1.2M GoDaddy Customers Breached, Meta Not E2E, Ransom Your Employer Arrest Made, Gift-Card Scams
Friday, November 26, 2021
Happy Thanksgiving from us to you!
We hope you had the best of holidays (and “Gobbled til you Wobbled”). We couldn’t be more thankful for the opportunity to share our “technical jargon” with you on a weekly basis.
As per usual, welcome to another edition of HN (Hacker News) Notes. Below you will find this week’s list of top articles.
Cheers!
William from Hacker News
This Week’s Episode (Also available on Apple, Spotify, Google Podcasts, and more)
Due to the holiday, this week’s podcast will be delayed to Monday for upload. Check back here to find the direct link, check out our RSS, or follow us on your favorite platform!
General News for the Week
Facebook Postpones Plans for E2E Encryption in Messenger and Instagram Until 2023
Meta, the parent company of Facebook, Instagram, and WhatsApp, disclosed that it doesn't intend to roll out default end-to-end encryption (E2EE) across all its messaging services until 2023, pushing its original plans by at least a year.
"We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023," Meta's head of safety, Antigone Davis, said in a post published in The Telegraph over the weekend.
The new scheme, described as a "three-pronged approach," aims to employ a mix of non-encrypted data across its apps as well as account information and reports from users to improve safety and combat abuse. The stated goals are deterring illegal behavior from happening in the first place, giving users more control, and actively encouraging users to flag harmful messages. Meta had previously outlined plans to be "fully end-to-end encrypted until sometime in 2022 at the earliest."
Arrest in ‘Ransom Your Employer’ Email Scheme
The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm Abnormal Security, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above.
“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s Crane Hassold wrote.
…
Brian Krebs also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter.
On Friday, Nigerian police arrested Medayedupin. The investigator says formal charges will be levied against the defendant sometime this week.
Apple Sues Israel's NSO Group for Spying on iPhone Users With Pegasus Spyware
Apple has sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court holding it accountable for illegally targeting users with its Pegasus surveillance tool, marking yet another setback for the Israeli spyware vendor.
The Cupertino-based tech giant painted NSO Group as "notorious hackers — amoral 21st-century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
In addition, the lawsuit seeks to permanently prevent the infamous hacker-for-hire company from breaking into any Apple software, services, or devices. The iPhone maker, separately, also revealed its plans to notify targets of state-sponsored spyware attacks and has committed $10 million, as well as any monetary damages won as part of the lawsuit, to cybersurveillance research groups and advocates.
Breaches and Leaks of the Week
GoDaddy’s Latest Breach Affects 1.2M Customers
Web-hosting giant GoDaddy has confirmed another data breach, this time affecting at least 1.2 million of its customers.
On Monday, the world’s largest domain registrar said in a public filing to the SEC that an “unauthorized third party” managed to infiltrate its systems on Sept. 6 – and that the person(s) had continued access for almost two and a half months before GoDaddy noticed the breach on Nov. 17.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Demetrius Comes, GoDaddy CISO, said in the website notice.
The information the lurking cybercriminal(s) were able to purloin is a mixed bag. The Scottsdale, Ariz.-based firm said that it included:
Emails and customer numbers for 1.2 million active and inactive Managed WordPress customers
sFTP and database usernames and passwords for active customers (passwords are now reset)
SSL private keys “for a subset of active customers,” used to authenticate websites to internet users, enable encryption and prevent impersonation attacks. GoDaddy is in the process of issuing and installing new certificates for affected customers.
It didn’t attach numbers as to how many customers are affected by the database log-in or certificate compromises.
And not only was this breach connected to these 1.2 million customers, it also reaches into the reseller subsidiaries.
The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost.
Attacks of the Week
Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild
Attackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit.
Cisco Talos disclosed that it "detected malware samples in the wild that are attempting to take advantage of this vulnerability."
Tracked as CVE-2021-41379 and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft's Patch Tuesday updates for November 2021.
However, in what's a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also achieve local privilege escalation via a newly discovered zero-day bug.
New Twists on Gift-Card Scams Flourish on Black Friday
Black Friday cyber-pariahs have revamped gift-card scams to better target modern online shoppers hungry for deals post-Thanksgiving. Experts warn new tactics include bogus gift-card generators that install malware designed to sniff out a victim’s cryptocurrency wallet address.
Internet-based Black Friday and Cyber Monday scams have become as common as the Macy’s Thanksgiving Day Parade. That’s why scammers strive to trot out new ways to snare cyber-savvy shoppers. In a Tuesday post, researchers at Malwarebytes Labs outlined this year’s latest gift-card scams. One novel twist includes offering gift cards for significantly less than face value as a ploy to entice users to buy stolen gift cards or download malware.
“If you see websites offering all kinds of discounts on gift cards, you can be assured that these will turn out to be fakes or they have been acquired in an illegal way and you could be acting as a fence,” wrote Pieter Arntz, Malwarebytes malware intelligence researcher.
This Week’s Featured Tools
ThreatBox
ThreatBox is a standard and controlled Linux-based attack platform. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of Ansible playbooks. Why Ansible? Why not? This seemed to be the next natural evolution to the configuration of standard attack platforms.
This project uses Ansible playbooks and roles to perform post-deployment configuration on a Linux target (Tested on Ubuntu 18.04).
Whispers
Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.
Detects
Passwords
API tokens
AWS keys
Private keys
Hashed credentials
Authentication tokens
Dangerous functions
Sensitive files
Supported Formats
Whispers is intended to be a structured text parser, not a code parser.
The following commonly used formats are currently supported:
YAML
JSON
XML
.npmrc
.pypirc
.htpasswd
.properties
pip.conf
conf / ini
Dockerfile
Dockercfg
Shell scripts
Python3
Python3 files are parsed as ASTs because of native language support.
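To make the structured-text approach concrete, here is a small added example (our own, not Whispers' code) of the kind of check such a tool performs: it parses a JSON file and a .pypirc-style ini file into a tree, walks every leaf, and flags values under credential-looking keys or matching known credential shapes (AWS access key IDs, PEM private keys). The inputs, key list and rule names are constructed for this example.

```python
import configparser
import json
import re

# Key names that commonly hold credentials (constructed list for this example).
SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key)", re.I)
# Value shapes that are credentials regardless of the key name.
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Placeholders and env-var references should not be reported as findings.
PLACEHOLDERS = {"", "changeme", "<redacted>"}

def walk(node, path=""):
    """Yield (path, key, value) for every scalar leaf of a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], node

def find_secrets(tree):
    """Return [(rule, path, value)] for every leaf that looks like a credential."""
    findings = []
    for path, key, value in walk(tree):
        if not isinstance(value, str):
            continue
        if value.strip().lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        for rule, pat in VALUE_PATTERNS.items():
            if pat.search(value):
                findings.append((rule, path, value))
                break
        else:  # no value-shape match: fall back to the key name
            if SENSITIVE_KEY.search(key):
                findings.append(("sensitive-key", path, value))
    return findings

def scan_json(text):
    return find_secrets(json.loads(text))

def scan_ini(text):  # covers .pypirc / pip.conf / generic ini
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return find_secrets({s: dict(cp[s]) for s in cp.sections()})

# Constructed sample inputs; the AWS key is Amazon's documented example value.
SAMPLE_JSON = '{"db": {"user": "app", "password": "hunter2"}, "aws": {"region": "us-east-1", "creds": "AKIAIOSFODNN7EXAMPLE"}, "smtp": {"password": "${SMTP_PASSWORD}"}}'
SAMPLE_INI = "[pypi]\nusername = deploy\npassword = s3cr3t-token\n"
```

The `${SMTP_PASSWORD}` reference is deliberately skipped: a scanner that reports every key named "password" drowns real findings in noise, so the placeholder allow-list is as important as the patterns.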
** Please keep in mind that this is a curated list of links to articles, not posts created by HN. We claim no ownership of any article discussed above.