Cybersecurity News: BreachForums returns, First American data breach, Chinese nationals sanctioned

In today’s cybersecurity news…

BreachForums returns just weeks after FBI-led takedown

Just two weeks after we brought you the news of the FBI’s takedown of the notorious dark-web marketplace, BreachForums is back open for registration as of Tuesday. Back on May 15, the BreachForums website and Telegram channel displayed warnings that they were now “under the control of the FBI.” Additionally, the profile pictures of the BreachForums admins Baphomet and ShinyHunters depicted them behind bars, and Baphomet was reportedly arrested. However, the ShinyHunters crew claimed to have escaped unscathed, and the marketplace now appears to be under their control.

(The Register and HackRead)

First American data breach impacts 44,000 people

On Tuesday, First American Financial Corporation, the second-largest title insurance company in the U.S., revealed that it suffered a cyberattack affecting the personal information of approximately 44,000 individuals. The company’s filing with the Securities and Exchange Commission (SEC) indicated that back on December 21, it was forced to take some of its systems offline to contain the impact of the incident. However, the company provided very few details about the attack. First American said it will notify potentially affected individuals and provide them with free credit monitoring and identity protection services. Interestingly, just prior to the December incident, First American had agreed to pay a $1 million penalty to New York State for violating its cyber regulations after exposing personal and financial data in a separate breach it suffered back in May 2019.

(Bleeping Computer)

Chinese nationals sanctioned for botnet that stole ‘billions’ in COVID-19 relief funds

On Tuesday, the U.S. Department of the Treasury unveiled sanctions against three Chinese nationals (Yunhe Wang, Jingping Liu, and Yanni Zheng) for allegedly operating a malicious online anonymity service called 911 S5. The illegitimate residential proxy service lured victims with free VPN services whose installers delivered malware designed to add their IP addresses to the botnet. Infected computers communicated with multiple command-and-control servers located offshore or hosted within a cloud server. OFAC said the botnet consisted of 19 million IP addresses that allowed cybercriminals to submit fraudulent Coronavirus relief applications, resulting in billions of dollars in losses. The Treasury Department’s sanctions prohibit the three individuals, and three related organizations, from any transactions involving U.S. interests and properties.

(Bleeping Computer and Krebs on Security)

Spyware maker pcTattletale shutters after data breach

The founder of spyware app pcTattletale, Bryan Fleming, said his company is “out of business and completely done” following a data breach over the weekend. pcTattletale advertised its spyware app as a way for organizations to monitor their employees’ Android and Windows devices, and also promoted its ability to snoop on spouses and domestic partners without their consent, which is illegal. The shutdown comes days after a hacker defaced the spyware maker’s website and published links containing large amounts of stolen data. The hacker said pcTattletale’s servers could be tricked into coughing up the private keys for its Amazon Web Services account. The now-defunct app had 138,000 customers per the data breach notification site Have I Been Pwned.

(TechCrunch)

Thanks to today’s episode sponsor, Vanta

Are lengthy security reviews pulling attention away from your security program?

With the largest network of Trust Centers, Vanta can help you streamline security reviews to win customer trust, save time, and close deals fast.

Proactively demonstrate security by showcasing key resources like your SOC 2 or ISO 27001 and provide real-time evidence for passing controls. And when a security questionnaire is required, Vanta takes the first pass for you.

Visit vanta.com/ciso to take a tour.

Malicious apps on Google Play downloaded 5.5 million times

More than 90 malicious mobile apps have been downloaded more than 5.5 million times from the Google Play store over the last few months. Researchers at Zscaler say the apps include a variety of PDF and QR code readers as well as file managers, editors, and translators. However, these apps actually spread various malware, including a nasty banking trojan called Anatsa (aka Teabot). Though Google has made a significant effort to block malicious apps, Anatsa uses an attack vector that can slip past these protections. Organizations should protect themselves by ensuring all users are authenticated and authorized before accessing any resources. Additionally, users should be alert to suspicious app activity on their devices, even for apps downloaded from trustworthy sites.

(Bleeping Computer and Dark Reading)

Attackers target Check Point VPNs to access corporate networks

On Monday, cybersecurity firm Check Point issued an advisory that it had observed a small number of attempts to breach its customers’ VPNs this past Friday. The attacks did not attempt to exploit a software vulnerability but instead targeted customers who are using outdated VPN local accounts with password-only authentication. The company advised customers to secure network accounts by adding another layer of authentication. Check Point also released a solution designed to automatically prevent unauthorized access via local accounts using password-only authentication.

(Infosecurity Magazine)

PoC exploit released for bug in Fortinet SIEM

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue in Fortinet’s SIEM solution (CVE-2024-23108). The PoC exploit allows commands to execute as root on several versions of Internet-facing FortiSIEM appliances. Fortinet disclosed the maximum-severity bug back in February, stating attackers may be able to execute unauthorized commands via crafted API requests. The researchers published indicators of compromise to help owners of vulnerable devices investigate potential issues.

(Bleeping Computer and Security Affairs)

Researchers crack 11-year-old password to $3 million crypto wallet

Researcher Joe Grand and a friend helped a man find the lost password to his cryptocurrency wallet containing 43.6 BTC, valued at nearly $2.96 million. The anonymous man, dubbed Michael, set up a crypto wallet in 2013 and then used RoboForm to create its unique 20-character password. Michael opted to store the password in an encrypted file instead of storing it in RoboForm due to security concerns. However, he lost the password when the encrypted file became corrupted. The researchers recovered Michael’s password by exploiting a long-fixed vulnerability in the RoboForm password generator. Michael said he was glad he lost access to his wallet, as holding onto his tokens allowed them to appreciate from $5,300 in 2013 to roughly $68,000 at current rates. He gave a portion of his bitcoin to the researchers as payment for their help.

(The Block and Slashdot)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.