics and techniques adopted by a known adversary in an attempt to mislead attribution.
UK gas shortage: Waze uses push notifications to track fuel stocks
Users of the app are receiving push notifications asking them to “help your community stay informed,” and the responses are being turned into live map data that shows which stations are open. While drivers appreciate the information, critics are suggesting the notifications are spurring panic buying and adding to the problem. “Fears of disruption to fuel supply have created bumper-to-bumper traffic at petrol stations,” Waze UK manager Ru Roberts said. The UK government, by contrast, maintains there is no national fuel shortage – and that any regional issues are simply a result of extreme demand.
Cybercriminals bypass 2FA and OTP with robocalling and Telegram bots
According to a new report from cybercrime intelligence firm Intel 471, the latest development in 2FA bypassing involves the use of robocalls with interactive messages that are meant to trick users into handing over their one-time passwords (OTPs) in real time, while attackers are trying to access their accounts. All of this is automated and controlled using Telegram-based bots, much like teams in organizations use Slack bots to automate workflows. At their core, these are social engineering attacks with a high level of automation.