At a glance.
- Allegations of Chinese surveillance of US mobile phone users.
- TA505's reconfigured loader.
- Bouncy Castle's threat to password security.
- Bogus Facebook Messenger invitations to "see if that's you in the video."
- Cyberpunk 2077 hype used to spread Android ransomware.
- Data stolen from hardware wallet provider dumped in criminal forum.
China allegedly spying on US mobile phone users.
Telecompaper reports that China has allegedly been conducting an espionage campaign against the US by intercepting mobile phone communications through Caribbean telecommunications networks. The signalling messages that telecom operators exchange over the SS7 signalling network to locate and connect mobile phone users across global networks can be abused by anyone with access to that network to track subscribers and intercept their calls and texts. US mobile phone operators have not effectively secured their networks against such attacks, in part because of long-standing weaknesses in the signalling protocols themselves. Gary Miller, a former mobile network security executive, found that, by taking advantage of these flaws through the Chinese operator China Unicom, China has been intercepting phone calls from US subscribers. According to his analysis, tens of thousands of American cell phone users have been targeted since 2018, usually while traveling abroad. The Guardian reports that the US Federal Communications Commission threatened to shut down China Unicom's US operations in April over concerns the company was vulnerable to the "control of the Chinese Communist party." Furthermore, the Americans targeted by China also appear to have been tracked through Flow Barbados and Bahamas Telecommunications Company, signalling the possibility of a coordinated effort. China Unicom has stated that it "strongly refutes the allegations that China Unicom has engaged in active surveillance attacks against US mobile phone subscribers using access to international telecommunications networks." Two practical points follow from the story: nothing on the handset can detect or block interception that happens inside an operator's signalling core, and the mitigations that do work are operator-side signalling firewalls and, for users, end-to-end encrypted calling and messaging rather than the carrier's own voice and SMS.
TA505 reemerges with reconfigured loader.
Intel 471 reports that TA505's Get2 loader, dormant since September, has reappeared, suggesting the group may be resuming operations. The loader now carries reworked download and execute configurations, changes intended to help the group's attacks evade existing detections; defenders should not assume that signatures written against the earlier loader still fire. TA505 is a Russian-speaking gang known for past large-scale operations against targets in Japan, South Korea, and the United Arab Emirates.
Bouncy Castle bug could make password decryption child’s play.
Infosecurity Magazine reports that an authentication bypass vulnerability has been found in the Java cryptography library Bouncy Castle: a flaw in the library's bcrypt password-verification helper (OpenBSDBCrypt.checkPassword) could let an attacker pass a password check with the wrong password in applications that rely on it. Though Bouncy Castle, which is used by some 26,000 organizations and has been downloaded over 170 million times in the past year, released a fixed version (1.67) in November, over 90% of the affected users have not yet applied it. The practical check is simple: confirm that the bcprov artifact in your dependency tree is 1.67 or later, and treat any password-check helper that hand-rolls its own string comparison with suspicion.
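The defect was not in the hashing but in the comparison: the loop that checked the stored hash against the freshly computed one passed its loop index to indexOf(int), which searches for the character with that code point rather than comparing the character at that position, so the letters that make up most of a bcrypt string were never compared at all. The Python below is an added illustration written for this briefing, not Bouncy Castle's code: it reproduces the shape of that flawed loop beside a correct constant-time comparison, using PBKDF2 as a stand-in for bcrypt (bcrypt itself is not in the Python standard library) rendered in bcrypt's 60-character layout. The salt, passwords and the demo_hash helper are constructed for the example.

```python
import hashlib
import hmac

# bcrypt's own base64 alphabet (it is not the RFC 4648 alphabet).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def demo_hash(password: str, salt22: str, cost: int = 10) -> str:
    """Stand-in for bcrypt, constructed for this example: PBKDF2-HMAC-SHA256
    rendered in bcrypt's layout $2a$<cost>$<22-char salt><31-char hash>.
    Only the 60-character string layout matters for what follows."""
    assert len(salt22) == 22 and all(c in BCRYPT_ALPHABET for c in salt22)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt22.encode(),
                             1 << cost, dklen=31)
    body = "".join(BCRYPT_ALPHABET[b & 63] for b in dk)
    return f"$2a${cost:02d}${salt22}{body}"


def _recompute(stored: str, password: str) -> str:
    """Re-derive the hash of a candidate password with the stored cost and salt."""
    cost = int(stored[4:6])
    salt22 = stored[7:29]
    return demo_hash(password, salt22, cost)


def flawed_check(stored: str, password: str) -> bool:
    """Shape of the defective comparison. The loop index i is used as a
    character code, so for i < 60 the loop only compares the first position
    of control characters, '$', '.', '/' and the digits. Letters in the hash
    body are never compared, so a different hash can still look "equal"."""
    new = _recompute(stored, password)
    equal = len(stored) == len(new)
    for i in range(len(stored)):
        equal &= stored.find(chr(i)) == new.find(chr(i))   # indexOf(int) in Java
    return equal


def correct_check(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare the whole string in
    constant time (hmac.compare_digest), which is the right pattern."""
    new = _recompute(stored, password)
    return hmac.compare_digest(stored.encode(), new.encode())


# Constructed example: a salt containing every digit plus '.' and '/'.
# Every character the flawed loop can see then occurs in the shared salt
# prefix, so the loop cannot notice any difference in the hash body and
# every password is accepted.
SALT = "0123456789./abcdefghij"
STORED = demo_hash("correct horse", SALT)


def demo() -> dict:
    return {
        "flawed_right": flawed_check(STORED, "correct horse"),
        "flawed_wrong": flawed_check(STORED, "wrong password"),
        "correct_right": correct_check(STORED, "correct horse"),
        "correct_wrong": correct_check(STORED, "wrong password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The salt here is deliberately chosen so that the bypass is deterministic; with random salts the flawed loop still ignores every letter in the hash body, so the fraction of wrong passwords it accepts depends only on where the few digits and punctuation characters first appear. The lesson generalises beyond this one library: verify a password by recomputing the full hash and comparing every byte with a constant-time comparison, never with a hand-written loop.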
No, it’s not you in the video.
By gaining access to a social media account, phishing scammers can use your likeness, or that of a contact, as bait. Naked Security reports that one such scam sends the target a message from a "friend" on Facebook Messenger containing what appears to be an embedded video and the simple question "Is this you in the video?" The video link actually leads to a site posing as a Facebook login page, hosted on a domain the crooks control, where the victim, if fooled, types their credentials straight into the scammers' form. Once "logged in," the victim is directed to one of several additional scam pages, run by another set of crooks, pushing fake phone deals or similar transactions designed to collect credit card details. The tell is the address bar: a genuine Facebook login never lives on a third-party domain, and a message that arrives from a contact's account is no guarantee the contact sent it.
Cyberpunk 2077 pulled, but scam apps have already worked their damage.
Gamers have been waiting for Cyberpunk 2077 since 2012. It was released on December 10th, and last week was pulled from the Sony PlayStation store, its complex world so buggy as to render the game unplayable. The New York Times has an account of what went wrong. What's interesting with respect to privacy, however, isn't a game that overpromised beyond any reasonable expectation, but rather the way the hype and gamer interest that surrounded it drew cybercriminals.
Kaspersky researcher Tatyana Shishkova has found that threat actors are using the popular video game Cyberpunk 2077 to fool Android users into installing ransomware, Threatpost reports. What appears to be a download of the game, offered on a website imitating the Google Play store, is actually CoderWare ransomware linked to the Black Kingdom gang. Once a victim installs and runs the app, they are confronted with a message declaring that their device has been infected and demanding $500 in bitcoin for the decryption key. This is not the first time the game has been linked to CoderWare: in November a Windows Cyberpunk 2077 installer was found to be infecting users with the same malware. The usual caveat applies: no Android version of the game exists, so any APK claiming to be one is malicious by definition, and sideloading from a look-alike store bypasses the checks the real Google Play applies.
Hardware wallet provider data dumped in online forum.
Cryptocurrency hardware wallet provider Ledger’s marketing database, stolen in a June data breach, is now being released in the RaidForums criminal-to-criminal souk, the Block reports. More than 270,000 customers appear to have had their "emails, physical addresses, and phone numbers" compromised. Up to a million individuals suffered exposure of their "email." It's not clear from the Block's account whether "emails" means addresses or messages, but apparently the information has been used in phishing attempts. Ledger has tweeted its response to the news, including the measures it's taking to shore up its security.
Cointelegraph says that unmollified users are considering taking legal action against Ledger. We received comment on the breach from ImmuniWeb's Ilia Kolochenko, who thinks Ledger's terms of service may make it difficult for any plaintiffs. “The current terms of service, published by Ledger, prevent most of the legal actions the victims may be considering under the circumstances," he wrote, adding that, "If at the moment of the breach the terms were different and more favorable for the plaintiffs, the success of the threatened class action is still highly uncertain. It largely depends where the victims file the lawsuit, but virtually everywhere they will be required to prove specific and measurable damages, not just a speculative risk of hypothetic future damage. As the existing jurisprudence coherently demonstrates, the only parties who get wealthier in data breach class actions (or individual lawsuits) – are attorneys representing the parties. I think the best, the fastest and cheapest for everyone solution would be to find a fair settlement proportional to the inflicted harm.”