A Confession Exposes India’s Secret Hacking Industry


In the summer of 2020, Jonas Rey, a private investigator in Geneva, got a call from a client with a hunch. The client, the British law firm Burlingtons, represented an Iranian-born American entrepreneur, Farhad Azima, who believed that someone had hacked his e-mail account. Azima had recently helped expose sanctions-busting by Iran, so Iranian hackers were likely suspects. But the Citizen Lab, a research center at the University of Toronto, had just released a report concluding “with high confidence” that scores of cyberattacks on journalists, environmentalists, and financiers had been orchestrated by BellTroX, a company, based in New Delhi, that was running a giant hacking-for-hire enterprise. The operation had targeted numerous Americans. Burlingtons wondered: could Rey try to find out if Azima had been another BellTroX victim? He said yes.

Researchers at Citizen Lab had learned of BellTroX’s activities from someone that the company had tried to trick with “spear phishing”—sending a bogus message to trick a recipient into providing access to personal data. Citizen Lab spent three years investigating BellTroX, including by analyzing Web sites used to shorten and disguise phishing links, combing through social-media accounts of BellTroX’s employees, and contacting victims. Reuters, in coördination with Citizen Lab, published an exposé on BellTroX the same day as the report. But BellTroX’s owner denied any wrongdoing, the Indian authorities never publicly responded to the allegations, and the accusations remained unconfirmed.

Rey’s investigation into the Azima case shed new light not only on BellTroX but also on several other outfits like it, establishing beyond dispute that India is home to a vast and thriving cyberattack industry. Last year, Rey secured the first detailed confession from a participant in a hacking-for-hire operation. In court papers, an Indian hacker admitted that he had infiltrated Azima’s e-mail account—as had employees at another firm. Moreover, there were countless other Indian hackers for hire, whose work was often interconnected. John Scott-Railton, a senior researcher at Citizen Lab, who helped lead the BellTroX investigation, told…


Gigabyte Firmware Exposes Millions Of Motherboards To Backdoor Hacking Threat

It’s really irritating when you set up a new system and it begins downloading and installing the motherboard vendor’s software without your permission or prompting. This can happen with a lot of different motherboard vendors, but there are secure ways and insecure ways to go about it, and Gigabyte seems to have chosen poorly.

We say that because security platform Eclypsium announced that it had detected “backdoor-like behavior” in Gigabyte systems. The specific behavior is that affected motherboards run internet-connected Windows software dropped from the system firmware to then update said firmware from the internet. The software in question is all completely legitimate in theory, but of course that’s where all kinds of trouble starts.

Because the application runs in the background, invisibly, there’s no way for the user to be aware if the tool has been hijacked by a threat actor. Don’t be confused; there’s not necessarily any problem with your system if you have a Gigabyte motherboard. It’s just that the update tool—which can be disabled from the UEFI setup but is enabled by default—performs very little in the way of security or safety checking.

That means that this innocuous update tool could be downloading a compromised firmware update from anywhere. This kind of “man in the middle” attack is particularly problematic because it’s very sneaky and not obvious to the user. It’s also a huge problem once it’s happened, because it’s very difficult to root out such an exploit: it can simply re-download itself and prevent the user from flashing a “clean” firmware. This issue affects nearly all Gigabyte motherboards made in the last few years. You can check this list [PDF] from Eclypsium to see if your board is affected.

For its part, Gigabyte has already released beta BIOS updates for all of its Intel LGA 1700 and AMD Socket AM4 motherboards that are vulnerable to this exploit. The company says that it has “implemented stricter security checks” on the tools, including signature verification and privilege access limitations, both of which should help keep bad guys from getting into your firmware. Updates for other systems, including Intel 400/500-series and AMD’s Socket AM5…


Critical security flaw exposes Wemo Smart Plugs to hackers

Researchers found a security flaw in an older version of the Wemo Mini Smart Plug that involved changing its name — and Belkin isn’t going to fix it.

The Wemo Mini Smart Plug is designed to offer convenient remote control over lights and basic appliances, such as fan lamps, through a mobile app. The application utilizes Wi-Fi for communication and seamlessly integrates with HomeKit and other smart home ecosystems.

Among other functions, the app lets people change the device name. The length is limited to 30 characters or less, but only the app enforces that rule.

However, through reverse engineering, the security experts at Sternum discovered a method to circumvent the character limit, thereby triggering a buffer overflow. They subsequently named this vulnerability “FriendlyName.”

A buffer overflow happens when more data is written into a storage area (a buffer) than it can hold. It’s like pouring more water into a cup than it can hold, causing it to overflow.

That can lead to unexpected results in computer systems because the extra information can overwrite or change nearby data. Hackers can use a buffer overflow to gain unauthorized access or cause malfunctions in a computer program.

Accessing the firmware

The researchers from Sternum examined the smart plug’s firmware and used it to change the device’s name to one that was longer than the app’s rule of 30 characters. The resulting overflow allowed them to issue commands to the device and control it.

In the hands of a malicious hacker, that could lead to data theft or possibly controlling other devices plugged into the Wemo device.
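The device-side check that the article says was missing, as an added example that is not Sternum’s research code or Belkin’s firmware. It models the device state as one block of RAM with the name field directly followed by a flag the device acts on, shows a handler that trusts the request length the way a firmware would if it assumed the app had already enforced the 30-character limit, and beside it a hardened handler that enforces the limit on the device and rejects over-length names. The struct layout, the function names (`set_name_vulnerable`, `set_name_hardened`), the sample name and the constructed over-length request are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX   30              /* the limit the mobile app enforces */
#define NAME_FIELD (NAME_MAX + 1)  /* room for the NUL terminator */

/* Assumed device state, laid out as one block of RAM: the name field is
 * followed by a flag the device acts on. Constructed for this example. */
struct device_state {
    char    friendly_name[NAME_FIELD];
    uint8_t relay_on;   /* 1 = outlet switched on */
};

/* Vulnerable handler: copies whatever length the request carries, trusting
 * that the app already enforced NAME_MAX. Bytes beyond the name field land
 * on relay_on. The cap against sizeof(*dev) only keeps this demo itself in
 * bounds; the missing check is the one against NAME_MAX. */
static void set_name_vulnerable(struct device_state *dev, const char *name, size_t len)
{
    unsigned char *ram = (unsigned char *)dev;   /* name field sits at offset 0 */
    if (len > sizeof(*dev))
        len = sizeof(*dev);
    memcpy(ram, name, len);
}

/* Hardened handler: the device enforces the limit itself and rejects the
 * request instead of silently truncating, so the state is never touched. */
static int set_name_hardened(struct device_state *dev, const char *name, size_t len)
{
    if (len > NAME_MAX)
        return -1;
    memcpy(dev->friendly_name, name, len);
    dev->friendly_name[len] = '\0';
    return 0;
}

/* Constructed over-length request: 30 filler characters, a NUL, and one
 * more byte that lands exactly on relay_on. Returns 1 if the flag flipped. */
int demo_overflow_flips_relay(void)
{
    struct device_state dev = { "kitchen lamp", 0 };
    char request[NAME_FIELD + 1];
    memset(request, 'A', NAME_MAX);
    request[NAME_MAX]   = '\0';
    request[NAME_FIELD] = 1;
    set_name_vulnerable(&dev, request, sizeof request);
    return dev.relay_on == 1;
}

/* Same over-length request against the hardened handler: rejected, and
 * neither the name nor the flag changes. Returns 1 on correct behaviour. */
int demo_hardened_rejects(void)
{
    struct device_state dev = { "kitchen lamp", 0 };
    char request[NAME_FIELD + 1];
    memset(request, 'A', sizeof request);
    int rc = set_name_hardened(&dev, request, sizeof request);
    return rc == -1 && dev.relay_on == 0 &&
           strcmp(dev.friendly_name, "kitchen lamp") == 0;
}

int main(void)
{
    printf("vulnerable handler flipped relay_on: %s\n",
           demo_overflow_flips_relay() ? "yes" : "no");
    printf("hardened handler rejected request:   %s\n",
           demo_hardened_rejects() ? "yes" : "no");
    return 0;
}
```

Flipping an adjacent flag is the smallest observable consequence of the overwrite; the article describes the real overflow going further, to issuing commands to the device. The fix is the same either way: a length limit enforced only in the mobile app protects nothing, because the device must validate every request it receives itself.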

The team contacted Belkin to inform the company of the security flaw. However, Belkin said it wouldn’t fix the vulnerability because the Wemo Smart Plug V2 is at the end of its life.

The current Wemo Smart Plug is version 4.

How to protect yourself from “FriendlyName”

Sternum says people who own one of these plugs shouldn’t connect them to the internet. They also shouldn’t be allowed to connect to sensitive devices on a…


Hack on Transportation Systems Exposes Employee Information

The Department of Transportation’s administrative systems were hacked, exposing the data of hundreds of thousands of employees, the agency confirmed on Monday.

According to Reuters, the agency notified Congress about the hack late Friday. Transportation confirmed the breach exposed the personal information of approximately 237,000 current and former agency employees.

The affected administrative systems were used, for example, to process employee transit benefits. The agency noted that the breach did not affect any transportation safety systems.

Transportation’s Office of the Chief Information Officer is investigating the breach, “with the support of other federal agencies, including CISA,” an agency spokesperson told Nextgov in an emailed statement. “The OCIO is addressing the breach and has suspended access to relevant systems while we further investigate the issue, and secure and restore the systems.”

It is unclear who is behind the cyber attack, how it occurred and when it was first discovered.

“In an era where the federal government is asking the private sector to do more in terms of cybersecurity, the Department of Transportation breach shows the government needs to follow its own lead and better protect its own systems,” Brandon Pugh, director of Cybersecurity and Emerging Threats at the R Street Institute, told Nextgov in an emailed statement. “All data breaches are concerning, but there are particular risks with information on federal employees being made public. The information could be used to target the impacted federal employees or to carry out future attacks, depending on the precise data that was breached.”

“Cyber attackers require a single vulnerability to infiltrate an organization’s network, highlighting the critical importance of fortifying individual systems during a data breach,” Amit Bareket, CEO and co-founder of Perimeter 81, told Nextgov in an emailed statement. “In today’s rapidly evolving digital landscape, malicious actors continually devise novel techniques to target organizations and exploit their invaluable resources.”

Bareket noted that “individuals who were affected by the U.S. Department of Transportation data breach…
