News Items

Cybersecurity Snapshots #9 -

Organizations Need to Address Mobile Security

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Security researchers at Mitiga have discovered that threat actors can easily build malware-laced Community Amazon Machine Images (AMI) and make them available to unsuspecting AWS customers. The researchers released details of a malicious AMI found in the wild running an infected instance of Windows Server 2008. The researchers said the AMI was removed from a customer's Amazon Elastic Compute Cloud (EC2) instance earlier this month but is still available within Amazon's Community AMI marketplace. The AMI discovered was harboring a crypto miner, and was generating Monero coins for unknown hackers on a financial institution's EC2 for the past five years.

Threatpost reports: "Researchers Sound Alarm Over Malicious AWS Community AMIs"

New cyber-operational tools have been integrated into the U.S. Cyber Command's virtual cyber-training platform, called the Persistent Cyber Training Environment (PCTE). Cyber Command's warriors will use the new set of tools integrated into the platform during missions. They can log in to the PCTE from anywhere to go through cyber-training and mission rehearsals. This article continues to discuss the PCTE in relation to its growing advancement and importance, and what it has enabled teams to do.

Infosecurity Magazine reports "U.S. Cyber Command Gets New Operational Tools"

The world's largest cruise operator Carnival has disclosed that on August 15th, they suffered a ransomware attack and a possible security breach. The adversaries accessed and encrypted a portion of one brand's information technology systems, and gained unauthorized access to personal data of guests and employees.

Engadget reports: "World's Biggest Cruise Line Company Hit by Ransomware Attack"

IBM X-Force Red security researchers found a security flaw in components manufactured by Thales, which are included in millions of Internet of Things (IoT) devices. Thales produces components for over 3 billion devices used by 30,000 companies in different sectors, including healthcare. An attacker can remotely exploit the IoT vulnerability to control a device or access an enterprise network. The vulnerability can be found in Thales' Cinterion EHS8 M2M module, which has been installed in millions of connected devices within the last ten years. Other modules in Thales' products that are impacted by the vulnerability include BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62. These modules are mini circuit boards that provide IoT devices the capability of mobile communication. They store and run Java code containing passwords, encryption keys, and other confidential information. If a hacker were to gain direct control of an unpatched module, they could instruct a device to give a medical patient an excess amount of medication or disrupt a power grid. This article continues to discuss the IoT vulnerability in relation to where it was discovered, what its exploitation could allow hackers to do, and its patching process.

HealthITSecurity reports "Remote Exploit Flaw Found in Millions of Connected IoT Devices"

Apple has released a new tool aimed at helping developers protect iOS apps against security threats. Apple's Attest API tool generates a cryptographic key on a user's device to ensure that an app is authentic. The tool also makes sure that a phone does not send a user's data to a malicious app created to steal information such as usernames and passwords. This article continues to discuss the capabilities of Apple's Attest API, why it is difficult for iPhone security researchers to determine whether hackers have successfully breached an individual device, and what can happen when hackers use malicious apps to infiltrate iPhones.

CyberScoop reports "Apple's Attest API Tool Aims to Tighten App Security"

Chinese hackers have infiltrated at least 10 Taiwan government agencies and gained access to about 6,000 email accounts in an attempt to steal data. According to a top Taiwan cyber official, the damage done is not small, and the full impact is still being assessed. According to the Taiwan Investigation Bureau's Cyber Security Investigation Office, Chinese hacking groups Blacktech and Taidoor, have been targeting government departments and information service providers since 2018. This information was made public to alert everyone of the threat and hopefully stop further damage.

SecurityWeek reports: "Thousands of Taiwan Government Email Accounts 'Hacked by China'"

Cyber-physical systems security researchers at the University of California demonstrated the use of inexpensive equipment to attack a grid-tied solar inverter. The researchers built a remote spoofing device composed of an electromagnet, an Arduino Uno microprocessor, and an ultrasonic sensor to abuse electromagnetic components contained by many grid-tied solar inverters. Without touching the solar inverter, one could hide the device in a coffee cup near the inverter, leave, and destabilize the power grid from anywhere in the world. Power grid destabilization could result in a major blackout. This article continues to discuss the spoofing apparatus assembled by researchers at the University of California to bring further attention to the vulnerability of solar inverters to attack and the ease at which the spoofing device can be constructed.

UCI reports "UCI Cyber-Physical Security Researchers Highlight Vulnerability of Solar Inverters"

Hackers used a social engineering technique called "phone spear phishing," also known as "vishing" or "voice phishing," in an attempt to compromise more than 100 Twitter accounts belonging to high-profile users, including CEOs, celebrities, and politicians. The hackers succeeded at taking control of 45 of those accounts to send tweets promoting a bitcoin scam. According to cybersecurity investigators, in the last month since the Twitter hack occurred, banks, cryptocurrency exchanges, web hosting firms, and other companies have been targeted in attacks involving the same phone spear phishing technique. This article continues to discuss the performance of phone spear phishing in the Twitter hack last month and the increased use of this type of phishing against different companies following the incident.

