More stories

  • iVerify (version 17)

    iOS Haptic Touch

    Just long-press on an app and see what pops up. It might be useful, it might not be. It depends on the app! You can even do the same with built-in iOS features, such as Control Center.
  • Avaddon ransomware group closes shop, sends all 2,934 decryption keys to BleepingComputer

    Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that it is shutting the operation down and giving thousands of victims a decryption tool for free. BleepingComputer’s Lawrence Abrams said he was sent an anonymous email with a password and link to a ZIP file named “Decryption Keys Ransomware Avaddon.” The file had decryption keys for 2,934 victims of the Avaddon ransomware. The startling figure is another example of how many organizations never disclose attacks, as some reports had previously attributed just 88 attacks to Avaddon. Abrams worked with Emsisoft chief technology officer Fabian Wosar and Coveware’s Michael Gillespie to check the files and verify the decryption keys. Emsisoft created a free tool that Avaddon victims can use to decrypt files. Ransomware gangs — like those behind Crysis, AES-NI, Shade, FilesLocker, Ziggy — have at times released decryption keys and shut down for a variety of reasons. A free Avaddon decryption tool was released by a student in Spain in February, but the gang quickly updated their code to defeat it.

    “This isn’t new and isn’t without precedent. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations,” Wosar told ZDNet. “Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated.”

    Wosar added that the people behind Avaddon had probably made enough money doing ransomware that they had no reason to continue. According to Wosar, ransom negotiators have been noticing an urgency when dealing with Avaddon operators in recent weeks. Negotiators for the gang have been caving “instantly to even the most meager counter offers during the past couple of days.” “So this would suggest that this has been a planned shutdown and winding down of operations and didn’t surprise the people involved,” Wosar explained. Data from Recorded Future has shown that Avaddon accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. An eSentire report on ransomware said Avaddon was first seen in February 2019 and operated as a ransomware-as-a-service model, with the developers giving affiliates a negotiable 65% of all ransoms. “The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom,” the report said. “What’s interesting about this ransomware group is the design of its Dark Web blog site. They not only claim to provide full dumps of their victims’ documents, but they also feature a Countdown Clock, showing how much time each victim has left to pay. And to further twist their victims’ arms, they threaten to DDoS their website if they don’t agree to pay immediately.”

    The group has a lengthy list of prominent victims that includes Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government’s airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations like Bridgeway Senior Healthcare in New Jersey, Capital Medical Center in Olympia, Washington and others. The gang made a point of publishing the data stolen during ransomware attacks on its dark web site, DomainTools researcher Chad Anderson told ZDNet last month. Both the FBI and the Australian Cyber Security Centre released notices last month warning healthcare institutions about the threat of Avaddon ransomware.

    The notice said “Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered (‘Avaddon General Decryptor’) if payment is made.” The group was also implicated in multiple attacks on manufacturing companies across South America and Europe, according to the Australian Cyber Security Centre. Cybersecurity firm Flashpoint said that alongside REvil, LockBit, and Conti, Avaddon was one of the most prolific ransomware groups currently active. Digital Shadows’ Photon Research Team told ZDNet in May that a forum representative for the Avaddon ransomware took to the Exploit forum to announce new rules for affiliates that included bans on targeting “the public, education, healthcare, and charity sectors.” The group also banned affiliates from attacking Russia or any other CIS countries. US President Joe Biden is expected to press Russian President Vladimir Putin on ransomware attacks at a summit in Geneva on June 16.

  • Apple will finally give iPhone and iPad users an important choice to make

    I’ve long believed that Apple should separate security updates from iOS and iPadOS releases and allow iPhone and iPad users to choose whether they want to upgrade or stick with the current release and continue to receive security updates. Come the launch of iOS 15 and iPadOS 15, iPhone and iPad users will get this exact choice.

    The page listing the features for both iOS 15 and iPadOS 15 outlines the change.

    Here is the relevant bit from the iOS 15 page: “iOS now offers a choice between two software update versions in the Settings app. You can update to the latest version of iOS 15 as soon as it’s released for the latest features and most complete set of security updates. Or continue on iOS 14 and still get important security updates until you’re ready to upgrade to the next major version.” The iPadOS 15 page contains similar language. Of course, there are questions around this.

    For example, will users get to choose what path to take, or will the iOS 15 opt-out feature be buried deep in the settings where few will see it? How long will Apple continue to offer updates for iOS 14? Will it be for the duration of the iOS 15 lifecycle (after which, will iOS 14 users have to choose to move to iOS 15 or iOS 16), or for a limited period? Also, will users who have upgraded to iOS 15 be able to roll back to iOS 14? Currently, Apple prevents rolling back by not signing earlier releases of iOS, for obvious security reasons.

    All this said, it’s a good thing that Apple is giving users this choice, because it will mean iPhone and iPad users will be able to get security updates without having to take on a whole new release. This will be of particular interest to those running older hardware that might experience performance issues running under the weight of iOS 16.

    Interestingly, it seems that Apple Watch users will have to upgrade to watchOS 8 to get updates, because there is no mention of staying on watchOS 7 anywhere in what Apple has published.

