1.9 million+ records from the FBI’s terrorist watchlist available online

A security researcher discovered that a secret FBI terrorist watchlist was accidentally exposed on the internet for three weeks, between July 19 and August 9, 2021.

Security researcher Bob Diachenko discovered a secret terrorist watchlist with 1.9 million records that was exposed on the internet for three weeks, between July 19 and August 9, 2021.

In July, Diachenko discovered an unsecured Elasticsearch cluster containing 1.9 million records of sensitive information on individuals, such as names, country of citizenship, gender, date of birth, passport details, and no-fly status.

The list was extracted from the FBI Terrorist Screening Center (TSC) database, which has been used since 2003 by US federal and other agencies to track individuals who are “known or reasonably suspected of being involved in terrorist activities.”

The copy of the TSC database was discovered by the expert on a Bahraini IP address.

“The exposed Elasticsearch cluster contained 1.9 million records,” Diachenko wrote on LinkedIn. “I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

Each record in the watchlist contained some or all of the following info:

  • Full name
  • TSC watchlist ID
  • Citizenship
  • Gender
  • Date of birth
  • Passport number
  • Country of issuance
  • No-fly indicator”

At the time of this writing it is not clear whether the unsecured server was operated directly by a U.S. government agency, by a third party, or, in the worst case, by a threat actor that had obtained the data.

Diachenko immediately reported his discovery to the U.S. Department of Homeland Security (DHS), and the database instance was taken down about three weeks later. That is a long delay, a circumstance suggesting that the server was not directly operated by the FBI.

“On July 19, 2021, the exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS,” continues the expert.

“The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.”

The exposed database was also indexed by the search engines Censys and ZoomEye, which means that other people could have had access to the secret list.

This data leak could have a serious impact on homeland security: the watchlist includes individuals who represent a potential threat to the US even though they have not been charged with terrorism or other crimes.

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families,” says the researcher. “It could cause any number of personal and professional problems for innocent people whose names are included in the list.”

Cases where people landed on the no-fly list for refusing to become an informant aren’t unheard of.

Diachenko believes this leak could therefore have negative repercussions for such people and suspects.

“The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process,” concludes the researcher.

Source: https://securityaffairs.co/wordpress/121213/data-breach/fbi-terrorist-watchlist-leak.html

Nested Pages Patches Post Deletion Vulnerability

Two vulnerabilities were identified in late August in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag-and-drop functionality to manage your page structure and post ordering.

These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.

The plugin author released a patched version of the plugin, version 3.1.16, a few hours later.

Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions that they are allowed to perform, it is not possible to provide protection for these vulnerabilities without blocking legitimate requests. As such, it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.

Full article and analysis: https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability

Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

Booster for WooCommerce is an addon plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point. One module that the plugin offers is an Email Verification module, which adds a requirement for users to verify their email after they have registered on the site.

Unfortunately, the Wordfence team found that this feature was insecurely implemented. An attacker could impersonate any user and send a verification request, then easily recreate the token needed to “verify” the targeted user’s email and be automatically logged in as that user.

More details at: https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce

Hacker returns $600M to Poly Network, is offered position as Chief Security Advisor

Last week, a hacker who stole more than $600 million in various cryptocurrencies began returning the ill-gotten gains. The hacker had exploited a weakness in the Poly Network platform, which bridges multiple blockchains, to pull off the heist. At the time, he had returned almost half of the stolen funds.

This week nearly all of the crypto stolen from Poly Network has been returned, but then something bizarre happened. Instead of turning the thief, who Poly Network refers to as Mr. White Hat, over to authorities, the company hired him to be its Chief Security Advisor and gave him a $500,000 bug bounty for finding the exploit.

Poly Network said that it maintained constant communication with Mr. White Hat as he returned the crypto. He expressed concerns with the platform’s “security and overall development strategy.” The company was impressed enough with his abilities that it offered him a senior-level position at Poly Network. “We are also counting on more experts like Mr. White Hat to be involved in the future development of Poly Network since we believe that we share the vision to build a secure and robust distributed system,” Poly Network wrote in a blog post. “Also, to extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network.”

XSS Vulnerability Patched in SEOPress Affects 100,000 sites

SEOPress is a WordPress plugin designed to optimize the SEO (Search Engine Optimization) of WordPress sites through many different features, like the ability to add SEO meta-data, breadcrumbs, schemas, and more. One feature the plugin implements is the ability to add an SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint.

Unfortunately, this REST-API endpoint was insecurely implemented. The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request. A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action. This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.
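The two WordPress items above (the Nested Pages CSRF and the SEOPress REST route) share one root cause: a request that is merely authenticated, or merely carries a nonce, is not thereby authorized. The following PHP is an added illustration, not code from SEOPress, Nested Pages or Wordfence. It contrasts a permission callback that only checks the REST nonce with one that checks the caller’s capability on the specific post, and shows the matching nonce-plus-capability pattern for a classic admin-post handler. The namespace `example/v1`, the function names, the meta keys and the action name are placeholders invented for this example. Note that WordPress core spells the route argument `permission_callback`, and core already validates the REST nonce during cookie authentication before the callback runs.

```php
<?php
// Added example: WordPress authorization checks for a REST route and an admin-post action.
// All names prefixed "example" are placeholders; this is not any plugin's real code.

// Weak pattern: the REST nonce only proves the request came from a logged-in session.
// Any subscriber can obtain one via the core "rest-nonce" AJAX action, so this check
// does not tell us whether the user may edit the post in question.
function example_weak_permissions( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened pattern: authorization is a capability check against the target post.
// Core has already validated the nonce; the callback decides what this user may do.
function example_hardened_permissions( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You cannot edit this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Route callback: runs only after the permission callback succeeded; sanitize before storing.
function example_update_seo_meta( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    update_post_meta( $post_id, '_example_seo_title', sanitize_text_field( $request->get_param( 'title' ) ) );
    update_post_meta( $post_id, '_example_seo_description', sanitize_textarea_field( $request->get_param( 'description' ) ) );
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/seo/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_seo_meta',
        'permission_callback' => 'example_hardened_permissions', // not example_weak_permissions
        'args'                => array(
            'id'          => array( 'required' => true, 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
            'title'       => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
} );

// Same principle for a classic admin-post bulk action (the Nested Pages case):
// the nonce defends against forged cross-site requests, the capability check
// defends against under-privileged users. Both are required.
add_action( 'admin_post_example_bulk_unpublish', function () {
    check_admin_referer( 'example_bulk_unpublish' );      // dies on a missing or invalid nonce
    if ( ! current_user_can( 'edit_others_posts' ) ) {    // rejects low-privilege users
        wp_die( 'Insufficient permissions.', 403 );
    }
    $ids = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        if ( current_user_can( 'edit_post', $id ) ) {      // per-post check, not just a role check
            wp_update_post( array( 'ID' => $id, 'post_status' => 'draft' ) );
        }
    }
    // wp_safe_redirect only follows same-host targets, which also closes the open-redirect class.
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'edit.php' ) );
    exit;
} );
```

The design point is that the nonce and the capability check answer different questions: the nonce answers “did this request originate from a form or script I issued to this session?”, the capability check answers “is this session allowed to do this to this object?”. A permission callback that returns true on the nonce alone lets every registered user reach the route, which is exactly the SEOPress failure; a handler that checks capability but not the nonce can be driven by a cross-site request, which is the Nested Pages failure.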

Full details: https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward.

The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

Obviously, these are just the major incidents. It is unclear from these reports if the threat to small sites or individual consumers’ computers has continued at the same rate as previously now that there are so many attacks occurring against “big payout” targets.

It’s important to continue to be vigilant on all levels: keep backups (both on site and off site), be careful about what you click on, watch for phishing and consent phishing, use 2-factor authentication where offered, etc.

Full article at https://threatpost.com/ransomware-payments-quadruple-extortion/168622/

Update: Comedian John Oliver (Last Week Tonight) did a piece on ransomware on Aug 16. (NSFW, but quite well researched.)

Olympic-themed passwords put people at risk

Beyond using “tokyo” and “olympics” as their passwords, people have been turning to names of athletes, such as “kenny,” “williams,” and “asher,” says NordPass.

Devising passwords for your website accounts is always a challenge. That’s why many people look to current events for inspiration. But that strategy is a recipe for trouble as it often leads to simple and weak passwords, making you easy prey for cybercriminals. A report released Tuesday by password manager NordPass looks at the most popular and weak Olympic-themed passwords floating in cyberspace.

With the Tokyo 2020 Olympics finally being held in 2021 due to the pandemic, people have been cheering on their favorite sports and rooting for their favorite athletes. As the games have created a lot of buzz and excitement, people naturally draw inspiration from them. And apparently that factor carries over into cybersecurity.

The latest research from NordPass shows that people are creating passwords based on Olympic events and athletes despite warnings from cybersecurity experts not to use simple or weak passwords. Among the sporting events themselves, “football” scores the top goal by being used as a password more than 5.8 million times, according to NordPass’ analysis.

“Baseball” hits a run as a password in use more than 4.1 million times. “Golf” putts as a password more than 3.2 million times, followed by “hockey” at 2.6 million times, “tennis” at 1.5 million times and “basketball” at 1.4 million times.

The names of athletes competing in the Olympics also popped up as popular passwords in NordPass’ analysis. Among them, “kenny” appeared 1.3 million times, “williams” more than 1 million times, “asher” 1 million times and “riner” 265,971 times. Other go-to athlete-inspired passwords include “masse” at 261,997 times, “curry” at 196,0165 times, “gonzales” at 194,129 times, “osaka” at 87,725 times, “sindhu” at 84,261 times, “federer” at 82,897 times and “biles” at 57,331 times.

The word “tokyo” was used as a password 231,818 times and “olympics” was used 27,881 times.

Though Olympic fever is all well and good, a line should be drawn in the sand when it comes to celebrating the games through your own cybersecurity.

“These passwords can be cracked almost instantly—that’s the main issue,” said NordPass security expert Chad Hammond. “While it’s amazing to support your favorite sport or athlete, it’s not advisable to take that support to your passwords as it really compromises your security. In fact, even if you don’t support, let’s say, Kylie Masse, but have the same last name as her, don’t use that as your password, as 261,997 people already have.”

Relying on current events to devise your passwords is nothing new.

“Earlier this year, NordPass reported that such passwords as ‘corona,’ ‘lockdown,’ and other words or phrases that have defined our lives in the past year are also used as passwords quite often,” Hammond added. “We’ve also noticed that people often simply use their names, favorite sports teams, or the name of the service they’re registering for.”

To better protect your website accounts with strong passwords and security, Hammond offers the following advice:

  1. Update all your passwords and use unique and complex ones to secure your accounts. Try using a password generator to create passwords that are difficult or impossible to guess.
  2. Use a password manager. Such tools can generate and store passwords. More advanced password managers include data breach scanners that can tell you if any of your accounts may have been compromised.
  3. Use two-factor authentication (2FA) where possible. Whether you rely on 2FA through an app, biometric data, or a physical security key, your accounts will be safer with that extra layer of security.

Source: https://www.techrepublic.com/article/olympic-themed-passwords-put-people-at-risk/

Millions of IoT devices, baby monitors open to audio, video snooping

The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.

The cybersecurity researchers at FireEye have shared details of a critical IoT supply chain vulnerability that might be exposing millions of ThroughTek internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.

It is worth noting that, at the time of publishing this article, ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on its platform.

Flaw Identified in ThroughTek’s P2P SDK

The flaw was discovered in a core software component of ThroughTek’s Kalay cloud platform, which is used by OEMs to manufacture IP cameras, baby/pet monitoring cameras, battery-powered devices, and robotic devices.

The vulnerability (CVE-2021-28372) is present in the company’s P2P SDK, which allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.

It is reported that the protocol used to transmit these data streams does not include a secure key exchange; instead, it relies on a fixed-key obfuscation scheme. As a result, attackers can access the traffic and reconstruct the audio/video stream to spy on users remotely.

Moreover, it can allow attackers to carry out device spoofing, eavesdrop on camera audio/video, and hijack device certificates.

CISA Releases Security Alert

Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:

“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”

CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with the nossl tag, and device firmware lacking an AuthKey for the IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.

The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.

CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely by anyone with access to a UID, and further attacks are possible depending on the functionality exposed by a device, FireEye researchers warned in a blog post.

ThroughTek’s Response

The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and updated its devices’ SDK version, and that those who didn’t upgrade the software remain vulnerable to this threat.

Original article: https://cybersecdn.com/index.php/2021/08/17/millions-of-iot-devices-baby-monitors-open-to-audio-video-snooping/