    Hacker leaks data of 2.28 million dating site users

    A well-known hacker leaked this week the details of more than 2.28 million users registered on MeetMindful.com, a dating website founded in 2014, ZDNet has learned from a security researcher.

    The dating site’s data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases.
    The leaked data, a 1.2 GB file, appears to be a dump of the site’s users database.
    The content of this file includes a wealth of information that users provided when they set up profiles on the MeetMindful site and mobile apps.
    Some of the most sensitive data points in the file are:
    • Real names
    • Email addresses
    • City, state, and ZIP details
    • Body details
    • Dating preferences
    • Marital status
    • Birth dates
    • Latitude and longitude
    • IP addresses
    • Bcrypt-hashed account passwords
    • Facebook user IDs
    • Facebook authentication tokens

    Messages exchanged by users were not included in the leaked file; however, this does not make the incident any less serious.
    While not all leaked accounts include full details, for many MeetMindful users the leaked data can be used to trace their dating profiles back to their real-world identities.

    When we reached out to MeetMindful for comment on Thursday via Twitter, a company spokesperson redirected our request to an email address from which we have not heard back in three days.
    In the meantime, the forum thread where the MeetMindful data was leaked has been viewed more than 1,500 times, and the file has most likely been downloaded many times over.
    The data is still available for download on the public file-hosting site where it was initially uploaded.
    The site’s data was released by a threat actor who goes by the online name ShinyHunters, who earlier this week also leaked the details of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed apparel.
    A request for comment sent to an email address previously used by ShinyHunters was not answered.
    The leak of this highly sensitive data represents a looming issue for the site’s users and is the main reason why MeetMindful needs to notify account holders.
    Over the past few years, many cybercrime groups have engaged in a practice called sextortion, in which they take data leaked from dating sites and contact the site’s users, threatening to expose their dating profiles and history to family or work colleagues unless a ransom is paid.

    Rogue CCTV technician spied on hundreds of customers during intimate moments

    A Texas-based CCTV technician pleaded guilty this week to illegally accessing the security cameras of hundreds of families to watch people in their homes get naked and engage in sexual activities.
    According to a criminal complaint [PDF], Telesforo Aviles, a 35-year-old, committed his crimes between November 2015 and March 2020 while working as a support technician for ADT, a provider of home security services.
    Aviles’s job involved installing home video surveillance cameras at customer premises and configuring the devices to work with the company’s proprietary ADT Pulse app.
    But prosecutors said that Aviles strayed from company policy and started adding his personal email address to customers’ ADT Pulse apps during the installation and testing process.
    Investigators said the technician usually targeted attractive women, and he used the backdoor account to access the camera’s real-time video feed and spy on customers in intimate moments in their homes and with their partners.
    The technician’s scheme was discovered in January and February 2020 when several customers discovered Aviles’ email address in their app’s configuration panel and reported the incidents to ADT, which later referred the case to authorities.

    Aviles was charged in April 2020 and pleaded guilty [PDF] on Thursday this week.
    Prosecutors said Aviles accessed more than 200 customer CCTV systems on more than 9,600 occasions.
    The former ADT technician now faces a sentence of up to five years in prison and a fine of up to $250,000, according to court documents. He was conditionally released earlier this week [PDF].
    ADT notified its customers of the incident in April 2020. The New York Post reported at the time that the company tried to convince customers to sign a confidentiality agreement in exchange for a monetary payment so Aviles’ actions wouldn’t leak online.
    Their efforts didn’t work, and the company is currently facing three class-action lawsuits [1, 2, 3] as a result of its former employee’s actions.