Wired reports "The Attack That Broke Twitter Is Hitting Dozens of Companies"

Security researchers have discovered cryptocurrency mining malware capable of stealing AWS credentials from infected servers. The malware was observed being used by TeamTNT, a cybercrime group that targets Docker installations. According to researchers, TeamTNT has been active since April. TeamTNT scans the internet for misconfigured Docker systems that have their management API exposed without a password. After gaining access to the API, they deploy servers inside the Docker installation that would run Distributed Denial-of-Service (DDoS) and cryptocurrency mining malware. The researchers have now discovered that the cybercrime group is now targeting Kubernetes installations as well. This article continues to discuss the history and expanded operations of the TeamTNT gang.

ZDNet reports "Crypto-Mining Worm Steal AWS Credentials"

Researchers at Wordfence have discovered two critical flaws in a WordPress plugin called Quiz and Survey Master, which is actively installed on over 30,000 websites. The two critical flaws that were discovered include an arbitrary file-upload vulnerability ranking 10 out of 10 on the CVSS scale, and an unauthenticated arbitrary file deletion error which has a raking of 9.9 out of 10 on the CVSS scale. If the vulnerabilities are exploited, an adversary could launch varying attacks and could fully take over the vulnerable website. A patch is available for both issues in version 7.0.1 of the plugin.

Threatpost reports: "Critical Flaws in WordPress Quiz Plugin Allow Site Takeover"

Security researchers at Char49 found vulnerabilities in version 6.9.25 of Samsung's Find My Mobile (FMM) service. The FMM application is intended to help users locate their Samsung devices if they lose them. The exploitation of these vulnerabilities could allow a malicious application to take over the communications between the FMM application and its management servers. A range of malicious activities could be executed through the abuse of flaws in the FMM application, including resetting phones to factory settings, locking phones with a custom message, as well as stealing SMS messages, call logs, and more. The flaw-ridden version of FMM was discovered in Samsung Galaxy S7, S8, and S9 smartphone models. This article continues to discuss the vulnerabilities found in Samsung's FMM application, the attacks that could be performed against users by abusing the flaws, and other findings surrounding the masquerading of malicious applications as popular applications to hijack Android devices.

TEISS reports "Flaw in Find My Mobile App Exposed Samsung Users to Hacking Attacks"

A recently fixed vulnerability in Amazon's voice assistant Alexa is a reminder that users should delete their Alexa voice history regularly. The vulnerability discovered by Check Point researchers could have allowed hackers to view a user's voice chat history with the smart speaker. Hackers could have also abused the flaw to install or view skills, which are voice-driven Alexa capabilities. With access to a user's stored conversations from Alexa's history, attackers could gather sensitive information about the user regarding their health, finances, and more. This article continues to discuss the vulnerability that would have exposed a person's conversations with their Alexa device, other issues with Alexa that have been discovered by security researchers, and why smart voice assistants are attractive targets for hackers.

CNET reports "Alexa Vulnerability Is a Reminder to Delete Your Voice History"

A researcher claims that hackers took control over a part of the endpoint infrastructure used by the anonymizing internet browser Tor to route traffic. According to the researcher, attackers manipulated Tor traffic and mined cryptocurrency using Tor exit relays, which are the IP addresses through which the browser passes traffic. This finding brings further attention to how hackers can corrupt parts of Tor's infrastructure to perform malicious activities for their own advantage. This article continues to discuss hackers' abuse of Tor exit relays to generate bitcoin, other malicious Tor activity documented by researchers, and government efforts to ban Tor altogether.

CyberScoop reports "Hackers Exploited Tor Exit Relays to Generate Bitcoin"

Researchers from the Horst Gortz Institute for IT Security (HGI) at Ruhr-Universitat Bochum have shown that it is possible to decrypt the contents of telephone calls made via the LTE mobile network, 4G, which are supposed to be tap-proof. The decryption was performed through the exploitation of a flaw stemming from the implementation of the base stations. Relevant providers and manufacturers were made aware of the vulnerability before the researchers published the results about it. According to researchers, the vulnerability should have been addressed already. This article continues to discuss the security gap regarding how attackers could have exploited it and how researchers determined how widespread the gap was.

RUB reports "Security Gap Allows Eavesdropping on Mobile Phone Calls"

According to IBM's annual "Cost of a Data Breach" report released in July, the average losses incurred by the public sector worldwide per data breach is the lowest average cost compared to 17 other industries. Researchers examined the costs of data breaches experienced by more than 500 organizations between April 2019 and April 2020. They looked at how much an organization spent on the detection and management of a data breach, in addition to losses resulting from business disruption and the loss of customers after a breach. Security automation and orchestration practices have contributed to U.S. federal government agencies' reduced cost of data breaches. This article continues to discuss the average cost of data breaches incurred by the public sector and other industries and the effect of automated security practices on the cost of data breaches.

