Cyber criminals impacted by OVH data center fire
A fire in the Strasbourg data centers of OVHcloud disrupted a number of organizations, cyber criminals among them. Analysts at Kaspersky Lab found that 36% of the 140 known C2 servers tracked at OVH were taken offline by the fire, including servers used by several APT groups such as Charming Kitten, APT39, Bahamut and OceanLotus. Overall, sites hosted on the .fr top-level domain were the most affected, with 1.9% of all .fr domains worldwide temporarily taken offline as a result of the fire.
Journalist hit with $16 SMS attack
Vice’s Joseph Cox reported that a white hat hacker was able to intercept his text messages, for about $16, by using a business SMS service called Sakari to reroute them. From there the researcher was able to access Cox’s Bumble, WhatsApp, and Postmates accounts. Unlike a SIM swapping attack, Cox saw no visible disruption in service. All that was required for the takeover was a prepaid card to sign up for a monthly Sakari subscription and a Letter of Authorization to switch phone numbers, filled out with false information. Sakari offers this service so that marketers can import their own numbers to send out mass text marketing campaigns.
(Vice)
Hackers steal NFTs
If you haven’t been following the crypto art world, NFTs, or non-fungible tokens, have taken off as a way to sell unique pieces of digital art. So of course now that they have value, someone figured out how to steal them. The NFT marketplace Nifty Gateway confirmed some users had digital artwork stolen from accounts, although maintained there was no evidence that its platform was breached. The company suggested that users without two-factor authentication were hit with credential stuffing attacks using previously leaked login info. Some users also reported having credit cards stored with Nifty Gateway used to make other NFT art purchases. Nifty Gateway recommends users enable two-factor authentication.
Google warns of another Chrome zero-day exploit
The exploit impacts Windows and Mac versions of the browser, and is the third zero-day announced by Google in 2021, believed to be under active exploitation. A use-after-free vulnerability in the Blink browser engine in Chrome could allow a remote actor to execute arbitrary code when visiting a maliciously crafted website. Google is currently rushing out a fix for the exploit.
Thanks to our episode sponsor, Trend Micro
Phishing sites now avoiding virtual machine detection
It’s currently common practice to use VMs or headless browsers to check whether a website is being used for phishing. That approach may be getting harder: researchers at MalwareHunterTeam discovered phishing sites using the JavaScript WebGL API to query the rendering engine used by the browser, looking for software rendering or a screen height or width of less than 100 pixels. If either is detected the site appears blank; otherwise the standard phishing page is displayed. Researchers said a variety of signals and approaches are used to detect phishing sites, and altered browser information will prevent the script from working, but the game of cat and mouse continues.
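One way a defender can look for this evasion in scraped page content is to score the combination of signals described above rather than any single one, since legitimate analytics libraries also query the WebGL renderer. This is an added illustration, not code from the researchers or the report; the sample script, signal names and weights are constructed here.

```python
import re

# Constructed sample resembling the behaviour described above; not taken
# from any real phishing kit. WEBGL_debug_renderer_info and
# UNMASKED_RENDERER_WEBGL are the real WebGL extension/parameter names.
SAMPLE_SCRIPT = """
var gl = document.createElement('canvas').getContext('webgl');
var dbg = gl.getExtension('WEBGL_debug_renderer_info');
var renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
if (/SwiftShader|llvmpipe|Mesa/i.test(renderer) || screen.width < 100 || screen.height < 100) {
  document.body.innerHTML = '';
} else {
  loadLogin();
}
"""

# Each signal is a regex plus a weight. A renderer query alone is common on
# benign sites, so it only becomes suspicious together with the other checks.
SIGNALS = {
    "webgl_renderer_query": (re.compile(r"WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL"), 2),
    "software_renderer_match": (re.compile(r"SwiftShader|llvmpipe|Mesa", re.I), 2),
    "tiny_screen_check": (re.compile(r"screen\.(?:width|height)\s*<\s*\d{1,3}\b"), 2),
    "blank_page_on_match": (re.compile(r"innerHTML\s*=\s*['\"]{2}"), 1),
}


def score_sandbox_evasion(script: str):
    """Return (score, matched signal names) for a block of page JavaScript."""
    hits = [name for name, (pattern, _) in SIGNALS.items() if pattern.search(script)]
    score = sum(SIGNALS[name][1] for name in hits)
    return score, hits


def is_suspicious(script: str, threshold: int = 4) -> bool:
    """Flag a script when enough independent evasion signals co-occur."""
    return score_sandbox_evasion(script)[0] >= threshold


if __name__ == "__main__":
    print(score_sandbox_evasion(SAMPLE_SCRIPT))  # (7, [all four signal names])
```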
Judge halts US investment ban on Xiaomi
U.S. District Judge Rudolph Contreras issued an initial injunction halting a forthcoming US investment ban on Xiaomi, agreeing with Xiaomi’s lawsuit that it deprived the company of due process. The investment ban came from an executive order signed in November which bars American investment in firms with ties to the Chinese military; the US Department of Defense had put Xiaomi on that list, and the ban was set to go into effect next week. Judge Contreras said Xiaomi was likely to win a full reversal of the ban through litigation, and that the ban would do irreparable harm to the company.
Edge and Brave adjust release windows
Microsoft updated the release cadence of Edge browser releases, which will now match the 4-week release cycle Google announced for Chrome last week. The change will go into effect with Edge 94, currently scheduled for a September release. The makers of the Chromium-based Brave browser also committed to moving release windows to match Chrome.
WeLeakInfo lives up to its name
Last year, the FBI and overseas law enforcement agencies seized WeLeakInfo.com, which had sold access to 12 billion usernames and passwords stolen from thousands of hacked websites. However, a contributor on the hacker forum RaidForums noticed that the FBI had let one of the domain registrations used by the site lapse: wli.design, which had been used for payment processing. This person registered the domain, used it to reset the site’s Stripe account, and gained access to customer data on 24,000 users spanning the site’s five-year history. The information, including partial credit card data, email addresses, full names, IP addresses, physical addresses, and phone numbers, was leaked online.