NATO investigates after criminals claim to be selling its stolen missile plans

In brief: NATO officials are investigating after criminals put data up for sale on dark forums that they claim is “classified” information stolen from European missile maker MBDA.

MBDA has denied any sensitive material has been compromised and said it had refused to pay the gang a ransom, claiming the data for sale was obtained from an “external hard drive” rather than its systems.

According to the BBC, which saw samples of the files and has reportedly spoken to the miscreants, 80GB of data – which it was unable to verify – is being offered up for 15 Bitcoins, or approximately $297,000, and the extortionists claim to have made at least one sale. 

The data allegedly includes designs for the Land Ceptor Common Anti-Air Modular Missile, which the BBC said has been used in the Ukrainian conflict. The crims described the total data package as “design documentation, drawings, presentations, video and photo materials, contract agreements and correspondence with other companies,” and also claimed it contained personal information about employees at defense companies. 

MBDA’s Italian division, meanwhile, says it has filed a report with police of an attempt to blackmail the company and says not only that there was no actual network penetration, but that the data was neither classified nor sensitive.

The BBC has nonetheless claimed the sample it saw included documents labeled “NATO SECRET,” “NATO CONFIDENTIAL” and “NATO RESTRICTED.”

A former NATO official said that, while NATO tends to overclassify documents, a secret-level classification isn’t applied lightly. If the labels are indeed correct and recent, they said, “This is really the kind of information NATO doesn’t want out there in the public.” 

The criminal vendors wouldn’t verify if the data for sale online came from multiple sources or just MBDA but it’s understood that NATO’s investigation is centered around one of MBDA’s suppliers, which could mean any blame might ultimately lie with a third party.

TikTok’s Android app vulnerable to one-click takeover

Security researchers at Microsoft would like TikTok users to know that, if they ever accidentally click a malicious link that fails to take over their account, please direct gratitude in Redmond’s direction.

It turns out a specially crafted link sent to Android versions of the TikTok app, both the Chinese version and international flavor, could give an attacker total control over the victim’s account as soon as they clicked it.

Microsoft security researchers said they first found the bug in the Android version of TikTok in February; the social media company quickly fixed it due to its high severity. According to Microsoft, there’s no evidence the exploit has been used in the wild.

At the heart of the flaw is a method used to bypass TikTok’s deeplink verification process by forcing the code to load an arbitrary URL into WebView, the Android component that allows URLs to be opened inside of apps. 

From there, the malicious URL can access the JavaScript bridges that allow WebView to talk to TikTok, giving the attacker the ability to access and modify a victim’s profile, publicize private videos, send messages and upload posts. 

Exploiting JavaScript bridges is nothing new – it’s been a method used to compromise Android apps since at least 2012 when it was demonstrated at Black Hat. In that instance, researchers demonstrated how they could execute malware in an Android app after it had been scanned by Google Play for malicious code.

Google made changes to Play store policies in July 2021 that further restricted the misuse of interpretive languages like JavaScript, Python and Lua by Android apps, but it’s unclear how much those policies would have been able to stop abuse like Microsoft discovered in TikTok. 

“From a programming perspective, using JavaScript interfaces poses significant risks … we recommend that the developer community be aware of the risks and take extra precautions to secure WebView,” Microsoft said. 
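As an added illustration of the kind of precaution Microsoft recommends (not code from TikTok, Microsoft or the original article), the check below decides whether a deeplink URL may be loaded into a WebView that exposes a JavaScript bridge. The host names and the class and method names are hypothetical, and plain java.net.URI is used instead of Android's own Uri class so the example runs off-device.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class DeeplinkGate {
    // Hypothetical allowlist of hosts trusted to reach the app's JavaScript bridge.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("www.example.com", "m.example.com");

    /** True only if this URL may be loaded in a WebView that exposes the bridge. */
    static boolean mayLoadWithBridge(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false; // reject unparsable input instead of trying to repair it
        }
        // Only https: rules out http:, javascript:, file:, intent: and similar.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Userinfo makes a trusted name appear before the real host.
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null) return false; // opaque URI or malformed authority
        int port = uri.getPort();
        if (port != -1 && port != 443) return false;
        // Exact match: substring or suffix checks admit look-alike hosts.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample links: one trusted URL and several look-alikes.
        String[] samples = {
            "https://www.example.com/profile",
            "http://www.example.com/profile",
            "https://www.example.com.attacker.test/",
            "https://www.example.com@attacker.test/",
            "https://attacker.test/?next=https://www.example.com/",
            "javascript:void(0)",
        };
        for (String s : samples) {
            System.out.println(mayLoadWithBridge(s) + "  " + s);
        }
    }
}
```

In an Android app, the same decision would gate the call to addJavascriptInterface and be repeated in shouldOverrideUrlLoading, since a trusted page can redirect to an untrusted one after the first load.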

Teenager cracks government encryption puzzle in an hour

A commemorative cryptographic puzzle minted on an Australian coin has been cracked, and it took the winner – an unnamed 14-year-old from Tasmania – a little over an hour to accomplish a job that was supposed to take much longer.

The Australian Signals Directorate (ASD), which handles foreign intelligence along with cyberwarfare and security duties in a similar way to the US’ NSA or the UK’s GCHQ, had a special 50-cent coin minted in a limited run of 50,000 to mark the agency’s 75th anniversary. 

Security conscious government agencies often employ encryption puzzles, making another one a fitting commemoration. ASD director-general Rachel Noble said the coin included four different layers of encryption that were progressively difficult, with clues also located on the coin. 

“There’s a challenge out there to see who can correctly break all the layers, and, would you believe it, yesterday the coin was launched at 8:45am; we put up our web form … and believe it or not, a boy, 14 years old in Tasmania, was the first person in just over an hour to get all four layers right,” The Australian Broadcasting Corporation reported Noble as saying. 

“So we’re hoping to meet him soon … to recruit him,” Noble said. 

Noble didn’t share what the hidden message on the coin is, only saying that it contained uplifting messages, which she encouraged others to go out and solve. Noble said the first few layers of the puzzle could be solved with a pencil and paper, but she warned that the last layer may require a computer. 

To those dismayed they lost a chance to solve the puzzle, Noble revealed that the game isn’t quite over yet: She said there’s a hidden fifth level of encryption on the coin that no one had broken yet, but an intelligence agency whose code was just cracked might say anything to save a bit of face. 

2.5 million student loan borrowers’ records exposed in hack

Student loan servicers Edfinancial and the Oklahoma Student Loan Authority (OSLA) are contacting more than 2.5 million borrowers to inform them that a breach may have exposed their names, addresses, emails, phone numbers and social security numbers. 

Edfinancial and OSLA aren’t directly responsible for the breach, which was suffered by Nebraska-based Nelnet Servicing, which provides tech services for the two student loan companies. Nelnet also services loans, but said none of its borrowers were affected by the breach. 

Sample letters and a statement from Nelnet filed with the state of Maine indicate that, between June and July 22, 2022, an unauthorized party had access to the records in question. Nelnet said that, upon noticing the breach, it blocked the activity, fixed the vulnerability that led to the breach, began an investigation and notified the affected servicers.

The US Department of Education was also notified, and law enforcement is currently investigating, Nelnet said. 

As has been the case with previous large-scale breaches, Nelnet said it’s offering free credit monitoring services to affected borrowers through Experian, which itself was found vulnerable to being tricked into duplicating accounts for criminals, who used them to hijack Experian customers’ identities.

Nelnet customers who had their data stolen have wasted no time in launching a class action lawsuit against the company, which was filed in a Nebraska District Court on Tuesday. 

The suit asks for Nelnet to be forced to conform to higher security standards, as well as asking for an unspecified amount in damages to be awarded to the class, which includes students from around the country. 

Samsung says US customer data stolen

Samsung has admitted it was hit by a cyberattack that led to the theft of some of its US customers’ data in late July. 

According to the Korean tech company, an unauthorized third party stole the data, which Samsung determined in early August contained personal customer information. 

While no social security numbers were stolen, Samsung does admit that customer names, contact and demographic information, birth date and product registration information may have all been taken, with the specific stolen information varying between customers, Samsung said.

The Galaxy maker said it had taken action to secure affected systems and was coordinating with law enforcement, but Samsung’s statement makes no mention of how many customers may have been affected. 

There isn’t anything that Samsung customers need to immediately do to protect themselves, the multinational said, though it does recommend that kit owners beware of unsolicited communications asking for personal info or to tap a link, to not click links or download attachments from suspicious emails and to review their Samsung accounts for suspicious activity.

While theft of customer data may be new for Samsung, breaches of its perimeter resulting in large-scale theft of company information are not, as the tech company saw 190GB of its internal files, including source code for Samsung Knox and the company’s bootloader, published online earlier this year.

The data was stolen by online extortion gang Lapsus$, believed to be based in Brazil, who previously hacked and published files from Nvidia, game publishing company Ubisoft, and other high profile targets. 

Of the earlier breach, Samsung told The Register that it had responded by “implement[ing] measures to prevent further such incidents,” and that it would continue to serve its customers “without disruption.” ®
