Four major browsers impacted by a single zero-day vulnerability

From techmonitor.ai

Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser have all been impacted by a single zero-day vulnerability, it has emerged. The flaw, tracked as CVE-2023-4863, is caused by a heap buffer overflow in the WebP code library. Once exploited it can lead to system crashes and arbitrary code execution, where hackers can gain control over an infected device.

CVE-2023-4863 was first identified by researchers at The Citizen Lab, a research arm of the University of Toronto. The institution subsequently informed Google and Apple of the vulnerability’s existence. Both companies have now released patches. They were joined by Microsoft and by Mozilla, which released its own advisory on CVE-2023-4863 yesterday along with updates for several versions of its Firefox browser and Thunderbird email client.

Dark web price index 2023

From privacyaffairs.com

A recently published report from privacyaffairs revealed that, despite the impressive efforts of law enforcement to take down and disrupt darknet markets selling illicit goods and services, dark web markets continue to flourish.

Some notable findings from the report are as follows:

  • Sales volume: We have detected no long-term decrease in sales volume
  • Data volume: During this reporting period we noted that sellers and buyers preferred to transact more bulk data rather than individual goods
  • Prices: Most items and services we have tracked for 3 years saw a significant decrease in pricing
  • No clear market leader: Unlike in 2020, 2021, and early 2022, in 2023 no market appears to dominate.
  • Telegram instead of websites: Telegram has become a major channel for facilitating the sale of hacked personal data.
  • A cloned Mastercard with PIN costs around $20 as usual; at the same time, stolen online banking logins with a minimum of $100 on them are selling for $100.
  • PayPal accounts, PerfectMoney and other payment processing services are getting cheaper.
  • A verified Stripe account with payment gateway is one of the most expensive items on the list – $1200.
  • New payment processing services on the Dark Web: Revolut ($1600), Switzerland online banking login ($2200), Payoneer verified account ($200).
  • Cryptocurrency accounts were the only category that we saw experience an increase: LocalBitcoins account ($70), Blockchain.com ($85), Coinbase ($250), Kraken (a significant increase in price, from $250 in 2022 to $1170 in 2023).
  • Hacked Online Services & Entertainment Accounts as always are very cheap and very available – average price $5-$10 per account.
  • Fake money (mostly in 20- and 50-USD bills) is a very common and easy-to-find item.

Samsung Galaxy Store Bug Could’ve Let Hackers Secretly Install Apps on Targeted Devices

From thehackernews.com

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.

The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.

2022 Dark Web Hacked Social Media Prices and Trends

From whizcase.com

Social media and entertainment accounts sold illegally are now carving out their niche in Dark Web marketplaces.

In a recent report, trends and prices of illegally sold hacked social media and entertainment accounts were collected and studied. Here are some key highlights:

  • You can buy ALL hacked social media accounts (LinkedIn, Facebook, Twitter, Instagram, Discord, Snapchat, Pinterest, TikTok, Reddit) for $127.
  • Access to all entertainment service accounts annually costs $100 (Apple Music, Netflix, Disney+, Spotify, Hulu, Twitch, HBO Max, Amazon Prime, SoundCloud).
  • Hacked communication and live chat tools cost $93.
  • LinkedIn and Gmail are the most expensive accounts. Both cost $45.
  • Lots of hacked accounts are sold under $10 – TikTok $8, Skype $8, Telegram $6, Signal $6, Amazon Prime $9.
  • Most of these are obtained from social engineering or phishing campaigns after hackers have compromised users’ email addresses used at registration.

Online reviews are broken – here’s how to fix them

From theconversation.com

It’s a crime story fit for the digital era. It was recently reported that a number of restaurants in New York had been targeted by internet scammers threatening to leave unfavourable “one-star” reviews unless they received gift certificates. The same threats were made to eateries in Chicago and San Francisco and it appears that a vegan restaurant received as many as eight one-star reviews in the space of a week before being approached for money.

Cyberspies use IP cameras to deploy backdoors, steal Exchange emails

From bleepingcomputer.com

A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions.

Mandiant researchers, who discovered the threat actor and now track it as UNC3524, say the group has demonstrated its “advanced” capabilities as it maintained access to its victims’ environments for more than 18 months (in some cases).
