Tag Archive for: access

DeleFriend Vulnerability Could Allow Unwanted Access to APIs, According to Researchers


Hunters researchers noted the vulnerability could lead to privilege escalation. Google said the report “does not identify an underlying security issue in our products.”

Cybersecurity researchers from the firm Hunters discovered a vulnerability in Google Workspace that could allow unwanted access to Workspace APIs. The flaw is significant in that it could let attackers use privilege escalation to gain access that would otherwise only be available to users with Super Admin access. Hunters named this security flaw DeleFriend.

Vulnerability uncovered in Google’s domain-wide delegation

According to the Hunters team, the vulnerability is based on Google Workspace’s role in managing user identities across Google Cloud services. Domain-wide delegation (DWD) connects identity objects from either Google Workspace Marketplace or a Google Cloud Platform Service Account to Workspace.

Domain-wide delegation can be used by attackers in two main ways: to create a new delegation after having gained access to a Super Admin privilege on the target Workspace environment through another attack, or to “enumerate successful combinations of service account keys and OAuth scopes,” Hunters said. This second way is the novel method the researchers have discovered. Yonatan Khanashvilli, threat hunting expert at Team Axon at Hunters, posted a much more detailed explanation of DeleFriend.

Response from Google

Hunters disclosed this flaw to Google in August 2023 and wrote, “Google is currently reviewing the issue with their Product team to assess potential actions based on our recommendations.”

An anonymous Google representative told The Hacker News in November 2023, “This report does not identify an underlying security issue in our products. As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.”

Why this Google Workspace vulnerability is particularly dangerous

Hunters said this vulnerability is particularly dangerous because it is long-term (GCP Service account keys do not have expiry dates by default), easy to hide and hard to…

Source…

ID Theft Service Resold Access to USInfoSearch Data – Krebs on Security


One of the cybercrime underground’s more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.

Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will return detailed consumer background reports automatically in just a few moments.

USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden, and podcaster Joe Rogan. The data in those reports includes the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver’s license information.

JackieChan’s service abuses the name and trademarks of Columbus, OH-based data broker USinfoSearch, whose website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”

“We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it,” the company’s website explains. “Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client.”

As luck would have it, my report was also listed in the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.

USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. On Nov. 9, 2023, Scott Hostettler, general manager of USinfoSearch parent Martin Data LLC shared a written…

Source…

‘It’s not ideal’: Kansas lawmakers talk security incident that took down online court access


TOPEKA — A dragon spitting fire at the Kansas statehouse, depicted in a Vincent Van Gogh style, illuminated the possibilities of artificial intelligence to lawmakers during a Wednesday meeting.

An overview of AI creative designs provided some levity before legislators turned to discussion of the state’s changing internet landscape — one that IT officials have repeatedly warned needs to be better secured.

“I’d like to improve our ability to respond and recover from cyber incidents, including testing, tracking and training for known unlikely eventualities,” said Michael Murphy, security engineer with the Kansas Legislative Office of Information Technology.

Murphy said he and other legislative IT staff would look into system security upgrades and improvements before the upcoming legislative session.

“The first priority right now is security awareness training,” Murphy said. “Like I said, the biggest point of failure is going to be the people. So we need to make sure everybody’s trained up on how to do things properly.”

The renewed discussion on internet security comes after a “security incident” that shut down online operations for most of the state’s courts. Kansas’ judicial branch publicly announced the issue on Oct. 12, later indicating that clerks in 104 counties were unable to receive online filings. The Johnson County District Court, which operates its own e-filing and case management system separately from the state, is the only state district court not affected.

While courts are still operating, all filings have to be submitted on paper. The investigation into the incident is ongoing, with little information publicly released.

“We also have to figure out how to stop these bad actors from doing things that screw everything up, like they’ve done in judiciary,” said committee lawmaker Rep. Barb Wasinger, R-Hays, before lawmakers withdrew to speak privately about judiciary IT security during an executive session.

Though last year’s risk assessment of the state’s court system has been earmarked as confidential, previous audits of several state agencies have shown several weaknesses. A cybersecurity…

Source…

Allies To Gain Access to US Ransomware Data Under New Policy


The White House is set to announce a new policy for responding to ransomware attacks, as the number of such attacks continues to grow substantially. The US accounts for 46% of ransomware attacks globally, according to Anne Neuberger, Deputy National Security Advisor.

Recent high-profile attacks have hit major companies like casino operator MGM Resorts and cleaning products maker Clorox. In these attacks, hackers encrypt systems and demand ransom payments, usually in cryptocurrency, to decrypt them. Sensitive stolen data is often used to further extort victims.

The new White House policy will facilitate intelligence sharing related to ransomware attackers between the US and its allies. In particular, authorities will share cryptocurrency wallet addresses criminals use to collect ransoms.

The policy reflects the increasingly interconnected nature of ransomware schemes. Attackers routinely use infrastructure and data from one country to attack organizations in others. Enhanced coordination will allow rapid response.

A 40-country alliance led by the US, including Nigeria, Singapore and South Korea, will collaborate to cut off ransomware funding flows. The group will leverage artificial intelligence to trace ransom payments on the blockchain and maintain a blacklist of known criminal wallets.

“Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before,” Chainalysis reported.

Source: Chainalysis

With this alliance, authorities hope to stem the tide of attacks. But with billions in cryptocurrency paid annually to ransomware criminals, curbing the epidemic remains an ongoing battle.

Source…