Slack has notified roughly 0.5% of its users that it reset their passwords after fixing a bug that exposed salted password hashes when creating or revoking shared invitation links for workspaces.

Reported by BleepingComputer, Slack said “when a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members.”

“Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”

An independent security researcher disclosed the bug to Slack on 17th July. The issue affected all users who created or revoked shared invitations between April 17th 2017 and July 17th 2022.

The hashed passwords were not visible in Slack clients; reaching the exposed data would have required actively monitoring encrypted network traffic from Slack’s servers.

The company added that it has no reason to believe that the bug was used to gain access to plaintext passwords before it was fixed.

Slack said on Thursday: “We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue.”

“However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.”

Slack added in the security notices sent to affected users that hashed passwords could still be reversed via brute force.

The company warned: “Hashed passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected.”

Slack has more than 169,000 paying customers from over 150 countries.

The post Slack Resets Passwords After Hashes Exposed When Invitations Shared appeared first on IT Security Guru.

According to a confidential United Nations (UN) report seen by Reuters on Thursday, North Korea stole hundreds of millions of dollars worth of crypto assets in at least one major hack.

Also, the document allegedly suggests that the US previously accused North Korea of carrying out cyber-attacks to fund its nuclear and missile programs.

The document stated: “Other cyber activity focusing on stealing information and more traditional means of obtaining information and materials of value to [Democratic People’s Republic of Korea]’s prohibited programs, including […] weapons of mass destruction, continued.”

Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, said “the latest report from the United Nations on North Korean nuclear tests should sound the klaxon of alarm for Western businesses, especially as it specifically mentions cyber-attacks being a key source of funding.

Looking at data gathered by Venafi in June, Bocek says that it is evident that the proceeds of cyber-criminal activities from groups such as Lazarus and APT38 are being used to circumvent international sanctions in North Korea.

“This money is being funnelled directly into weapons programs. And because developing nuclear weapons is expensive, especially in the face of rising inflation and the cryptocurrency crash, companies should be on high alert that the DPRK will be looking to cash in now and help feed their weapons programs and fund ongoing weapon development.”

Code signing machine identities are also a key component of North Korean nation-state attacks, according to the executive.

“While the latest UN report is an important step in broadcasting this issue to the world, we still need to see governments and businesses act together and share intelligence on these attacks. This will be key to building knowledge on the importance of machine identities in security. If not, we’ll continue to see North Korean threat actors thrive.”

The post North Korea Allegedly Stole Millions of Dollars Worth of Crypto Assets appeared first on IT Security Guru.

Research by cybersecurity firm Akamai shows that cyberattacks in the gaming sector have increased by 167% in the last year.

The report, titled Gaming Respawned, found that the US is the main target for attackers, followed by Switzerland, India, Japan, and the UK, alongside other European and Asian countries.

The report also claimed that gaming is the industry hit most often by distributed denial-of-service (DDoS) attacks globally. Akamai estimate that the sector accounts for 35% of DDoS traffic worldwide.

Jonathan Singer, Akamai’s senior strategist for the media and entertainment industries, explained that “as gaming activity has increased and evolved, so has the value of disrupting it through cyber-attacks.”

“Cyber-criminals typically disrupt live services and co-opt credentials to steal gaming assets. Also, with the industry’s expansion into the cloud, new threat surfaces have opened up for attackers by bringing in new players who are prime targets for bad actors.”

Akamai have uncovered key trends since their last report.

One of these trends relates to the fact that the industry shows no signs of slowing down after the boost that COVID-19 lockdowns and social distancing gave to gaming.

Another trend is that cybercriminals have continued targeting gamers and game platforms, with web application attacks having more than doubled over the past year. These attacks rely on three key vectors: local file inclusion (LFI), SQL injection (SQLi) and cross-site scripting (XSS). Ransomware and DDoS continue to be large threats.

Unsurprisingly, perhaps, the game industry’s overall attack surface seems to be growing alongside the continued growth of cloud gaming.

Microtransactions within games represent a huge draw for criminals who can capitalise on the spending power of gamers, as well as the fungible nature of virtual assets.

“Cyber-criminals know there is value in gaming, and they will continue to invent ways of getting it or exploiting the flow of virtual funds.”

The post Gaming Cyberattacks Increase by 167% in Last Year appeared first on IT Security Guru.

Law enforcement in Ukraine claim to have dismantled a large bot farm used by the Russian special services to spread disinformation and propaganda within the country.

The Secret Service of Ukraine (SSU) said that an audience of over 400,000 Ukrainians was receiving misinformation from the million-strong bot farm. It claims that the content was used to “spin destabilising content” about the country’s military and political leadership.

The content included fake news regarding the situation at the front, a campaign to discredit the first lady, and an alleged conflict between the President’s Office and the commander-in-chief of Ukraine’s armed forces.

A Russian citizen and ‘political expert’ based in Kyiv was unmasked as the leader of the operation. Equipment based in Kyiv, Kharkiv and Vinnytsia was used to automate the management of a large number of bot accounts across social media.

The setup included 5,000 SIM cards used to register new accounts, as well as 200 proxy servers used to spoof IP addresses and circumvent internet blocks.

Acting head of the SSU, Vasyl Malyuk, said “today, the information front is no less important than military operations. And Russia understands this very well – that’s why they throw such massive resources to divide Ukrainian society. Bot farms, pseudo-experts, information and psychological operations, enforcing pro-Russian messages – all this is in the enemy’s arsenal.”

“The adversary tries to use any opportunity to fuel internal strife or manipulate public opinion. Unfortunately, consciously or unconsciously, some Ukrainian political forces play along with the enemy and put their own ambitions above state interests. However, we are countering these destructive activities.”

In total, since the beginning of the invasion, Ukraine claims to have “neutralised” 1200 cyber-incidents and cyberattacks on government and strategic critical infrastructure.

Despite this, Russian propaganda efforts persist, both inside Ukraine and among the wider public.

The post Ukrainian Law Enforcement Shut Down Large Russian Bot Farm appeared first on IT Security Guru.

The former owner of a T-Mobile store has been found guilty of a multimillion-dollar scheme to illegally unlock and unblock mobile devices.

Argishti Khudaverdyan, 44, from Burbank, was found guilty of 14 federal charges including wire fraud, money laundering, intentionally accessing a computer without authorisation to obtain information, accessing a computer to defraud and obtain value, and aggravated identity theft.

From August 2014 to June 2019, Khudaverdyan fraudulently unlocked and unblocked devices on T-Mobile, AT&T, and Sprint networks. This enabled phones to be sold on the black market, according to the Department of Justice.

Khudaverdyan also ran Top Tier Solutions, a T-Mobile store based in Eagle Rock, from January to June 2017. He continued with the fraud scheme after his contract was terminated due to suspicious behaviour.

The scheme was enabled by phishing for T-Mobile employee log-ins or socially engineering the firm’s IT help desk to gain access to T-Mobile’s internal computer systems.

He’s also said to have worked with individuals in overseas call centres to obtain employee credentials which he then used to access systems and harvest information on more senior staff. This information could be used with the help desk to reset passwords and provide privileged access.

The accounts of over 50 different T-Mobile USA employees were compromised by Khudaverdyan and his co-conspirators. The group made $25m in the process.

The unlocking services were advertised as ‘legitimate’ T-Mobile unlocks via brokers, websites such as “unlocks247.com”, and email advertising.

Mobile devices are “locked” to a particular network until a contract is completed. Others are blocked if they are stolen or lost.

The post T-Mobile Retailer Found Guilty of $25m Fraud Scheme appeared first on IT Security Guru.

Football fans have been warned to exercise caution when shopping online after it emerged that fraudsters are increasingly taking to social media to sell non-existent tickets for events.

Lloyds Bank data revealed that incidents surged between January and June 2022, with an average loss of £410 per victim.

Tickets for the top six English clubs plus internationals and European games are the most sought after and therefore most at risk of scams similar to these. For cup finals, some victims have lost thousands of pounds on fake tickets.

The fear is the fraudsters will double down on these tactics as the new Premier League season gets underway in the UK this coming weekend.

The scammers typically advertise on social media, often accompanied by a fake image, and then request payment via bank transfer. Victims have no fraud protection for payments made via BACS.

Tickets for concerts and other sold-out events are targets for scammers too. Lloyds Bank said that fraud cases involving concert tickets have risen by 72% so far in 2022.

Lead security awareness advocate at KnowBe4, Javvad Malik, warned that consumers should be wary if a deal appears too good to be true (because it usually is).

He said, “while it can be tempting to buy tickets from touts or other unauthorized channels, people should always do their due diligence as to what kind of website or individual they are making purchases from.”

“In particular, they should look out for red flags such as pushy sales techniques, limited offers, heavily discounted prices, or payments requested through unconventional channels such as through bank transfers.”

CEO of CyberSmart, Jamie Akhtar, said that football and concert tickets have been popular targets for years.

“If you do find yourself buying on the reseller market, stick to licensed ticket resellers and avoid buying from strangers on social media,” he advised. “For every legitimate fan selling a ticket, there will be dozens of fraudsters looking to make a quick buck or steal your financial details.”

The post Increase in Fake Tickets Being Sold by Cybercriminals on Social Media appeared first on IT Security Guru.

Security researchers in the UK warn of potentially malicious efforts to alter the result of the upcoming Conservative Party leadership election.

The next Prime Minister of the country will be decided by around 160,000 party members when they decide between current foreign secretary Liz Truss and former chancellor Rishi Sunak.

The National Cyber Security Centre (NCSC), part of the spy agency GCHQ, was forced to alert the party that the voting system for members could be hijacked by hackers.

Party members are able to vote online or by post. However, a loophole in the system meant that they, or potentially a more malicious third party, could have changed online votes after they had been cast.

After the NCSC’s intervention, each member now receives a unique code that is deactivated once the online ballot is cast, so that it is impossible to re-enter the voting site after voting.

An NCSC statement seen by The Guardian noted that, “defending UK democratic and electoral processes is a priority for the NCSC and we work closely with all parliamentary political parties, local authorities and MPs to provide cybersecurity guidance and support.”

“As you would expect from the UK’s national cybersecurity authority we provided advice to the Conservative Party on security considerations for online leadership voting.”

In 2017, GCHQ warned lawmakers of the prospect of Russian state hackers interfering in UK elections.

It’s unclear why the Conservative Party decided to break with the precedent of not allowing online voting, given the extra security risks presented by digitalising the process.

The post Conservative Party Leadership Election Warned of Potentially Malicious Efforts to Alter the Result of Upcoming Election appeared first on IT Security Guru.

Several government websites in Taiwan suffered intermittent outages due to multiple distributed denial of service (DDoS) attacks yesterday following the arrival of senior US lawmaker, Nancy Pelosi.

The visit has angered Beijing, which claims Taiwan as its own.

Pelosi reportedly met the Taiwanese President Tsai Ing-wen and reiterated Washington’s support for the democratic island nation, with a population of 24 million.

Simultaneously, reports suggested the websites of Taiwan’s presidential office, foreign ministry and other government portals were briefly knocked offline after being flooded with traffic.

In a statement seen by Reuters, the foreign ministry claimed that the websites of the ministry and the presidential office were hit with up to 8.5 million traffic requests per minute from a “large number of IPs from China, Russia and other places.”

In a separate statement on Facebook, a Tsai spokesperson said that the attack had funnelled 200 times more traffic than usual to the site. The site was reportedly back up and running just 20 minutes later.

The scale of the attacks suggests that patriotic hacktivists, rather than Chinese state hackers, are behind the raids.

Casey Ellis, founder and CTO of Bugcrowd, said “while the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it’s not a tool they are known to deploy.”

“China has an enormous population of very clever technologists, a large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.”

Chinese president Xi Jinping has stirred up nationalist feeling in the country since coming to power in 2021, in a bid to cement the rule of the Communist Party and continue China’s ascent.

These efforts are aided by online censorship measures, leaving only pro-party and nationalist rhetoric standing.

The post Taiwan Hit By Multiple DDoS Attacks Following Arrival of Pelosi appeared first on IT Security Guru.

Cybersecurity firm Volexity spotted new activity from a threat actor (TA) allegedly associated with North Korea and deploying malicious extensions on Chromium-based web browsers.

The threat actor is tracked as SharpTongue by Volexity’s researchers, although it is publicly referred to under the name Kimsuky.

The researchers frequently observed the TA targeting individuals working for organisations in the US, Europe and South Korea.

The TA would reportedly victimise individuals and companies who work on topics including weapons systems, North Korea, nuclear issues, and other matters of strategic interest to North Korea.

The new advisory also clarifies that in September 2021 Volexity began observing an undocumented malware family used by SharpTongue dubbed “SHARPEXT”.

The advisory explains that “SHARPEXT differs from previously documented extensions used by the “Kimsuky” actor, in that it does not try to steal usernames and passwords.”

“Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it.”

Volexity explains that the extension, since its discovery, has evolved and is currently at version 3.0 based on the internal versioning system.

The first versions of SHARPEXT investigated by Volexity only supported Google Chrome, while the latest version supports Chrome, Whale and Edge.

To deploy the malware, attackers first manually exfiltrate from the infected workstation the files required to install the extension. SHARPEXT is then manually installed by an attacker-written VBS script.

This is the first time Volexity observed malicious browser extensions as part of the post-exploitation phase of a compromise.

The researchers explained that “by stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging.”

To detect and investigate such attacks, Volexity recommend enabling PowerShell ScriptBlock logging and analysing its results, and regularly reviewing the installed extensions on the machines of high-risk users.

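One way to make that extension review repeatable is the added PowerShell example below (not Volexity’s code, nor any browser vendor’s tooling). It inventories the extensions registered in each user’s Chromium profile preference files, flags any loaded from a path outside the browser’s managed extension folder, and checks whether the ScriptBlock logging policy is set; the Whale profile path and the `extensions.settings` layout of the preference files are assumptions, while the Chrome and Edge paths and the policy registry key are the standard ones.

```powershell
# Added example, not from Volexity or the browser vendors: list extensions from
# Chromium preference files for every local user, flag sideloaded ones and
# check the PowerShell ScriptBlock logging policy. Assumed: Whale's profile
# path and the extensions.settings layout inside Preferences/Secure Preferences.
$BrowserRoots = @{
    'Chrome' = 'AppData\Local\Google\Chrome\User Data'
    'Edge'   = 'AppData\Local\Microsoft\Edge\User Data'
    'Whale'  = 'AppData\Local\Naver\Naver Whale\User Data'   # assumed location
}

function Get-ChromiumExtensionInventory {
    [CmdletBinding()]
    param([string]$UsersRoot = 'C:\Users')

    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($browser in $BrowserRoots.Keys) {
            $userData = Join-Path $userDir.FullName $BrowserRoots[$browser]
            if (-not (Test-Path -LiteralPath $userData)) { continue }

            # Each profile (Default, Profile 1, ...) keeps its own preference files
            $prefFiles = Get-ChildItem -Path $userData -Recurse -Depth 1 -Include 'Preferences','Secure Preferences' -File -ErrorAction SilentlyContinue
            foreach ($pf in $prefFiles) {
                try { $prefs = Get-Content -LiteralPath $pf.FullName -Raw | ConvertFrom-Json }
                catch { Write-Verbose "Unreadable preference file: $($pf.FullName)"; continue }
                $settings = $prefs.extensions.settings        # assumed key layout
                if ($null -eq $settings) { continue }

                foreach ($entry in $settings.PSObject.Properties) {
                    $ext = $entry.Value
                    # Store-installed extensions record a relative "<id>\<version>" path;
                    # an absolute path means the extension was loaded from elsewhere on disk.
                    $sideloaded = [bool]($ext.path -and [System.IO.Path]::IsPathRooted($ext.path))
                    [pscustomobject]@{
                        User        = $userDir.Name
                        Browser     = $browser
                        Profile     = $pf.Directory.Name
                        ExtensionId = $entry.Name
                        Name        = $ext.manifest.name
                        Version     = $ext.manifest.version
                        Path        = $ext.path
                        Sideloaded  = $sideloaded
                        Permissions = ($ext.manifest.permissions -join ',')
                    }
                }
            }
        }
    }
}

function Test-ScriptBlockLoggingEnabled {
    # Group Policy location for "Turn on PowerShell Script Block Logging"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.EnableScriptBlockLogging -eq 1)
}

if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'PowerShell ScriptBlock logging policy is not enabled on this host.'
}
Get-ChromiumExtensionInventory |
    Sort-Object User, Browser |
    Format-Table User, Browser, Profile, Name, Version, Sideloaded, Path -AutoSize
```

Run it elevated so that every user profile is readable, and treat any row with Sideloaded set to True, or an extension name nobody recognises, as a candidate for closer investigation.
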
The post North Korean Hackers Use Malicious Extensions on Chromium-based Web Browsers to Spy on User Accounts appeared first on IT Security Guru.

A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by child sex offenders and domestic violence perpetrators.

Jacob Wayne John Keen, from Melbourne, is said to have created the remote access trojan (RAT) when he was 15, and to have worked as an administrator for the tool from 2013 until it was shut down by the authorities in 2019.

The Australian Federal Police (AFP) alleged in a press release over the weekend that: “The Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.”

The defendant faces six counts of committing a computer offence by developing and supplying the malware, as well as profiting from its illegal sale.

A 42-year-old woman, who lives in the same house as the accused (and has been identified by The Guardian as the accused’s mother), has been charged with “dealing with the proceeds of crime.”

The AFP said the investigation, codenamed Cepheus, was set in motion in 2017 when it received information about a “suspicious RAT” from cybersecurity firm Palo Alto Networks and the US FBI.

The operation, which saw 85 search warrants executed globally in collaboration with several European law enforcement agencies, culminated in the seizure of 434 devices and the arrest of 13 people for using the malware for illicit purposes.

No fewer than 201 individuals obtained the RAT in Australia alone.

Imminent Monitor, distributed via emails and text messages, came with capabilities to quietly log keystrokes and record from the devices’ webcams and microphones, making it an effective tool for covertly keeping tabs on targets.

The surveillanceware was sold for about AUS$35 on an underground hacking forum. The operator is said to have made between $300,000 and $400,000.

If proven guilty, the individual faces a maximum of 20 years imprisonment.

The AFP commander of cybercrime operations, Chris Goldsmid, said “these types of malware are so nefarious because it can provide an offender virtual access to a victim’s bedroom or home without their knowledge.”

“Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes.”

The post Australian Man Charged With Purported Role in Creation and Sale of Spyware Used by Domestic Violence Perpetrators appeared first on IT Security Guru.