Dark Web “Leaksmas” Event Exposes Massive Volumes of Leaked Data
Cybercriminal activities continued in full force over the New Year, as Resecurity observed Dark Web actors releasing substantial dumps of data over the holiday season. The dumps were the result of data breaches and network intrusions on a variety of companies and government agencies. Several leaks were tagged “Free Leaksmas,” indicating that these leaks were being shared between cybercriminals as a form of mutual gratitude.
The leaks will inevitably cause a host of adverse effects, including account takeovers (ATO), business email compromises (BEC), identity theft, and financial fraud. Significantly, these breaches extended all over the world, impacting individuals in a wide range of countries including the US, France, Peru, Vietnam, Italy, Russia, Mexico, the Philippines, Switzerland, Australia, India, South Africa, and even mixed international sources. This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities.
A significant event during the ‘Leaksmas’ in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru. This dataset contained over 22 million records, including customers’ phone numbers and DNI (Documento Nacional de Identidad) numbers. The DNI, being the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a serious threat, potentially leading to widespread identity theft and fraud. This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where there is an escalating trend of cyber-attacks resulting in major data breaches and significant damages.
In another incident targeting the Asia-Pacific region, cybercriminals released a substantial leak involving one of the major credit services in the Philippines. The perpetrators disclosed over 15.77 GB of data in this breach.
Read: https://www.resecurity.com/blog/article/cybercriminals-launched-leaksmas-event-in-the-dark-web-exposing-massive-volumes-of-leaked-pii-and-compromised-data
Facebook Unveils New User Tracking Feature Link History
Facebook has launched a new feature, “Link History”, which tracks every link a user clicks within the app. This feature is part of Facebook’s broader strategy to track users’ online activity for data collection and monetization, mirroring practices of other Big Tech firms. Although not mandatory, the feature is enabled by default, requiring users to opt out if they wish to avoid tracking.
Critics have raised privacy concerns about this feature. Despite Facebook’s assertion that it improves user experience by consolidating clicked links, the introduction of Link History is seen as part of a larger political narrative. With Facebook under increased scrutiny, especially during election years, the motivations behind such tracking practices are being questioned.
To deactivate Link History, users must first be aware of its existence and then navigate to the appropriate setting to opt out. However, many users do not take this step, inadvertently allowing their online activity to be tracked. The announcement of Link History also hinted at the possibility of using the collected data to enhance ads across Meta platforms, but it remains unclear whether this will alter Facebook’s existing tracking methods.
Read: https://reclaimthenet.org/facebook-rolls-out-link-history-showing-how-it-tracks-all-the-websites-users-visit
Indian journalists’ iPhones infected with Pegasus Spyware, according to Amnesty and Apple
In late October, Apple warned Indian journalists and opposition figures that they may have been targeted by state-sponsored attacks by Narendra Modi’s government. Indian officials, however, publicly doubted Apple’s findings and announced a probe into the devices’ security.
India has never confirmed or denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it had found NSO Group’s invasive spyware on the iPhones of prominent journalists in India.
“Our latest findings show that, increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
“Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations.”
The Washington Post separately reported Thursday that Apple faced heat from senior officials from Modi’s administration, who had earlier demanded that Apple soften the political impact of its warnings. Senior Indian officials summoned Apple representatives to insist on alternative explanations, even going as far as to fly in Apple security experts to meet with ministry leaders, the report adds.
The pressure campaign by Indian officials to soften the impact of the warnings disturbed Apple executives in California but achieved limited results, The Washington Post added. While Apple India officials initially helped cast doubt on the alerts, issuing a statement that in part said it was possible some notifications may be false alarms, the company issued no follow-up statement placating authorities after the experts’ visit.
Read: https://techcrunch.com/2023/12/27/india-pressed-apple-on-state-sponsored-warnings-report-says/
Windows 10 and 11 Protections Bypassed by New Variant of DLL Search Order Hijacking
According to security researchers, a recently discovered variant of the DLL search order hijacking technique poses a threat to the security of Microsoft Windows 10 and Windows 11. This technique, outlined in a report by cybersecurity firm Security Joes exclusively shared with The Hacker News, takes advantage of executables frequently present in the trusted WinSxS folder and exploits them using the traditional DLL search order hijacking approach. By doing so, threat actors can bypass security measures and execute malicious code on affected systems.
DLL search order hijacking is a technique that exploits the loading order of DLLs to execute malicious payloads, aiming to evade defenses, achieve persistence, and escalate privileges. Specifically, attackers target applications that do not provide the full path to the required libraries. Instead, they rely on a predetermined search order to locate DLLs on disk.
Security Joes warns of additional vulnerable binaries in the WinSxS folder susceptible to DLL search order hijacking. Organizations must take precautions by examining process relationships and closely monitoring activities of binaries in WinSxS to mitigate this threat.
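One way to act on that advice is to watch image-load telemetry for binaries that live in WinSxS and pull a DLL from somewhere other than the Windows directory tree, since a process that resolves a library by search order rather than full path is exactly the case the technique abuses. The script below is an added example written for this digest; it is not code from Security Joes or The Hacker News. It parses constructed Sysmon-style ImageLoaded (Event ID 7) records in an assumed `Key=Value|Key=Value` export format; the component directory, DLL names and the trusted-directory allow-list are all assumptions to be tuned for a real environment.

```python
"""Flag suspicious DLL loads by executables resident in C:\\Windows\\WinSxS.

Added example (not the vendor's or the article's code). Field names follow
Sysmon's ImageLoaded schema (Image, ImageLoaded, Signed); the record format,
sample paths and allow-list below are constructed assumptions.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

WINSXS_ROOT = r"C:\Windows\WinSxS"

# Assumed allow-list: directories a servicing binary is expected to load from.
TRUSTED_LOAD_ROOTS = (
    r"C:\Windows\WinSxS",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)


def _norm(path: str) -> str:
    """Lower-cased, Windows-normalised path for case-insensitive prefix tests."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies beneath it (WinSxS2 must not match WinSxS)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed export format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify_load(rec: Dict[str, str]) -> Optional[str]:
    """Return a finding label for an ImageLoaded record, or None if benign."""
    image = rec.get("Image", "")
    loaded = rec.get("ImageLoaded", "")
    if not _under(image, WINSXS_ROOT):
        return None  # only processes living in WinSxS are in scope here
    if not any(_under(loaded, root) for root in TRUSTED_LOAD_ROOTS):
        return "winsxs-binary-loaded-dll-outside-windows"
    if rec.get("Signed", "").lower() != "true":
        return "winsxs-binary-loaded-unsigned-dll"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run classify_load over Event ID 7 records; return (label, image, dll)."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue  # process-create and other events are ignored here
        label = classify_load(rec)
        if label:
            findings.append((label, rec["Image"], rec["ImageLoaded"]))
    return findings


# Constructed sample telemetry (component directory and DLL names are made up).
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_example-component_1.0\example.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_example-component_1.0\example.exe"
    r"|ImageLoaded=C:\Users\Public\Downloads\example.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_example-component_1.0\example.exe"
    r"|ImageLoaded=C:\Windows\System32\helper.dll|Signed=false",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe"
    r"|ImageLoaded=C:\Users\Public\other.dll|Signed=false",
    r"EventID=1|Image=C:\Windows\WinSxS\amd64_example-component_1.0\example.exe"
    r"|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for label, image, dll in scan(SAMPLE_LOG):
        print(f"{label}: {image} loaded {dll}")
```

The first rule (a WinSxS-resident process loading from outside the Windows tree) is the high-signal one; the unsigned-DLL rule is a weaker secondary check and will need tuning where third-party components are legitimately present.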
Read: https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html
Malware Leveraging Google OAuth Endpoint to Restore Cookies and Hijack User Accounts
Numerous families of information-stealing malware are exploiting an undisclosed Google OAuth endpoint called ‘MultiLogin’ to revive expired authentication cookies and gain unauthorized access to users’ accounts, even after a password reset. Session cookies, a specific type of browser cookie, store authentication details, enabling individuals to log into websites and services seamlessly, without the need to enter their login credentials.
Towards the end of November 2023, BleepingComputer published an article about two information-stealing malware, Lumma and Rhadamanthys, which asserted their capability to recover expired Google authentication cookies acquired through attacks. By utilizing these cookies, cybercriminals could illicitly access Google accounts even after the rightful owners had logged out, reset their passwords, or their sessions had expired.
Following a subsequent update from Lumma, the exploit was enhanced to counter Google’s mitigation efforts, indicating that the tech giant is aware of the zero-day flaw being actively exploited. Lumma, in particular, adopted the use of SOCKS proxies to evade Google’s abuse detection mechanisms and implemented encrypted communication between the malware and the MultiLogin endpoint.
Read: https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/
Elsewhere Online:
Libs of TikTok Account Suspended by Facebook
Read: https://reclaimthenet.org/facebook-disables-libs-of-tiktok-account
By Exploiting a Black Basta Flaw, Researchers have Created a Decryptor that Allows Ransomware Victims to Recover Files for Free
Read: https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/
The British Radioactive Waste Management (RWM) Company Reveals Recent LinkedIn Cyberattack, Sparking Nuclear Safety Concerns
Read: https://www.hackread.com/linkedin-hackers-attack-uk-nuclear-waste-services/
Cybersecurity Breach Exposes Australian Court’s Hacked Hearing Recordings
Read: https://www.infosecurity-magazine.com/news/australian-court-hacked-hearing/
Google Resolves Lawsuit Regarding Tracking Users in ‘Incognito Mode’
Read: https://www.euronews.com/next/2024/01/01/google-settles-lawsuit-over-tracking-people-in-incognito-mode
Previously on #AxisOfEasy
Perhaps T.S. Eliot was talking about fresh coffee when he remarked that “every moment was a fresh beginning”.
But a life measured out in coffee spoons eventually finds the jar empty. And my jar is emptying out increasingly rapidly each year.
But the coffee and the moments still appear fresh. For the time being….
Happy Festivus!
Was that Thich Nhat Hanh?