The first incident was highlighted by the Swiss developer and researcher Tillie Kottmann. He wrote on Twitter (the account is now locked) that the Nissan server was not configured correctly, and the default combination was used for the login and password, that is, admin: admin.

Kottmann himself learned about the leak from an anonymous source and analysed the data belonging to Nissan. According to him, the company’s Git repository contained the source codes of:

• Nissan North America mobile applications;
• some details of the Nissan ASIST diagnostic tool;
• Dealer Business Systems/Dealer Portal;
• Nissan’s main internal mobile library;
• Nissan/Infiniti NCAR/ICAR services;
• tools for attracting and retaining customers;
• tools for sales and market research + data;
• various marketing tools;
• portal of transport logistics;
• services of connection to cars;
• various other backends and internal tools.

As a result, the problematic server was turned off last week, after torrent links to company data began to circulate on the network, and the leak was spotted on Telegram channels and on hacker forums.

The publication ZDNet writes that Nissan representatives have already confirmed the fact of the leak, but at the same time stressed that the personal information of customers, dealers or employees was not affected.

Swiss researchers figured out the problem on the Nissan Git server after they discovered a similarly misconfigured GitLab server in May 2020, which leaked the source code of various Mercedes Benz applications and tools.

By the way, we also talked about the fact that Microsoft left open one of the internal servers of the search engine Bing.

The post Nissan source code leaked due to admin: admin credentials appeared first on Gridinsoft Blog.

Prior to the end of support, ZDNet journalist Ed Bott consulted with some analytics experts and estimated that approximately 200 million PC owners worldwide would ignore the end of support date and continue to use the Windows 7 operating system. Admittedly, this was a rough estimate.

During the holiday lull at the end of 2020, the author decided to return to this issue and re-analyze the available reports in order to determine the approximate number of Windows 7 users.

Let’s start with the US Government’s Digital Analytics Program, which reports the current, unfiltered total number of US website visitors in the previous 90 days. One of the datasets includes a report of visits from all computers with any version of Windows, making it ideal for answering the question.

A year later, by the end of December 2020, the share of computers running Windows 10 grew by 12% to 87.8%; the number of Windows 7 users fell by more than 10 points – to 8.5%, and the number of people who abandoned Windows 8.x decreased even more, to a paltry 3.4%. The former PC operating system champion, Windows XP, is now nearly invisible, with its device count only a fraction of a rounding error.

If the author’s calculations are correct, it means that over 100 million Windows computers have been decommissioned or upgraded in the past 12 months.

Statistics from other sources show roughly the same result.

For example, on NetMarketShare, figures for the end of 2020 show that Windows 10 usage rose by 11 points, from 63.0% to 74.0%, and Windows 7 usage fell by 9.5 points, from 31.2% to 21.7%.

Likewise, StatCounter statistics showed that the number of computers running Windows 10 increased by more than 12 percent, from 64.7% to 76.0%, and the number of computers running Windows 7 fell by almost 10 points to 17.7%.

Microsoft has been telling us for years that the Windows user base is 1.5 billion, but a year ago, a ZDNet journalist argued that the number of Windows PCs is likely much smaller, even with the resurgence in PC sales fueled by the pandemic.

Even with this uncertainty in mind, it is clear that at least 100 million PCs are still running Windows 7, and that number could be significantly higher.

Let me remind you that the My Digital Life forum community has found an illegal way to extend support for Windows 7.

The post Millions of Windows 7 users refuse to upgrade to Windows 10 appeared first on Gridinsoft Blog.

According to Sebastian Porst, software development manager for Google Play Protect, the products that the new team will focus on include COVID-19 contact tracing apps as well as election-related apps.

“As a Security Engineering Manager in Android Security […] Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers”, — says a new Google job listing posted on last week

In fact, Google experts will continue the job what independent researchers are currently doing as part of the bug bounty of the Google Play Security Reward program.

Let me remind you that this initiative encourages the search for bugs in third-party applications from the Google Play Store, and Google experts accept bug reports and pay rewards on behalf of the application owners.