    SonicWall says it was hacked using zero-days in its own products

    Networking device maker SonicWall said on Friday night that it is investigating a security breach of its internal network after detecting what it described as a “coordinated attack.”
    In a short statement posted on its knowledgebase portal, the company said that “highly sophisticated threat actors” targeted its internal systems by “exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
    The company listed the NetExtender VPN client and the Secure Mobile Access (SMA) gateways as impacted:
    • NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls.
    • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, and SMA 410 physical appliances, and on the SMA 500v virtual appliance.
    SonicWall said that the newer SMA 1000 series is not impacted, as that product series uses a different VPN client than NetExtender.
    Patches for the zero-day vulnerabilities are not available at the time of writing.
    To help customers keep their networks safe, the vendor has included a series of mitigations in its knowledgebase article, such as deploying a firewall to limit who can interact with SMA devices, or disabling access to its firewalls via the NetExtender VPN client.
    SonicWall also urged companies to enable two-factor authentication options in its products for admin accounts.

    The networking device maker, whose products are often used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach over the past two months after FireEye, Microsoft, and Malwarebytes.
    All three previous companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.
    Cisco, another major vendor of networking and security devices, was also targeted by the SolarWinds hackers. The company said last month it was investigating if attackers escalated their initial access from the SolarWinds products to other parts of its network.
    Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack.

    FSB warns of US cyberattacks after Biden administration comments

    The Russian government has issued a security alert on Thursday evening warning Russian businesses of potential cyberattacks launched by the United States in response to the SolarWinds incident.
    The Russian government’s response comes after comments made by the new Biden administration earlier in the day.
    Answering questions about the administration’s plans regarding the SolarWinds hack, new White House officials said they reserved the right to respond at a time and in a manner of their choosing to any cyberattack.

    At first White House press briefing @PressSec says on SolarWinds breach: “we’ve spoken about this previously…of course we reserve the right to respond at a time and manner of our choosing to any cyberattack”
    — Shannon Vavra (@shanvav) January 21, 2021

    Moscow’s response to this comment came hours later in the form of a security bulletin published by the National Coordination Center for Computer Incidents (NKTSKI), a security agency founded by the Russian Federal Security Service (FSB), Russia’s internal security and intelligence agency.
    The short statement cited the Biden administration’s comments, which it interpreted as threats, and provided a list of 15 security best practices that businesses should adhere to in order to remain safe online.

    The best practices included in the alert are run-of-the-mill security advice, nothing that companies or even the least skilled security practitioner were not already aware of.

    The security alert appears to have been published more as a response to the Biden administration’s aggressive statements earlier in the day than as genuine security guidance.
    The White House’s comments follow a tone set two weeks ago when US officials from the FBI, CISA, ODNI, and NSA formally blamed Russia for orchestrating the wide-reaching SolarWinds supply chain attack.
    Kremlin officials have repeatedly denied having had any hand in the SolarWinds incident.
    During yesterday’s press conference, the Biden administration also promised to commit $9 billion towards cybersecurity in the aftermath of the SolarWinds hack.


    As Bitcoin price surges, DDoS extortion gangs return in force

    Extortion groups that send emails threatening companies with DDoS attacks unless paid a certain fee are making a comeback, security firm Radware warned today.
    In a security alert sent to its customers and shared with ZDNet this week, Radware said that during the last week of 2020 and the first week of 2021, its customers received a new wave of DDoS extortion emails.
    Extortionists threatened companies with crippling DDoS attacks unless they got paid between 5 and 10 bitcoins ($150,000 to $300,000).
    Radware said that some of the emails it saw were sent by a group that was active over the summer of 2020, when the extortionists targeted many financial organizations across the world.
    Companies that received this group’s emails last summer also received new threats over the winter, Radware said.
    The security firm believes that the rise in the Bitcoin-to-USD price has led to some groups returning to or re-prioritizing DDoS extortion schemes.
    But Radware said that the Bitcoin price surge was so sudden and unexpected that it caught even some extortion groups by surprise. The extortionists had to adapt and reduce their demands over time, going from 10 BTC to 5 BTC, because the Bitcoin price had tripled since August 2020 and the original fee would have been too large for some companies to pay.

    And just like in the summer of 2020, Radware said that these DDoS extortion groups had the firepower to deliver on their threats.
    Radware said it saw some organizations being targeted with DDoS attacks after receiving the extortion emails. Attacks typically lasted around nine hours and hovered around 200 Gbps, with one attack peaking at 237 Gbps.

