Archive for April 30, 2021

Experts reported cyber attacks from the U.S. during the Navalny rallies in Russia

DDoS attacks were launched against official websites of the Ministry of Foreign Affairs, Ministry of Labor, Ministry of Economic Development, Prosecutor General's Office and The National Guard of the Russian Federation (Rosgvardiya).

Specialists at the National Coordinating Center for Computer Incidents (NCCI), established by order of the Federal Security Service (FSB), recorded a series of attacks on government portals during the unauthorized rallies in support of Alexei Navalny (founder of the Anti-Corruption Foundation, which the Ministry of Justice has entered in its register of organizations performing the functions of a foreign agent). This was announced by Nikolai Murashov, deputy director of the NCCI.

According to him, the official websites of the Russian Ministry of Foreign Affairs, the Ministry of Labor, the Ministry of Economic Development, the Prosecutor General's Office and Rosgvardiya were subjected to DDoS attacks. The attacks were carried out on different days but followed the same scenario. Murashov noted that they originated from US IP addresses.

Murashov added that attacks on web resources are also used for extremist purposes, citing the cyber attack on the portal of the Traffic Organization Center of Nizhny Novgorod.

"After gaining unauthorized access, the attackers posted on the resource a picture of Navalny and a text message stating that the attack was in support of him. The malicious activity was carried out from IP addresses in France and Germany," Murashov said.

More generally, Murashov noted "a significant increase in the number of malicious resources in foreign address space whose functioning was terminated in 2020," which he "associated with large-scale DDoS attacks on Russian information systems." In 2020, 68,420 large-scale cyber attacks on Russian Internet resources were reportedly stopped.

Murashov also commented on the allegations of Russian involvement in the SolarWinds hack.

He said the U.S. has not provided any information confirming that Russians were involved in the compromise of SolarWinds software.

"American colleagues do not bother to pass on any information that would make it possible to judge that particular Russian citizens were involved in these attacks," he said.

Murashov pointed out that international cooperation is important in this area. "All our appeals to the U.S. side for international cooperation to investigate such incidents still remain unanswered," he said.

Lloyds Bank Warns Britons of Phishing Scam That Could Drain Their Bank Accounts


Lloyds Bank has issued an urgent warning to Britons after many were targeted by a dangerous scam text message. The latest phishing campaign once again centres on text messages (smishing), as more and more people use their phones to manage their finances. The text reads: “LLOYDS-SECURITY: You have successfully scheduled a payment of £69.99 to payee MR ADAMS 28/04. If this was NOT you, visit:”

The link in the text message leads to a phishing website designed to harvest the personal details of unsuspecting individuals. Sites of this kind may also try to install malware on the victim's device to capture passwords and other sensitive information.

Lloyds Bank has now confirmed that the text, and others like it, are a scam that Britons should avoid. Taking to its social media account, the bank wrote: “This is indeed a scam message and hasn’t been sent by us. Please don’t click on the link and delete the message”. Individuals should also look out for spelling or grammar errors within messages, as these are often a sign of fraudulent correspondence.

Lloyds Bank will never ask customers to share account details such as user IDs, passwords or memorable information, nor will it ask for a PIN, card expiry date or Personal Security Number. Anyone asked to move money or transfer funds by someone claiming to be from Lloyds Bank can be assured the correspondence is a scam. People who receive such a text are strongly encouraged never to click the link and to delete the message on receipt. This is the best way to protect oneself and keep a guard up against cyber criminals looking to take advantage.

Several people have reported close brushes with this scam, which could financially devastate those who fall victim, so individuals are being warned to stay alert to such messages, which are currently circulating widely. Details stolen this way can go on to be used for identity fraud and to clear out a person’s bank account. In some cases banks will help a victim recoup the loss, but in others there may be nothing that can be done.

Data Breach at Digital Ocean Leaves Customer Billing Data Exposed


Digital Ocean, a cloud hosting provider, has informed some customers that their billing information may have been exposed after someone exploited a flaw in one of the company's internal databases.

US-based Digital Ocean, Inc. is a cloud computing provider headquartered in New York City with data centers around the world. It offers cloud services for developers that help them build and scale applications distributed across multiple machines.

Digital Ocean said in an email to customers that the unauthorized access took place between April 9 and April 22, 2021, but was only confirmed on April 26.

“An unauthorized user gained access to some of your billing account details through a flaw that has been fixed,” the company told customers. Digital Ocean says only a "small percentage" of its users were affected and that no action on their part is required.

The exposed billing information includes the customer's name, billing address, payment card expiry date, last four digits of the card number, and the name of the issuing bank. The company noted that full card numbers were not exposed because it does not store them.

“According to our logs approximately 1% of billing profiles were impacted,” Tyler Healy, VP of security at Digital Ocean, told SecurityWeek in an emailed statement. “This issue has been fixed and we have informed the impacted users and notified the relevant data protection authorities.”

Digital Ocean says more than one million developers from around the world use its platform.

Last year the company told customers that some of their information had been exposed after an internal document was accidentally published, although at the time it said the exposure was not the result of a malicious act.

The email at the time read: “Yesterday we learned that a Digital Ocean-owned document from 2018 was unintentionally made available via a public link. This document contained your email addresses and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018. After a detailed review by our security team, we identified it was accessed at least 5 times before the document was taken down.”

The company also said it would train its employees on protecting customer data, establish new protocols to warn everyone of possible exposures in a timelier manner, and make changes to prevent future data exposures.

Stop Tweeting, Says Click Studios: Phishers Use Breach Notification Information to Create New Lures


Click Studios, the Australian maker of the Passwordstate enterprise password manager, says that only a small percentage of its 29,000 customers were affected by a security breach in which a compromised update delivered malicious code.

In a new advisory posted on its website, Click Studios issued an update on its investigation into the breach, which took place between 8:33 p.m. Coordinated Universal Time (UTC) on April 20 and 12:30 a.m. UTC on April 23. Any customer who performed an in-place upgrade of the Passwordstate software during that window may have been compromised. It is unclear how Click Studios defines "affected" customers in this incident.

According to CSIS Security Group researchers, the compromised update was most likely only the first stage of a multi-stage malware attack. At least one customer downloaded the update, but the attack was stopped before any second-stage malware could be deployed. 

“The number of affected customers is still very low. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company stated. 

SC Media has contacted the company for additional details. While Click Studios has been notifying affected customers, it has also asked them to stop posting screenshots of the company's correspondence online, saying that the bad actor is "actively scanning social media" for information to use in future attacks. It says an email sent on Friday, April 23 confirming the breach and detailing possible remediation steps was repurposed and sent to some customers as a phishing email.

The phishing emails ask customers to download an "update" that is actually a modified version of the dynamic link library (DLL) used in the original attack; that DLL requested a malware payload from a content delivery network server not under the company's control. The server has since been taken down, according to Click Studios, and a copy of the payload has been retrieved for further analysis. Customers can spot a fake by checking for a sender domain suffix that does not match that of legitimate Click Studios emails, claims that an "urgent" update is required to correct a flaw in the previous patch, or links that direct the user to a subdomain to download the update.

In the aftermath of data breaches, companies are often criticized for a lack of accountability or for keeping customers in the dark about possible consequences. This incident highlights the other side of the coin: how bad actors can weaponize an organization's own post-breach communications. Building the latest lures to look like legitimate notification emails is a sophisticated social engineering tactic, exploiting Passwordstate users' anxiety about the previous breach to infect them with the same attack.

Inon Shkedy, a security researcher for Traceable stated, “What happened with the Click Studios disclosure seems like a new trend that companies should be aware of and shows us how phishing campaigns are becoming more and more sophisticated."

Chris Morales, chief information security officer at resolution intelligence company Netenrich, said Click Studios was following normal post-breach notification procedures and that some of the blame should fall on customers who posted their correspondence online without realizing the possible consequences. “The issue here isn't with the notification system. The people who got the message are the ones who are publicizing it on social media, even though there is supposed to be a time window to fix any problems before making it public,” Morales explained. “Of course, it would just exacerbate the situation.”

Others argued that companies should not be surprised to see letters they send users end up on the internet, and that responsibility for the effects of a breach should rest with the companies, not their customers.
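The two lures on this page share the same tells: the Lloyds text pairs an unexpected "payment" with an "if this was NOT you" link, and the repurposed Click Studios notification comes from a mismatched sender domain, insists an "urgent" update is needed, and points at a subdomain to download a DLL. The following added example (not code from Lloyds, Click Studios or the articles above) turns those indicators into a small triage routine. The allowlisted domains, sender addresses and message bodies are constructed placeholders, not the real organisations' domains, and the registrable-domain helper is deliberately naive (it does not know public suffixes such as co.uk).

```python
"""Heuristic triage of smishing/phishing lures of the kind described above.

Added example with constructed samples; LEGIT_DOMAINS are placeholder
assumptions standing in for an organisation's real sending domains.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the genuine bank / vendor sends from (placeholders).
LEGIT_DOMAINS = {"lloydsbank.example", "clickstudios.example"}

# Pressure wording seen in both lures: "urgent" updates, "if this was NOT you".
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|if this was not you|within 24 hours)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
# Extensions a "download this update" lure typically points at.
DOWNLOAD_EXT = (".zip", ".exe", ".dll", ".msi")


def registrable_domain(host):
    """Naive registrable domain: last two labels (good enough for this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lure_indicators(sender, body):
    """Return a list of human-readable indicators; an empty list means none fired."""
    indicators = []
    # Sender check only applies to e-mail; an SMS sender ID like "LLOYDS" has no domain.
    if "@" in sender:
        sender_host = sender.rsplit("@", 1)[1].lower()
        if registrable_domain(sender_host) not in LEGIT_DOMAINS:
            indicators.append(f"sender domain {sender_host} is not an allowlisted domain")
    if URGENCY.search(body):
        indicators.append("pressure wording (urgent / 'if this was not you')")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        base = registrable_domain(host)
        if base not in LEGIT_DOMAINS:
            indicators.append(f"link to non-allowlisted domain {host}")
        elif host not in (base, "www." + base):
            # Genuine domain, but an unexpected subdomain: the Click Studios tell.
            indicators.append(f"link to unexpected subdomain {host}")
        if parsed.path.lower().endswith(DOWNLOAD_EXT):
            name = parsed.path.rsplit("/", 1)[-1]
            indicators.append(f"link downloads a binary/archive: {name}")
    return indicators


# Constructed samples: the SMS wording from the article plus an invented link,
# an invented repurposed "notification", and an invented genuine advisory mail.
SAMPLES = {
    "payment_sms": (
        "LLOYDS",
        "LLOYDS-SECURITY: You have successfully scheduled a payment of £69.99 to "
        "payee MR ADAMS 28/04. If this was NOT you, visit: "
        "http://lloyds-secure-check.example/verify",
    ),
    "repurposed_notification": (
        "security@clickstudios-update.example",
        "URGENT: the patch issued on April 23 contains a flaw. Download the corrected "
        "update from https://update.clickstudios-update.example/patch/update.dll "
        "before end of day",
    ),
    "legit_notification": (
        "support@clickstudios.example",
        "We have confirmed the incident described in our earlier advisory. Remediation "
        "steps are published at https://www.clickstudios.example/advisory and no "
        "attachment is required.",
    ),
}


def triage(samples=SAMPLES):
    """Run every sample through the heuristics; returns {name: [indicators]}."""
    return {name: lure_indicators(sender, body) for name, (sender, body) in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {'OK' if not hits else ''}")
        for hit in hits:
            print(f"  - {hit}")
```

The point of the allowlist-plus-subdomain split is that a lookalike domain (clickstudios-update) and a genuine domain with an unexpected host (update.clickstudios) are different failure modes: the first is what the repurposed emails used, the second is what a compromised vendor host would look like, and both deserve a human look before anything is downloaded.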

Credit Scores of Americans were Exposed Through Experian API


According to a researcher, almost every American's credit score was exposed through an Experian API that a lender had left accessible on its website without even basic security safeguards. Experian, for its part, dismissed security experts' fears that the problem could be structural.

The Experian Connect API is a platform that lets lenders automate FICO-score queries. According to the report, Bill Demirkapi, a sophomore at the Rochester Institute of Technology, was looking for student loans when he came across a lender that would check his eligibility with only his name, address and date of birth. Surprised, Demirkapi examined the site's code and found that the tool was backed by an Experian API, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” 

Demirkapi said he was able to build a command-line tool, "Bill's Cool Credit Score Lookup Utility", that automated lookups, and that the lookups still succeeded when he entered all zeros in the date-of-birth field. Krebs said he was able to use the API link to retrieve, in addition to raw credit scores, Experian "risk factors" that explain possible weaknesses in a person's credit history: a check on his friend "Bill", whose credit score was in the mid-700s, returned "Too many consumer-finance company accounts".

Demirkapi declined to tell Experian the identity of the lender or the website where the API was exposed, because he believes there are hundreds, if not thousands, of firms using the same API and that all of them are leaking Experian's customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained.
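Two concrete failures are described above: the lender's form forwarded a date of birth of all zeros to the bureau, and it required nothing beyond public data (name, address, date of birth). The following added example is not Experian's, the lender's or Demirkapi's code; it shows the server-side validation a lender's pre-qualification endpoint should do before calling any bureau API, with the weak check beside the hardened one. The field names, the reference date, and the store of one-time codes sent to a verified contact (an assumed stand-in for the "non-public information" Demirkapi argues should be mandatory) are all assumptions.

```python
"""Validation of a credit pre-qualification request before it reaches a bureau API.

Added example; the payload schema, REFERENCE_DATE and the one-time-code store
are assumptions, not any real lender's or bureau's implementation.
"""
import hmac
from datetime import date, datetime

MIN_AGE, MAX_AGE = 18, 120
# Fixed "today" so the age arithmetic is reproducible (the article's date).
REFERENCE_DATE = date(2021, 4, 30)

# Constructed store: one-time codes previously sent to an applicant's verified
# phone or e-mail.  Stands in for a non-public secret the applicant must present.
VERIFIED_CONTACT_CODES = {"applicant-42": "K7Q2-ZX9P"}


def lenient_accepts(payload):
    """Mirrors the weak behaviour described on the page: any non-empty name,
    address and dob string is good enough, so '00/00/0000' is forwarded."""
    return all(str(payload.get(f, "")).strip() for f in ("name", "address", "dob"))


def parse_dob(text):
    """Return a real calendar date (MM/DD/YYYY) or None for anything else,
    including placeholders such as '00/00/0000' and impossible dates."""
    try:
        return datetime.strptime(text, "%m/%d/%Y").date()
    except (TypeError, ValueError):
        return None


def age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def validate_prequal(payload, today=REFERENCE_DATE):
    """Hardened check. Returns a list of error strings; empty means acceptable."""
    errors = []
    for field in ("name", "address", "dob", "applicant_id", "contact_code"):
        if not str(payload.get(field, "")).strip():
            errors.append(f"{field}: missing")
    if errors:
        return errors

    dob = parse_dob(payload["dob"])
    if dob is None:
        errors.append("dob: not a valid calendar date")
    else:
        age = age_on(dob, today)
        if not MIN_AGE <= age <= MAX_AGE:
            errors.append(f"dob: implausible age {age}")

    # Require something an attacker with only public data does not have.
    expected = VERIFIED_CONTACT_CODES.get(payload["applicant_id"])
    if expected is None or not hmac.compare_digest(expected, str(payload["contact_code"])):
        errors.append("contact_code: does not match a code sent to a verified contact")
    return errors


# Constructed sample request that should pass the hardened check.
GOOD_REQUEST = {
    "name": "Bill",
    "address": "1 Main St",
    "dob": "06/15/2001",
    "applicant_id": "applicant-42",
    "contact_code": "K7Q2-ZX9P",
}


if __name__ == "__main__":
    zeros = {"name": "Bill", "address": "1 Main St", "dob": "00/00/0000"}
    print("lenient accepts all-zero dob:", lenient_accepts(zeros))
    print("hardened, good request:", validate_prequal(GOOD_REQUEST))
    print("hardened, all-zero dob:", validate_prequal(dict(GOOD_REQUEST, dob="00/00/0000")))
```

Rejecting the all-zero date is the cheap part; the check that actually closes the hole described in the article is the last one, because name, address and date of birth are all obtainable from public records, and only a secret tied to a verified contact stops a script like the one Demirkapi wrote from enumerating scores.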

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”