cRyPtHoN™ INFOSEC (EN)

Channel address: @crypthon_infosec_en
Categories: Cryptocurrencies
Language: English
Subscribers: 3.56K
Description from channel

Latest news of INFOSEC (EN)
1. Latest Vulnerability.
2. Latest Patch.
3. Privacy Breach.
4. Security Breach.
5. InfoSec News.
German Version 🇩🇪
@cRyPtHoN_INFOSEC_DE
France Version 🇫🇷
@cRyPtHoN_INFOSEC_FR
Italian Version 🇮🇹
@cRyPtHoN_INFOSEC_IT

The latest Messages

2022-05-19 12:14:59
PA: Ransomware group claims to have hit Mercyhurst University.

You may need to add Mercyhurst University in Pennsylvania to any list of post-secondary educational entities hit by ransomware.

SuspectFile notes that the university has not confirmed any breach and LockBit has not posted any proof (yet?). But SuspectFile notes the irony that one month after one of the university’s four colleges participated in Cyber Impact 2022 and patted themselves on the back for their work in cybersecurity, the university seems to have been hit.

As of this morning, there is no statement on the university’s website or Twitter account about any breach. LockBit’s listing claims that it will publish “all data” (which they claim is 300 GB) in a little more than 5 days from now.

https://www.databreaches.net/pa-ransomware-group-claims-to-have-hit-mercyhurst-university/

@cRyPtHoN_INFOSEC_IT
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
2022-05-19 12:10:25
Hackers Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility.

Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems.

The intrusions, which leverage brute-force attacks as an initial compromise vector, stand out for their use of the utility "sqlps.exe," the tech giant said in a series of tweets.

The ultimate goals of the campaign are unknown, as is the identity of the threat actor staging it. Microsoft is tracking the malware under the name "SuspSQLUsage."

The sqlps.exe utility, which comes by default with all versions of SQL Servers, enables an SQL Agent — a Windows service to run scheduled tasks — to run jobs using the PowerShell subsystem.

https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html

2022-05-19 12:08:59
Data of 22.5 million Malaysians born 1940-2004 allegedly being sold for US$10k.

PETALING JAYA (THE STAR/ASIA NEWS NETWORK) - An alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD), has once again put the country's data security measures in the spotlight.

Local tech portal Amanz reported that the database, 160GB in size, is being sold for US$10,000 (S$13,846) on the dark web.

In the screenshot shared by the portal, the seller claimed that this is an expanded database compared to the one he sold in September last year, which was only up to 1998.

https://www.straitstimes.com/asia/se-asia/data-of-225-million-malaysians-born-1940-2004-allegedly-being-sold-for-us10k

2022-05-19 11:58:59
Spanish police dismantle phishing gang that emptied bank accounts.

The Spanish police have announced the arrest of 13 people and the launch of investigations on another seven for their participation in a phishing ring that stole online bank credentials.

The threat actors used phishing lures to trick their victims into believing they received an alert from their bank and proceeded to steal their account credentials.

Having access to banking accounts, the adversaries used their victims' money to make online purchases, direct transfers to "money mule" accounts, or request personal loans.

The police say the threat actors stole at least 443,600 Euros ($466,000) from approximately 146 victims as part of these phishing attacks.

https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-gang-that-emptied-bank-accounts/

2022-05-19 11:57:03
Total Commander forced to stop letting you install APKs

The dev took action following a Play Store policy complaint

One of the handiest features on Android that sets it apart from the mobile competition is the ability to install apps from outside the Play Store. APK installation is why you can still play Fortnite — even as Epic's legal battle with Google continues — and it's how you can skip the wait for automatic updates to bring the latest features to your favorite apps. Unfortunately, one of Android's most trusted file browsers has removed the ability to install APK files after receiving takedown warnings from Google.

Total Commander has been around since the 90s, eventually expanding into Android after the platform launched over a decade ago.

https://www.androidpolice.com/total-commander-apk-installation-block/

2022-05-19 11:49:22
Your snoozing iOS 15 iPhone may actually be sleeping with one antenna open.

No, you're not really gonna be hacked. But you may be surprised

Some research into the potentially exploitable low-power state of iPhones has sparked headlines this week.

While pretty much no one is going to utilize the study's findings to attack Apple users in any meaningful way, and only the most high-profile targets may find themselves troubled by all this, it at least provides some insight into what exactly your iOS handheld is up to when it's seemingly off or asleep. Or none of this is news to you. We'll see.

According to the research, an Apple iPhone that goes asleep into low-power mode or is turned off isn't necessarily protected against surveillance. That's because some parts of it are still operating at low power.

https://www.theregister.com/2022/05/19/apple-iphone-malware/

2022-05-19 11:46:12
Personal Information of Nearly Two Million Texans Exposed.

The personal information of nearly two million Texans was exposed for nearly three years due to a programming issue at the Texas Department of Insurance (TDI).

The department revealed that details of 1.8 million workers who have filed compensation claims were publicly available online from March 2019 to January 2022 in a state audit report published last week. This included Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries.

In a public notice on March 24, the TDI said it first became aware of a security issue with a TDI web application that manages workers’ compensation information on January 4 2022. This issue enabled members of the public to access a protected part of the online application.

https://www.infosecurity-magazine.com/news/personal-information-two-million/

2022-05-19 11:38:54
Pwn2Own hacking schedule released – Windows and Linux are top targets.

The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia.

(Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)

Numerous vendors have put forward monetary prizes for hacking various of their products, with this year’s potential targets being:

https://nakedsecurity.sophos.com/2022/05/18/pwn2own-hacking-schedule-released-windows-and-linux-are-top-targets/

2022-05-19 11:34:17
Ransomware Attackers Get Short Shrift From Zambian Central Bank.

Bank of Zambia refused to pay ransom to cyberattack group Hive

Hive attacks have become prolific since being detected in June

Zambia’s central bank said it refused to pay ransom to a group known as Hive that was behind a cybersecurity breach that caused minimal damage to its systems.

“All of our core systems are still up and running,” Greg Nsofu, information and communications technology director at the Bank of Zambia, told reporters in Lusaka, the capital. “Not much sensitive data has actually been shipped out.”

https://www.bloomberg.com/news/articles/2022-05-18/ransomware-attackers-get-short-shrift-from-zambian-central-bank

2022-05-19 11:31:14
Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver.

The Shadowserver Foundation has started scanning the internet for Kubernetes API servers and found roughly 380,000 that allow some form of access.

ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request has succeeded.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK”. This does not mean these servers are fully open or vulnerable to attacks, but Shadowserver believes they represent an “unnecessarily exposed attack surface” and this level of access was likely not intended.

https://www.securityweek.com/over-380000-kubernetes-api-servers-exposed-internet-shadowserver
