AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 12/21/2021

Mystery cloud storage service exposes 580 million customer passwords – but it might all be OK

The UK National Crime Agency (NCA) has discovered a database containing more than 585 million stolen passwords and emails, and shared it with Have I Been Pwned? to expand and update its database of breached info. Have I Been Pwned? is an online service where people can go to check if their email, passwords or other personal details have been compromised, and even identify in which breach this happened. According to the report, the NCA found the database in a “compromised cloud storage facility”. “During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the organization’s announcement reads.

 

Western Digital warns customers to update their My Cloud devices

Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. “On April 15, 2022, support for prior generations of My Cloud OS, including My Cloud OS 3, will end,” the company said this week. “If your device isn’t compatible with My Cloud OS 5, you will lose remote access and will only be able to access it locally. Devices on these older firmware versions will not receive security fixes or technical support.” Western Digital advises customers to protect their data from attackers after the firmware is no longer supported by backing up their devices, disabling remote access, disconnecting it from the internet, and choosing a unique and strong password.

 

Spider-Man Movie Release Frenzy Bites Fans with Credit-Card Harvesting

Friday’s release of Spider-Man: No Way Home is the first post-pandemic premiere to really have all the Hollywood blockbuster accessories: superheroes, Zendaya, a healthy dose of comic book nostalgia — even its own phishing scam. Researchers at Kaspersky warned that the release of Spider-Man: No Way Home is being used by cybercriminals to spread malware and steal banking information. “Fans’ expectations are through the roof right now, arguably higher than for any film,” Kaspersky’s Tatyana Shcherbakova explained in a statement. “Everyone who has ever been a fan of Spidey has their own theories about the films, which can be exploited by cybercriminals.” It’s hardcore Spider-Man fans, desperate to the first to see the movie or get inside information about it, who are prime targets for fake promises of an early look at the film or offers to sign up for other access to the superhero’s universe, Kaspersky’s researchers warned. Kaspersky said some of the Spider-Man phishing sites use fan art of the film’s stars to try and catch the attention of the most frenzied followers of the franchise.

 

Malicious Joker App Scores Half-Million Downloads on Google Play

The Joker malware is back again on Google Play, this time spotted in a mobile application called Color Message. The app was downloaded more than 500,000 times before its removal from the store. Users should immediately delete Color Message from their devices to avoid being defrauded, researchers at Pradeo Security warned. Joker is a persistent threat that’s been kicking around since 2017, hiding itself within legitimate-seeming, common application types like games, messengers, photo editors, translators and wallpapers, many of them aimed at children. But once installed, Joker apps subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorize as “fleeceware.” Often, the victim is none the wiser until the mobile bill arrives.

 

CISA urges VMware admins to patch critical flaw in Workspace ONE UEM

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information. Workspace ONE Unified Endpoint Management (ONE UEM) is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices. The flaw tracked as CVE-2021-22054 is a server side request forgery (SSRF) vulnerability with a severity rating of 9.1/10 and impacting multiple ONE UEM console versions. Unauthenticated threat actors can exploit this vulnerability remotely in low-complexity attacks without user interaction.

 

Ransomware Operators Leak Data Stolen From Logistics Giant Hellmann

Logistics giant Hellmann Worldwide Logistics has confirmed that attackers were able to exfiltrate data from its systems during a cyberattack earlier this month. On Thursday, December 9, after detecting the breach, the company took down servers at its central data center, to isolate them from the rest of the environment and contain the incident. Hellmann, which provides air and sea freight, rail and road transportation, and other services in 173 countries, was apparently targeted by RansomEXX ransomware, whose operators have already made available data allegedly stolen from the German company. One their leak website on the Tor network, the hackers published 70.64GB of compressed data, in the form of 145 archive files that contain, among others, customer names, user IDs, emails, and passwords. In an updated cyber incident statement published last week, the German company confirmed that the attackers stole data from its servers, although it did not provide details on the type of information that was compromised.

Related Posts