    What will you do? Upgrade immediately to iOS 15, or sit back and play a wait-and-see game on iOS 14?

  • DOJ charges cybersecurity official for attack on Georgia hospital

    The Justice Department filed charges against a former cybersecurity official this week over a 2018 cyberattack on Gwinnett Medical Center in Georgia. Vikas Singla was indicted for allegedly stealing information from a digitizing device while also disrupting the hospital’s phone and printer services. While the indictment did not name the company the 45-year-old worked for, Bleeping Computer reported he was chief operating officer of a healthcare-focused network security firm called Securolytics. The Marietta native allegedly had help with the attack. The indictment said Singla was “aided and abetted by unknown others” on September 27, 2018, when he hacked into the hospital’s Ascom phone system as well as a series of Lexmark printers and a Hologic R2 Digitizer.

    Singla appeared before US Magistrate Judge Linda Walker of the U.S. District Court for the Northern District of Georgia on Thursday and was charged with 17 counts of intentional damage to a protected computer. Each count carries a sentence of up to 10 years in prison. He is also facing a charge of obtaining information by computer from a protected computer.

    Less than a month after the intrusion, Gwinnett Medical Center began investigating its own systems after patient information appeared online, according to ZDNet. It traced the breach back to an IT intrusion on September 29 — just two days after Singla’s alleged actions — and said the attackers were threatening the 500-bed non-profit hospital.

    After three days, the attackers released full names, dates of birth, and gender of some patients while also boasting to news outlets about their access to the hospital’s systems. One of the attackers, angry that the hospital initially denied it was hacked, messaged security blog Salted Hash to tout their control of the hospital, writing, “does GMC have control of this system. The answer is no. The last time we checked, we own their Ascom system and their data.” The FBI and Justice Department did not say whether the two attacks were connected, but Acting US Attorney for Georgia Kurt Erskine said Singla “allegedly compromised Gwinnett Medical Center’s operations in part for his own personal gain.” Chris Hacker, Special Agent in Charge of the FBI’s Atlanta Field Office, added that the cyberattack could have had disastrous consequences and noted that patients’ personal information was compromised due to Singla’s alleged actions.

  • Lax security around URL shortener exposed PII of US retailer Carter’s customer base

    US retailer Carter’s accidentally exposed the personally identifiable information (PII) of potentially hundreds of thousands of customers.

    On Friday, vpnMentor said the incident was not caused by an unsecured bucket or misconfiguration in a cloud storage system — as is often the case when it comes to accidental leaks — but rather a “simple oversight” in the firm’s online order tracking infrastructure. The breach, discovered through a web mapping project underway at vpnMentor, was caused by a failure to implement authentication for a popular URL shortener tool used on the retailer’s US e-commerce domain. Carter’s is a major retailer for baby clothing and apparel in the United States which now operates worldwide. The company generated over $3 billion in revenue during 2020.

    When a purchase was made through the Carter’s US website, the vendor would automatically send the customer a shortened URL to access a purchase confirmation page. However, the lack of security around the URLs themselves, together with no authentication to verify the customer, was problematic. The confirmation pages, generated by Linc’s automation platform, contained a variety of customer PII — and to add another potential problem, the links never expired, allowing anyone to access these pages at will, at any time, alongside backend JSON records. Information exposed on these pages included full names, physical addresses, email addresses, phone numbers, shipping tracker IDs, as well as purchase and transaction details.

    “Due to the massive volume of sales Carter’s enjoys every year, this simple but drastic oversight exposed 100,000s of people to fraud, theft, and many other dangers,” the researchers say. Due to the nature of the flaw, the exact number of records exposed is unknown. However, the team estimates that over 410,000 records could have been open to abuse, with the potential impact including phishing, social engineering, and identity theft. Carter’s was informed of the security breach on March 22, five days after the initial discovery. Contact was made on March 30, and initially the retailer asked vpnMentor to submit its findings through Bugcrowd. However, Carter’s eventually accepted the direct report and the shortened URLs were pulled between April 4 and 7. ZDNet has reached out to Carter’s but had not heard back at the time of publication.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Apple should fix this privacy issue, not try to keep it quiet

    The story that an iPhone owner’s personal data was leaked online while it was in the hands of an authorized Apple repair center should bring chills to any owner of Apple hardware out there. And Apple’s response to the matter is even more worrying. This incident happened in 2016 at a Pegatron facility in California.

    It’s quite shocking. Our devices contain a vast array of private and personal data, ranging from health and financial data to our communications, movements, and personal photos and videos. The idea that someone could be going through this when a device is in for repair, and go as far as to share that information, is appalling.

    Apple is a company that claims to put privacy at the core of everything it does. And yet, everything about how it handled this, through to its inaction since, suggests Apple is more concerned about its image than about user privacy.

    The fact that Apple’s involvement in this was kept confidential, becoming public only as a result of a legal dispute between Pegatron and its insurer over the cost, doesn’t look good. Now, there are always going to be people who end up in positions of trust that shouldn’t be trusted. It’s a fact of life. But Apple is supposedly leading the way when it comes to user privacy, and that should include the privacy of users wanting their devices repaired. It’s unclear here whether the repair center asked for access to the iPhone in question, or whether the device was unprotected, but either way, the best way to prevent this from happening is to make it so that it can’t happen.

