Flaw in iPhone Allows Bad Actors to Make Payments With Visa Card From Locked Devices

Anonymous leaks data for Epik's entire infrastructure, Telegram bots intercept one-time passwords, GriftHorse Android app campaign affected 10M victims, Cryptocurrency ATMs highly vulnerable, more

Researchers at the University of Birmingham and the University of Surrey in the U.K. devised a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card in the digital wallet with express mode enabled.

They were able to leverage Apple Pay’s Express Transit, a feature that allows a transaction to go through without unlocking the device, “to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorisation.” The researchers sent their findings to Apple and Visa in October 2020 and May 2021, respectively, but neither has fixed the problem. (Ionut Ilascu / Bleeping Computer)

Related: ZDNet Security, Daily Mail, MacRumors, Cybersecurity Insiders, The Apple Post, iMore, BetaNews, Hackers Review, Tech Xplore, 9to5Mac, Telegraph, Cult of Mac, Infosecurity Magazine

The hacktivist collective Anonymous has released what it claims to be new data from the controversial web hosting company Epik in a 70GB torrent file as part two of what it calls “Operation EPIK FAIL.”

A Texas-based hacker and cybersecurity expert known as WhiskeyNeon says that the leaked disk images represent Epik’s entire server infrastructure. The data includes API keys and plaintext login credentials for Epik’s systems and for its Coinbase, PayPal, and Twitter accounts. (Mikhael Thalen / Daily Dot)

Researchers at Intel471 have seen an increase in cybercrime bots, operating on the Telegram instant messaging platform, that allow attackers to intercept one-time password (OTP) tokens.

One new Telegram one-time password bot called SMSRanger is popular because it is easy to use and is successful in extracting OTP tokens when the attacker already has the target’s “fullz,” personal information such as Social Security number and date of birth. The researchers say that the rise of these bots underscores how more robust forms of two-factor authentication, such as Time-based One-Time Password (TOTP) codes from authentication apps, push-notification-based codes, or a FIDO security key, provide a greater degree of security than SMS or phone-call-based options. (Brian Krebs / Krebs on Security)

Related: ZDNet, Candid.Technology, CSO Online, Search Security, HackRead, Intel471

Researchers from mobile security firm Zimperium discovered an aggressive Android premium-services campaign with up to 10 million victims globally, whose total haul may reach hundreds of millions of euros.

The attackers were able to sneak around 200 trojan-laden apps with innocuous names such as "Handy Translator Pro," "Heart Rate and Pulse Tracker," and “Bus - Metrolis 2021” into Google Play and other third-party app stores as part of what Zimperium calls the “GriftHorse” trojan attack. Google removed the apps identified by Zimperium and banned the corresponding app developers. (Lily Hay Newman / Wired)

Related: PC Mag, Zimperium, Reddit - cybersecurity, Tom's Guide, Bleeping Computer, The Hacker News, The Record, Security Affairs, ZDNet Security, Android Authority, PCMag.com, TechSpot, Security News | Tech Times, The Register - Security, Sensors Tech Forum, Threatpost, Silicon Angle, Forbes

Researchers at Kaspersky Lab discovered a campaign delivering a previously unknown backdoor, Tomiris, that may be connected to the Russian Nobelium advanced persistent threat (APT) behind the high-profile SolarWinds supply-chain attacks of 2020.

However, the targeting of the Tomiris campaign has several overlaps with Kazuar, a backdoor linked to the Russian Turla APT group, first reported by Palo Alto in 2017. Tomiris is designed to establish a foothold in compromised systems that could be used to download additional, as yet unidentified malware, the researchers say. (Lisa Vaas / Threatpost)

Related: ZDNet, Securelist, The Register - Security

Facebook has open-sourced Mariana Trench, an internal security tool used by its security teams for finding and fixing bugs in Android and Java applications.

Available on GitHub, the tool works by analyzing Dalvik bytecode, the format in which Android apps are packaged for distribution. The benefit of working on Dalvik bytecode is that Mariana Trench can scan apps with or without direct access to their source code. (Catalin Cimpanu / The Record)

Related: Bleeping Computer, The Hacker News, GitHub

The U.S. Attorney’s office in the Northern District of Illinois has indicted Turkish hacker Izzet Mert Ozek for using the WireX botnet to orchestrate a distributed denial-of-service (DDoS) attack on a Chicago-based multinational hospitality company. WireX consisted of compromised Google Android devices.

The indictment charges Ozek with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued. (Catalin Cimpanu / The Record)

Related: Justice.gov, DataBreaches.net

The U.S. House of Representatives passed the Federal Rotational Cyber Workforce Program Act, sponsored by Reps. Ro Khanna (D-CA) and Nancy Mace (R-SC), which establishes a program to allow cybersecurity professionals to rotate through multiple federal agencies and enhance their expertise.

The bill also encourages federal agency leaders to identify cybersecurity positions that can be rotated through government and gives the Office of Personnel Management (OPM) jurisdiction over the Federal Rotational Cyber Workforce Program. (Maggie Miller / The Hill)

Related: FedScoop

Leaders of the House Oversight and Reform Committee, Representatives Carolyn Maloney (D-NY) and James Comer (R-KY), sent a letter to FBI Director Christopher Wray asking for a briefing on why the Bureau reportedly withheld a key to decrypt the Kaseya ransomware for nearly three weeks, potentially costing victims millions of dollars in recovery costs.

The lawmakers say they want to understand the rationale behind the FBI's decision to withhold the decryption key. (Sean Lyngaas / CNN)

Related: The Hill: Cybersecurity

Kraken Security Labs, an arm of cryptocurrency exchange Kraken, said it had uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM, the General Bytes BATMtwo (GBBATM2).

The researchers say they found many of the ATMs are configured with the same default QR code, allowing anyone who has that QR code to walk up to an ATM and compromise it. They also found a lack of secure boot mechanisms and critical vulnerabilities in the ATM management system. General Bytes is headquartered in the Czech Republic and currently has 6,391 ATMs installed worldwide, mostly in the U.S. and Canada. (Camomile Shumba / Business Insider)

Related: Business Insider, Coindesk, Kraken, Cointelegraph

U.S.-based Akamai Technologies has announced that it has acquired Israeli cybersecurity company Guardicore for $600 million.

Guardicore has developed a platform for preventing ransomware and other cyberattacks in real time. Akamai CEO Tom Leighton said he believes that with Guardicore, Akamai will be able to provide the most effective way to combat ransomware on the market today. (Assaf Gilead / Globes)

Related: Globes, ZDNet Security, The Times of Israel, Street Insider, CRN, Cybertech, Venture Capital Journal, Help Net Security, NoCamels, SiliconANGLE, Security Week, Benzinga, Fierce Telecom, The Register - Security, Reuters
