IT NEWS

Android vulnerabilities could allow arbitrary code execution

Several vulnerabilities have been patched in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. None of the vulnerabilities have been spotted in the wild.

Operating systems contain and manage all the programs and applications that a computer or mobile device is able to run. The Android OS was developed by Google for mobile devices like smartphones, tablets, smart watches, and more, and it’s installed on more than 70 percent of the world’s mobile phones.

Google’s latest security update for Android patched 42 vulnerabilities. Four of them received the label “critical”, of which three affect Qualcomm components. Qualcomm is a US-based chip maker that specializes in semiconductors, software, and services related to wireless technology.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The critical Qualcomm vulnerabilities all relate to the WLAN component and have the following CVEs:

  • CVE-2022-25748 has a CVSS score of 9.8 out of 10 and could be exploited to trigger memory corruption leading to arbitrary code execution.
  • CVE-2022-25718 has a CVSS score of 9.1 out of 10 and could allow a remote attacker to perform a machine-in-the-middle (MitM) attack.
  • CVE-2022-25720 has a CVSS score of 9.8 out of 10 and could allow a remote attacker to execute arbitrary code on an Android device by sending it specially crafted traffic.

Looking at the three vulnerabilities listed above, it seems that someone has taken a good look at the initial connection and authentication routines in the Qualcomm WLAN firmware. All three vulnerabilities seem to lie in the initial stages of a connection.

The group temporal key is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. It is part of the four-way handshake between an access point and a client device, which produces the encryption keys used to protect the actual data sent over the wireless link.

The other critical vulnerability, CVE-2022-20419, is a vulnerability in Framework that could lead to local escalation of privilege (EoP) with no additional execution privileges needed. The bug description says that any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. ActivityManager allows developers to retrieve information about the device the app is running on, like available memory, running processes, and tasks that the user has most recently started or visited.

Google’s updates will be rolled out for Android versions 10, 11, 12, 12L, and 13. Since some of the vulnerabilities are in suppliers’ software, not every device will need all the patches.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Stay safe, everyone!

TikTok’s “secret operation” tracks you even if you don’t use it

Consumer Reports (CR), a US-based nonprofit consumer organization, has revealed that TikTok gathers data on people who don’t even use the app itself.

If this sounds familiar, it’s because it’s happened before. Meta’s near-omnipresence wherever you are online enabled it to gather data on users, even those who don’t have Facebook accounts—thanks, in part, to the Facebook “Like” button, a piece of code embedded on most websites. According to this Facebook Help Centre page, if a logged-in user visits a website with this button, the browser sends user data to Facebook so it can load content to that website.

Something similar happens to users who are either logged out of Facebook or don’t have an account. The only difference is that the browser sends a limited set of data. However you look at it, Facebook gets your data.

In TikTok’s case, the company embeds a tracker called a “pixel.” The pixel gathers user data from the websites it is embedded in to help companies target ads and measure how well those ads work.

CR sought the aid of security firm Disconnect to scan for websites containing TikTok’s pixel, paying particular attention to sites that regularly deal with sensitive information, such as .gov, .org, and .edu sites. It turns out that the pixels are already widespread.

“I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’,” said Disconnect Chief Technology Officer (CTO) Patrick Jackson. “I don’t think people connect that with TikTok yet.”

Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for. While the data is used for targeted ads and ad effectiveness, TikTok spokesperson Melanie Bosselait said the data “is not used to group individuals into particular interest categories for other advertisers to target.” Data collected from non-TikTok users, however, is used in aggregated reports sent to advertisers.

CR also reported why websites use pixels (on top of other trackers). One school, Michigan State University, uses it to “help generate interest in applying to and enrolling courses at Michigan State”. Dan Olsen, the university spokesperson, also said, “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”

Some sites, like Mayo Clinic’s public-facing pages and RAINN, a leading anti-sexual-violence organization, have removed the pixel, saying its presence was an oversight. Other businesses CR questioned either declined to comment or never responded.

Jackson said that most companies are unaware TikTok and other big brands gather data this way. “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”

To prevent clandestine data collection, policymakers need to get involved. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” said Director of Technology Policy for CR Justin Brookman. “In the US, the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”

CR recommends three guidelines for users who want to protect their personal information online:

  • Use privacy-protecting browser extensions, such as uBlock Origin.
  • Take advantage of your browser’s privacy settings.
  • Use a privacy-focused browser, such as Brave or Firefox.

When it comes to tracker presence online, Google and Meta still lead. But TikTok’s advertising business is booming. And, with that, data collection is expected to grow, too. 

Huge increase in smishing scams, warns IRS

The Internal Revenue Service (IRS) has issued a warning for taxpayers about a recent increase in IRS-themed smishing scams aimed at stealing personal and financial information.

Smishing is short for SMS phishing, where the phishes are sent via text message. The IRS has identified and reported thousands of fraudulent domains tied to multiple smishing scams targeting taxpayers.

Not the IRS

The most prevalent campaigns the IRS is warning about are scam messages that look like they’re coming from the IRS. These messages offer lures like fake COVID relief, tax credits, or help setting up an IRS online account.

In the latest campaign the IRS has seen, the scam texts ask taxpayers to click a link which leads them to phishing websites. Typically these websites are set up to collect the visitor’s information, but potentially could also send malicious code to their phones.

Industrial scale

This type of smishing is by no means new, but what prompted the warning is the scale of the campaigns. IRS Commissioner Chuck Rettig called it phishing on an industrial scale.

“In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

How to avoid falling for a smishing scam

We can’t stop smishing completely, but we can take some steps to significantly reduce the chance of falling victim:

  • Firstly, it’s important to keep in mind that the IRS does not send emails or texts asking for personal or financial information or account numbers.
  • If a message sounds too good to be true, it probably is. Having said that, many smishing messages sound totally innocent and aren’t trying too hard to bribe or threaten, so don’t assume any message from a service or organization is the real deal.
  • If you’re being asked to do something, like enter your details, transfer money, or similar, the very best thing you can do is contact the ‘sender’ directly via a known method you trust. If it turns out to be a phish, you should be able to report it there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Scam SMS/text messages can also be copied and forwarded to wireless providers via text to 7726 (SPAM), which helps the provider spot and block similar messages in the future.
  • Never click links, and don’t enter personal information on any website if you do accidentally click through. Avoid replying to the scam SMS too. Doing so confirms you exist and may make it more likely for you to receive more messages.
  • Report, block, and move on.

Forward to IRS

The IRS asks that you forward any smishing or other phishing scams using the following process:

  • Create a new email to phishing@irs.gov.
  • Copy the phish caller ID number (or email address).
  • Paste the number (or email address) into the email.
  • Press and hold the SMS/text message and select “copy”.
  • Paste the message into the email.
  • If possible, include the exact date, time, time zone and telephone number that received the message.
  • Send the email to phishing@irs.gov.

All incidents, successful and attempted, should also be reported to the Internet Crime Complaint Center.

Any individual entering personal information, or otherwise finding themselves a victim of tax-related scams, can find additional resources at Identity Theft Central on IRS.gov.

A week in security (September 26 – October 2)

Last week on Malwarebytes Labs:

Stay safe!

Romance scammer deepfakes Mark Ruffalo to con elderly artist

Deepfakes have settled into a groove, as most scam techniques do. It seems most deepfakers have decided to make as much cash as possible from unsuspecting victims instead of doing anything particularly earth-shattering with their technology.

One curious twist we may not have seen coming is the mashup of deepfake and romance scam, though this is a natural fit in many ways. Create a fictional entity, move from email to bogus video communications, and extract funds via wire transfer or a money-centric app.

You would expect to find scammers trying to keep their deepfakery as believable as possible, and yet it seems you can be anyone you want to be in Deepfake land and still make off with a tidy haul.

As such, we have a romance scam involving a victim handing over a small fortune, and a digital version of Incredible Hulk actor Mark Ruffalo.

A poisonous romance

Manga artist Chikae Ide’s new work, Poison Love, is a summary of her experience with the aforementioned Ruffalo fakeout. What’s interesting here is how the scam evolved from a fairly standard Facebook romance scam, to something making full use of digital technology perhaps long before other fakers decided to jump on the Deepfake train.

It’s still somewhat inexplicable that the scammers went with an incredibly recognisable Hollywood actor, given the numerous ways a victim could have figured out something was amiss. Even so, the faker went with flattery and exploited the author who used translation software to converse in English. Ide, still a little unsure, wanted proof that “Ruffalo” was the real deal. He responded with a half-minute video call to prove it was really him. Unfortunately for Ide, this was a faker using Deepfake technology to appear as the Hulk actor on webcam. It was enough to convince the artist to become involved in a fictional online relationship with real harm waiting in the wings.

A slow burn of money extraction began shortly after the bogus video call, and then a fake “online marriage”. CBR reports the artist said, in relation to the faker, that “…he respected my work, and he said that I, this old lady, am beautiful”. It may not sound like much, but to someone in their 70s, burnt in the past by an abusive marriage, and unfamiliar with internet scams, it was just what the fake doctor ordered.

The promise of it all being too good to be true was swept away by multiple small requests for cash, which seem to have increased over time.

Counting the emotional and financial cost

In the end, it took the artist’s children to realise something was up and begin the painful process of extracting her from the scammer’s clutches. In total, 75 million Yen (roughly half a million US dollars) was wired to the fraudster, never to return.

Both her savings and those of her son were lost to the void, along with big chunks of change from work contracts and even cash earmarked for bills. This is the kind of attack which can easily wipe some folks out. In this instance, the artist can at least perhaps hope to recover some of the losses from upcoming art contracts and other client work. Most people may not have that level of financial safety net to fall back on.

The smartest deepfaker around?

This is where things become really interesting in terms of how the scam got off the ground. Keep in mind that this attack began in 2018. While pretty much everyone talking about deepfakes four years ago was largely obsessed with electoral interference, the scammer saw the real potential in deepfakery: financial plundering on a grand scale.

This individual set up a 30-second conversation with the artist, and it was enough to set aside any misgivings. Again: this is frankly remarkable considering it happened four years ago. The talking heads are all about electoral malfeasance. The actual Deepfake producers are churning out celebrity pornography. This person is using deepfakes to apparently create interactive conversations with someone about to lose a whole lot of money.

Tips for avoiding romance scams

Romance scams continue to be a major problem, and it’s very much a low effort, big reward attack which is why it pops up so frequently. Here are some of the warning signs:

  • Their profile and picture seem too good to be true.
  • They profess love and affection very quickly.
  • They share a lot about themselves in the first meeting.
  • They claim to be overseas and cannot stay in one place for long.
  • They try to lure you from whatever platform you are on to talk to you via email or video chat.
  • They claim to need money for something, which should be an immediate red flag no matter how convincing it sounds.

Here’s what you can do to keep yourself safe:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
  • Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
  • Never give money to anyone you’ve met online.
  • If in doubt, back away and report the account.

Stay safe out there!

Actively exploited vulnerability in Bitbucket Server and Data Center

On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities catalog. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week.

The Bitbucket vulnerability is not a zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.

Mitigation

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.

Supported version and the bug fix release that resolves the issue:

  • Bitbucket Server and Data Center 7.6: 7.6.17 (LTS) or newer
  • Bitbucket Server and Data Center 7.17: 7.17.10 (LTS) or newer
  • Bitbucket Server and Data Center 7.21: 7.21.4 (LTS) or newer
  • Bitbucket Server and Data Center 8.0: 8.0.3 or newer
  • Bitbucket Server and Data Center 8.1: 8.1.3 or newer
  • Bitbucket Server and Data Center 8.2: 8.2.2 or newer
  • Bitbucket Server and Data Center 8.3: 8.3.1 or newer

You can download the latest version of Bitbucket from the download center. Visit the Frequently Asked Questions (FAQ) page if you have any questions.

If, for any reason, you are unable to apply the security updates, you are advised to apply a temporary partial mitigation by turning off public repositories, which is done by setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository, but does not protect against attackers who already hold read permission.

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Vulnerability

The remote code execution vulnerability was found by Maxwell Garrett, a security researcher at Assetnote, and assigned CVE-2022-36804. The vulnerability was rated as critical, which indicates a CVSS score between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.

Discovery

Bitbucket is a web-based hosting service that distributes source code and development projects. Typically, Bitbucket Server is deployed on-premises and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post from William Bowling about his RCE via git option injection in GitHub Enterprise.

Exploitation

The proof-of-concept (PoC) exploit was made public on September 19, 2022. Attackers did not wait long. Some were observed scanning for vulnerable instances as early as September 20th.

Besides CISA adding the vulnerability to the Known Exploited Vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.

Now that CISA has set a to-be-patched date of October 21, 2022, this will put the vulnerability higher on the agenda for US Federal Civilian Executive Branch (FCEB) agencies. As always, all other organizations are advised to patch urgently if they haven’t already.

Why (almost) everything we told you about passwords was wrong

I have an embarrassing confession to make: I reuse passwords.

I am not proud of it, but honestly it’s a relief to finally get it off my chest. I am not a heavy re-user, nothing crazy, I use a password manager to handle most of my credentials but I still reuse the odd password from time to time.

It’s embarrassing to admit because recommending that users use unique passwords for each of their accounts is part of my job, and with good reason: Password reuse leads to credential stuffing, a form of automated attack where cybercriminals use lists of passwords stolen from one website to break into other websites. Credential stuffing attacks are large, automated, and persistent, and they are so successful that they happen almost constantly.

It seems obvious and important therefore to tell users not to reuse passwords. But telling them to stop doesn’t work and it never has. It doesn’t even work on me.

Why not?

I believe the reason is that for years we’ve been misdiagnosing the problem we thought we were solving. Consequently, we treated password reuse as a form of misbehavior that could be corrected rather than seeing it for what it is—a rational response to an impossible situation.

As computer and internet use exploded over the past forty years, the number of passwords each of us must remember has climbed precipitously.

The companies that make password managers are in broad agreement that we’re currently averaging a little less than 100 passwords each. Dashlane said its users have about 90 passwords; NordPass puts the figure at 70-80; and LastPass says it’s 85 passwords for employees of SMBs, and 25 passwords for people working in enterprises.

Me? I’ve got 742, and I’ve used 200 in the past year.

It simply isn’t possible to remember that many passwords, and the number of passwords we need to know probably exceeded the number we can remember decades ago.

In 2012, a group of researchers gave us a big clue about how small our capacity for remembering passwords is by looking at how often users forgot theirs, or got them mixed up. 84 percent of users with 7-9 passwords reported problems, and there was a precipitous decline in recall between users remembering 1-3 passwords and those remembering 4-6.

The sense that we can, at best, remember just a handful of passwords is reinforced by more research from 2018. In this study the participants had just 13 accounts each. Despite this relatively modest number, 91 percent resorted to password reuse, choosing to service their accounts with an average of 5.8 passwords each.

It was a snapshot of what had happened everywhere.

In the face of an ever-growing gap between the number of accounts and the number of passwords they could remember, users did the only things that made sense: They made their passwords weaker, so they were easier to remember; they wrote them down; and they reused them.

The collective response of the security community was to tell them to STOP: Don’t write them down; stop making them simpler; stop reusing them; and by the way please make every password a mixture of no fewer than fourteen uppercase, lowercase and wacky characters; oh, and please change your impossibly complex password for a different impossibly complex password as often as you change your underwear.

We should not have been surprised when we were completely ignored.

Nevertheless, we persisted for years. Some of the advice got better, but the bits about making strong passwords and not reusing them didn’t change even though password reuse remained endemic, and every data breach brought further evidence that users remain firmly wedded to very bad password choices.

Several years ago, experts at Microsoft Research and Carleton University, Canada did the math that explains what’s going on.

According to their calculations, a conscientious user with 100 unique, random passwords would have to perform an impossible feat of memory—the equivalent of remembering 1,362 random digits, a task that “far exceeds what users can manage by memorization”. You don’t say.

Many users’ first instinct is to make their passwords easier to remember, which makes them less secure. It helps, a bit, but it doesn’t come close to turning a 100-password portfolio into something a normal human can manage.

One of the “Eureka” moments in the research is that users don’t just have to remember their passwords, they have to remember which password goes with which account. Just that task alone is more difficult than remembering the order of a shuffled card deck.

No amount of weakening your passwords can overcome that. The only strategies that work are writing passwords down or reusing them.

One weird trick to improve your passwords

You may be reading this thinking that the answer to all of this is to use a password manager—a piece of software that can generate strong passwords and remember them for you.

Password managers are a potential answer to this problem, and advocating for them has been an important piece of security advice for several years now. However, despite all that advocacy only about 20% of us use one and almost half of us still don’t know what a password manager is. Teaching users to be better users is a long game.

More worryingly, buried deep within a 2016 password reuse study is the startling conclusion (with some caveats) that “third-party password managers do not significantly reduce password re-use across websites.” This probably requires more study, but from a personal perspective I can say that having a password manager has certainly helped my reuse problem, although it has not eliminated it.

But that isn’t password managers’ only trick: They can still generate strong passwords, and that’s good, right? Yes, it is, but we may have been seriously overestimating the importance of them.

In 2019, Microsoft’s Alex Weinert wrote that “When it comes to composition and length, your password (mostly) doesn’t matter.” And he’s not alone in believing that. Password strength just isn’t a factor that affects your security most of the time.

A strong password won’t protect you from a credential stuffing attack, phishing, or keylogging malware, for example.

Avoiding the most common form of attack—password spraying—where attackers use very short lists of very common passwords against lots of targets, requires only that you don’t use one of the 50 worst possible passwords (things like qwerty and 123456). You can have a very bad password indeed and still be safe from everything I’ve mentioned above. A modest password of just six characters or so will protect you from almost any kind of brute force attack conducted across the internet.

The only situation where password strength really matters is in an offline brute force attack where an attacker uses specialist hardware to crack the contents of a stolen password database. These attacks are very rare, but they are the reason you are asked to concoct 14-character masterpieces of uppercase, lowercase and wacky characters.

Solving the difficult edge case of offline password cracking by demanding all users create vastly more complex passwords than they otherwise need, either in their own head or with a password manager, seems like tilting at windmills. Defending against determined and well-resourced adversaries is a job for experts. We should be taking on the burden of defending against these attacks with better password management and storage rather than by demanding better users.

We need to stop and think about all the things we’re asking users to do. The more rules we offer, the less likely people are to follow any of them. And the more rules we offer that subsequently turn out to be counterproductive, such as demanding regular password resets, or valuing special characters over adding more characters, the more credibility we burn.

If we’re going to spend time advocating for a change in behaviour, we should probably pick one thing. And there is something that can make an enormous difference to password security, without users needing to worry about what passwords they use, where they store them and how often they use them: Multi-factor authentication (MFA).

The simple act of having to type in a code from an app alongside your password is a game changer—it kills credential stuffing, password spraying and brute force attacks stone dead.

Weinert: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Even better, while we can advocate for users adopting MFA where it’s available, we aren’t reliant on them listening. The most important thing is to persuade organizations, or better yet groups of organizations or even legislators, that it’s important. When that happens, users are just along for the ride.

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using MFA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Two new Exchange Server zero-days in the wild

Microsoft has issued some customer guidance as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it “is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” The move follows discussion online about whether two new Exchange zero-days are really new vulnerabilities, or just new exploits for known vulnerabilities.

So, let’s start with the most important part: What should you do if you’re tasked with administering an Exchange Server? Microsoft is working on an accelerated timeline to release a fix. In the meantime it’s providing mitigations and detection guidance:

Microsoft Exchange Online customers do not need to take any action.

Users of the on-premises product should add a blocking rule in IIS Manager to block the known attack patterns. According to Microsoft, the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking current attack chains:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add the string .*autodiscover.json.*@.*Powershell.* and click OK.
  • Expand the rule, select the rule with the Pattern .*autodiscover.json.*@.*Powershell.*, and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}.

The instructions above can be found on the Microsoft blog, with screenshots. It adds that there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
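The same pattern the rewrite rule blocks can be applied to IIS W3C log files to check whether matching requests already reached a server before the rule was in place. This is an added example, not code from the article or from Microsoft: the log lines are constructed, and the script percent-decodes the request URI before matching (a choice of this example, so that the match does not depend on how a request was encoded) and matches case-insensitively, which is the URL Rewrite module's default.

```python
import re
from typing import Dict, Iterator, List
from urllib.parse import unquote

# Pattern from the URL Rewrite mitigation above. It is applied to the full
# request URI (path plus query string), which is what {REQUEST_URI} holds.
ATTACK_PATTERN = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not a real capture). The field list is a
# subset of the IIS defaults; 192.0.2.x / 198.51.100.x / 203.0.113.x are
# documentation address ranges, and "placeholder" stands in for any host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:01:12 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2022-09-30 08:01:13 10.0.0.5 POST /autodiscover/autodiscover.json a=@placeholder/powershell 443 - 198.51.100.7 python-requests/2.28 200
2022-09-30 08:01:14 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.test 443 - 192.0.2.11 Outlook/16.0 200
2022-09-30 08:01:15 10.0.0.5 POST /autodiscover/autodiscover.json a=%40placeholder/PowerShell 443 - 203.0.113.9 curl/7.85 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Header lines can repeat when the log is rotated; take the latest.
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry appears before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines rather than misalign fields
        yield dict(zip(fields, parts))


def request_uri(entry: Dict[str, str]) -> str:
    """Rebuild the request URI the way {REQUEST_URI} sees it: stem plus query."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    # Decode percent-encoding so "%40" and "@" are treated the same.
    return unquote(uri)


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return the entries whose request URI matches the blocking pattern."""
    hits = []
    for entry in parse_w3c(text):
        uri = request_uri(entry)
        if ATTACK_PATTERN.match(uri):
            hits.append({
                "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                "client": entry.get("c-ip", "?"),
                "status": entry.get("sc-status", "?"),
                "uri": uri,
            })
    return hits


def scan_file(path: str) -> List[Dict[str, str]]:
    """Convenience wrapper for a real log file (IIS writes these as UTF-8/ASCII)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['uri']}")
```

A legitimate Autodiscover request carrying an email address (third sample line) is not flagged, because the pattern also requires "powershell" to follow the "@". For real logs, remember that a 200 status on a matching request means the rule was not yet in place; once the blocking rule is active, matching requests should appear with the blocking status instead.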

Another option is to block the ports that are used for Remote PowerShell—HTTP: 5985 and HTTPS: 5986.

The vulnerabilities

The vulnerabilities were discovered by GTSC while performing security monitoring and incident response services. It was able to assess that the attacks were based on exploit requests with the same format as ProxyShell. But the servers being attacked had all the latest updates, including those that stop ProxyShell.

The attacks were used to drop web shells on the Exchange servers—a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised computer.

According to security researcher Kevin Beaumont, a significant number of Exchange servers have been backdoored. But he adds that this is not unusual, since the patching process is apparently such a mess that people end up on old Cumulative Updates and don’t patch ProxyShell properly.

On his blog on the subject he points out that if you don’t run Microsoft Exchange on-premises, and don’t have Outlook Web App (OWA) facing the internet, you are not impacted either. In addition, Microsoft also notes that attackers need authenticated access to the vulnerable Exchange Server in order to exploit either of the two vulnerabilities associated with these attacks.

The vulnerabilities, which are chained together, are:

CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to other services within an organization’s infrastructure.

CVE-2022-41082, a vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Fast Company hacked to send obscene and racist messages

Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments.

Fast Company was hacked on Sunday, September 25. The attacker responsible modified article titles to obscene and racist things:

“Hacked by Vinny Troia. [redacted] tongue my [redacted]”, one title read.

This is what Fast Company looked like after it was hacked by an actor named “Thrax.”

Fast Company took its site offline to fix the defacement but the hacker successfully got in again on Tuesday via content management system WordPress, in order to push the same offensive text to its followers on Apple News.

Fast Company tweeted on Wednesday:

On Thursday, Fast Company’s website was displaying a statement regarding the hack on a black background.

“The messages are vile and are not in line with the content and ethos of Fast Company.”

While the company is working to resolve what happened, it said it will continue publishing stories on its social channels, including Facebook, LinkedIn, and TikTok.

Speaking with BleepingComputer, “Thrax” revealed how they hacked Fast Company’s website.

Thrax claimed they infiltrated Fast Company after bypassing basic HTTP authentication that secured the WordPress instance the company uses for their website. They then used a default password in “dozens” of accounts to take control of the CMS.

They then stole Auth0 tokens, Apple News API keys, and Amazon SES secrets. Using the tokens, “Thrax” says they created admin accounts on the CMS systems, which were then used to push out the notifications to Apple News.

Optus data breach “attacker” says sorry, it was a mistake

Since Australian telecoms company Optus disclosed a security breach on September 22, 2022, a lot has been happening.

Much of it reads like a movie script.

Prologue

A hacker acting under the pseudonym “optusdata” claims to have stolen the data of 10 million Optus customers. The information included home addresses, drivers’ licenses, Medicare numbers, and passport numbers. No passwords or financial details have been compromised.

Optus disclosed the breach on a dedicated page on its website. According to Kelly Bayer Rosmarin, Optus’ CEO:

“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”

At this point we don’t know what exactly happened, but as always there are some interesting theories about it.

Optus says it has sent an email or SMS message to all the customers whose identification document numbers, such as driver’s license or passport number, were compromised as a result of the cyberattack.

Extortion

On an online forum, optusdata threatened to publish the data of 10,000 Optus customers per day unless they received $1 million in cryptocurrency. They began by posting the data of 10,200 customers.

In a definitely related activity, but probably not by the same threat actor, victims of the data breach have also started to receive text messages saying they must pay AUD 2,000 ($1,300) within two days or their data will be sold on for “fraudulent activity”. While the texts include the name “OptusData” it is probably not the same person, and more likely to be someone who has just gained access to the partial dataset that the original threat actor leaked.

Too much attention

The Australian Federal Police in cooperation with the FBI and other law enforcement organizations are investigating the data breach, and have launched Operation Hurricane.

“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities. Criminals, who use pseudonyms and anonymizing technology, can’t see us but I can tell you that we can see them.”

Apparently the heat has grown beyond what the threat actor could bear. In a statement on a forum where they announced the hack, they wrote:

“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy)

Sorry too 10.200 Australian whos data was leaked.

Australia will see no gain in fraud, this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you.

Deepest apology to Optus for this. Hope all goes well from this

Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.

Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.”

Note: I left the typos alone since they may give an expert some clues about the writer’s first language.

Happy end?

Let’s start with the good news.

Australian victims of the Optus breach will be able to change their driver’s license numbers and get new cards. The New South Wales, Victoria, Queensland, and South Australia governments have started clearing bureaucratic hurdles for anyone who can prove they are victims of the hack. Optus is expected to bear the multimillion-dollar cost of the changeover.

There is also talk about a class action lawsuit.

Optus is offering customers the option to take up a 12-month subscription to a credit monitoring and identity protection service.

The Commonwealth Bank confirmed it had identified and blocked the account of the SMS extortionist.

All the customers who have an unexpired Medicare card will be contacted by Optus. There are a further 22,000 expired Medicare card numbers that were exposed, and the holders of those cards will also be contacted directly. It’s worth noting that Optus says personal information cannot be accessed using just a Medicare number.

The bad news is, of course, in the uncertainty. Can we really trust the threat actor when they claim they have deleted the data? They have proven to be a criminal, so why would we take their word for it? We can’t even be a hundred percent sure that the person posting that statement is the actual holder of the data.

So, stay safe and be on the lookout for the phishing campaigns that will undoubtedly try to bank on these events.

We will keep you updated here if the plot decides to take another turn.