    Just as some cars, such as Tesla, have a valet mode that secures certain features of the vehicle from access, Apple needs to implement a similar feature for its devices. This “repair mode” feature would allow repairers access to the device but no access to any of the data on the device. This would be a great addition to newer devices, closing a privacy loophole. I would also expect authorized repair centers to offer an environment where snooping on data, and being able to copy or share it, would be hard to do. I’ve seen secured repair facilities where CCTV is in use, the test networks don’t have access to the internet and are managed, and employees are not allowed to bring their own tech into the repair areas. This is somewhat extreme, but as users are asked to trust Apple with more and more of their data, there needs to be a barrier between repair agents and the user’s personal data. An alternative is a secure backup followed by a wipe before a device is handed over for repair, with the data reloaded following the repair.

    I know that companies try to cut costs when it comes to repair, especially when it comes to warranty work, but for a company rolling in cash, that’s a poor excuse. Also, while taking control of the privacy and security of user data during repair sounds costly, privacy breaches are costly too, both in monetary terms and in bad publicity. Apple does offer users tips on getting their device ready for service, which shifts the responsibility to the user. The problem is that, depending on what’s wrong with a device or how it is damaged, this is not always possible. For example, on an iPhone with a dead screen, suffering from water intrusion, or stuck in a boot loop, this isn’t going to be possible. Owners should be confident they can send in their hardware for service without having that data snooped on, even if they can’t securely erase it. You might also think that this is a lot for Apple to do in response to a single case from 2016, but given that Apple wanted to keep this quiet, we must bear in mind that this could be the one case we know of out of many that we don’t.

    Suppressing its involvement in these things isn’t helping secure end users. It just allows Apple to pretend that it’s not an issue. And it clearly is a problem.

  • Card Broken: 1000 arrests made in Chinese crackdown on fraud, cryptocurrency laundering

    Chinese law enforcement has made over 1,100 arrests in a nationwide crackdown on telecoms and banking fraud.

    The Ministry of Public Security announced the operation on June 9, dubbed “Card Broken,” which aims to destroy criminal gangs that are conducting cybercriminal activities. In particular, Card Broken is focused on telecommunications network fraud, including the sale of phone and payment cards and of money laundering services across China and across borders. The department specifically notes “coin farmers” as being involved, in which accomplices or members of criminal groups facilitate money laundering through cryptocurrency to avoid the scrutiny of law enforcement in the country. Coin farmers would allegedly sign up for different cryptocurrency exchanges and set up personal accounts. These traders would then buy or sell cryptocurrency based on their handler’s instructions and funds issued to them. The virtual currency would then be sent to wallets controlled by gang members and moved on elsewhere. In return for their activity, coin farmers would receive a commission of between 1.5% and 5%. “The high illegal income attracts a large number of people to participate, causing serious social harm,” the department says.

    Now in its fifth leg, the operation homed in on the criminal chains behind these activities, breaking up at least 170 allegedly criminal groups. Action has been taken by law enforcement in provinces including Beijing, Hebei, and Shanxi. In total, the Card Broken operation has resulted in the destruction of roughly 15,000 gangs, and 311,000 individuals suspected of involvement have been arrested, according to the ministry. China has taken a tough stance on cryptocurrency, outlawing exchanges and warning that trading disrupts “economic and financial order.” While individuals are still allowed to own cryptocurrency assets, three state-backed financial authorities recently issued a joint warning reminding citizens that cryptocurrency cannot play a part in Chinese financial activities.

  • Feds strike Slilpp, a marketplace for flogging initial access credentials

    Law enforcement has seized one of the largest marketplaces for selling stolen account credentials.

    The website’s infrastructure has been taken over by the police, according to the US Department of Justice (DoJ). A seizure warrant affidavit unsealed on Thursday outlined Slilpp’s past activities. In operation since at least 2012, the marketplace — with domains on both the clear and dark web — offered stolen credentials for services including PayPal, Wells Fargo, Amazon, Chase, Capital One, and more. These included usernames and passwords, mobile phone accounts, and e-commerce accounts. The DoJ says that over 80 million credentials were available for purchase from over 1,400 victim organizations worldwide. Law enforcement from the US, Germany, the Netherlands, and Romania was involved in the confiscation of servers supporting the platform’s infrastructure and various domain names. Slilpp buyers would allegedly use these credentials to perform banking theft and fraud, such as wire transfers from victims to accounts owned by them.

    “To date, over a dozen individuals have been charged or arrested by US law enforcement in connection with the Slilpp marketplace,” the DoJ says. According to Acting Assistant Attorney General Nicholas McQuaid, Slilpp allegedly caused “hundreds of millions of dollars in losses to victims worldwide” — and at least $200,000 in losses in the US alone. However, the “full extent” of the marketplace’s role in the credential theft economy is “not known.” “The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located,” McQuaid commented.