Month: November 2019

Earlier this week Spanish security firm Prosegur shut down its network after its systems were hit by a ransomware infection.

The first reports that the company – which employs 170,000 staff worldwide, and operates a fleet of 10,000 armoured security vehicles transporting cash between banks, ATMs, and retailers – had suffered a serious security breach emerged in the early hours of Wednesday 27 November.

By the afternoon the company had reportedly sent employees home, and confirmed via its Twitter account that the disruption had been caused by the Ryuk ransomware, and that it had taken its network offline as a “preventative measure” while it worked on restoring affected systems.

For a while visitors to the Prosegur website were greeted by an upbeat message explaining that its online presence would be restored soon.

The Ryuk ransomware was blamed for almost single-handedly increasing cryptocurrency payments made to cybercriminals by almost 90% in the first quarter of 2019.

Although Prosegur has not released any technical details of how it came to be infected by the Ryuk ransomware, it is not unusual for attacks to be launched against targeted organisations via malicious emails.

Recent victims of the Ryuk ransomware have included three hospitals in Alabama, which were forced to turn away non-critical patients and ambulances.

Earlier this month, security reporter Brian Krebs revealed that 110 nursing homes in the United States were unable to access health records due to a Ryuk ransomware attack.

To its credit, Prosegur used its social media presence to keep customers updated about the security incident, and its progress in recovering from the attack.

Security researcher Kevin Beaumont noted, however, that Prosegur’s customers were less than happy that the system outage had impacted their own alarm systems which were failing to connect with Prosegur’s monitoring systems.

Prosegur’s website is now back online. Lets hope that Prosegur is able to fully recover the rest of its systems safely and securely, and share more technical information with the community about what occurred so others might be better defended in future.

A
confidential report from the Netherlands’ National Cyber ​​Security Center
warns that ransomware operators are targeting at least 1,800 large
organizations worldwide in industries such as construction, chemical, healthcare,
food, entertainment and critical infrastructure (energy, water, utilities).

The report
says three ransomware strains are used in attacks worldwide, including many
targeting the Netherlands. Those are LockerGoga, MegaCortex and Ryuk, which have
gained notoriety over the past year in attacks on large infrastructures with
high annual turnover rates.

The NCSC said
it has only identified 1,800 victims, but the actual number of targeted
organizations could be much higher.

“Dutch
branches of multinationals have also been hit, including those of an American
chemical company. Moreover, that company is an important supplier of critical
infrastructure in the Netherlands. This includes, among other things, drinking
water, internet access and energy,” according to Dutch television channel NOS, which obtained
a copy of the NCSC report.

“We
conducted this investigation following disruptive ransomware attacks
abroad,” a spokesperson for the NCSC said, adding that the ransomware
campaign likely started in July last year.

Investigators
found evidence that “a professional criminal organization” is carrying out most
of the attacks, in an organized fashion. One group handles penetration efforts
while another deploys the malware, according to an example offered by the
government-operated cyber division. The NCSC warns that more government
institutions and critical infrastructures are likely in the attackers’
crosshairs, adding that organizations worldwide are not taking basic measures against ransomware infection.

As readers recall,
LockerGoga has been used in several
ransomware attacks against critical infrastructures this year, including the Norsk Hydro incident in Norway, the hit on Altran Technologies, and a subsequent attack on two chemicals companies in the United
States.

Ryuk has been used in attacks on government, education and healthcare
institutions and is designed
to infect these kinds of infrastructures.

The MegaCortex strain is a cyber Swiss army knife that encrypts files, changes the
user’s password and threatens to publish the victim’s files if they fail to pay
the ransom.

Twitter and Facebook developers found that a couple of software
development kits (SDKs) from third-party sources accessed private user data
outside of their purview, without the user’s knowledge and consent.

Twitter was the first to inform users of a malicious SDK
from oneAudience, explaining that its developers could exploit a vulnerability
in the mobile ecosystem to access personal data such as emails, usernames and
last Tweets.

