Tag Archive for: Exposed

A Mysterious Leak Exposed Chinese Hacking Secrets


While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remains a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China’s national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the New York Times and The Washington Post. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data, and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 million for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details…


Hacker exposed weakness in German electronic ID, magazine reports


A hacker has reportedly uncovered security gaps in the online functions of Germany’s new national ID cards, according to the news magazine Der Spiegel.

Using his own software instead of the official government AusweisApp, the hacker managed to access login data for the so-called eID function of Germany’s identity card, which is intended to allow German citizens to securely identify themselves online.

According to the report, this is activated for more than 50 million ID card holders and serves as the basis for digital administrative procedures. It is also used for identification at banks, among other things.

The hacker, who goes by the pseudonym “CtrlAlt,” used the trick to open an account at a major German bank under someone else’s name.

A spokesman for the Chaos Computer Club (CCC), a well-known German hacker and computer security group, confirmed to Der Spiegel that the hacker had exposed a critical point in the eID procedure on mobile devices.

“This is a realistic attack scenario,” the spokesman told the news magazine. “It must be prevented that an ID app other than the officially approved one can register and log into the cell phone for eID authentication.”

The hacker had already informed Germany’s Federal Office for Information Security (BSI) of his findings on December 31.

The agency told Der Spiegel that it saw no reason to “change the risk assessment for the use of the eID,” since the vulnerability appeared to be not in the eID system itself but in devices used by consumers.

However, the agency said it would still examine a possible adjustment to the system.


1.3 Million FNF Customers’ Data Potentially Exposed in Ransomware Attack


Fidelity National Financial (FNF) has revealed that around 1.3 million customers’ data may have been exposed during a ransomware attack it suffered in 2023.

The firm, which provides title insurance services to the real estate and mortgage industries, notified the Securities and Exchange Commission (SEC) of the number of potentially impacted consumers in an updated filing on January 9, 2024.

The incident was first disclosed in November 2023, and forced FNF to take down certain systems, resulting in disruption to its business operations.

The ALPHV/BlackCat ransomware group subsequently claimed responsibility for the attack, announcing FNF’s inclusion on their leak site.

New Details About the FNF Ransomware Attack

The updated filing appeared to confirm the incident was a ransomware attack.

The firm stated that following the completion of a forensic investigation on December 13, “we determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data.”

FNF said it has notified approximately 1.3 million potentially impacted consumers, and is providing them with credit monitoring, web monitoring and identity theft restoration services.

It is also continuing to coordinate with law enforcement, regulators and other stakeholders.

There is no evidence any customer-owned system was directly impacted in the incident, nor has it received any customer reports that this has occurred, the company said.

FNF successfully contained the incident on November 26, 2023, and full services have been restored. The last confirmed date of unauthorized third-party activity in its network was November 20, 2023.

“At this time, we do not believe that the incident will have a material impact on the Company,” read the filing.

Details relating to how the attackers gained initial access into the firm’s systems and the nature of the personal data that was exposed were not provided.

FNF acknowledged that it is subject to several lawsuits related to the incident and will “rigorously defend itself” against such claims.

Earlier this week (January 9), retail mortgage lender LoanDepot revealed it had…


Google OAuth secrets exposed as account-hijacking MultiLogin vulnerability discovered


Facepalm: OAuth is an open standard designed to share account information with third-party services, providing users with a simple way to access apps and websites. Google, one of the companies offering OAuth authentication to its users, is seemingly hiding some dangerous “secrets” in the protocol.

A malware developer was recently able to discover one of Google’s OAuth secrets, a previously unknown feature named “MultiLogin” that is responsible for synchronizing Google accounts across different services. MultiLogin accepts a vector of account ID and auth-login tokens, using such data for managing simultaneous sessions or seamlessly switching between user profiles.

MultiLogin is a Chromium feature that can be abused to compromise a user’s Google account. The “bug” was unveiled by a malware developer known as PRISMA in October 2023. The cyber-criminal shared details about a critical exploit designed to generate persistent cookies for “continuous” access to Google services, even after a user’s password reset.

The exploit was first revealed on PRISMA’s Telegram channel, and it was soon adopted by various malware groups as a new, potent tool to steal access credentials from users’ PCs. As highlighted by CloudSEK analysts, the 0-day exploit provided two key features for infostealer creators: session persistence and valid cookie generation.

Cyber-criminals quickly adapted the new exploit, integrating even more advanced features to bypass Google’s security restrictions for token regeneration. Recent infostealer malware can infect a user’s PC, scan the machine for Chromium session cookies, then exfiltrate and send the data to remote servers controlled by cyber-criminals.

Thanks to MultiLogin, the stolen tokens can be used to log in with an OAuth identity even if the user changes their Google password. The exploit can be countered by completely logging out from the Google account, invalidating the session tokens and thus preventing further exploitation.

CloudSEK said that the MultiLogin exploit underscores the “complexity and stealth” of modern security threats. Google confirmed the session-stealing attack, saying that this kind of malware is not new. The company routinely upgrades its…
