A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...]

After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.

CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.

The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.

An anonymous reader quotes a report from 404 Media: John Binns, a U.S. citizen who has been incarcerated in Turkey, is linked to the massive data breach of metadata belonging to nearly all of AT&T's customers that the telecommunications giant announced on Friday, three sources independently told 404 Media. [...] As 404 Media reported in January, Binns has already been indicted for allegedly breaking into T-Mobile in 2021 and selling stolen data on more than 40 million people. Now, he is allegedly connected to the latest breach against AT&T, which the company said it detected in April.

The AT&T data was lifted from a Snowflake instance, a data warehousing tool, AT&T told 404 Media. Snowflake has been at the center of a series of massive and high profile breaches, including Ticketmaster and Santander. In a blog post published in June which covered a threat actor targeting Snowflake instances, cybersecurity company Mandiant said the threat actor, which it dubs UNC5537, "comprises members based in North America, and collaborates with an additional member in Turkey." In its breach announcement, AT&T said authorities had already apprehended one of the people involved in the breach. Binns was recently arrested and detained in Turkey, The Desk reported in May. That report, which is the last public information about his whereabouts, says he was detained following an extradition request from the U.S. Before he was arrested, Binns told 404 Media in January that he had "reasons to not be concerned" about being extradited.

Samsung unveiled new wearable devices at its Unpacked event earlier this week, drawing comparisons to Apple's offerings. The Galaxy Watch Ultra, set for release on July 24, bears striking similarities to Apple's Watch Ultra 2 launched last September. Both feature titanium cases, orange-accented buttons, and specialized bands. Samsung's version, priced at $650, undercuts Apple's $800 model. Business Insider adds: But the strategy has its downsides. If you spot someone wearing Galaxy Watch Ultra, there's a good chance you'd mistake it for Apple's model -- which doesn't help Samsung differentiate itself. In a statement to Business Insider, Samsung said that the design choices for its new smartwatch were "made to ensure comfort, usability, and durability in a variety of use cases." It didn't mention what went into naming the device.

The similarities extend to Samsung's new earbuds. The Galaxy Buds 3 Pro and the Galaxy Buds 3 -- also announced at Unpacked -- got a revamp that steps away from previous designs to make Samsung's Bluetooth earbuds shaped more like Apple AirPods. The Galaxy Buds 2 Pro are stemless and come in light purple, but their successor only comes in silver or white. Similar to the AirPods Pro, Galaxy Buds 3 Pro owners will be able to control their earbuds with gestures.

Indonesia said it is beginning to recover data that had been encrypted in a major ransomware attack last month which affected more than 160 government agencies. From a report: The attackers identified as Brain Cipher asked for $8 million in ransom to unlock the data before later apologising and releasing the decryption key for free, according to Singapore-based cybersecurity firm StealthMole. The attack has disrupted multiple government services including immigration and operations at major airports. Indonesian officials have acknowledged that the bulk of the data had not been backed up. Chief Security Minister Hadi Tjahjanto said in a statement late on Thursday that data for 30 public services overseen by 12 ministries had been recovered using a "decryption strategy" without elaborating.

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of "nearly all" of its customers. TechCrunch: In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages -- such as who contacted who by phone or text -- during a six-month period between May 1, 2022 and October 31, 2022. AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T's network, the company said. [...] In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.

An anonymous reader quotes a report from TechCrunch: A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it. Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service. The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker's Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as "stalkerware" because people in romantic relationships often use them to surveil their partner without consent or permission. The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim's phone, to remotely view the phone's contents in real-time. As is common with phone spyware, mSpy's customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch's review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department's watchdog, and an Arkansas county sheriff's office seeking a free license to trial the app. Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy's overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher. mSpy's owners, a Ukraine-based company called Brainstack, have yet to publicly disclose the breach. You can visit Have I Been Pwned to see if your email address was involved in a breach.

snydeq shares a report from CSO Online, written by Lucian Constantin: A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation's director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub. [...] The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes. "Although we encounter many secrets that are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands -- one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," researchers from security firm JFrog, who found and reported the token, wrote in a report.

Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It's the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April. TechCrunch: In its communication to affected users, Apple stressed the sensitive nature of its threat identification methods, cautioning that divulging additional details could potentially aid attackers in evading future detection. Apple has also made a notable shift in its language since last year, opting to describe these incidents as "mercenary spyware attacks" instead of the previously used term "state-sponsored" attacks.

Microsoft is under fire for its handling of customer notifications following a data breach by Russian state-sponsored hackers. The tech giant confirmed in March that the group known as Midnight Blizzard had accessed its systems, potentially compromising customer data. Cybersecurity experts, including former Microsoft employee Kevin Beaumont, have raised concerns about the notification process. Beaumont warned on social media that the company's emails may be mistaken for spam or phishing attempts due to their format and the use of unfamiliar links. "The notifications aren't in the portal, they emailed tenant admins instead," Beaumont stated, adding that the emails could be easily overlooked. Some recipients have reported confusion over the legitimacy of the notifications, with many seeking confirmation through support channels and account managers.

An anonymous reader shares a report: A CNN investigation found the use of hidden cameras is a persistent problem in the industry. Regulations are sparse, and the punishments for those that commit these crimes are lenient -- video voyeurism is typically charged as a misdemeanor. Meanwhile, the people who are recorded -- often naked or engaging in sexual activities -- say they suffer from long-term trauma and the fear that their images could, at any moment, be disseminated on the internet. An Airbnb spokesperson told CNN that hidden camera complaints are rare, but when they do occur, "we take appropriate, swift action, which can include removing hosts and listings that violate the policy."

At a court-ordered deposition last year, an Airbnb representative was supposed to answer a key question from the attorney suing the company: How many complaints or reports had been made to Airbnb since December 1, 2013, of people who had been recorded by surveillance devices? The Airbnb representative testified that the company generated 35,000 customer support tickets about surveillance devices in the preceding decade. An Airbnb spokesperson told CNN that a single report could create multiple tickets. The company declined to specify how many unique complaints there have been. In the deposition, which has not been previously reported, the company representative sought to downplay the significance of the number of tickets, testifying they could reflect instances such as a malfunctioning doorbell camera or a tablet with recording capabilities left out on a coffee table. The representative did not provide any statistics detailing the number of claims she suggested were innocuous among the 35,000 tickets.

Google has streamlined its Advanced Protection Program, allowing users to enroll using a single passkey instead of two physical security keys. The program, designed for individuals at high risk of targeted online attacks, now uses built-in biometric authentication on Pixel phones and iPhones.

wiredmikey shares a report from SecurityWeek: Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections. The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, ISPs, and telcos are exposed to major risk. The vulnerability is being tracked as CVE-2024-3596 and VU#456537. "The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network," the research team explained (PDF).

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products. "All of those devices are likely vulnerable to this attack," the researchers warned. "The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will," according to the InkBridge Networks documentation. The researchers say that every single RADIUS server must be upgraded in order to protect against this vulnerability. "It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable."

The Federal Communications Commission said it is preparing to block a phone company that carried illegal robocalls pushing fake programs that promised to wipe out consumers' tax debt. From a report: Veriwave Telco "has not complied with FCC call blocking rules for providers suspected of carrying illegal traffic" and now has two weeks to contest an order that would require all downstream voice providers to block all of the telco's call traffic, the FCC announced yesterday.

Robocalls sent in the months before tax filing season "purported to provide information about a 'National Tax Relief Program' and, in some instances, also discussed a 'Tax Dismissal Program,'" the FCC order said. "The [Enforcement] Bureau has found no evidence of the existence of either program. Many of the messages further appealed to recipients with the offer to 'rapidly clear' their tax debt." Call recipients who listened to the prerecorded message and chose to speak to an operator were then asked to provide private information. Nearly 16 million calls were sent, though it's unclear how many went through Veriwave.

williamyf writes: Mozilla has released version 128 of the Firefox web browser. Some noteworthy features include: "Firefox can now translate selections of text and hyperlinked text to other languages from the context menu. [...] Firefox now has a simpler and more unified dialog for clearing user data. In addition to streamlining data categories, the new dialog also provides insights into the site data size corresponding to the selected time range. [...] On macOS, microphone capture through getUserMedia will now use system-provided voice processing when applicable, improving audio quality." More info in the release notes here.

