Unidentified Operatives Have Been Tracking Israeli Military Personnel Using Strava Fitness App
Russians can't download Windows 10 and 11 ISOs, Phishing campaign against Facebook users nets hundreds of millions of credentials, Office 365 and Outlook phishing campaign steals credentials, more
Check out my latest CSO column that delves into the details of the Russian hack of satellite provider Viasat and reviews how satellite-based assets are not immune to cyberattacks.
Israeli open-source intelligence outfit FakeReporter discovered that unidentified operatives have been using the fitness tracking app Strava to spy on members of the Israeli military, even those with the strongest available privacy settings on their accounts. The operatives have been tracking the personnel's movements across secret bases around the country and potentially observing them as they travel the world on official business.
Strava's tracking tools allow anyone to define and compete over "segments," short sections of a run or bike ride that are regularly raced over, such as a long uphill climb on a popular cycling route or a single circuit of a park. Segments are created from GPS tracks that users upload themselves, and Strava has no way of determining whether those uploads are legitimate.
An anonymous user, listing their location as "Boston, Massachusetts," had set up a series of fake segments across several military establishments in Israel, including outposts of the country's intelligence agencies and highly secure bases associated with its nuclear program. Because Strava matches every uploaded activity against existing segments and lists matching athletes on the segment's leaderboard, the fake-segment approach also bypasses some of Strava's privacy settings and allows individual users to be identified.
FakeReporter’s executive director, Achiya Schatz, said, “We contacted the Israeli security forces as soon as we became aware of this security breach. After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue.” (Alex Hern / The Guardian)
People in Russia can no longer download Windows 10 and Windows 11 ISOs and installation tools from Microsoft, with no reason for the block provided by the company.
Russian users who attempt to download the Windows 10 Update Assistant, the Windows 10 Media Creation Tool, and the Windows 11 Installation Assistant are shown a message stating, "404 - File or Directory not found." When attempting to download Windows 10 and 11 ISOs, users are shown an error saying, "There was a problem with your request." (Lawrence Abrams / Bleeping Computer)
Researchers at PIXM recently discovered that an ongoing, ever-expanding phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million.
Just one landing page, out of around 400 PIXM found, got 2.7 million visitors in 2021 and has already drawn 8.5 million in 2022. The attacker reportedly spoke to an OWASP researcher in late 2021 and said they made $150 for every thousand visits from US Facebook users. (Brandon Vigliarolo / The Register)
According to researchers at cloud security company Zscaler, a new phishing campaign has targeted U.S. organizations in the military, security software, manufacturing supply chain, healthcare, and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials.
The threat actor behind the campaign uses fake voicemail notifications to lure victims into opening a malicious HTML attachment. Zscaler researchers say that the recently discovered campaign shares tactics, techniques, and procedures (TTPs) with another operation analyzed in mid-2020. (Bill Toulas / Bleeping Computer)
Michigan-based financial services provider Flagstar Bank is notifying 1.5 million customers of a data breach where hackers accessed personal data during a December cyberattack.
According to the notifications, Flagstar experienced a security incident in December 2021 when intruders breached the bank's corporate network. Flagstar is providing two years of free identity monitoring and protection services to impacted individuals. (Bill Toulas / Bleeping Computer)
Researchers at Forescout's Vedere Labs say in a report dubbed OT:ICEFALL that many OT security vulnerabilities are insecure by design, namely flaws that stem from deliberate design choices rather than implementation errors, and that while these flaws are already known to vendors, the vendors have neither alerted users directly nor issued CVEs for them.
The affected vendors and product lines are Bently Nevada (3700 and TDI equipment); Emerson (DeltaV, Ovation OpenBSI ControlWave, BB 33xx, ROC, Fanuc, PACsystems); Honeywell (Trend IQ*, Safety Manager FSC, Experion LX, ControlEdge, Saia Burgess PCD); JTEKT (Toyopuc); Motorola (MOSCAD, ACE IP gateway, MDLC, ACE1000, MOSCAD Toolbox STS); Omron SYSMAC (Cx series, Nx series); Phoenix Contact (ProConOS); Siemens (WinCC OA); and Yokogawa (STARDOM). (Joe Uchill / SC Magazine)
According to FBI special agent Sean Ragan, cybercriminals are now turning to LinkedIn to defraud cryptocurrency investors, and he says the platform has become a "hotbed" of illicit activity.
The scammers create professional-looking fake profiles and strike up conversations with hand-picked users via the platform's built-in messaging feature. They initially direct victims to legitimate investment platforms to win their trust and then, over several months, convince them to move the money to a different platform, which is anything but legitimate and is usually operated by the scammer. (CNBCTV18.com)
Hot tub and spa maker Jacuzzi Brands' SmartTub connected-spa service exposed an easily accessible admin panel populated with user data for every spa and its owner.
A second admin panel, discovered while reviewing the SmartTub Android app's APK, was likewise easily accessed and exposed the same user data plus secret internal areas of the website. After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, no dialogue was established until Auth0 stepped in. Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgment that all reported issues had been addressed. (Eaton Works)
Widespread issues at Cloudflare brought several crypto exchanges to a halt, with FTX saying in a tweet that its exchange and other sites “are going to be hard to access for many users,” adding that FTX markets are currently in “post-only” mode. Bitfinex and OKX also tweeted about the issue.
Cloudflare later said that the issue "has been identified and a fix is being implemented." (Ryan Weeks / The Block)
icon jen (@iconjen): "List of services that are down atm: #internetdown 2K Games, League of Legends, Minecraft, Steam, Amazon Web Services, Discord, DoorDash, Gitlab, Shopify, Skype, UPS, Cloudflare, DigitalOcean, Udemy, Coinbase, Valorant, Crunchyroll, Patreon, Legends of Runeterra, Americas Cardroom, eToro, Betfair"
Not all insider fraud schemes involve digital technology, as the owner of a Jimmy John's store in Sunset Hills, Missouri, discovered when he found out that his husband-and-wife management team had been pocketing cash from orders while failing to print receipts, a scheme even lower-tech than BEC scams.
“One of [the managers] would take an order at the drive-thru, and when they determined the customer was going to pay with cash the other would make the customer’s change for it, but then delete the order before the system could complete it and print a receipt,” store owner Steve Saladin said. Saladin said his attorneys and local law enforcement are now involved, and he estimates the former employees stole close to $100,000 in cash receipts. That was on top of the $115,000 in salaries he paid each year to the two employees. (Brian Krebs / Krebs on Security)