We round up the week’s most important cybersecurity news.
- A Google engineer found a vulnerability in Telegram. Durov denied it.
- The United States accused a Russian of developing ransomware that caused $200 million in damage.
- Discord notified users of a data breach.
- Toyota exposed location data for more than 2 million vehicles for ten years.
Google engineer finds vulnerability in Telegram; Durov disputes it
An exploit in the Telegram macOS client could potentially allow an attacker to access the computer’s camera and microphone. This was reported by Google engineer Dan Revah, but Telegram disputed that there is a problem.
A new vulnerability found in Telegram that can grant access to your camera and microphone.
Found by an engineer at Google, reported to Telegram and they haven’t addressed it.
So now we get a detailed public disclosure!
How this works and what it means for your privacy
— Matt Johansen (@mattjay) May 15, 2023
Discovered as early as February, the vulnerability stems from the messenger not properly using two of Apple’s security mechanisms: Hardened Runtime and Entitlements.
The first protects a process against memory manipulation and injection of malicious code; the second controls an app’s permissions to use the microphone, camera and other device functionality.
Without them, an attacker can build and inject a third-party dynamic library (dylib) that, running inside Telegram and with its privileges, can record video from the camera and save it to a file.
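Both mechanisms named above can be checked on any signed macOS app. As an added example (not code from the original article or from Telegram), this Python audit parses constructed samples of `codesign -d -vvv` output and an entitlements plist, reports whether the hardened-runtime flag is set, flags entitlements that re-enable library injection, and lists the camera and microphone access an injected library would inherit; the sample values and the `audit_app` helper are assumptions.

```python
import plistlib
import re

# Constructed sample in the style of `codesign -d -vvv <App>`; not captured from
# Telegram or any real application. flags=0x0 means no hardened runtime.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x0(none) hashes=30+7 location=embedded
"""
# Constructed entitlements plist, as printed by `codesign -d --entitlements - --xml <App>`.
SAMPLE_ENTITLEMENTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

CS_RUNTIME_FLAG = 0x10000  # code-signing flag set when the app opts into the hardened runtime
# Entitlements that re-open the injection paths the hardened runtime otherwise closes.
WEAKENING = {
    "com.apple.security.cs.disable-library-validation": "third-party dylibs may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
}
# Entitlements that grant the device access an injected library would inherit.
DEVICES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def hardened_runtime_enabled(codesign_output: str) -> bool:
    """True when the CodeDirectory flags word has the runtime bit set."""
    m = re.search(r"^CodeDirectory .*?flags=0x([0-9a-fA-F]+)", codesign_output, re.M)
    return bool(m) and bool(int(m.group(1), 16) & CS_RUNTIME_FLAG)

def audit_app(codesign_output: str, entitlements_xml: str) -> list:
    """Return findings: missing hardened runtime, weakening entitlements, and
    which sensitive devices injected code would gain access to."""
    findings = []
    if not hardened_runtime_enabled(codesign_output):
        findings.append("hardened runtime disabled: in-process code injection is not blocked")
    ents = plistlib.loads(entitlements_xml.encode())
    for key, why in WEAKENING.items():
        if ents.get(key):
            findings.append(f"{key}: {why}")
    granted = [name for key, name in DEVICES.items() if ents.get(key)]
    if granted:
        findings.append("injected code would inherit access to: " + ", ".join(granted))
    return findings
```

On a real app, feed the function the output of the two `codesign` commands named in the comments; an empty findings list means the hardened runtime is on and no weakening entitlement is present.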
A Telegram spokesman, commenting to the publication Durov’s Code, said the exploit does not threaten users by itself: for the described scenario to work, malicious software would already have to be installed on the system.
“The real issue is that, apparently, it is possible to bypass the Apple sandbox restrictions designed to prevent such abuses by third-party apps,” the company noted.
The Google engineer’s conclusions were also disputed by Telegram founder Pavel Durov, who said that on technical matters the media “often chase sensational headlines and mislead users.”
Nevertheless, Telegram has implemented all the changes it could on its end; the update is already available in the App Store.
The United States accused a Russian of developing ransomware that caused $200 million in damage
On May 16 the Office of Foreign Assets Control (OFAC) imposed sanctions on Russian national Mikhail Matveev, accused of developing the Babuk ransomware and distributing several variants, including LockBit and Hive.
The agency estimates the total damage from these attacks at $200 million.
Matveev operated under the aliases Wazawaka, Boriselcin and Uhodiransomwar. OFAC says he acted as an intermediary, selling access to networks he had compromised through vulnerabilities he identified.
The Babuk Locker group began operating in January 2021 and affected critical infrastructure, including hospitals, school districts and financial firms.
In April of the same year, the operators attacked the Metropolitan Police Department of Washington, DC, stealing 250 GB of files. After no ransom was paid, they published the data of law enforcement officers.
The Justice Department charged Matveev with several counts and offered a reward of up to $10 million for information leading to his arrest.
Discord notified users of a data breach
A third-party support agent’s account was compromised, leading to a leak of customer data. The company said so in a letter to affected users, which was shared on Reddit.
As a result, the attacker gained access to messages and attachments sent to the support agent, as well as user email addresses.
After detecting the breach, Discord engineers disabled the compromised account, but warned of possible fraud and phishing aimed at affected customers.
The company said it would implement additional safeguards to prevent similar incidents in the future.
Toyota exposed location data for more than 2 million vehicles for ten years
Toyota Connected’s cloud service exposed location data for 2.15 million vehicles through a misconfigured database from January 2012 to April 2023, according to the company’s site.
The issue affected customers in Japan on the T-Connect service, which provides a wide range of features including voice-assisted driving, automatic connection to call centers for vehicle management and crash emergency support.
The misconfigured database contained GPS terminal IDs, VINs and vehicle location information with timestamps.
Toyota Motor Corporation has not found evidence of misuse by third parties. However, it warned that, in theory, unauthorized users could have accessed the real-time location of 2.15 million vehicles. It also noted the possible leakage of dashcam recordings from November 14, 2016 to April 4, 2023.
The company is investigating the incident and plans to set up a dedicated call center to handle inquiries from affected customers.
Suspect in the Pentagon leak previously flagged for excessive interest in intelligence data
Airman Jack Teixeira of the United States Air National Guard, suspected in the recent Pentagon documents leak, repeatedly ignored warnings about mishandling classified information. This is stated in court documents provided by the prosecution.
According to prosecutors, in September 2022 Teixeira took notes on secret intelligence and took briefings home, for which he received his first reprimand. In October that year, during a briefing, he asked very specific questions about such materials.
In February 2023 Teixeira was again caught viewing intelligence information unrelated to his duties.
Prosecutors seek to keep him in detention until trial. Defense lawyers ask that he be released into his parents’ custody, arguing that their client has no intent to flee.
Experts name common ransomware attack vectors
43% of ransomware attacks in 2022 began with the exploitation of vulnerabilities in public-facing applications, 24% with compromised user accounts, and 12% with malicious emails. This is according to a report from Kaspersky Lab.
In some cases the attackers’ goal was not encryption but access to users’ personal data, intellectual property and other confidential information of organisations.
Typically, attackers persisted in a client’s network after gaining access. They often used PowerShell for data collection, Mimikatz for privilege escalation and PsExec for remote command execution, or frameworks such as Cobalt Strike to carry out all stages of the attack.
A survey of experts showed that more than 40% of companies worldwide faced at least one ransomware attack in 2022. Small and medium-sized businesses paid on average $6,500 for data recovery, while large enterprises paid $98,000.
Also on ForkLog:
- Worldcoin will strengthen security to combat the black market for biometrics.
- Coin Cafe will pay $4.3 million for deceiving investors.
- The Bankman-Fried case: sued over purchase of Embed for $250 million on the eve of the FTX collapse.
- The Uranium Finance hacker moved 650 ETH to Tornado Cash.
- Justin Sun accused the brother of Huobi’s founder of selling “free” HT.
- Upbit and Bithumb were raided over a deputy’s suspicious cryptocurrency transactions.
- A US citizen received six years in prison for cryptocurrency extortion.
- Users lost more than $15 million on a counterfeit HitBTC site.
- Attackers stole $30,000 in bitcoin via a fake hardware wallet.
- White House: North Korea funds half of its missile program through cryptocurrency theft.
What to read this weekend?
In the Cryptoarium educational section we discuss the flaws of algorithmic stablecoins.