The role of SDKs is to gather usage data, which is then
used by data monetization companies for advertisement purposes. In fact,
developers are paid to implement such SDKs into their apps.

“While we have no evidence to suggest that this was used
to take control of a Twitter account, it is possible that a person could do
so,” said Twitter in an official
communique. “We have evidence that this SDK was used to access people’s
personal data for at least some Twitter account holders using Android, however,
we have no evidence that the iOS version of this malicious SDK targeted people
who use Twitter for iOS.”

The issue arose when some apps using this SDK were
authorized to access Twitter accounts. Unfortunately, users can do nothing about
it, besides checking which apps have permission to access Twitter.

According to a CNBC report,
Facebook had the same issue with OneAudience and a second company, by the name
of Mobiburn. Facebook sent a cease and desist letter to both companies, and
removed all apps using these SDKs from their platform.

Both companies said the data collected by their SDKs was
not used for nefarious purposes and wasn’t sold or used in any way.

Personal data for 1.2 billion people was discovered in an
open Elasticsearch server. It’s unclear who owned the server, how the data got there,
who had access to it, and how long sat in the open, free for anyone to access.

The more than 4 terabytes of data was discovered by
security researchers from Data Viper. Unlike other troves, this simple database
didn’t hold user names and passwords, but personal data, such as names, email
addresses, phone numbers, LinkedIn, and Facebook profiles, scrapped off the
Internet.

This type of information is collected online from social
media accounts that allow public access, and it seems that there’s no shortage
of people who don’t know that the whole world has access to their data, which
most of the time includes stuff you wouldn’t knowingly give strangers.

“For a very low price, data enrichment companies
allow you to take a single piece of information on a person (such as a name or
email address), and expand (or enrich) that user profile to include hundreds of
additional new data points of information,” says
security researcher Vinny Troia. “Collected information on a single person
can include information such as household sizes, finances and income, political
and religious preferences, and even a person’s preferred social
activities.”

It turned out that few companies provide data
“enrichment” as a service, and most of the data found in the Elasticsearch
server was identified as belonging to People Data Labs (PDL). One interesting point
is that the PDL data contains education histories, which the mystery server
doesn’t list.

Finally, since PDL denies suffering a breach, it’s
challenging to find someone accountable. The open Elasticsearch server doesn’t
seem to have any link to PDL, and Google Cloud hosted the information. This
also means it’s impossible to know, without a court order, who set it up. The
FBI and other law agencies won’t get involved unless a crime was committed, and
technically that’s not the case, at least not yet.

Police in California have arrested a man accused of being
among a group of hackers who found a way to take over Twitter CEO Jack Dorsey’s
Twitter account.

The hacker was allegedly part of a group called The
Chuckling Squad, which claimed responsibility for hacking the accounts of
Dorsey and other high-profile celebrities. The arrest was made a couple of
weeks ago, but it took a while to become public.

The hackers used a method called SIM-swapping, which
doesn’t require high technical expertise. The alleged Chuckling Squad member arrested
is accused of providing the group with numbers for high-profile targets. In the
case of Dorsey, the attackers tricked the mobile carrier into issuing a new SIM
card with the same number.

For 20 minutes, hackers posted anti-Semitic messages on Dorsey’s
account. With access to the phone number logged in the two-factor
authentication solution, resetting the password was easy. At this point, it’s
clear why two-factor authentication with SMS is vulnerable to attacks.

“He was a member of Chuckling Squad but not anymore.
He was an active member for us by providing celebs/public figure [phone]
numbers and helped us hack them,” said
Debug, a member of the Chuckling Squad to Vox.

SIM-swapping still works because few people use
two-factor authentication, the ones that have it use SMS codes, and the
call-center operators for mobile networks lack the training and procedures to
identify attackers.

“We applaud the efforts of all the law enforcement
agencies involved in this arrest,” said the Santa Clara County District
Attorney’s Office for Vox. “REACT (Regional Enforcement Allied Computer
Team) continues to work with and assist our law enforcement partners in any way
we can. We hope this arrest serves as a reminder to the public that people who
engage in these crimes will be caught, arrested and prosecuted.”

