Carly Page@TechCrunch
//
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.
The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.
References:
- bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
- www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
- The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
- The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
- : The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
- Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
- securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
- Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members. PSEA said it "took steps" to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible
- www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. The broker states that it sells exclusively to Russian government and private organizations, which points to strong interest from those buyers in exploiting Telegram. The size of the bounty shows how valuable Telegram users are as targets to these organizations and how much they are willing to spend to acquire working exploits.
Operation Zero has published several bounty tiers for Telegram vulnerabilities, with the price depending on how much user interaction the exploit needs. A remote code execution (RCE) exploit that requires one user interaction fetches up to $500,000, a zero-click RCE up to $1.5 million, and a complete exploit chain that compromises the whole device up to $4 million. With Telegram's user base of over a billion, this underlines the potential for targeted attacks on individuals or groups through the platform.
References:
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
info@thehackernews.com (The Hacker News)@The Hacker News
//
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.
Netskope notes that the use of cloud applications such as Telegram for C2 is a challenge for defenders: the traffic blends in with legitimate use of the service, and attackers benefit from how easy these apps are to set up and use across several attack phases. The "/cmd" instruction replies to the operator with "Enter the command:" in Russian, which further supports the assessment of a Russian origin.
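The behaviours described above (a copy of the binary at `C:\Windows\Temp\svchost.exe`, outbound traffic to the Telegram Bot API host, PowerShell spawned by that fake svchost) are detectable from ordinary endpoint telemetry. The following is an added example, not code from Netskope or from the malware: detection logic run over a handful of constructed Sysmon-style events (process create, network connect, file create). The field names follow Sysmon's conventions, and the allowlist of processes permitted to reach `api.telegram.org` is a hypothetical placeholder that a real deployment would tune.

```python
import ntpath

# Directories where the real Windows Service Host lives; any other svchost.exe is suspect.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Hypothetical allowlist of processes expected to talk to the Telegram Bot API host.
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Host used by the Telegram Bot API (the C2 channel described in the Netskope write-up).
TELEGRAM_API_HOSTS = {"api.telegram.org"}


def split_image(image):
    """Return (directory, basename) of a Windows path, lower-cased for comparison."""
    return ntpath.split(image.replace("/", "\\").lower())


def is_masqueraded_svchost(path):
    """True when a file named svchost.exe sits outside the two legitimate directories."""
    directory, basename = split_image(path)
    return basename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS


def detect(events):
    """Apply four rules to Sysmon-style events and return the matching findings."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        # Rule 1: process create (EventID 1) of a masqueraded svchost.exe.
        if eid == 1 and is_masqueraded_svchost(image):
            findings.append({"rule": "svchost_masquerade", "event": ev})
        # Rule 2: PowerShell spawned by a masqueraded svchost.exe (the /cmd handler).
        if eid == 1 and split_image(image)[1] in {"powershell.exe", "pwsh.exe"} \
                and is_masqueraded_svchost(ev.get("ParentImage", "")):
            findings.append({"rule": "powershell_from_fake_svchost", "event": ev})
        # Rule 3: file create (EventID 11) that drops svchost.exe outside System32/SysWOW64.
        if eid == 11 and is_masqueraded_svchost(ev.get("TargetFilename", "")):
            findings.append({"rule": "svchost_dropped_outside_system32", "event": ev})
        # Rule 4: network connect (EventID 3) to the Bot API host from an unexpected process.
        if eid == 3 and ev.get("DestinationHostname", "").lower() in TELEGRAM_API_HOSTS \
                and split_image(image)[1] not in TELEGRAM_ALLOWED_IMAGES:
            findings.append({"rule": "telegram_bot_api_from_unexpected_process", "event": ev})
    return findings


# Constructed sample telemetry (not real logs) modelling the infection chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\update.exe",
     "TargetFilename": r"C:\Windows\Temp\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\update.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Temp\svchost.exe", "CommandLine": "powershell -c whoami"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], "->", f["event"].get("Image"))
```

Rule 4 is the one that generalises beyond this sample: any Telegram Bot API client will hit `api.telegram.org` over HTTPS, so the useful signal is which process is talking, not the destination alone. Rules 1 to 3 are specific to the path this sample uses and would need widening if a variant picks a different drop location.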
References:
- ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
- securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
- The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
- securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
- Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
- www.scworld.com: Telegram API exploited by new Golang backdoor
- Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct.
- securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram
- Threat Labs - Netskope: 🚩Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
- www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
Mandvi@Cyber Security News
//
A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been reported by security researcher 0x6rss. It lets attackers disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The flaw lies in Telegram's file handling: an HTML file given an .mp4 extension is presented in the chat as a playable video even though it contains no video data.
When a user tries to play one of these crafted "videos," Telegram cannot render it and prompts the user to open the file in an external application, which can lead to the installation of malicious software. The attack is not silent: for it to succeed, the user must tap the embedded link several times, disable Android's restriction on installing apps from unknown sources, and approve the installation. The file used to carry out this attack has been offered for sale on underground hacker forums.
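The lure works because the declared file type (the .mp4 extension) and the real content (HTML) disagree. A gateway, mail filter or chat-media scanner can catch that class of file by sniffing the leading bytes instead of trusting the name. The following is an added example, not code from Telegram, from 0x6rss or from the file sold on the forums: a small type-sniffing check run over constructed samples (a minimal ISO BMFF header standing in for a real MP4, and an HTML page with a download link pointing at a placeholder host).

```python
import re

# Byte sequences that, at the start of a file, identify HTML regardless of extension.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<head", b"<meta")
# Extension -> expected content family; anything else is 'unknown' and not judged.
EXTENSION_TYPES = {"mp4": "mp4", "m4v": "mp4", "mov": "mp4", "3gp": "mp4",
                   "html": "html", "htm": "html"}


def sniff(data):
    """Return 'mp4', 'html' or 'unknown' from the file's leading bytes."""
    head = data[:512]
    # ISO BMFF (MP4/MOV/3GP): a 4-byte box size followed by the 'ftyp' box type.
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "mp4"
    # Skip a UTF-8 BOM and leading whitespace, then look for HTML markers.
    lowered = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if lowered.startswith(HTML_MARKERS) or re.search(rb"<(html|script|iframe)\b", lowered):
        return "html"
    return "unknown"


def declared_type(filename):
    """Content family implied by the file name's extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext, "unknown")


def is_mismatched(filename, data):
    """True when the extension claims one known type and the bytes show another."""
    declared, actual = declared_type(filename), sniff(data)
    return declared != "unknown" and actual != "unknown" and declared != actual


# Constructed samples (not the forum artefact). 'example.invalid' is a placeholder host.
GOOD_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 64
HTML_LURE = (b"<!DOCTYPE html><html><body>"
             b"<a href=\"https://example.invalid/app.apk\">Open video</a>"
             b"</body></html>")

if __name__ == "__main__":
    for name, blob in (("holiday.mp4", GOOD_MP4), ("video.mp4", HTML_LURE)):
        print(name, "->", sniff(blob), "mismatch" if is_mismatched(name, blob) else "ok")
```

The check only flags a file when both the extension and the sniffed bytes resolve to a known family, so an unrecognised format is left alone rather than reported; on the client side the real fix is for the app to refuse to hand a file it could not decode as video to an external handler.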
References:
- Cyber Security News: A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
- WeLiveSecurity: ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos
- securityonline.info: Telegram’s EvilLoader: Hackers Exploit Video Flaw Again