    This resurgence in DDoS extortion tactics was also documented by Lumen’s Black Lotus Labs, which reported on the comeback last week.
    The former CenturyLink division, now part of Lumen, said these schemes never actually stopped, although the frequency of these email threats died down over the fall, compared to their prevalence over the summer.
    Just like before, the DDoS extortion gangs kept using the names of more famous hacking groups to send their threats, hoping to intimidate victims. Attackers used names such as Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective.
    But towards the end of the year, Black Lotus Labs reported that some of these extortion emails were also signed as Kadyrovtsy, the name of an elite Chechen military group that was also associated with DDoS gangs and extortionists in the early 2010s.
    Both Black Lotus Labs and Radware recommended that companies not pay the ransom, as this merely invites more extortion attempts in the future. Instead, companies are advised to request additional protection against potential attacks from their security providers.

    New website launched to document vulnerabilities in malware strains

    A security researcher launched this month a web portal that lists vulnerabilities in the code of common malware strains. The researcher hopes other security professionals will use the bugs to crash, disable, and uninstall malware on infected hosts as part of incident response operations.
    Created and launched by bug hunter John Page, the new MalVuln portal is available at malvuln.com.
    The site itself is your typical vulnerability disclosure portal. It lists the software’s name (in this case, the malware’s name), describes the vulnerability in technical detail, and provides proof-of-concept (PoC) exploit code so others can reproduce the issue.
    Page tells ZDNet he created the site out of boredom during the recent COVID-19 lockdown.
    “It’s out of the norm, there’s never been a dedicated website for this type of thing,” the researcher told ZDNet in an email interview.

    Currently, MalVuln lists 45 security flaws. Some are for current threats like Phorpiex (Trik) but also for old malware strains like Bayrob.
    Page said all the vulnerabilities currently listed on MalVuln were discovered by him.

    “There have been no outside submissions, and I am not currently accepting them,” Page said. However, a PGP key is listed on the site, and the plan is to allow others to submit their findings sometime in the future.
    Controversy brewing?
    But the site also touches on a sensitive topic in the cyber-security industry. For decades, security researchers have been secretly hacking back against malware operators.
    Just like malware sometimes uses bugs in legitimate apps to infiltrate systems, security firms have also used bugs in malware code to infiltrate the attacker’s infrastructure.
    Security firms will often hack a malware’s command and control server to retrieve data about victims, or they’ll use bugs in malware to disable and remove it from infected systems.
    This practice has been a closely guarded secret, primarily due to the legal ramifications that come with the practice of “hacking back,” and the benefits that come with secretly abusing malware bugs to track threat actors.
    For example, for years, security firm Fox-IT used a bug in Cobalt Strike, a legitimate tool abused by cybercrime gangs, to track the location of possible malware command and control servers. The company disclosed that it had done so only after the bug was reported and fixed in 2019.
    It is no wonder, then, that when a website like MalVuln launched earlier this month, there were quite a few grumblings about how MalVuln was giving away these closely guarded secrets and indirectly helping malware operators by pointing out bugs in their code, effectively taking valuable tools away from security firms and incident responders.
    But Page told ZDNet that he doesn’t care about this aspect.
    “I do my own thing and I don’t respond. These are usually the same people who think vulnerabilities should not be public because it helps attackers,” he said.
    And Page is not the only one sharing this opinion, with other security researchers demanding more openness about this practice and more sharing of such details in the cyber-security community.

    I’m very happy someone has done this. Many times when discussing attacking malware, c2s, etc… people lose their shit or shut up and refuse to talk about it. I think this is a big move forward for infosec as a whole, even the dreaded “hacker turf war” comes of it https://t.co/XQh5fHVYOE
    — Célia Catalbas (@MaraAnn333) January 11, 2021

    Either way, the topic will remain controversial, but MalVuln has touched on a real issue — that malware also contains bugs just as bad as regular software.
    “Lots of self-hating malware out there,” Page said, promising to release more malware bugs in the future.