Hackers have once again successfully compromised the website of Chinese phone manufacturer OnePlus.

Back in January 2018 it was revealed that the credit card details of some 40,000 people using the OnePlus website had been stolen by hackers. On that occasion the attackers managed to inject a malicious script into an payment webpage that skimmed card data as it was entered by customers.

At the time OnePlus said it was conducting an indepth security audit of its systems.

The latest security incident, detailed by OnePlus in an FAQ on its website, isn’t as serious as the payment card breach – but could still lead to customers being put at risk by fraudsters and online criminals.

The cellphone manufacturer has confirmed that customers’ names, contact numbers, email addresses and shipping details have been accessed by an unauthorised party via a vulnerability on its website.

Fortunately, payment information and passwords have not been compromised.

OnePlus has not revealed just how many customers have been impacted by the data breach, but says that all affected users have been sent an email notifying them of the security incident.

Of course, even if your passwords and payment details haven’t been exposed in this latest hack – that doesn’t mean that users have nothing to worry about.

Online criminals could abuse users’ names and contact details to launch phishing attacks, spread spam, or even attempt to commit fraud over the telephone.

Of course, the challenge for affected users is that – unlike passwords – details such as your name and contact details can not be easily changed.

Customers are being advised to contact OnePlus’s support team for assistance if they have any concerns.

According to the company it has since patched the vulnerable website, and checked it for similar security flaws:

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December.”

No details have been shared of the nature of the website vulnerability which allowed the hackers to access customer data, but OnePlus must realise that the patience of customers is not limited – and for a second serious security breach to have occurred in a relatively short period of time will have done nothing to strengthen users’ trust in the brand.

More transparency about what has occurred and how, combined with strengthened security, would go a long way to reassure customers who must be feeling rattled by this latest incident.

OnePlus says it has informed the authorities about the data breach and is working with the police to further investigate who might be responsible for the attack.

Google has announced a significant expansion of its Android
Security Rewards (ASR) program, which is used to reward security researchers
who manage to find vulnerabilities in the companies’ various products.

A top prize of $1 million is now on the table for any
security researcher who can compromise the Titan M secure element on Pixel
devices with a full chain remote code execution exploit. While the prize is already
impressive, Google added a 50% bonus if the researcher manages to identify
exploits on upcoming versions of the Android operating system.

Phones can be compromised in multiple ways, and not all
exploits or vulnerabilities relate to the core of the OS or to the Titam M
chip. Google will also offer rewards up to $500,000, depending on the
discovery, for data exfiltration and lockscreen bypass.

“In 2019, Gartner rated the Pixel 3 with Titan M as
having the most ‘strong’ ratings in the built-in security section out of all
devices evaluated,” said Jessica Lin from the Android Security Team.

“This is why we’ve created a dedicated prize to reward
researchers for exploits found to circumvent the secure elements protections.”

The Android Security Rewards (ASR) program has been highly lucrative in the past, and Google has paid over $1.5 million in the past year alone. In total, over 100 security researchers earned an average of $3,800 per finding. The top reward paid in 2019 was $161,337, which only underlines the massive increase in the payment system.

A phishing campaign emulating the US Internal Revenue
Service (IRS) to target more than 100,000 people world-wide was identified and
tracked by CDN (cloud delivery network) and cloud service Akamai.

The campaign, involving 289 domains and 832 URLs,
remained active for 47 days, and it started unusually early, in August 2019,
according to Akamai.

Phishing campaigns that emulate the IRS usually pop up
each year during tax season, which generally lasts from October to January the
next year. But the volatile nature of political stress points and often changes
to tax law encourage such phishing campaigns to appear all year round.

