CYBAZE-News

Threat actors had access to the email accounts of at least four NRCC aides and spied on thousands of sent and received emails for several months.

The email system at the National Republican Congressional Committee (NRCC), the Republican Party’s campaigning arm, was hacked.

The news was first reported by Politico; the committee later admitted the intrusion and confirmed that the attackers had access to mail messages for months.

“The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.” states the report published by Politico.

“The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.”

An NRCC vendor alerted the committee and its cybersecurity contractor in April. The National Republican Congressional Committee alerted the authorities and launched an internal investigation.

Politico reported that senior House Republicans, including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana, were not informed of the intrusion until the media outlet reported it to the NRCC earlier this week.

It is a difficult moment for the Republican Party that lost 40 seats and gave up majority control to the Democrats in the House after the 2018 mid-term election.

The attack has not been attributed to a specific threat actor, but months of undetected access to the mailboxes of senior aides is the profile of a cyber-espionage campaign rather than of opportunistic crime.

The attack presents many similarities with the DNC hack that occurred before the 2016 election, which US intelligence attributed to Russia-linked APT groups.

It is not clear what measures the NRCC had adopted to prevent this kind of intrusion; after being notified, the committee alerted the security firm CrowdStrike.

“Like other major committees, the NRCC also had security procedures in place before the election cycle began to try to limit the amount of information that could be exposed to a potential hacker. It also employed a full-time cybersecurity employee.” concludes Politico.

Pierluigi Paganini

(Security Affairs – National Republican Congressional Committee (NRCC), hacking)


The post Email accounts of top NRCC officials were hacked in 2018 appeared first on Security Affairs.

Security experts reported a new ransomware strain spreading in China; the malicious code infected over 100,000 PCs in just four days.

Unfortunately, the number of infections is rapidly increasing because the attackers compromised a software supply chain.

It is interesting to note that this ransomware requests victims to pay 110 yuan (nearly Euro 14) in ransom through WeChat Pay.

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by anti-virus firm Velvet Security

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.” 

Victims are prompted to pay the ransom to the attackers’ WeChat account within 3 days to receive the decryption key. If the victim does not pay within that window, the malicious code deletes the decryption key from the C&C server.

The malicious code also implements password-stealing capabilities: the ransomware is able to steal users’ credentials for popular Chinese services, including Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ websites.

The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.

According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.

The tainted development tool injects the malicious code into every program compiled with it, so developers unknowingly ship the ransomware inside their own software.

To avoid detection, the author of the threat signed the code with a trusted digital certificate from Tencent Technologies and skipped encryption of files in some specific directories, such as “Tencent Games”, “League of Legends”, “tmp”, “rtl”, and “program”.

The good news for the victims is that researchers were able to crack the ransomware: the experts discovered that the malware uses a simple XOR cipher, instead of DES, to encrypt the files, and that it also stores a copy of the decryption key locally on the victim’s system at the following path:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Velvet experts released a free decryption tool that can be used to recover documents encrypted by the malware.
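The weakness the researchers exploited is worth seeing in code. The following is an added example, not the ransomware’s code or Velvet’s decryptor: a repeating-key XOR cipher of the kind described, decrypted first with the locally stored key (the easy case, since the article gives the key’s path under %AppData%\Roaming) and then with a key recovered from nothing but the known header bytes of a common file type. The sample document, the key and the key length are constructed for the example; with a real block cipher such as DES and a key that never touches disk, the known-plaintext recovery below would not work.

```python
"""Why an XOR 'cipher' is crackable: repeating-key XOR leaks its key wherever the
plaintext is known. Added example; not the ransomware's code or Velvet's tool."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_with_stored_key(ciphertext: bytes, stored_key: bytes) -> bytes:
    """Case 1: the malware left its key on disk (the article gives the path under
    %AppData%\\Roaming); recovering files is just reading it and XOR-ing back."""
    return xor_bytes(ciphertext, stored_key)


def keystream_from_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """key[i] = c[i] ^ p[i] for every position where the plaintext is known."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def find_key_length(ciphertext: bytes, known_prefix: bytes, max_len: int = 64):
    """Case 2: no key file. With at least 2*key_len bytes of known plaintext the
    recovered keystream must repeat with the key's period; return the smallest one."""
    stream = keystream_from_known_plaintext(ciphertext, known_prefix)
    for length in range(1, min(max_len, len(stream) // 2) + 1):
        if all(stream[i] == stream[i + length] for i in range(len(stream) - length)):
            return length
    return None  # not enough known plaintext, or not a repeating-key XOR


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Full key from a known file header; raises if the header is too short."""
    length = find_key_length(ciphertext, known_prefix)
    if length is None:
        raise ValueError("known plaintext shorter than twice the key length")
    return keystream_from_known_plaintext(ciphertext, known_prefix)[:length]


# Constructed sample: a small XML document (its prolog is a 38-byte known plaintext)
# and a 16-byte key with no shorter period. Neither comes from the real malware.
XML_PROLOG = b'<?xml version="1.0" encoding="UTF-8"?>'
SAMPLE_PLAINTEXT = XML_PROLOG + b'\n<invoice id="2018-1204"><total>110</total></invoice>\n'
SAMPLE_KEY = b"unname_1989-k3y!"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("key length:", find_key_length(SAMPLE_CIPHERTEXT, XML_PROLOG))
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, XML_PROLOG))
    print(xor_bytes(SAMPLE_CIPHERTEXT, recover_key(SAMPLE_CIPHERTEXT, XML_PROLOG)).decode())
```

The period test in find_key_length is the whole trick: once the known plaintext covers two periods, the key falls out with no search at all, which is why researchers could ship a decryptor even for victims whose local key file had been wiped.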

Experts attributed the ransomware to a software programmer named “Luo,” they reported their discovery to the Chinese authorities.

Pierluigi Paganini

(Security Affairs – cybercrime, China)


The post New strain of Ransomware infected over 100,000 PCs in China appeared first on Security Affairs.

Security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems.

According to a study conducted by experts from Trend Micro and the Polytechnic University of Milan, attackers can abuse M2M protocols to target IoT and IIoT devices.

The experts analyzed the M2M protocols, the Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

The former is a publish/subscribe messaging protocol in which clients exchange messages through a broker; the latter is a UDP-based client-server protocol that lets constrained nodes exchange requests and responses.

The experts pointed out that attackers could abuse M2M protocols for target reconnaissance, industrial espionage, targeted attacks, and to make lateral movements.

Researchers monitored both protocols over a period of four months, playing the attacker’s role for their research.

“For data gathering, we played the role of a casual attacker with modest resources, scanning the internet for exposed MQTT brokers and CoAP hosts. In just nearly four months, such a “casual attacker” was able to collect 209,944,707 MQTT messages obtained from 78,549 brokers and 19,208,047 CoAP responses from 441,964 servers.” reads the research paper.

The analysis of MQTT implementations revealed security flaws that could be exploited to trigger a DoS condition or execute arbitrary code. Trend Micro reported the vulnerabilities to the developers of the affected software, who quickly released patches.

Trend Micro also published a video PoC of the attacks abusing the MQTT protocol.

The researchers did not find security flaws in the CoAP protocol itself, but warned that, being UDP-based, it is susceptible to IP spoofing, which attackers could exploit for DDoS amplification attacks.

“However, the Request for Comments (RFC) defining the protocol, RFC 7252, explicitly pinpoints the security issues (mainly due to the “connectionless” nature of UDP), which we confirmed with a practical experiment.” continues the report.

“On a test network with CoAP clients and servers, we launched an amplification attack with increasing payload size and estimated the maximum bandwidth amplification factor (BAF). According to our estimate, CoAP can reach up to 32 times (32x) amplification factor, which is roughly between the amplification power of DNS and SSDP.”
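As an added example (not code from Trend Micro or the Politecnico study), the following builds and parses CoAP messages per RFC 7252 and measures the amplification of a constructed resource-discovery exchange: a 21-byte GET for /.well-known/core answered by a link-format listing of twenty sample resources. No packets are sent; the ratio is computed on the in-memory messages. The resource names and the listing are constructed, so the BAF they produce describes this sample, not the 32x the report measured.

```python
"""CoAP (RFC 7252) message building/parsing and a bandwidth-amplification estimate.
Added example; not Trend Micro's or the Politecnico di Milano team's code.
Nothing is sent on the network: every message is built and measured in memory."""
import struct

COAP_VERSION = 1
TYPE_CON, TYPE_NON, TYPE_ACK, TYPE_RST = 0, 1, 2, 3
CODE_GET = 0x01            # 0.01 GET
CODE_CONTENT = 0x45        # 2.05 Content
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
CF_LINK_FORMAT = 40        # application/link-format (RFC 6690)


def _encode_opt_field(value: int):
    """Option delta/length as (nibble, extension bytes), RFC 7252 section 3.1."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def _decode_opt_field(nibble: int, msg: bytes, i: int):
    """Inverse of _encode_opt_field; returns (value, next offset)."""
    if nibble < 13:
        return nibble, i
    if nibble == 13:
        return msg[i] + 13, i + 1
    if nibble == 14:
        return struct.unpack("!H", msg[i:i + 2])[0] + 269, i + 2
    raise ValueError("nibble 15 is reserved; message is malformed")


def build_message(msg_type, code, message_id, token=b"", options=(), payload=b"") -> bytes:
    """Serialise one CoAP message; options is a sequence of (number, value bytes)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    out = struct.pack("!BBH", (COAP_VERSION << 6) | (msg_type << 4) | len(token),
                      code, message_id) + token
    prev = 0
    # Options are delta-encoded, so they must be emitted in ascending number;
    # the stable sort keeps repeated Uri-Path segments in their original order.
    for number, value in sorted(options, key=lambda o: o[0]):
        dn, dext = _encode_opt_field(number - prev)
        ln, lext = _encode_opt_field(len(value))
        out += bytes([(dn << 4) | ln]) + dext + lext + value
        prev = number
    if payload:
        out += b"\xff" + payload
    return out


def build_get(path: str, message_id: int, token=b"", msg_type=TYPE_CON) -> bytes:
    """Confirmable GET for a path such as '.well-known/core' (one Uri-Path option per segment)."""
    opts = [(OPT_URI_PATH, seg.encode()) for seg in path.split("/") if seg]
    return build_message(msg_type, CODE_GET, message_id, token, opts)


def parse_message(msg: bytes) -> dict:
    """Parse header, token, options and payload, rejecting truncated option values."""
    first, code, mid = struct.unpack("!BBH", msg[:4])
    version, msg_type, tkl = first >> 6, (first >> 4) & 3, first & 0xF
    if version != COAP_VERSION or tkl > 8:
        raise ValueError("bad version or token length")
    i = 4 + tkl
    token = msg[4:i]
    options, number = [], 0
    while i < len(msg) and msg[i] != 0xFF:
        b = msg[i]
        i += 1
        delta, i = _decode_opt_field(b >> 4, msg, i)
        length, i = _decode_opt_field(b & 0xF, msg, i)
        if i + length > len(msg):
            raise ValueError("option value runs past end of message")
        number += delta
        options.append((number, msg[i:i + length]))
        i += length
    payload = msg[i + 1:] if i < len(msg) else b""
    return {"type": msg_type, "code": code, "id": mid, "token": token,
            "options": options, "payload": payload,
            "uri_path": "/".join(v.decode() for n, v in options if n == OPT_URI_PATH)}


def amplification_factor(request: bytes, response: bytes) -> float:
    """Response bytes per request byte, on the CoAP message only. Counting the
    28-byte IPv4/UDP overhead on both sides would lower the ratio somewhat."""
    return len(response) / len(request)


# Constructed exchange: a 21-byte GET /.well-known/core and a link-format listing of
# twenty sample resources. Because CoAP runs over UDP with no handshake, a request
# carrying a spoofed source address sends this whole response to the spoofed victim.
REQUEST = build_get(".well-known/core", message_id=0x1234)
SAMPLE_LINKS = ",".join(f'</sensors/{i}/temp>;rt="temperature-c";if="sensor"'
                        for i in range(20)).encode()
RESPONSE = build_message(TYPE_ACK, CODE_CONTENT, 0x1234,
                         options=[(OPT_CONTENT_FORMAT, bytes([CF_LINK_FORMAT]))],
                         payload=SAMPLE_LINKS)

if __name__ == "__main__":
    print(f"request {len(REQUEST)} B, response {len(RESPONSE)} B, "
          f"BAF {amplification_factor(REQUEST, RESPONSE):.1f}x")
```

The request is small because the whole CoAP header is four bytes and Uri-Path options cost one byte each plus the segment; the response is large because a device lists every resource it serves. That asymmetry, plus the absence of any handshake that would prove the source address, is the amplification the report quantifies.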

Experts highlighted the risk that malware could, in the near future, abuse M2M protocols for malicious activity.

“MQTT and CoAP are data protocols playing a fundamental role in M2M communication among consumer and industrial applications. The presence of unsecure MQTT and CoAP deployments shows no improved security awareness since 2017, when this problem was first highlighted for MQTT.” concludes the report.

“Despite the security recommendations being well highlighted in the CoAP RFC, CoAP already suffers from a deployment problem similar to that affecting MQTT. Both MQTT and CoAP have some features that, even in the absence of implementation vulnerabilities, can be abused to the attacker’s advantage. When deploying or using MQTT and CoAP services, the following practical points should be considered.”

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)


The post M2M protocols can be abused to attack IoT and IIoT systems appeared first on Security Affairs.

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeting Italian users through a malspam campaign.

Introduction

In recent weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. Yoroi-Cybaze ZLAB isolated several malicious emails with the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip”

The attachment contains a .js file; when it is launched, it starts the infection by downloading further components from the Internet.

The Dropper

The initial dropper is an obfuscated JavaScript file. Once run, it generates a lot of noisy Internet traffic to make the real malicious infrastructure harder to identify: as the following figures show, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise in the analysis environment.

Figure 1: Hard coded urls where the malware tries to connect to generate noise

Figure 2: Generated internet traffic noise

However, the real malicious action performed by the JavaScript is to create a batch file at the path “%APPDATA%\Roaming\325623802.bat”. The file is a simple script containing the following code:

Figure 3: Extracted batch file

The script execution pops up a harmless “FedEx” brochure in PDF format to decoy the victim; in the meantime it downloads a CAB archive hosted on a compromised Chinese website and extracts a PE32 executable from it.

Figure 4: PDF downloaded from the Internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it is a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make debugging harder, then it starts several instances of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: spawned processes by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destinations 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the attacker’s malicious infrastructure.

Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base URL adopted by the sample matches several malspam campaigns tracked during the current year (ref. Yoroi early warnings N070618, N030618, N010318).

Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its persistence on the infected system in the long run. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”

Figure 9: Registry key written by the malware

Among the values under the registry key shown above, there is an entry named “ddraxpps”: this particular name was also used in the persistence mechanism of other Ursnif samples analyzed back in January. The malware also configures a value named “comuroxy” containing a wmic “process call create” command designed to invoke the PowerShell code stored in the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".
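Those two values give a defender something concrete to alert on: a wmic.exe “process call create” that launches a hidden PowerShell, a PowerShell child of wmic.exe that reads a registry value and hands it to iex, and writes under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}. The following is an added example, not Yoroi’s detection content: three such rules run over a handful of constructed Sysmon-style events (process creation, Event ID 1, and registry value set, Event ID 13). The command lines reproduce the ones in this analysis; the SIDs, the process tree and the benign events are made up.

```python
"""Detection logic for the persistence chain described above, run over constructed
Sysmon-style events. Added example, not Yoroi's code or rules."""
import re

# Sysmon reports HKCU keys as HKU\<SID>\...; PowerShell spells it HKCU:\... .
# Both share the distinctive AppDataLow\Software\Microsoft\<GUID> subtree.
APPDATALOW_KEY = re.compile(r"\\Software\\AppDataLow\\Software\\Microsoft\\", re.I)
GUID_SUBKEY = re.compile(
    r"\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\\", re.I)
IEX = re.compile(r"\biex\b|invoke-expression")   # word-bounded: 'iexplore' must not match


def classify(event: dict) -> list:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits = []
    if event.get("EventID") == 1:  # process creation
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "")
        lc = cmd.lower()
        if image.endswith("\\wmic.exe") and "process call create" in lc and "powershell" in lc:
            hits.append("wmic_process_call_create_powershell")
        if parent.endswith("\\wmic.exe") and image.endswith("\\powershell.exe"):
            hits.append("wmic_spawns_powershell")
        if (image.endswith("\\powershell.exe") and IEX.search(lc)
                and "get-itemproperty" in lc and APPDATALOW_KEY.search(cmd)):
            hits.append("iex_from_appdatalow_registry")
    elif event.get("EventID") == 13:  # registry value set
        if GUID_SUBKEY.search(event.get("TargetObject", "")):
            hits.append("appdatalow_guid_value_written")
    return hits


def alerts(events) -> list:
    """(index, [rules]) for every event that matches at least one rule."""
    out = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            out.append((i, hits))
    return out


# Constructed events. The two command lines reproduce those in the analysis; the
# SID, the parent processes and the benign entries are made up for the example.
WMIC_CMD = (r'C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create '
            r'"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty '
            r"'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6')"
            r'.ddraxpps))"')
PS_CMD = WMIC_CMD.split('"', 1)[1].rstrip('"')   # the inner powershell command line

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": WMIC_CMD},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\wmic.exe", "CommandLine": PS_CMD},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\AppDataLow\Software\Microsoft"
                     r"\6C174C70-DB2B-7E6F-C560-3F92C994E3E6\ddraxpps"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for index, rules in alerts(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], rules)
```

The registry rule is the most durable of the three: value names such as “ddraxpps” and “comuroxy” change between samples, but the AppDataLow\Software\Microsoft\{GUID} subtree is exactly what made this sample recognisable as Ursnif in the first place.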

The “ddraxpps” value stores a hex string that can be decoded with a simple hex-to-ASCII conversion; its content is the following obfuscated PowerShell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers at line two is the actual executable payload in decimal notation.

  $sagsfg="qmd";function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64-encoded PowerShell snippet revealing the usage of a known payload injection technique, “APC injection”, used to infect the “iexplore.exe” process (the original analysis also labels it “AtomBombing”, but the API sequence below is that of plain APC injection, which does not use the atom table).

Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the APC injection. The first variable, “$jtwhasq”, imports the necessary functions from “kernel32.dll”, in particular “GetCurrentProcess()” and “VirtualAllocEx()”. The second row imports “GetCurrentThreadId()”, “QueueUserAPC()” and “OpenThread()”. The third row contains the real injection: while the first two lines prepare all imports, functions and their parameters, the third one executes the actual APC injection. The first step is to allocate a memory region with “VirtualAllocEx()” in the process identified by “GetCurrentProcess()”. The malware is then copied into that region and, finally, its execution is scheduled on a thread within the “iexplore.exe” process through “QueueUserAPC()”.

Conclusion

In the end, the whole infection chain can be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the installed registry key, and the check-in with the C2 followed by the download of the Ursnif modules.

Figure 12. Representation of the infection chain

Further details, including IoCs and Yara rules, are reported in the original blog post published by Yoroi.

Dissecting the latest Ursnif DHL-Themed Campaign

Pierluigi Paganini

(Security Affairs – Ursnif, malware)


The post Dissecting the latest Ursnif DHL-Themed Campaign appeared first on Security Affairs.

Society’s dependence on internet-based technologies means security professionals must defend against cyberattacks as well as more traditional threats, such as robbers or disgruntled employees.

However, cybercriminals target some industries at disproportionally high rates. Here are four of them:

1. Health Care

Since health care professionals deal with life-or-death situations, cyberattacks could hinder both productivity and patient care to a tremendous degree. Some attacks have shut down entire health systems comprising multiple facilities or forced affected staff to switch from computerized processes to pen and paper.

The medical industry faces an exceptional risk for cyberattacks because there are so many players involved in the sector. More than 83 percent of organizations responding to a recent survey reported making new or improved organizational security enhancements.

That’s notable progress, but analysts also worry about the potential for attacks that don’t directly target hospitals or similar organizations. Recent demonstrations from cybersecurity researchers have shown how it’s possible to hack into medical devices like pacemakers or insulin pumps.

There are also instances of hospitals being unable to perform fundamental services. In November 2018, a ransomware attack forced two hospitals to send ambulances elsewhere and only accept walk-up patients to the emergency rooms.

Hackers know they can wreak substantial havoc by attacking hospitals, thereby increasing the potential for notoriety. It doesn’t hurt that those organizations keep medical records containing valuable information hackers could sell on the black market. One incident at North Carolina-based Atrium Health potentially breached the data of 2.65 million people.

2. Nonprofit

Nonprofits typically focus their efforts on causes that improve society at large, at-risk groups and others in need. However, cyberattacks could thwart all those intentions to put energy toward the greater good. Research indicates cyberattacks threaten nonprofit organizations for various reasons.

Data from 2017 found only 27 percent of nonprofits broke even that year. So, if nonprofit leaders want to devote more money to cybersecurity, they may feel too financially strapped to make meaningful progress. Plus, many nonprofits have small teams of hired employees and rely heavily on volunteers otherwise. That bare-bones staffing structure could make it harder than average for nonprofits to recover after issues happen.

Also, nonprofits may feel overwhelmed about where to start as they learn about cybersecurity. Fortunately, some products geared toward nonprofits have robust integrated security. Volgistics is a company associated with volunteer management that serves 5,121 organizations. A section on its website details the online and offline measures taken to keep customer data safe.

3. Retail

The retail industry is cyclical, so certain times of the year — including the holiday season or when kids go back to school — are particularly busy. Plus, cybercrime problems could take websites offline or cause reputational damage. Despite those risks, retailers make blunders when budgeting for cybersecurity. A recent report found 50 percent of all data breaches in the U.S. happened at retail establishments.

The study also determined that entities spend the most money on cybersecurity measures considered among the least effective. No matter what, it’s crucial for the retail sector to take cybersecurity seriously. Research from Gemalto found 70 percent of people would stop doing business with companies that suffer data breaches. So, failing to conquer the problem could lead to profit losses in unexpected ways.

4. Financial Services

People rely on banks to do daily transactions for business or personal reasons. And, since financial institutions have extraordinary amounts of money on hand, it’s not surprising they’re prime targets for cybercriminals. Even financial industry businesses that don’t store so many financial resources on site — such as wealth management companies — keep documents filled with clients’ personal details.

The financial sector is also so potentially lucrative for hackers that they may set their sights on carrying out attacks on ATMs in multiple countries. Sources report a North Korean hacking group known as Lazarus is believed to be behind attacks in 23 countries totaling tens of millions of dollars.

There’s an emerging trend of banks hiring ethical hackers to find vulnerabilities and test existing safeguards. That’s a practical way to address cybercrime risks, but it’s an approach that’ll likely become increasingly harder to choose. That’s because there’s already a gigantic cybersecurity skills gap consisting of hundreds of thousands of open cybersecurity positions, and forecasts say the shortage will get worse.

No Industry Is Immune

Any sector that uses the internet to conduct business could become a cybercriminal’s target.

Although the industries mentioned here need to take particular care to prevent issues, proactive steps taken to fix problems and monitor for suspicious issues could keep all companies safer from cybercrime.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, cyberattacks)


The post 4 Industries That Have to Fight the Hardest Against Cyberattacks appeared first on Security Affairs.

Another day, another illustrious victim of a data breach: the popular question-and-answer website Quora suffered a major data breach that exposed the data of 100 million users.

On Monday, the popular question-and-answer website Quora disclosed a major data breach: unknown hackers breached its systems and accessed the data of 100 million users.

The company is notifying the affected users and has reset their passwords as a precautionary measure; it also reported the incident to law enforcement. Quora hired a forensics and security firm to assist in the investigation.

Quora is still investigating the security breach, it discovered the intrusion on  November 30 and attributed it to a “malicious third party.”

“We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.” reads the data breach notification.

“On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”

Exposed data includes name, email address, hashed password, data imported from linked networks, public content and actions (e.g. questions, answers, comments, and upvotes), and non-public content and actions (e.g. answer requests, downvotes, and direct messages).

“While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.” continues the company.

Data belonging to users who posted anonymously was not exposed; financial data and social security numbers are not at risk because the Quora platform does not collect them.

Quora has identified the root cause of the breach and has taken steps to address it, it did not disclose technical details on the incident.

The company announced additional efforts to mitigate the effects of the incident and to avoid future security breaches.

“Not all Quora users are affected, and some were impacted more than others.” states the FAQ page published by the company.

Pierluigi Paganini

(Security Affairs – Quora, Data breach)


The post Quora data breach: hackers obtained information on roughly 100 million users appeared first on Security Affairs.

The Russia-linked cyber-espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) used BREXIT lures in recent attacks.

The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit ever observed in the wild; the code, tracked as LoJax, was used in real attacks.

In November 2018, malware researchers at the Cybaze ZLab- Yoroi team discovered a new variant of the dangerous APT28 Lojax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

The BREXIT-themed lure is a DOCX file that carries no macro itself: its settings.xml.rels relationship file points to a remote template, so Word fetches the malicious content from an external server when the document is opened.

The macro-enabled template downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded as Base64-encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server, which in turn delivers the next-stage malware if the system is deemed interesting.
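Remote template injection leaves a fingerprint in the package itself, which can be checked before a document is ever opened in Word. The following is an added example, not Accenture’s code: it builds a minimal, constructed .docx in memory, with or without an external attachedTemplate relationship, and lists every relationship marked TargetMode="External" in the package, flagging the template ones. The template URL used is a documentation-range placeholder; the article does not give the real campaign’s template location.

```python
"""Spot a DOCX whose settings.xml.rels points at a remote template (the
delivery trick described above). Added example, not Accenture's code."""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def scan_docx(docx_bytes: bytes) -> list:
    """Every relationship with TargetMode="External", flagging attachedTemplate ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                    "remote_template": rel_type.endswith("/attachedTemplate"),
                })
    return findings


def remote_template_targets(docx_bytes: bytes) -> list:
    """Just the URLs the document would fetch a template from; non-empty = suspicious."""
    return [f["target"] for f in scan_docx(docx_bytes) if f["remote_template"]]


def _rels_part(rels) -> str:
    """Serialise (id, kind, target, external?) tuples into a .rels part."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{R_NS}/{kind}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for rid, kind, target, external in rels)
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'


def make_docx(template_url=None, hyperlink_url=None) -> bytes:
    """Constructed minimal .docx built in memory: enough structure for the scanner,
    not a complete Office file. template_url reproduces the remote-template layout;
    hyperlink_url adds a benign external relationship that must not be flagged."""
    doc_rels = [("rId1", "settings", "settings.xml", False)]
    if hyperlink_url:
        doc_rels.append(("rId2", "hyperlink", hyperlink_url, True))
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": _rels_part([("rId1", "officeDocument", "word/document.xml", False)]),
        "word/document.xml": (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                              '<w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>'),
        "word/_rels/document.xml.rels": _rels_part(doc_rels),
        "word/settings.xml": (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                              + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
                              + "</w:settings>"),
    }
    if template_url:
        parts["word/_rels/settings.xml.rels"] = _rels_part(
            [("rId1", "attachedTemplate", template_url, True)])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder address from the documentation range; not the campaign's server.
    sample = make_docx(template_url="http://203.0.113.5/templates.dotm")
    print(remote_template_targets(sample))
```

Hyperlinks are external relationships too, which is why the scanner keeps the type and reports them separately: an external hyperlink is ordinary, an external attachedTemplate in a mailed document is not.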

Further information on the attack, including mitigations, is reported in the analysis published by Accenture.

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)


The post Russia-linked APT Sofacy leverages BREXIT lures in recent attacks appeared first on Security Affairs.

Security experts at HackenProof are warning that open Elasticsearch instances have exposed the data of over 82 million US users.

Experts from HackenProof discovered unprotected Elasticsearch instances that expose the records of over 82 million people in the United States.

Elasticsearch is a Java-based, open-source search engine built on the Lucene information-retrieval library; it is used by many organizations worldwide.

Experts discovered 73 gigabytes of data during a regular security audit of publicly available servers. Using the Shodan search engine the experts discovered three IPs associated with misconfigured Elasticsearch clusters.

“A massive 73 GB data breach was discovered during a regular security audit of publicly available servers with the Shodan search engine.” reads a blog post published by HackenProof.

“Prior to this publication, there were at least 3 IPs with the identical Elasticsearch clusters misconfigured for public access.”

The first IP discovered by the experts on November 14, contained the personal information of 56,934,021 U.S. citizens (i.e. name, email, address, state, zip, phone number, IP address, and also employers and job title).

Experts discovered a second index in the same archive that contained more than 25 million records with more detailed information (i.e. name, company details, ZIP code, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, etc.).

Overall, according to HackenProof’s report (PDF), the unprotected Elasticsearch instances exposed 114,686,118 records relating to 82,851,841 individuals.

At the time, the ownership of the exposed Elasticsearch instances is not clear; experts speculate that Data & Leads Inc. could be the data source.

Experts attempted to notify the incident to the company, but they did not receive any reply. The company website was taken offline just after the publication of the report.

It is not possible to determine for how long data remained exposed online, the good news is that the huge trove of data is no longer available.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives.” continues the blog post.

“Moreover, shortly before this publication Data & Leads website went offline and now is unavailable.”

In September, security experts from the firm Kromtech discovered 4,000 compromised instances of the open-source analytics and search tool Elasticsearch that were running PoS malware.

In early 2017, the number of internet-accessible Elasticsearch installs was roughly 35,000.

In July, the security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server.

Unprotected Elasticsearch instances are a gift for hackers and cybercriminals: beyond reading the data, attackers can compromise them by installing malware and gaining full administrative privileges on the underlying servers.

Pierluigi Paganini

(Security Affairs – Elasticsearch installs, hacking)


The post Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances appeared first on Security Affairs.

New Zealand intelligence agency asked mobile company Spark to avoid using Huawei equipment for 5G infrastructure.

According to New Zealand’s Government Communications Security Bureau, Huawei equipment for 5G infrastructure poses a “significant network security risk,” for this reason, it asked mobile company Spark to avoid using the equipment of the Chinese company.

The announcement follows the decision of the Australian Government to ban Huawei equipment from Australia’s 5G network due to security concerns.

New Zealand is a member of the Five Eyes intelligence alliance; the other members (UK, US, Australia), with the exception of Canada, have banned Huawei over security fears.

The Chinese company was founded by a former People’s Liberation Army officer in 1987. The US was the first country to warn of the security risks associated with the use of products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with the Chinese intelligence, but it is not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei was already helping Spark to build 5G mobile networks.

“In New Zealand, Huawei has previously helped build mobile networks. In March, Spark and Huawei showcased a 5G test site across the street from the Parliament, in a publicity move that was attended by then Broadcasting Minister Clare Curran.” reported the Associated Press.

China and New Zealand have a good commercial partnership and the ban imposed by the government could have severe repercussions on it. In 2008, New Zealand signed a free-trade deal with China.

“The economic and trade cooperation between China and New Zealand is mutually beneficial in nature,” said Foreign Ministry spokesman Geng Shuang.

“We hope New Zealand will provide a level-playing field for Chinese enterprises’ operation there and do something conducive for mutual trust and cooperation.”

What is Spark’s position on the ban?

The company is disappointed with the decision by New Zealand’s Government Communications Security Bureau, but it still intends to launch its 5G network by July 2020.

“Spark said it had wanted to use Huawei 5G equipment in its planned Radio Access Network, which involves technology associated with cell tower infrastructure.” concludes the AP.

“The company said it has not yet had time to review the detailed reasoning behind the spy agency’s decision, or whether it will take further steps.”

Pierluigi Paganini

(Security Affairs – New Zealand, Huawei)


The post New Zealand Security Bureau halts Spark from using Huawei 5G equipment appeared first on Security Affairs.

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to hijack over 50,000 vulnerable printers to promote the PewDiePie YouTube channel.

An anonymous hacker hijacked over 50,000 internet-connected printers worldwide to print out messages promoting the subscription to the PewDiePie YouTube channel. Felix Arvid Ulf Kjellberg, aka PewDiePie, is a popular Swedish Youtuber, comedian, and video game commentator, formerly best known for his Let’s Play commentaries and now mostly known for his comedy and vlogs.

This is the latest act in the dispute over the “most-subscribed YouTube channel” crown between T-Series and PewDiePie.

PewDiePie has more than 73 million YouTube subscribers.

Now a hacker using the Twitter account TheHackerGiraffe decided to promote his favourite YouTube channel in his own way: he hacked tens of thousands of printers exposed online.

The hacker scanned the Internet for printers with port 9100 open using Shodan and hacked them publishing a message that invited the victims to unsubscribe from T-Series channel and subscribe to PewDiePie instead.

“PewDiePie is in trouble, and he needs your help to defeat T-Series!”

“PewDiePie, the currently most subscribed to channel on YouTube, is at stake of losing his position as the number one position by an Indian company called T-Series that simply uploads videos of Bollywood trailers and campaigns,”

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to compromise the vulnerable printers. PRET is a legitimate tool developed by researchers from Ruhr-Universität Bochum in Germany for testing purposes.

The case is singular, but it raises the discussion about the importance of properly securing Internet-connected devices.
In this case the attacker simply printed out a message, but vulnerable printers exposed online could be the entry point for attackers who, through lateral movement, compromise an entire network and access sensitive information.

Don’t forget that every device in your organization that is exposed online enlarges your attack surface.

Pierluigi Paganini

(Security Affairs – vulnerable printers, hacking)


The post Hacker hijacks printers worldwide to promote popular YouTube channel appeared first on Security Affairs.