23andMe, Facebook, GitHub’s Secret Scanning, MGM Resorts, Grindr, & Jason Wood – SWN #332

Google's research team has launched v8CTF, a capture-the-flag (CTF) challenge focused on its Chrome browser’s V8 JavaScript engine.

The competition opened on October 6, 2023, and is accessible to any exploit writers. “Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag,” Google software engineers Stephen Roettger and Marios Pomonis noted in a public statement.

Contestants can either try to find known vulnerabilities (n-days) or discover new ones (zero-days or 0-days), but their exploits must be “reasonably stable,” which the company described as having a runtime of less than five minutes and at least 80% success rate.

“If the bug that led to the initial memory corruption was found by you, i.e. reported from the same email address as used in the v8CTF submission, we will consider the exploit a 0-day submission. All other exploits are considered n-day submissions,” Google explained.

Valid submissions will get a reward of $10,000.

The v8CTF challenge is set to complement Google’s Chrome Vulnerability Reward Program (VRP), meaning that exploit writers who discover a zero-day exploit are eligible for an additional reward of up to $180,000.

A credential harvesting campaign is targeting Citrix NetScaler gateways that have not been patched against a recent vulnerability, IBM reports.

Tracked as CVE-2023-3519 (CVSS score of 9.8), the vulnerability was disclosed in July, but had been exploited since June 2023, with some of the attacks targeting critical infrastructure organizations.

Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

CDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over the ransom fee broke down, a spokesperson for the cybercrime gang says.

Speaking to The Register, the spokesperson, who uses the alias LockBitSupp, implied that during negotiations CDW offered a sum that was so low it insulted the crooks.

"We published them because in the negotiation process a $20 billion company refuses to pay adequate money," the source said.

"As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no longer in progress. We have refused the ridiculous amount offered."

Facebook’s official page was hacked on Facebook after bizarre posts, including demands for the release of ex-Pakistani PM Imran Khan, filled its timeline.

Facebook’s official page was apparently hacked on Friday, 6th October 2023.

Social media users were shocked to see Facebook posting strange messages.

One of the many weird messages was the hacker demanding the release of ex-PAK prime minister Imran Khan.

Mr Khan was arrested in early August 2023.

Whether it was a prank or the page was actually hacked, it raises serious concerns over the security of Facebook accounts and pages.

Hacking of user accounts and pages on social media is nothing new. Even high-profile personalities, including politicians and celebrities, have experienced page compromises, with scammers posting messages in their names.

Default configurations of software and applications Improper separation of user/administrator privilege Insufficient internal network monitoring Lack of network segmentation Poor patch management Bypass of system access controls Weak or misconfigured multifactor authentication (MFA) methods Insufficient access control lists (ACLs) on network shares and services Poor credential hygiene Unrestricted code execution

GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

Validity checks, introduced by the Microsoft subsidiary earlier this year, alert users whether exposed tokens found by secret scanning are active, thereby allowing for effective remediation measures. It was first enabled for GitHub tokens.

The cloud-based code hosting and version control service said it intends to support more tokens in the future.

MGM Resorts said the previously disclosed cyberattack in September will impact the company’s third quarter financial results by about $100 million, mainly related to the impact on its Las Vegas operations, according to a Thursday filing with the Securities and Exchange Commission.

The company said it will incur about $10 million in costs for technology consultants, legal fees and other third-party advisors.

“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” said MGM Resorts President and CEO Bill Hornbuckle in an open letter to customers Thursday.

Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop on the 4.5 days that the task had been taking last year, according to a new threat report.

Cybersecurity company Secureworks warns that “2023 may be the most prolific year for ransomware attacks to date” with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.

Leak sites are a poor metric for assessing the size of the ransomware problem, the company’s report notes, pointing out that the leak site for Hive — which was disrupted by law enforcement earlier this year — listed only around 10% of the total victims law enforcement knew about.

A complaint filed with the Federal Trade Commission (FTC) Wednesday urges the agency to investigate the LGBTQ+ dating app Grindr for potentially illegally storing and disclosing users’ sensitive data, including HIV and vaccination status.

The Electronic Privacy Information Center’s (EPIC) complaint lays out Grindr’s history of compromising users’ privacy and safety, pointing most recently to allegations made by the app’s former chief privacy officer, Ronald De Jesus, who is suing the company for wrongful termination.

De Jesus’s suit, filed in June, alleges that Grindr fired him after he alerted executives to rampant violations of the company’s privacy policy, according to EPIC’s complaint.

Grindr executives were notified about the privacy violations, EPIC’s complaint says, but they expressed “disinterest [which] escalated into displeasure and contempt.”

Hackers Join In on Israel-Hamas War With Disruptive Cyberattacks