Health Care
Education
IT & Telecom
Government
CISO/CTO
DevSecops
Product
Our Product
We are Reshaping the way companies find and fix critical vulnerabilities before they can be exploited.
Threatspy
Solutions
By Industry
Health Care
Education
IT & Telecom
By Role
Government
CISO/CTO
DevSecops
Resources
Resource Library
Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.
Threat Feeds
Threat Research
White Paper
SB Blogs
Subscribe to Our Weekly Threat Digest
Company
Contact Us
Have queries, feedback or prospects? Get in touch and we shall be with you shortly.
Our Story
Our Team
Careers
Press & Media
Contact Us
Join the waitlist
By submitting this form, you agree to our Subscription Agreement and Legal Policies.
Be informed in your inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Black Basta
Ransomware
Knauf
Black Basta ransomware group hits yet another target Knauf Group
Knauf Group reports ransomware attack following an abrupt shut down of their IT systems detecting disruption in the business operations…
20-Jul-2022
3 min read
Related Articles
MailChimp
DigitalOcean
Data Breach
DigitalOcean users' emails & other confidential details were surreptitiously com...
DigitalOcean began to warn its customers about a recent MailChimp security breach that exposed the email addresses of a set of customers, with a few numbers receiving unauthorized password reset notifications. The company stated that they first came to know about the security breach following MailChimp disabled their account without any prior warning on August 8th. DigitalOcean used this MailChimp account to issue email confirmations, password reset notifications, and customer alerts. DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization. After an investigation, they found an unauthorized email address from the @arxxwalls.com domain was added to their MailChimp account and used in emails starting on August 7th. Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn't hear back until August 10th, when they learned that a hacker had gained access to MailChimp's internal support tools. "We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling," explains a [security advisory](https://www.digitalocean.com/blog/digitalocean-response-to-mailchimp-security-incident) from DigitalOcean. Further investigations showed that the threat actor used the stolen customer email addresses to try and gain access to DigitalOcean accounts by performing password resets. These password reset requests originated from the IP address x.213.155.164. However, those accounts using multi-factor authentication were protected from password reset attempts. DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.  Secure Blink tried reaching out to DigitalOcean last night with further questions about the breach but did not receive a response. As for MailChimp, a security advisory posted on August 12th does not provide much information other than saying it targeted crypto-related customers. _"In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,"_ reads the [brief advisory](https://mailchimp.com/august-2022-security-incident/) from MailChimp. _"We took this action to protect our users’ data and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures."_ However, in response to questions about the breach, MailChimp told Secure Blink that they were breached through phishing and social engineering tactics that allowed the hackers to access 214 MailChimp accounts. _"We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident."_ - MailChimp. MailChimp told us they are working to reinstate accounts and investigate the incident. Other MailChimp customers known to have been suspended without notification are Edge Wallet, Cointelegraph, NFT creators, Ethereum FESP, and Messari and Decrypt. [MailChimp's internal support tools were also breached in April 2022](https://www.secureblink.com/cyber-security-news/mailchimp-confirmed-a-massive-hack-compromising-its-internal-tool-to-obtain-crypto-assets) to target cryptocurrency-related customers. The audience data stolen during that breach led to a [massive phishing campaign targeting Trezor hardware wallet customers](https://www.secureblink.com/cyber-security-news/trezor-hardware-wallet-mailing-list-was-used-to-send-fake-data-breach-notifications-to-steal-cryptocurrency-wallets). After [Cisco disclosed how hackers breached their network](https://bit.ly/3BKOFxj) in what should be a [model of transparency](https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html), MailChimp's scant advisory is deafening. As part of DigitalOcean's disclosure, they mention that an email address from the @arxxwalls.com domain was added as a sender to its MailChimp account. While the owner of the arxxwalls.com domain states that it is not used for illegal activity, it has been abused by numerous scams, operators of fake companies, and phishing attacks.  Furthermore, research by Secure Blink shows that the domain is being used for callback phishing attacks that pretend to be antivirus subscriptions.  Callback attacks are a new type of hybrid phishing seeing enormous growth that starts with an email pretending to be from a legitimate company. These emails warn recipients that they must take action to prevent a cybersecurity incident or the [renewal of a grossly overpriced support/antivirus subscription](https://bit.ly/3smIQR3). Included in these emails is a phone number that, when called, will be used to steal information from the victim or to prompt the recipient to install remote access software on their device. The threat actors use this remote access to breach the network of the victim, commonly used to conduct data extortion or ransomware attacks.
17-Aug-2022
5 min read
Argentina
Ransomware
Argentina's Judiciary of Córdoba took down its IT systems following a ransomware...