But the most important feature of 128 is that it is the newest ESR. Why is this important? Glad you asked:

* Firefox ESR is the browser of choice for many Linux distros (including Debian), so this is important for the Linux community at large.
* Many downstream projects (like Thunderbird or KAiOS) use Firefox ESR as their base, so whatever is included in 128 will determine the capabilities of those projects for the next year.
* Many ISVs (software makers), both big and small, test/certify their software only against the ESR version of Firefox. For users of such software, the new ESR is very important.
* Many companies and individuals value stability of the UI/Workflow over new bells and whistles, for them, ESR is important.
* When an OS is discontinued, Mozilla lets the ESR be the last browser on the platform, exceeding the support window of the likes of Alphabeth, Apple or Microsoft, so for people on older OSs, ESR is important.

Link to download (the ESR) here.

Australia's government cybersecurity agency on Tuesday accused a China-backed hacker group of stealing passwords and usernames from two unnamed Australian networks in 2022, adding that the group remained a threat. From a report: A joint report led by the Australian Cyber Security Centre said the hackers, named APT40, had conducted malicious cyber operations for China's Ministry of State Security, the main agency overlooking foreign intelligence. "The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40," said the report, which included inputs from lead cyber security agencies for the United States, Britain, Canada, New Zealand, Japan, South Korea and Germany. U.S. and British officials in March had accused Beijing of a sweeping cyberespionage campaign that allegedly hit millions of people including lawmakers, academics and journalists, and companies including defense contractors. They said China-backed "APT31" was responsible for the network intrusion.

Google will extend its Dark Web monitoring service to all account holders starting late July 2024, following the closure of its VPN offering last month. The feature, which scans for personal data compromised in breaches, was previously exclusive to Google One subscribers in dozens of countries.

An anonymous reader shares a report: Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare. While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews' Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches. "In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.

An anonymous reader shares a report: Microsoft is finally rolling out spellcheck and autocorrect for its Notepad app in Windows 11, more than 40 years after the simple text editor was first introduced in Windows in 1983. The software giant started testing both features in March, and has now quietly started enabling them for all Windows 11 users in recent days. The spellcheck feature in Notepad is almost identical to how Word or Edge highlight misspelled words, with a red underline to clearly show mistakes.

Workers at delivery company Shipt "found that their paychecks had become...unpredictable," according to an article in IEEE Spectrum. "They were doing the same work they'd always done, yet their paychecks were often less than they expected. And they didn't know why...."

The article notes that "Companies whose business models rely on gig workers have an interest in keeping their algorithms opaque." But "The workers showed that it's possible to fight back against the opaque authority of algorithms, creating transparency despite a corporation's wishes." On Facebook and Reddit, workers compared notes. Previously, they'd known what to expect from their pay because Shipt had a formula: It gave workers a base pay of $5 per delivery plus 7.5 percent of the total amount of the customer's order through the app. That formula allowed workers to look at order amounts and choose jobs that were worth their time. But Shipt had changed the payment rules without alerting workers. When the company finally issued a press release about the change, it revealed only that the new pay algorithm paid workers based on "effort," which included factors like the order amount, the estimated amount of time required for shopping, and the mileage driven. The company claimed this new approach was fairer to workers and that it better matched the pay to the labor required for an order. Many workers, however, just saw their paychecks dwindling. And since Shipt didn't release detailed information about the algorithm, it was essentially a black box that the workers couldn't see inside.

