Twitch blames server error for massive data leak

Livestreaming site Twitch says an “error” caused the unprecedented leak that posted vast amounts of sensitive data online this week. Twitch now says the breach was caused by a “server configuration change” that “exposed” some data that was “subsequently accessed by a malicious third party”. The Amazon-owned company has not confirmed whether all the data posted online is genuine. What the company has also not said is when this mistake was made. As we reported yesterday, some of the stolen data goes back three years, so there is a chance the servers could have been sitting ducks for some time – or the mistake could have left the door open for only a few days or weeks.

(BBC News)

Intel’s €80bn European chip plant investment plan not bound for UK because of Brexit

Intel CEO Pat Gelsinger told the BBC that the hardware giant would have considered the UK as a site for a new chip factory before it took the decision to leave the European Union. Earlier this year, Gelsinger said the company was looking to invest up to €80bn in semiconductor fabrication in Europe to increase capacity over the next decade, although it would be seeking government subsidies “to make it competitive for us to do it here compared to in Asia.” In the meantime, Gelsinger said semiconductor supply constraints – which have hit production in both computer and automotive industries – were set to carry on into the end of the year.

(The Register)

FIN12 hits healthcare with quick and focused ransomware attacks

FIN12 is a prolific threat actor with a strong focus on making money quickly. While most ransomware actors spend time on data exfiltration, this group favors quick malware deployment against sensitive, high-value targets, executing a file-encrypting payload on the target network, most often Ryuk ransomware. This allows the group to execute attacks in less than two days from the initial compromise to the file encryption stage. A profile of the group published yesterday by cybersecurity company Mandiant shows that many FIN12 victims are in the healthcare sector. FIN12 is believed to be a group of Russian-speaking individuals that may be located in the Commonwealth of Independent States (CIS) region.

(Bleeping Computer)

Unpatched Dahua cams vulnerable to unauthenticated remote access

The authentication bypass flaws affecting these cameras are remotely exploitable during the login process by sending specially crafted data packets to the target device. The list of affected models is extensive and covers many Dahua cameras, even some thermal ones. Bleeping Computer has searched on Shodan and found over 1.2 million Dahua systems around the world. Dahua Technology is banned from doing business and selling products in the United States, as the Chinese surveillance camera vendor was added to the U.S. Department of Commerce’s ‘Entity List’ back in October 2019. However, there are still tens of thousands of Dahua cameras actively used in the country. As a recent report from The Intercept details, many cameras sold in the U.S. under American or Canadian branding are, in fact, using Dahua hardware and even software.

(Bleeping Computer)

Thanks to our episode sponsor, Votiro

Your users need to accept and open files to do their jobs. Keep them safe and productive with Votiro. With Votiro, your users can download and use any file instantly, from PDF to Autodesk CAD, with malicious code already removed—and full file usability intact. The signatureless, agentless file sanitization process happens in milliseconds without user friction. Visit Votiro.com and learn why millions of users trust Votiro to disarm billions of files each year.

New Android malware ‘TangleBot’ phishing users via Covid-19 vaccine lures

Security researchers from Proofpoint recently uncovered a new mobile malware, distributed via SMS, targeting Android users in the U.S. and Canada. Tracked as TangleBot, the malware is designed to infect Android devices and steal sensitive information stored on them. The researchers stated the threat actors distributed TangleBot malware via multiple phishing SMS messages related to COVID-19 vaccine updates or a potential power outage. Attackers placed malicious URLs within the text messages, which, when clicked, redirect the victims to hacker-operated sources to install the malware.

(CISO Magazine)

Iranian hackers abuse DropBox in cyberattacks against aerospace and telecom firms

Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations’ infrastructure, and technology while remaining in the dark and successfully evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks “Operation Ghostshell,” pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that’s deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach.

(The Hacker News)

Ransomware hackers find vulnerable target in US grain supply

A third U.S. grain distributor has been infected with ransomware, raising concerns that hackers have found an easy target in a vital part of the US food supply chain. The largest of the three known victims, New Cooperative in Iowa, is still working to restore automated systems after being hacked in September. Crystal Valley in Minnesota was hit shortly afterwards, and now Farmers Cooperative Company, also in Iowa, has been hit, although it is declining comment, citing advice from the company’s lawyers. CISA representatives suggest that these three attacks do not represent a dedicated assault on the agricultural industry, but rather the outcome of opportunistic hackers exploiting whatever victims they could. But Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future, suggests there may be others that have been attacked but who have not yet come forward.

(NBC News)

Resecurity researchers dumped gigabytes of data from Agent Tesla

Los Angeles-based Resecurity drained the Command & Control (C2) servers of the popular “malware-as-a-service” Remote Access Trojan tool Agent Tesla and extracted over 950GB of logs containing compromised Internet users’ credentials, files and other sensitive information that it had stolen through its malicious code. The data extraction was made possible through a collaboration with law enforcement and several ISPs in the European Union, Middle East and North America. The majority of intercepted credentials related to financial services, online retailers, e-government systems and personal and business e-mail accounts in countries all over the world.

(Security Affairs)