AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 05/17/2022

Misconfigured ElasticSearch Servers Exposed 579 GB of Users’ Website Activity

The IT security researchers at Website Planet have identified two exposed ElasticSearch servers belonging to an unnamed organization using open-source data analytics software developed by the London, England-based software vendor SnowPlow Analytics. This software allows companies to track and store information on their website(s) visitors, apparently without their knowledge. It is worth noting that a web analytics tool can collect versatile data metrics. The data is then used for creating an extensive, detailed profile for site visitors. According to researchers, neither ElasticSearch server had any encryption or user authentication measures in place, meaning anyone could have accessed the data without the need for a password. The unsecured, misconfigured servers eventually exposed 359,019,902 records, which equals around 579.4 GB of data. The exposed servers contained detailed logs of web user traffic, including the following.


Fake Pixelmon NFT site infects you with password-stealing malware

A fake Pixelmon NFT site entices fans with free tokens and collectibles while infecting them with malware that steals their cryptocurrency wallets. Pixelmon is a popular NFT project whose roadmap includes creating an online metaverse game where you can collect, train, and battle other players using pixelmon pets. With close to 200,000 Twitter followers and over 25,000 Discord members, the project has garnered a lot of interest. To take advantage of this interest, threat actors have copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware.


Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn’t pay

Conti is escalating its rhetoric to force Costa Rica to pay a ransom after the nation was breached last month, including calls for potential regime change from its newly elected president to assemble a government more willing to pay. New President Rodrigo Chaves Robles declared a state of national emergency last week rather than pay an alleged $10 million ransom. “I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible,” Conti wrote on its leaks site in a new update. “[I]f your current government cannot stabilize the situation? maybe it’s worth changing it?”


Researchers devise iPhone malware that runs even when device is turned off

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or to use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down. It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off. This video provides a high-level overview of some of the ways an attack can work.


Europe moves closer to stricter cybersecurity standards, reporting regs

Europe has moved closer toward new cybersecurity standards and reporting rules following a provisional network and information systems agreement dubbed NIS2 by the European Council and Parliament. Once approved, NIS2 [PDF] will replace the current Directive on Security of Network and Information Systems, aka NIS, which was adopted in 2016. The new directive sets more stringent requirements — and possible sanctions, including fines — for a larger number of sectors that must comply with the computer security rules. It also aims to eliminate “the wide divergences” among EU member states’ risk management and security reporting rules by establishing uniform criteria for assessing, reporting on, and taking steps to reduce cyber risk.


This simple cyberattack is still among the most effective

Cybercriminals may be getting more sophisticated by the day, but simple HTML file distribution still remains one of the most popular tactics, new research shows. According to telemetry data from cybersecurity company Kaspersky, in the first four months of 2022, there were more than two million malicious emails carrying weaponized HTML files. March 2022 was the most active month of the year so far for this type of attack, with 851,000 detections. Last month saw just 387,000 detections, although Kaspersky says this could just be a “momentary shift”, and doesn’t necessarily suggest a shift in the wider trend.
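A mail-gateway style check for the tactic described above, added here as an illustration and not taken from Kaspersky or the original article: it parses a raw RFC 822 message, flags any attachment that is HTML by filename or content type, and notes whether the attachment embeds script. The sample message is constructed inline, and the `.test` addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions that mail clients will hand to a browser when opened.
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")


def html_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per HTML attachment in a raw RFC 822 message.

    A part is flagged if its filename has an HTML extension, or if it is
    text/html delivered with Content-Disposition: attachment (an HTML body
    inline in a multipart/alternative message is not an attachment).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()
        by_name = filename.endswith(HTML_EXTENSIONS)
        by_type = ctype == "text/html" and disposition == "attachment"
        if by_name or by_type:
            payload = part.get_payload(decode=True) or b""
            findings.append({
                "filename": filename,
                "content_type": ctype,
                "size": len(payload),
                # Embedded script is the usual carrier in HTML-attachment
                # phishing, so it is worth surfacing to the analyst.
                "has_script": b"<script" in payload.lower(),
            })
    return findings


def build_sample() -> bytes:
    """Constructed sample: a plain-text body, one HTML and one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("<html><body>sample</body></html>",
                       subtype="html", filename="invoice.html")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

Running `html_attachments(build_sample())` flags only `invoice.html`; the PDF and the plain-text body are left alone.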