At the same time, the existing bug bounty program is limited to applications with more than 100,000 users. However, applications that work with confidential data, as well as those related to critical tasks, do not always meet the conditions of the Google Play Security Reward, which means they are unlikely to be checked by bug hunters.

ZDNet asked Lukáš Štefanko, a mobile malware analyst from the Slovak information security company ESET, to comment on these Google actions.

“Definitely it was a good move. Finding serious security issues is not easy and takes a lot of time and experience”, — said Lukáš Štefanko, while being asked to describe Google’s latest efforts.

According to the expert, having a dedicated team ensures that information security professionals will do their best to find applications that may go unnoticed and may ultimately be exploited by cybercriminals with devastating consequences.

So far, however, it is not clear if Google expects plan completely close the Google Play Security Reward program in this way, or will simply add to it new features.

Let me remind you that recently Researcher Earned $10,000 by Finding XSS Vulnerability in Google Maps.

The post Google recruits a team of experts to find bugs in Android applications appeared first on Gridinsoft Blog.

Thus, an attacker who somehow learned someone else’s credentials (for example, through a phishing attack or brute force) can log into the TikTok account through the site.

“This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.”, — writes ZDNet journalists.

Fortunately, through the web version, hackers cannot change the user’s password and completely take over someone else’s account. Basically, all an attacker can do is upload and publish a new video, for example, to ruin an account’s reputation or advertise a fraudulent product on behalf of a popular user. The publication also notes that hacked accounts can be used to spread disinformation, propaganda, and so on.

Journalists note that the TikTok mobile app does not notify the user in any way about active sessions in the web version. This essentially means that TikTok doesn’t warn users at all if someone has used their credentials and logged into the account through a browser.

“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features”, — told ZDNet security researcher Zach Edwards.

TikTok developers have already promised to fix the problem and extend multi-factor authentication to the site too, but they have not named any specific time frame yet.

“In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords”, — advised in TikTok company.

ZDNet notes that the login page is protected by a CAPTCHA, which means users can hardly expect a wave of automated attacks and massive compromises of TikTok accounts.

Let me remind you that earlier this year, researchers managed to hack TikTok using SMS.

The post Attackers can bypass TikTok multi-factor authentication through the site appeared first on Gridinsoft Blog.

Firefox Send was launched in March 2019. The service is a private file hosting service and allows Firefox users to share files. All files downloaded and transferred via Firefox Send are stored in encrypted form, and users can set the retention period for files on the server, as well as set the permissible number of downloads before this “expiration date” expires. The service was available to all users at send.firefox.com.

“Although Mozilla engineers planned Firefox Send, thinking about the privacy and security of their users, since the end of 2019, the service has become very popular not among ordinary people, but among malware developers”, – write ZDNet reporters.

In majority of cases, hackers exploit the service in a very simple way: they download the malware payloads into Firefox Send, where the file is stored in encrypted form, and then insert links to this file, for example, in their phishing emails.

ZDNet writes that in the past few months, Firefox Send has been used to store payloads of a wide variety of campaigns, from ransomware to financially oriented malware, from bank Trojans to spyware that attacked human rights defenders. Such well-known hack groups as FIN7, REVil (Sodinokibi), Ursnif (Dreambot) and Zloader abused the service.

British information security expert Colin Hardy explains exactly what factors attract malware authors to the Firefox Send service. So, Firefox URLs are considered reliable in many organizations, that is, spam filters do not detect or block them.

“In addition, attackers do not have to invest time and money in creating and maintaining their own infrastructure if they use Mozilla servers. And Firefox Send encrypts the files, which prevents the work of security solutions, and the download links for the malware can be configured so that they expire after a certain time or number of downloads, which complicates the work of information security experts”, – said Colin Hardy.

The growing number of malicious operations associated with Firefox Send has not escaped the attention of the information security community. Because of this, over the past few months, experts have regularly complained about the lack of a mechanism for reporting abuse or the “Report about a file” button that could be used to stop malicious operations.

While preparing a publication about these problems, ZDNet reporters turned to Mozilla for a comment, wanting to know the organization’s position regarding the placement of malware, as well as the progress in developing a mechanism for reporting about violations.