The Judiciary of Córdoba, Argentina, has shut down its IT systems following a ransomware attack, which purportedly originated from the new 'Play' ransomware operation. The incident occurred on Saturday, August 13, prompting the Judiciary to take down its IT infrastructure and internet site. In addition, the disruption necessitates using pen and paper to submit formal paperwork. In a ***[Cyberattack Contingency Plan](https://www.scribd.com/document/587216530/Acuerdo-Reglamentario-1778-a-15-08-2022-Plan-de-Contigencia-Ciberatque-PJ-1#from_embed)*** released by Cadena 3, the Judiciary admitted it was infected with ransomware and recruited Microsoft, Cisco, Trend Micro, and local experts to examine the attack. A piece of the plan translated by Google says, _"The cyberattack experienced by the electronic infrastructure of the Court of Córdoba on Saturday, August 13, 2022, for ransomware that has undermined the availability of its IT services."_ According to [sources](https://www.clarin.com/sociedad/denuncian-hackearon-poder-judicial-cordoba-pagina-web-sistemas-base-datos-funcionan_0_c2JqFXVITJ.html) cited by Clarn, the hack compromised the IT systems and databases of the Judiciary, making it the _"greatest attack on public institutions in history."_ While the Judiciary has not given specifics about the incident, writer Luis Ernest Zegarra tweeted that encrypted files were appended with the ".Play" suffix. In contrast to other ransomware operations, which leave victims with long ransom letters containing grave threats, the Play ransom notes are extremely brief. Instead of creating ransom notes in every folder, Play's ReadMe.txt ransom note is only written at the root of a hard disk (C:) and contains only the word 'PLAY' and an email address for contact. The given email address may not be related to the assault on the Judiciary of Córdoba, as Secure Blink is aware of various email addresses used in attacks. It is uncertain how Play gained access to the Judiciary's network. However, a list of staff email addresses was exposed in March as part of the [Lapsus$ breach of Globant](https://www.secureblink.com/cyber-security-news/lapsusdollar-group-leaked-over-70gb-of-stolen-data-after-claiming-to-hack-it-giant-globant), which may have allowed threat actors to undertake a phishing assault to collect credentials. There are no data leaks or indications that data is taken during assaults related to the ransomware group. This is not the first time an Argentine government entity has been attacked by ransomware. The Netwalker ransomware group targeted the Dirección Nacional de Migraciones in September 2020 and wanted a $4 million ransom.
16-Aug-2022
3 min read
MediaTek
Xiaomi
Vulnerability
Xiaomi Redmi Note 9T and Redmi Note 11 flaws could be used to fake transactions ...
Security researchers from Check Point found evidence while analyzing the payment system integrated into MediaTek-powered Xiaomi smartphones. Mobile devices that process and store sensitive security data, such as fingerprints and cryptographic keys, often include a crucial component called the trusted execution environment (TEE). Even on rooted devices or systems infected by malware, TEE protection uses hardware extensions (such as ARM TrustZone) to secure data in this enclave. The Secure Execution Environment (QSEE) from Qualcomm and Trustronic's Kinibi are the two TEE implementations that are most widely used, but the majority of devices in the larger Asian market are powered by MediaTek chips, which security experts have less experience with. On Xiaomi devices, trusted apps are kept in the vendor/thh/ta directory, according to the experts. The apps are in the form of binary files that are not encrypted and have a specific structure. While Xiaomi uses its own format, trusted apps of the Kinibi OS use the MCLF format magic fields are the same in all trustworthy apps on the mobile device, and a trusted app may have numerous signatures. The version control feature in the file format for trusted apps is missing, which implies that an attacker can transmit an older version of a trusted app to the device and use it to overwrite the current app file, as was discovered by the researchers. The TEE will load the app that the attacker transferred utilizing this approach. _"As a result, an attacker can use trusted apps' unpatched versions to get around security updates released by Xiaomi or MediaTek. We were able to replace the admin trusted app on our test device running MIUI Global 12.5.6.0 OS with an outdated version we had extracted from a different device running MIUI Global 10.4.1.0 OS to demonstrate the problem" successfully_ [reads the research report](https://research.checkpoint.com/2022/researching-xiaomis-tee/) from Check Point researchers Even though the code for the old version of the admin app has changed dramatically from the original, it was launched successfully. The experts also discovered a number of vulnerabilities in the "thhadmin" app that could be used to leak stored keys or run malicious code while the app is open. Researchers from Check Point have examined Tencent Soter, an embedded mobile payment mechanism utilized by Xiaomi smartphones. This framework provides an API for third-party Android applications to integrate the payment features. Tencent soter allows to verification of packages exchanged between a mobile application and a remote backend server; hundreds of millions of android devices support it. A heap overflow vulnerability in the soter trusted app could be exploited to produce a denial-of-service by an Android app that has no rights to interface with the TEE directly. The researchers replaced the Soter dedicated app with an older version compromised by an arbitrary read vulnerability to show that it is easy to obtain the private keys required to sign payment packages. Xiaomi tracked the problem as CVE-2020-14125. The CVE-2020-14125 vulnerability can be used to run custom code. The trusted apps from Xiaomi do not use ASLR. Examples of exploiting a typical heap overflow vulnerability in Kinibi programs can be seen online. In reality, we don't want to run the code; instead, we want to steal one of the Soter private keys. The Tencent Soter platform is totally compromised by the key breach, making it possible for an unauthorized user to sign phony payment packets. _"We exploited yet another arbitrary read vulnerability in the old soter app in order to steal a key"_ (extracted from the MIUI Global 10.4.1.0). On Xiaomi devices, we can downgrade the app, as mentioned. Xiaomi patched the CVE-2020-14125 vulnerability.
15-Aug-2022
4 min read
Secure Blink built a heuristic application security management platform that offers Vulnerability Management, Version Management & Application Healthbot. Secure Blink envisions a safer web by reinventing cybersecurity.
