Emails, chat logs, more leaked online from far-right militia linked to US Capitol riot
Plus: Other infosec news from this month
In brief Emails, chat logs, membership records, donor lists and other files siphoned from a far-right anti-government self-styled militia were leaked online on Monday, it appears.
Some 5GB of data belonging to the Oath Keepers – at least four of whom have been indicted for and admitted their role in the January 6 storming of the US Capitol – was passed to the DDoSecrets Collective and shared online. The membership list contains accounts with 160 US government and military email addresses, the Daily Dot reported.
"While the emails and chat logs are being made available to the public," the collective noted, "the remainder (a small minority of the files) is only being provided to journalists and researchers due to the presence of PII, financial information, passwords, decryption keys and other information which could be abused."
This comes right after 180GB of documents – from domain ownership records to account credentials and payment histories – were leaked online from compromised servers belonging to Epik, which has provided web hosting for, among other things, the Oath Keepers as well as Parler and Gab, and that website that could be used to report women under Texas's anti-abortion law.
It's not clear if the Oath Keepers and Epik leaks are directly related. Epik at first denied it was compromised, then confirmed it had been ransacked when confronted by journalist Steven Monacelli, who earlier broke the news of the security breach, during a wild video conference session.
FBI accused of withholding ransomware key as part of REvil probe
The FBI had obtained a key to undo a flood of ransomware infections but sat on it for a while in an attempt to strike at the malware operators, it's claimed.
“The decryptor key would have been nice three weeks before we got it, but we had already begun a complete restoration of our clients’ systems,” Joshua Justice, owner of the Maryland IT company JustTech, which had about 120 clients hit by the extortionware, told the Washington Post.
The Post claimed "several current and former US officials" had confirmed the agency had the key but didn't hand it over to businesses for three weeks so the criminals would not be tipped off while agents prepared a raid. The Justice Department and White House declined to comment.
Parental controls blowback for Netgear
A CVSS 8.1 remote-code execution vulnerability in older Netgear kit has been spotted and thousands of R-series routers need a firmware update.
The issue is not related to a flaw in Netgear's own code, but rather in a third-party component included in the firmware in many of its devices: the Circle parental-control filtering software originally developed by Disney. Enabled to run by default even for those who have not configured their routers to use parental control features, the Circle update daemon has root privileges and can be hijacked over the network in a man-in-the-middle attack, according to Grimm. Full patches are available here.
AMD driver security fix
AMD has patched a Windows driver security flaw, CVE-2021-26333, discovered by researchers at British bug hunters Zeroperil.
The chips affected by this software blunder were thought to be fairly limited in scope, though AMD said its fix applies to a broader range of gear. Essentially, the bug can be exploited by normal users and programs to read any part of physical memory, which may contain keys and other secrets to steal.
"The discretionary access control list (DACL) may allow low privileged users to open a handle and send requests to the driver resulting in a potential data leak from uninitialized physical pages," AMD said in its advisory.
NSA-championed algorithm in Juniper software exploited by China
Over 14 months after US lawmakers asked Juniper to shed a little more light on its 2015 discovery of "unauthorized" VPN-decryption code inside its NetScreen firewall firmware, a report emerged with some more info on the mystery.
An article by Bloomberg stated Juniper used the now discredited Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) to encrypt its NetScreen traffic. The generator was pushed by the NSA and adopted by some businesses, with Juniper starting to use it in its NetScreen kit, apparently at the behest of the US Department of Defense.
The NSA was keen to see Dual_EC_DRBG used more often because, it's understood, it knew how to exploit a weakness in the design and thus decrypt traffic. Unfortunately, the report suggested, Chinese cyber-spies dubbed APT 5 had themselves discovered the flaw by 2012, when they started abusing it in one way or another to spy on Juniper customers' encrypted traffic, eventually installing a backdoor of their own in Juniper's code in 2014, apparently.
Juniper noticed some shenanigans – someone was reading its email and siphoning its documents – but didn't link it with the Dual_EC_DRBG debacle. A year later, in 2015, it caught on, and replaced its software to remove this unwanted code.
There's a warning in the case as to why government-installed backdoors are a dumb idea: if there's a flaw to be found, someone will find it. Too bad neither the US nor the UK government has understood that yet.
Police cuff alleged pipe-bomb pensioner
A Michigan man was arrested and charged in connection with two separate pipe bomb attacks on shops selling mobile phones.
The 75-year-old is accused of setting up improvised explosive devices and leaving them outside AT&T and Verizon stores as well as leaving threatening letters by cell towers. The devices and documents were recovered by the police before any harm could be done. The accused, John Douglas Allen, is facing a minimum five-year prison sentence if convicted.
Keep your Fortinet devices fresh
We hope you've not only patched but also cycled the credentials on your Fortinet VPN SSL – because 500,000 usernames and passwords supposedly harvested last year from vulnerable installations were leaked online this month.
It's believed miscreants exploited the CVE-2018-13379 vulnerability that was fixed in 2019, or simply brute-forced the boxes, to collect their credentials last summer. The data was uploaded to a Tor-hosted website dubbed Groove, which has connections with the Babuk gang and the cyber-crime forum RAMP.
Yelisey Boguslavskiy and Anastasia Sentsova at AdvIntel today shared some insights into the sudden appearance of Groove. It's likely the credentials, along with the IP addresses for their devices, were shared this month for free to draw attention to Groove and RAMP. The details should prove useful to those seeking to break into networks and infect systems with extortionware.
At least some of the credentials are said to still work: the leaked collection contains 498,908 username-password pairs for 12,856 Fortinet VPN SSL boxes, 2,959 of which have IP addresses that suggest they are in the US. Someone has helpfully compiled a list of IP addresses of devices in the credential dump, in case you want to see if your Fortinet equipment is caught up in the leak.
Don't forget Cisco
A critical out-of-bounds vulnerability (CVE-2021-34746) was found in Cisco's Enterprise NFV Infrastructure Software.
"This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script," Cisco said in an advisory this month.
"An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device."
Cisco also released a bundle of high severity patches for its IOS XR operating system.
SEC slaps brokerage firms for lax cloud control
The US Securities and Exchange Commission has reached a settlement with three brokerages over their failings in security that let staff and customers' financial information fall into the wrong hands.
Five divisions of brokerage Cetera were named by the SEC as losing control of 60 employee cloud email accounts between November 2017 and June 2020, so much so that miscreants were able to access info on at least 4,388 clients and customers. Some of its divisions were also accused of sending out misleading security breach notifications.
Meanwhile, Cambridge Investment Research and Cambridge Investment Research Advisors had 121 staff email accounts compromised by system intruders, exposing the information on at least 2,177 Cambridge customers and clients. KMS Financial Services managed to lose control of 15 financial advisers' email accounts, exposing data on 4,900 KMS accounts.
Cetera agreed to pay $300,000 as punishment while Cambridge will pay $150,000 and KMS $200,000. As is the way of such settlements, none of the companies admitted any wrongdoing. ®