The workers could have quietly accepted their fate, or sought employment elsewhere. Instead, they banded together, gathering data and forming partnerships with researchers and organizations to help them make sense of their pay data. I'm a data scientist; I was drawn into the campaign in the summer of 2020, and I proceeded to build an SMS-based tool — the Shopper Transparency Calculator [written in Python, using optical character recognition and Twilio, and running on a home server] — to collect and analyze the data. With the help of that tool, the organized workers and their supporters essentially audited the algorithm and found that it had given 40 percent of workers substantial pay cuts...

This "information asymmetry" helps companies better control their workforces — they set the terms without divulging details, and workers' only choice is whether or not to accept those terms... There's no technical reason why these algorithms need to be black boxes; the real reason is to maintain the power structure... In a fairer world where workers have basic data rights and regulations require companies to disclose information about the AI systems they use in the workplace, this transparency would be available to workers by default.
The tool's creator was attracted to the idea of helping a community "control and leverage their own data," and ultimately received more than 5,600 screenshots from over 200 workers. 40% were earning at least 10% less — and about 33% were earning less than their state's minimum wage. Interestingly, "Sharing data about their work was technically against the company's terms of service; astoundingly, workers — including gig workers who are classified as 'independent contractors' — often don't have rights to their own data...

"[O]ur experiment served as an example for other gig workers who want to use data to organize, and it raised awareness about the downsides of algorithmic management. What's needed is wholesale changes to platforms' business models... The battles that gig workers are fighting are the leading front in the larger war for workplace rights, which will affect all of us. The time to define the terms of our relationship with algorithms is right now."

Thanks to long-time Slashdot reader mspohr for sharing the article.

An anonymous reader quotes a report from The Register: The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen. Hanna -- the name she goes by -- is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute. The 36-year-old research culture manager at King's College London and former researcher in health sciences was diagnosed with HER2-positive breast cancer in late 2023. It's an aggressive form known for spreading faster and is more commonly recurring, which necessitates urgent treatment. Hanna soon began a course of chemotherapy following her diagnosis until she was able to have what will hopefully be the first and only major procedure to remove the disease. Between then and the operation, which was scheduled for June 7 -- four days after the ransomware attack was carried out -- she had been told repeatedly that the planned procedure was a skin-sparing mastectomy which would have allowed surgeons to cosmetically reconstruct her right breast immediately after the operation.

How the ordeal actually unraveled, however, was an entirely different story. Hanna was given less than 24 hours by doctors to make the daunting decision to either accept a simple mastectomy or delay a life-changing procedure until Synnovis's systems were back online. The decision was thrust upon her on the Thursday afternoon before her Friday surgery. This was after she was forced to chase the medical staff for updates about whether the procedure was going ahead at all. Hanna was told on the Tuesday of that week, the day after Qilin's attack, that despite everything going on, the staff at St Thomas' hospital in London were still planning to go ahead with the skin-sparing mastectomy as previously agreed. Per the updates Hanna requested on Thursday, it was strongly suggested that the operation was going to be canceled. The hospital deemed the reconstruction part of the procedure too risky because Synnovis was unable to support blood transfusions until its systems were back online.

The ransomware attack wasn't easy on hospitals. The situation was so dire that blood reserves were running low just a week after the attack, prompting an urgent appeal for O-type blood donations. For Hanna, though, this meant she had to make the unimaginably difficult choice between the surgery she wanted, or the surgery that would give her the best chance at survival. The mother of two young children, aged four and two, felt like she had no other choice but to accept the simple mastectomy, leaving her with only one breast. [...] At the time of writing, it's now nearly five weeks since Qilin's attack on Synnovis -- a pathology services partnership between Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust. The most recent update provided by the NHS said disruption to services was still evident across the region, although some services such as outpatient appointments are returning to near-normal levels. Between June 24-30, there were 1,517 cute outpatient appointments and 136 electric procedures that needed to be postponed across the two NHS trusts partnered with Synlab. "The total number of postponements for the entire month since the attack took hold (June 3-30) stand at 4,913 for acute outpatient appointments and 1,391 for elective procedures," notes the report.