    Cisco warns on critical security vulnerabilities in SD-WAN software, so update now

    Cisco is warning customers to update its networking software immediately, flagging four critical security vulnerabilities affecting SD-WAN, DNA, and the Smart Software Manager Satellite. 
    Cisco SD-WAN has three command injection vulnerabilities, tracked as CVE-2021-1260, CVE-2021-1261, and CVE-2021-1262. Collectively, they have a severity score of 9.9 out of 10. In other words, these are serious flaws that require immediate action. That rating holds even though a remote attacker needs a valid password to exploit them.

    “Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device,” Cisco notes. 
    That severity rating could be due to its impact: “A successful exploit could allow the attacker to gain root-level access to the affected system,” Cisco notes. 
    This issue affects Cisco’s SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
    Cisco SD-WAN suffers from two other bugs with a severity score of 9.8, which are tracked as CVE-2021-1300 and CVE-2021-1301. 

    These nasties allow “an unauthenticated, remote attacker to execute attacks against an affected device”, according to Cisco. 
    They affect IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software. 
    With a severity rating of 9.6, the Command Runner tool of Cisco DNA Center “could allow an authenticated, remote attacker to perform a command injection attack.” It’s tracked as CVE-2021-1264. 
    Again, the attacker needs valid credentials, but insufficient input validation by the Command Runner tool could “allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center,” according to Cisco.
    Finally, the Cisco Smart Software Manager Satellite Web user interface has a 9.8 severity bug because remote attackers can inject malicious commands into it even without a password.
    The advisory consists of three distinct bugs, tracked as CVE-2021-1138, CVE-2021-1139, and CVE-2021-1140. These are bad bugs and warrant an immediate update, according to Cisco. 
    “An attacker could exploit these vulnerabilities by sending malicious HTTP requests to an affected device. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system,” Cisco explained. 
    The good news is that Cisco engineers found all but one of the critical vulnerabilities; the remaining one was found by a customer who reported an issue. Cisco was not aware of any of the flaws being actively exploited.
    Cisco published advisories for a total of 19 bugs in January 2021. Besides the four critical vulnerabilities, there were nine high-severity flaws and 18 medium-severity flaws.
    Some customers may already be protected from these vulnerabilities, because Cisco regularly pushes out releases with security fixes before it discloses security flaws.

    Eight Cisco and CompTIA courses that will prep you for a career in cybersecurity

    Cybersecurity should be on every organization’s mind these days, because if the US government can be hacked, so can anyone else. This means there are plenty of opportunities for cybersecurity professionals to shine. If you’re interested in learning about network security and computers in general, you might enjoy a career in IT, and this 8-course bundle can get you started for $34.99.

    The Ultimate Cybersecurity & IT Career Certification Pathway Training Bundle is packed with 169 hours of study material on some of the most in-demand Cisco and CompTIA certifications. 
    The Cisco course is led by David Bombal, a Cisco Certified Systems Instructor who has taught Cisco courses for over 15 years. He’s also a top-rated Udemy instructor who has taught over 600,000 students to date. His Cisco CCNA 200-301 Exam course serves as an introduction to networking that uses real-world scenarios to teach you how to configure routers and switches, secure a network, and much more.
    The CompTIA courses are provided by Total Seminars, an e-learning platform that produces the #1-selling CompTIA A+ and Network+ Certification books in the world. In these courses, you’ll find in-depth video courses that will guide you through CompTIA’s entry-level ITF+ and A+ certifications all the way up to CySA+ and PenTest+.
    As mentioned, ITF+ and A+ are the easiest CompTIA certifications you can earn, and these Total Seminars courses are ideal if you’re interested in IT but still unsure if you want to make a career out of it yet. Here, you’ll learn how to set up and configure networking devices, basic scripting, command-line tools, and even introductory security concepts. 
    If you enjoy what you’ve learned, you can earn your certifications, build up work experience, and make your way down CompTIA’s cybersecurity learning path, and the rest of the courses will guide you along the way. 
    Joining the front lines against cybercrime requires skills in network security and threat management, all of which you’ll learn in The Ultimate Cybersecurity & IT Career Certification Pathway Training Bundle, which is on sale today for just $34.99.