Mozilla’s response surprised both journalists and information security professionals, as the organization immediately suspended the Firefox Sens service and announced that it was working to improve it.

“We will temporarily take Firefox Send offline while we improve the product. Before starting the [service] again, we will add a violation reporting mechanism to supplement the existing feedback form, and we will also require all users who want to share content using Firefox Send to log in using their Firefox account,” — said Mozilla representatives.

Currently it is unclear when Firefox Send will return online. All links to Firefox Send have stopped working, which means that all malicious campaigns that used the service are also temporarily disabled.

Let me remind you that Firefox Refuses to Support FTP Protocol.

The post Mozilla suspended Firefox Send service due to abuse and malware appeared first on Gridinsoft Blog.

Judging by the complaints of the victims, which can be found on Reddit, on Twitter and so on, the first attacks began last week.

“But the matter did not stop with a text message in support of Trump: the avatars of the hacked accounts were also changed and now show clothes typical of Donald Trump’s supporters: a red cap and a T-shirt with an American flag and a bald eagle”, – say ZDNet reporters.

Many victims who reported hacking their accounts on Roblox forums admitted that they reused the same passwords or had very simple credentials, unstable even before a simple brute force attack.

Many also admit that they did not include two-factor authentication. Roblox uses a 2FA email-based system, it requires the user to first enter a username and password, and then a one-time code that is sent to the email specified by him.

Currently, it is unclear how hackers managed to compromise such a number of accounts, and Roblox representatives did not comment on the situation. However, KE-LA information security experts told ZDNet that they were able to find Roblox user names with plaintext passwords on paste sites. Journalists checked dozens of users from these lists and found that many of them really called to vote for Trump. Their publication suggests that this is how most accounts were hacked.

At the same time, attacks are still ongoing.

“When the researchers first began to study the problem last weekend, they counted about 750 hacked profiles. During the week, their number remained almost unchanged, stopping at around 1,000 hacked accounts, but now the number of compromised accounts is growing again. So, in just an hour, hackers increased the number of hacks from 1680 to 1820”, – reported in ZDNet.

Since there are a lot of children among Roblox users, experts recommend their parents to help their children to choose more secure passwords and enable 2FA.

Let me remind you that researcher found that every 142nd password is “123456”.

The post Attackers hack Roblox accounts and urge to vote for Trump appeared first on Gridinsoft Blog.

It was reported that the detected text file contains 33,726,800 lines, among which you can find user IDs, email addresses, links to user profiles, as well as passwords in plain text format (among them 795,402 lines had a blank password).

Subsequent analysis of passwords shoed that 69% of mail/password combinations were unique, that is, they had never been found in other leaks before.

Now ZDNet has published material that sheds light on the details of what happened.

“Apparently, LJ suffered from a break-in back in 2014, and rumors about this have been circulating in the network for many years. For example, they talked about compromise in October 2018, when LiveJournal users massively reported that they received old but unique passwords from LiveJournal as part of a blackmail sextortion campaign”, – write ZDNet reporters.

Although the 2014 hack was not officially confirmed, in recent months the DreamWidth blogging platform, created on the basis of the LiveJournal code base, has also been attacked. In a series of posts and tweets, DreamWidth developers talked about the massive credential stuffing attacks they have noted recently.

DreamWidth claims that hackers used old combinations of user names and passwords from LiveJournal to crack DreamWidth accounts and posted spam messages on the site.

However, the Rambler company, which owns LiveJournal, still refused to acknowledge the fact of compromise, even after DreamWidth administrators contacted it.

Now, the authoritative leak aggregator Have I Been Pwned (HIBP) has confirmed the fact of leakage of user data from LJ. The administration of the service received a copy of the LiveJournal user database and indexed it on its website.

“The dump contains data of 26 372 781 LiveJournal users: user names, email addresses and passwords in plain text. This is consistent with Ashot Hovhannisyan’s information, which estimates that the dump contains approximately 22.5 million unique mail/password combinations”, – reported in HIBP.

Analysts of the information security company KELA found many references to the stolen database and its copies in different places of the hacker underground, and confirmed the existence of a dump.

