2 July 2021 | Asia Cyber Summary

In the Spotlight This Week:

  • Hackers target private vendor for Government’s OneService app

  • Microsoft accidentally approved malware that could spy on Windows users

  • LinkedIn breach reportedly exposes data of 92% of users, including inferred salaries

  • Microsoft says new breach discovered in probe of suspected SolarWinds hackers

  • Security researchers accidentally leak remote execution vulnerability in Windows



Hackers Target Private Vendor For Government’s OneService App


The databases of a vendor linked to the Singapore Municipal Services Office’s (MSO) OneService app have been hacked but users were not affected.


MSO said in a statement on Monday (June 28) that no data that could lead to the identification of people, including case details, was stored in these databases.


There was also no anonymised data of users and no profiles of people in the hacked databases. MSO was alerted on June 19 that the vendor Apptitude, which develops Web and mobile applications, was the subject of a cyber incident.



Microsoft Accidentally Approved Malware That Could Spy On Windows Users


Last week, Microsoft published a blog post saying it discovered a piece of malware that slipped past the company’s safeguards to get installed on Windows 10 computers in China. The malware, when installed, could collect all internet traffic going through a computer and send it to a third party.


Microsoft says the hackers targeted gamers and are not believed to be state-affiliated. A new update for Windows Defender has been released that neutralizes the malware that was allowed to run rampant for three months.


"The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments," Microsoft wrote. "The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."



LinkedIn Breach Reportedly Exposes Data of 92% Of Users, Including Inferred Salaries


A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.


The hacker who obtained the data has posted a sample of 1M records, and checks confirm that the data is both genuine and up-to-date.


No passwords are included, but as the site notes, this is still valuable data that can be used for identity theft and convincing-looking phishing attempts that can themselves be used to obtain login credentials for LinkedIn and other sites.



Microsoft Says New Breach Discovered In Probe Of Suspected SolarWinds Hackers


Microsoft said on Friday that an attacker gained access to one of its customer service agents and used the obtained information to launch hacking attempts against customers. The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.


Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.



Security Researchers Accidentally Leak Remote Execution Vulnerability in Windows


Security researchers have inadvertently leaked details of a critical Windows Print Spooler vulnerability, dubbed PrintNightmare, along with a proof-of-concept. The flaw, said to be a Stuxnet-style zero-day, can be exploited to completely compromise a Windows system.

As explained by Bleeping Computer, towards the end of last month, researchers from Chinese security firm QiAnXin published a demonstration of code execution using the vulnerability (CVE-2021-1675). Then researchers from Sangfor, another Chinese security firm, got a little mixed up and published a technical write-up of what they thought was the same bug, calling it PrintNightmare.

But in reality, PrintNightmare and CVE-2021-1675 are different vulnerabilities, so Sangfor had effectively revealed how to exploit a serious, unpatched vulnerability. Although the proof-of-concept exploit code was later pulled, this did not happen before it was seen and grabbed by many people, and there are reports that the code can still be retrieved via Google.

As a result, system administrators are being advised to disable the Windows Print Spooler service on domain controllers, although the problem affects non-domain systems as well. At the moment, it is not clear when PrintNightmare will be patched.
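The interim mitigation above, as an added PowerShell example that is not part of the newsletter: it checks whether the host is a domain controller (via the Win32_ComputerSystem DomainRole value) and, if so, stops and disables the Print Spooler service; on other hosts it only reports the service state, since disabling printing there is a judgement call.

```powershell
# Added example (not from the newsletter). Run in an elevated PowerShell session
# on the host to assess. Stops and disables the Print Spooler only on domain
# controllers; elsewhere it reports state so an admin can decide.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# DomainRole 4 = backup domain controller, 5 = primary domain controller
$isDomainController = $cs.DomainRole -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service not present on $env:COMPUTERNAME"
    return
}

Write-Output ("{0}: DomainRole={1}, Spooler status={2}, startup={3}" -f $env:COMPUTERNAME, $cs.DomainRole, $spooler.Status, $spooler.StartType)

if ($isDomainController) {
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    # Disabled (not Manual) so a reboot or dependent service cannot bring it back
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and disabled on domain controller $env:COMPUTERNAME"
}
else {
    Write-Output "Not a domain controller; PrintNightmare still applies, so review whether printing is required before disabling Spooler here"
}
```

Re-running the script after the change should show Spooler status Stopped and startup Disabled on every domain controller in the fleet.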



