Cybersecurity News – March 30, 2022

Ukraine destroys panic-spreading bot farms

The Security Service of Ukraine (SBU) has destroyed five bot farms which leveraged at least 100,000 social media accounts to spread misinformation and propaganda surrounding Russia’s invasion of Ukraine. SBU investigators seized over 100 GSM gateway devices, nearly 10,000 SIM cards, laptops, and other computing equipment. However, investigators have not reported any arrests. Ukraine has reportedly launched a new fact-check bot, dubbed “Perevirka,” that citizens can use to identify fake online content.

(ZDNet)

Yandex is sending iOS user data to Russia

A software development kit created by the Russian tech company Yandex, dubbed API AppMetrica, is embedded within roughly 52,000 iOS apps by their developers as a convenient way to obtain app analytics data. However, researcher Zach Edwards discovered that the code sends collected user data to servers located in Russia. On Twitter, Edwards described Yandex as “part of the Putin-Russian propaganda machine.” Yandex admitted that its software does send device, network, and IP address information to servers in Russia and Finland, but said that the data is stored in an anonymized condition, making it “extremely hard to identify users.”

(Infosecurity Magazine)

Ronin Network victimized in record-breaking crypto heist

Sky Mavis, the producer of the Axie Infinity blockchain game, has reported that a hacker stole a record-breaking $617 million in Ethereum and USDC tokens from the game’s Ronin network bridge, which serves as a way to transfer ERC-20 tokens between the Ethereum and Ronin blockchains. The threat actor was able to gain control over five of the Ronin validator signatures needed to withdraw cryptocurrency from the bridge. While the attack occurred on May 23rd, Sky Mavis only discovered the issue on Tuesday when a user unsuccessfully attempted to withdraw 5,000 Ethereum from the bridge. Sky Mavis has shut down the Ronin Bridge and the Katana Dex while it continues to investigate the attack.

(Bleeping Computer and VentureBeat)

Hacked WordPress sites force visitors to DDoS Ukrainian targets

On Monday, MalwareHunterTeam discovered a WordPress site infected with a malicious script that uses visitors’ browsers to perform distributed denial-of-service (DDoS) attacks against ten Ukrainian websites, including those used by Ukrainian government agencies, think tanks, Ukraine’s International Legion of Defense, and financial institutions. Because the attacks occur in the background, affected visitors won’t notice anything abnormal other than browser latency. Developer Andrii Savchenko states that there are about 100 infected WordPress sites, adding that many providers are slow to react to such compromises.

(Bleeping Computer)

Thanks to our episode sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats, and streamline privacy and compliance. Visit www.varonis.com/cisoseries for a demo of Varonis’ leading data security platform.

Log4Shell exploited to infect VMware Horizon servers

On Tuesday, researchers from Sophos revealed that the now infamous 10.0 severity remote code execution (RCE) vulnerability, Log4Shell, is being actively exploited to deliver malware to unpatched VMware Horizon servers. The researchers say the attackers are deploying remote monitoring packages, Atera agent or Splashtop Streamer, as well as an offensive security implant called Sliver, to serve as backdoors. The attackers have also been observed deploying four different Monero crypto miners (z0Miner, JavaX miner, Jin, and Mimu) to exploited machines. Finally, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information. Although Log4Shell patches were released back in December 2021, sadly many internet-facing servers have not yet been updated.

(ZDNet)

Wyze Cam flaw lets hackers remotely access saved videos

A Wyze Cam internet camera bug, which has not yet been assigned a CVE identifier, allows remote users to access the contents of the SD card in the camera via a webserver listening on port 80, without the need to authenticate. The SD card stores the camera’s video, images, and audio recordings but can also include other user information. Additionally, the SD card stores all of the device’s log files, which contain the device’s unique identifier (UID) as well as its AES encryption key. The flaw was reported to the vendor by Bitdefender researchers in March 2019 but was only just fixed by Wyze on January 29, 2022. Security updates have been made available for Wyze Cam v2 and v3, with no plans to issue fixes for v1.

(Bleeping Computer)

One in four employees who fell victim to cyberattacks lost their jobs

According to new data from Tessian, over the past 12 months, one in four employees lost their job after making a mistake that compromised their company’s security. Tessian’s report also highlighted that of those who made security errors at work, 26% fell for a phishing email in the last 12 months and 40% of employees sent an email to the wrong person, with almost 29% saying their business lost a client or customer because of the error. Half of those employees said they sent emails to the wrong person due to pressure to send the email quickly while over 40% of the phishing attack victims cited distraction and fatigue as the root cause. The report also highlighted a 5% uptick (to 21%) in employees who indicated they did not report security incidents versus the prior year’s report.

(Security Magazine)

Dental practice fined for sharing patient data on social media

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has slapped a dental practice in North Carolina with a $50,000 fine after the practice disclosed a patient’s protected health information (PHI) online. Back in 2015, Dr. U. Phillip Igbinadolor, DMD & Associates, PA (UPI), received a negative review on its Google page from a patient who used a pseudonym to mask their identity. UPI then posted a response which dismissed the patient’s accusations and proceeded to name the patient, their symptoms, and the recommended treatment. UPI capped its response with a condescending and derogatory statement towards the patient. The OCR noted UPI’s lack of cooperation with its investigation and fined the practice for willfully and impermissibly disclosing the patient’s PHI.

(Infosecurity Magazine)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.