“By analyzing the activity of the IRS phishing domains,
we see the majority of them were active for fewer than 20 days (out of the 47
days that were monitored),” says
Akamai. “Yet, a significant number of domains were active even after one month.
The lack of maintenance on legacy websites, as well as the challenges of
patching and removing injected content, explains the duration over which
phishing pages can remain active.”

One issue, as the researchers underlined, is that many of
these fake IRS pages are hosted on legitimate domains, which were hacked.
Legacy websites that are not maintained are the prime targets for attackers who
use these platforms to gain credibility.

As usual, the best protection against phishing campaigns
and websites, besides a security solution, is to pay attention to suspicious
emails and links. The most important thing Internet users need to know is that neither
the IRS nor any other government and private institution will ever ask for
personal details or sensitive financial data. Always be wary when such
information is requested.

Personal details belonging to approximatively 2.2 million user accounts from GateHub and EpicBot were leaked online, according to Troy Hunt, creator of the Have I Been Pwned? Data breach search website.

The websites of GateHub, a cryptocurrency wallet service,
and EpicBot, a RuneScape bot service, were compromised sometime this year. It’s
difficult to say when the incidents happened precisely, but there’s a bit of
good news as well. Both websites were using bcrypt, a password hashing function
that can prevent bad actors from reading the actual data, or at least delay
them for a very long time.

According to an Ars Technica report, the hackers took wallet hashes, mnemonic phrases, and two-factor authentication keys for 1.4 million accounts from the cryptocurrency wallet GateHub. The EpicBot hack was a little bit smaller, with 800,000 accounts leaked, including usernames, IP addresses, and encrypted passwords.

Of the two services, only GateHub admitted to being
hacked, but when they initially announced it back in August, they only
mentioned around 18,000 being compromised.

“On affected accounts, the following data was being
targeted: email addresses hashed passwords, hashed recovery keys, encrypted XRP
ledger wallets secret keys (non-deleted wallets only), first names (if
provided), last names (if provided),” GateHub said a few months ago.

While it’s good that the services encrypted some of the
data, even leaking user names is a problem. Many people have the same user
names and passwords for multiple online accounts, and other websites might not take
care to encrypt their data. Matching user names from multiple leaks is not difficult.

GateHub sent notices telling users to change their
passwords when the breach was announced, but if you didn’t change your password
then, you should do it now. More importantly, users should consider changing
their mnemonic phrases.

For EpicBot, things are a little bit more complicated
since the people running the bot service have yet to acknowledge any intrusion,
which means that they haven’t notified their users. So, if you have an EpicBot
account, you need to change your password now.

The website of the Monero open-source cryptocurrency was
compromised, and some users downloaded a modified binary that contained malware
designed to steal funds from people’s wallets.

When a Linux user downloaded the latest Monero binary
from the website, he did something that we should all do whenever we download a
file. He compared the SHA256 secure hash algorithm of the downloaded file to
the one listed on the website and noticed a difference. It turned out the
website was compromised, and a modified binary was offered to users.

One of the MD5 or SHA256 hash roles is to help people
compare the download files with those on the server. A different hash could signal
a problem with your system’s RAM but also show you’ve downloaded a different
file than the original.

In the case of Monero, hackers had compromised the
official website and download servers and replaced the file with their own
version, laced with malware used to transfer funds from people’s wallets.

“Some users noticed the hash of the binaries they
downloaded did not match the expected one:
https://github.com/monero-project/monero/issues/6151

It appears the box has been indeed compromised and
different CLI binaries served for 35 minutes. Downloads are now served from a
safe fallback source. Always check the integrity of the binaries you download!”
said the developers on Reddit.

“If you downloaded binaries in the last 24h, and did not
check the integrity of the files, do it immediately. If the hashes do not
match, do NOT run what you downloaded. If you have already run them, transfer
the funds out of all wallets that you opened with the (probably malicious)
executables immediately, using a safe version of the Monero wallet (the one
online as we speak is safe — but check the hashes).”

The investigation has so far only revealed that the
binary had a simple coin stealer, but the developers are still working on
determining how the breach occurred.