Monthly Archives: August 2019

@jack’s twitter attacked, phone number hacked

The latest high-profile celebrity Twitter account to get hacked…

…was none other than @jack, which belongs to Jack Dorsey, the founder and CEO of Twitter itself.

Twitter’s corporate communications account has confirmed that the account got taken over, but says that @jack is “now secure, and there is no indication that Twitter’s systems have been compromised.”

Twitter Comms later confirmed that the attack was possible because “the phone number associated with the account was compromised”, suggesting that Dorsey was the victim of a SIM swap attack.

In a successful SIM swap attack, hackers persuade a mobile phone provider to transfer a victim’s phone number to the hacker’s SIM card, giving the hacker access to the victim’s calls and messages. Dorsey is rumoured to use a service that allows him to tweet via SMS messages, and this may be what gave the hackers the ability to tweet in his name.

The alternative is that they first cracked his password and then used their access to his phone number to steal a 2FA code sent to it via SMS.

The good news for Twitter users is that this wasn’t a hack on Twitter’s infrastructure and possibly not even a full takeover of the @jack Twitter account (we don’t know if Dorsey was prevented from using his account, only that others gained some ability to abuse it).

The bad news for Dorsey is that he lost more than his Twitter account: he lost his phone number, giving crooks privileged access to any service that relies on that number, not just Twitter.

from Naked Security – Sophos http://bit.ly/30Rx5Cw
via IFTTT

Anteater – CI/CD Security Gate Check Framework

Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of nominated strings, filenames, binaries, deprecated functions, staging environment code/credentials etc.

It’s main function is to block content based on regular expressions.

Anteater - CI/CD Security Gate Check Framework

Anything that can be specified with regular expression syntax, can be sniffed out by Anteater. You tell Anteater exactly what you don’t want to get merged, and anteater looks after the rest.

How Anteater CI/CD Security Gate Check Framework Works

If Anteater finds something, it exits with a non-zero code which in turn fails the build of your CI tool, with the idea that it would prevent a pull request merging. Any false positives are easily negated by using the same RegExp framework to cancel out the false match.

Entire projects may also be scanned also, using a recursive directory walk. With a few simple steps, it can be easily implemented into a CI/CD workflow with tooling such as Travis CI, CircleCI, Gitlab CI/CD and Jenkins.

Anteater also provides integrates with the Virus Total API, so any binaries, public IP addresses or URL’s found by Anteater, will be sent to the Virus Total API and a report will be returned. If any object is reported as malicious, it will fail the CI build job.

You can also set it to block all binaries or tamper with existing binaries (this includes PDFs, Images etc.) and you can whitelist desired binaries using a SHA256 checksum.

Using Anteater CI/CD Security Gate Checks

There is some excellent documentation for Anteater here:

Docs » Anteater – CI/CD Gate Check Framework

This includes how to get it working with CircleCI which is my personal choice for CI tooling.

In order to use the VirusTotal API, you will first require an API key. These are free to get and can be obtained by signing up to the service here.

Once you have your key, it needs to be set as an environment variable.

You can download Anteater here:

anteater-master.zip

Or read more here.

from Darknet – The Darkside http://bit.ly/2ZHyyKe
via IFTTT

Phishers are Angling for Your Cloud Providers

Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.

Stamford, Ct.-based United Rentals [NYSE:URI] is the world’s largest equipment rental company, with some 18,000 employees and earnings of approximately $4 billion in 2018. On August 21, multiple United Rental customers reported receiving invoice emails with booby-trapped links that led to a malware download for anyone who clicked.

While phony invoices are a common malware lure, this particular campaign sent users to a page on United Rentals’ own Web site (unitedrentals.com).

A screen shot of the malicious email that spoofed United Rentals.

In a notice to customers, the company said the unauthorized messages were not sent by United Rentals. One source who had at least two employees fall for the scheme forwarded KrebsOnSecurity a response from UR’s privacy division, which blamed the incident on a third-party advertising partner.

“Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the response read.

“The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform,” the reply continued. “The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.”

United Rentals told KrebsOnSecurity that its investigation so far reveals no compromise of its internal systems.

“At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking trojan,” said Dan Higgins, UR’s chief information officer.

United Rentals would not name the third party marketing firm thought to be involved, but passive DNS lookups on the UR subdomain referenced in the phishing email (used by UL for marketing since 2014 and visible in the screenshot above as “wVw.unitedrentals.com”) points to Pardot, an email marketing division of cloud CRM giant Salesforce.

Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.

Salesforce did not respond to multiple requests for comment. But it seems likely that someone at Pardot with access to United Rental’s account was phished, hacked, or perhaps guilty of password re-use.

This attack comes on the heels of another targeted phishing campaign leveraging Pardot that was documented earlier this month by Netskope, a cloud security firm. Netskope’s Ashwin Vamshi said users of cloud CRM platforms have a high level of trust in the software because they view the data and associated links as internal, even though they are hosted in the cloud.

“A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows),” Vamshi wrote. “The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.”

Cybercriminals increasingly are targeting cloud CRM providers because compromised accounts on these systems can be leveraged to conduct extremely targeted and convincing phishing attacks. According to the most recent stats (PDF) from the Anti-Phishing Working Group, software-as-a-service providers (including CRM and Webmail providers) were the most-targeted industry sector in the first quarter of 2019, accounting for 36 percent of all phishing attacks.

Image: APWG

from Krebs on Security http://bit.ly/2LbMyYQ
via IFTTT