NextGov reports "Using Automated Security Protocols Reduce the Cost of Data Breaches, Report Says"

Researchers at Check Point discovered that phishing emails with subject lines related to COVID-19 vaccines are now being used to trick recipients into downloading malicious files typically in file type forms of .exe, .xls, or .doc. The researchers also discovered that the number of new, vaccine-related coronavirus domains doubled in June and July 2020. 1 out of every 25 malicious coronavirus-related websites' landing pages is vaccine-related. They also discovered that email (82%) dominates web (18%) as the attack vector of choice for malicious files in the last 30 days.

Information Security Buzz reports: "Hackers Exploit Covid-19 Vaccine Interest As Cover For Attacks"

CISOs need to make protecting HR data a high priority during the Covid-19 pandemic. Since most employees are working from home, companies are even more susceptible to data breaches. If compromised, the data stored by HR can do a devastating amount of damage to both the company and the personal lives of its employees. HR data is one of the highest risk types of information stored by an organization. It usually contains everything from basic contractor details and employee demographics to social security numbers and medical information.

Help Net Security reports: "Securing Human Resources From Cyber Attack"

In June, JSOF researchers disclosed a set of 19 vulnerabilities, dubbed "Ripple20," that affect millions of connected devices, including those used in the healthcare industry. These vulnerabilities were found in Treck's widely adopted low-level TCP/IP software library. The exploitation of Ripple20 vulnerabilities could enable information leakage, device disruption, remote access for hackers from outside the network, and more. Infusion pumps were among the devices discovered to be vulnerable to Ripple20, posing a significant threat to safety as these devices deliver doses of medicine directly to patients. According to a new report recently released by Tenable Research and developed in collaboration with JSOF, 47 more devices, some from 34 new vendors, have been identified as vulnerable to Ripple20. The devices most at risk to Ripple20 are those found in the healthcare sector. This article continues to discuss what causes most of the Ripple20 vulnerabilities, the malicious activities that hackers could perform through the abuse of these vulnerabilities, and the identification of additional devices potentially impacted by Ripple20.

HealthITSecurity reports "Researchers Find More Devices, Vendors Vulnerable to Ripple20"

Researchers from Micro Focus Fortify have discovered more than 30 vulnerabilities in Microsoft SharePoint, Atlassian Confluence, and 18 other popular Content Management Systems (CMSs). CMSs enable the creation and modification of digital content for web content management and enterprise content management. CMSs have grown more important due to an increase in remote work during the coronavirus pandemic. The exploitation of vulnerabilities found in CMSs could allow unprivileged attackers to escape template sandboxes and execute arbitrary code in CMS products. This article continues to discuss the use of CMSs and what the vulnerabilities discovered in these systems could allow attackers to do.

Security Week reports "Over 30 Vulnerabilities Discovered Across 20 CMS Products"

The car security research team from Qihoo 360, called the Sky-Go Team, discovered over a dozen vulnerabilities in a Mercedes-Benz E-Class car by reverse-engineering the car's components using a testbench they built. According to the researchers, the exploitation of these flaws could allow attackers to open the car's doors and start its engine remotely. As the connectivity of vehicles increases, the more they become vulnerable to being hijacked, manipulated, and disabled by cybercriminals. The existence of vulnerabilities in connected cars creates more opportunities for cybercriminals to perform malicious activities that could impact safety. Katharina Becker, a spokesperson for Mercedes' parent company Daimler, stated that the vulnerabilities found by the team were fixed before any vehicle in the market was impacted. The vulnerabilities could have affected around two million Mercedes-Benz cars in China. This article continues to discuss the discovery of vulnerabilities that could have allowed hackers to control a Mercedes-Benz car remotely and other research that demonstrated the vulnerability of internet-connected vehicles to hacking.

TechCrunch reports "Security Bugs Let These Car Hackers Remotely Control a Mercedes-Benz"

A researcher at Oxford University demonstrated the potential exploitation of vulnerabilities in satellite broadband communications to intercept unencrypted web traffic through the use of an inexpensive satellite dish and a digital broadcasting satellite tuner. Attackers could abuse the vulnerabilities to spy on sensitive communications covertly from an extremely far distance. The researcher was able to intercept real traffic from ships, law firms, and Internet of Things (IoT) providers from a fixed point in the UK. This article continues to discuss the technique demonstrated to gain access to sensitive information via traffic transmitted by satellites.

"How Hackers Could Spy on Satellite Internet Traffic With Just $300 of Home TV Equipment"

Although smart home technologies are marketed to increase the convenience of our daily lives, many consumers still do not trust the privacy and security of these technologies. Researchers from WMG and Computer Science, University of Warwick, conducted a survey to which 2,101 UK consumers responded. The survey asked respondents questions regarding their awareness of the Internet of Things (IoT), their current ownership of smart home devices, experiences with using these devices, as well as their trust in the reliability, competence, privacy, and security of smart home devices. The survey findings suggest that consumers do have anxiety about the possibility of a security incident resulting from the use of smart home technology. Overall, respondents were unconvinced that their privacy and security would not be at risk when using such technology. Other survey results highlighted trends in smart home technology adoption based on gender, age, and education level. This article continues to discuss findings from the study of trust in smart home technologies' security and privacy.

Science Daily reports "Consumers Don't Fully Trust Smart Home Technologies"