Cyber Security Weekly Briefing, 24 – 30 December

Telefónica Tech    30 December, 2022

LastPass confirms theft of customer passwords

LastPass has announced that its cloud storage system was breached using stolen passwords in an incident last August.

The attackers gained access to the company’s technical information and source code. Using the credentials and keys obtained this way, they were able to steal customer account information and the data stored in customer vaults, including passwords and notes.

While the vault data is encrypted, the company has warned its customers that attackers could attempt to brute-force their master passwords and gain access to all stored information.

More info

* * *

BlueNoroff incorporates new techniques to bypass Windows MotW measures

Researchers have identified new methods for bypassing Windows’ Mark of the Web (MotW) protection measures, which have been adopted by the group known as BlueNoroff.

This malicious actor, associated with the Lazarus group and known for previous cryptocurrency-theft attacks, has incorporated new techniques to bypass the warning that Windows displays when a user tries to open a file downloaded from the internet. It achieves this by delivering its payloads inside disk-image files with .ISO and .VHD extensions.

While the investigation originated from a company in the United Arab Emirates affected by this group, the nomenclature of the domains and documents used in the attack chain would seem to indicate a more specific interest in Japanese companies, in the financial sector in particular.
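The following is an added example, not code from the briefing or from the researchers it cites: a PowerShell audit that lists downloaded disk images carrying the Mark of the Web, so that their contents can be treated as untrusted even though Windows does not tag the files inside a mounted image. The Downloads folder path is an assumption.

```powershell
# Added example (not from the briefing): audit a folder for downloaded disk images
# that carry the Mark of the Web. A file opened from a mounted ISO/VHD does not
# inherit this stream, which is why the usual warning never appears for it.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')   # assumed location
)

$images = Get-ChildItem -Path $Path -Recurse -File -Include *.iso, *.vhd, *.vhdx -ErrorAction SilentlyContinue

foreach ($img in $images) {
    # Zone.Identifier is the NTFS alternate data stream that holds the MotW tag.
    $zone = Get-Content -Path $img.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Output "NO MOTW   $($img.FullName)"
        continue
    }
    $zoneId  = ($zone | Where-Object { $_ -like 'ZoneId=*' })  -replace '^ZoneId=', ''
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
    # ZoneId 3 = Internet, 4 = Restricted sites. Anything extracted from or run out of
    # these images should be handled as if it carried the same tag.
    if ($zoneId -in @('3', '4')) {
        Write-Output "MOTW zone $zoneId  $($img.FullName)  source=$hostUrl"
    }
}
```

Run it on a workstation to spot internet-sourced ISO/VHD files that a user may have mounted; pair it with endpoint logging of disk-image mounts for detection.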

More info

* * *

400 million Twitter users’ data for sale

A malicious actor named Ryushi recently put a database of 400 million Twitter users up for sale on a popular underground forum. The seller has provided a sample of 1,000 accounts, including private information of prominent users such as Donald Trump Jr and Brian Krebs, as proof of his claims.

The seller also claims that the data was extracted through a vulnerability and includes emails and phone numbers of celebrities, politicians, businesses and ordinary users.

He also invites Twitter and Elon Musk to buy the data to avoid GDPR lawsuits, alluding to the Irish Data Protection Commission’s open investigation into a breach of more than 5.4 million Twitter users’ data, obtained by exploiting an API vulnerability that Twitter fixed in January 2022.

More info

* * *

EarSpy: New eavesdropping attack

Researchers from five US universities have developed EarSpy, an eavesdropping attack for Android devices capable of recognising the gender and identity of the caller.

EarSpy captures readings from the device’s motion sensors that are caused by the reverberations of the mobile device’s speakers. Although such speakers were previously considered too weak to generate enough vibration for this type of attack, modern smartphones with more powerful stereo speakers and more sensitive motion sensors register even small resonances.

In tests on a OnePlus 7T and OnePlus 9 device, gender identification accuracy ranged from 77.7% to 98.7%, caller ID accuracy ranged from 63.0% to 91.2%, and voice recognition accuracy ranged from 51.8% to 56.4%.

User volume, device hardware and motion can affect attack accuracy. Android 13 has introduced a restriction on the collection of sensor data without permission, but this only reduces accuracy by around 10%.

More info

* * *

Netgear fixes vulnerabilities affecting several router models

Netgear has published two security advisories reporting high-severity vulnerabilities in several of its router models. No CVE has been assigned, nor has Netgear detailed which component is affected, but it does state that one of them is a pre-authentication buffer overflow.

Exploitation of this type of vulnerability can allow anything from a denial of service to the execution of arbitrary code, without requiring permissions or user interaction.

The affected products include several models of Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6) and Wireless AC routers. Finally, it should be noted that exploitation of the second vulnerability could allow a targeted DDoS attack on Wireless AC Nighthawk and Wireless AX Nighthawk (WiFi 6) routers.

More info