So, first KELA and ZDNet discovered several ads that posted data brokers. In these ads, hackers said they wanted to sell or buy the LiveJournal database. That is, criminals were well aware of the data stolen from LJ and actively exchanged it.

Judging by these announcements, after LJ was compromised in 2014, hackers sold the stolen data privately, handing databases from hand to hanв among spammer groups and botnet operators. Since this data was exchanged again and again, information eventually leaked to the public.

The first notification that the LiveJournal database became public arrived in July 2019, which was announced by the now defunct WeLeakInfo service that was selling stolen data.

Over time, this dump became available even wider. For example, recently LiveJournal databases were sold on darknet for the price of only $35. The ad, which is shown in the illustration below, refers to 33 million records, but this is the overall dump before removing duplicates.

As a result, the LiveJournal database was published on the well-known hacker forum, from where it instantly spread, and now the dump is offered for free on Telegram channels and uploaded to file sharing services.

ZDNet notes that the DreamWidth platform still suffers from attacks with the use of old credentials, stolen from LiveJournal, although the company’s developers release updates and try to protect their users.

Of course, not only DreamWidth users are at risk. People that use LJ logins and passwords on other sites are also at risk of hacking due to credential stuffing attacks. Users that changed their LJ password after 2014 may be safe, however, experts still advise changing the passwords from any other accounts where the same credentials could be reused.

Interestingly, ZDNet managed to get a comment from Rambler representatives yesterday. The fact is that two weeks ago the company announced that the information about the data leak “is not true – this is one of the clickbait news, the task of which is to attract interest of a third party in this matter.”

No representatives of the Rambler Group holding continue to deny that hackers have gained access to their systems, but confirm the existence of a dump and say that the database contains information that hackers have been collecting for many years from various sources: malware-infected systems (data stolen from browsers) and brute force – attack (hackers simply selected passwords to LiveJournal accounts).

The post Experts confirm data leak of 26 million LiveJournal users appeared first on Gridinsoft Blog.

Let me remind you that this year the FBI called Dharma the second most profitable ransomware in recent years during its report at the conference and RSA. Therefore, from November 2016 to November 2019, ransomware operators received $24 million in ransom from their victims.

The most dangerous ransomware last year, I recall, was called Emotet.

“The current sale of the Dharma code is likely to soon result in a leak to the public. That is, the malware will become available to a wider audience. This, in turn, will lead to a wide distribution of source code among many hack groups, and this will ultimately be followed by a surge of attacks”, – ZDNet quotes an unnamed information security expert.

However, the head of the cyber intelligence department at McAfee told ZDNet that the Dharma code has been circulating among hackers for a long time, and now it just arrived on public forums.

At the same time, the expert expressed the hope that sooner or later the source code will fall into the hands of information security specialists, and this will help to identify the shortcomings of the malware and create decoders.

“Dharma existed since 2016, and the ransomware underlying this malware was originally called CrySiS. It worked on the Ransomware-as-a-Service (RaaS) scheme, that is, other criminals could create their versions of malware to distribute, usually through spam campaigns, exploit kits, or RDP brute force”, – noted ZDNet reporters.

At the end of 2016, a user with the nickname crss7777 posted on the Bleeping Computer forums a link to Pastebin containing master keys from the CrySiS encryptor, which, as experts later established, were genuine. After that, CrySiS ceased to exist, “reborn” as Dharma.

Although Dharma keys suffered the same fate in 2017, this time the ransomware operators did not rebrand and continued to work, eventually turning their RaaS into one of the most popular ransomware on the market.

“So, in recent years, Dharma regularly receives updates. For example, in 2018 and 2019, the criminal underground adapted to new trends and moved from the mass distribution of ransomware through mail spam to targeted attacks on corporate networks. So did the Dharma operators”, – says the ZDNet publication.

It is noted that in the spring of 2019, a new strain of Phobos ransomware appeared on the network, used mainly for targeted attacks. Researchers at Coveware and Malwarebytes have noted that it is almost identical to Dharma. However, at the same time, Dharma did not stop existing and continued to work in parallel with Phobos. For example, Avast experts noticed three new versions of Dharma last week.

The post Dharma ransomware source code put for sale appeared first on Gridinsoft Blog.