Cyber Pulse: Edition 47

4 January 2019

Lloyd's of London Denies Hack Claims, As 9/11 Docs Posted Online

Lloyd's of London denied it has been hacked after confidential litigation documents belonging to the leading insurance platform were posted online by a figure calling themselves 'The Dark Overlord'. A sample cache of confidential documents, including some linked to the September 11 2001 terrorist attacks, was posted on the Pastebin site on New Year's Eve along with threats, and demands to pay a Bitcoin ransom. A Lloyd's spokesperson told Computer Business Review in an emailed statement: 'Lloyd's has no evidence to suggest that the Corporation's networks and systems have been compromised by the hacker group.' It is understood the documents the hackers have shown so far were stolen during the hack of a specialist law firm in the United States last April. The incident is understood to be being treated by Lloyd's of London as a fresh extortion attempt, rather than a fresh hack. The specialist insurance market added: 'We remain vigilant with a number of protections in place to ensure the security and safety of data and information held by the Corporation.' The spokesman added: 'Lloyd's will continue to monitor the situation closely, including working with managing agents targeted by the hacker group.' The incident is understood to be being treated by Lloyd's of London as a fresh extortion attempt, rather than a fresh hack. The specialist insurance market added: 'We remain vigilant with a number of protections in place to ensure the security and safety of data and information held by the Corporation.' The spokesman added: 'Lloyd's will continue to monitor the situation closely, including working with managing agents targeted by the hacker group.'

New Android malware hit more than 100,000 users in 196 countries

Researchers spotted a new Android malware hidden behind six different Android applications that were available for download in Google Play. The six apps include Flappy Birr Dog, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and HZPermis Pro Arabe. Out of these six apps, five have been removed from Google Play since February 2018. However, these applications have been downloaded at least 100,000 times by users across 196 countries with the majority of victims residing in India. The affected countries include India, Russia, Pakistan, Bangladesh, Indonesia, Brazil, Egypt, Ukraine, Turkey, United States, Sri Lanka, Italy, Germany, Saudi Arabia, United Kingdom and more. Researchers from TrendMicro detected spyware dubbed as ANDROIDOS_MOBSTSPY which is capable of stealing information such as user location, call logs, SMS conversations, and clipboard items. The malware uses Firebase cloud messaging to send information to its C2 server. Once the malicious application is installed and launched, the malware first checks for the device's network availability. The malware then reads and parses an XML configuration file from its C2 server. Then, the malware collects device information such as the language used, its registered country, package name, device manufacturer, and more. It then sends the collected information to its C2 server. Once executed, the malware waits and then performs the command received from its C2 server. The malware can steal call logs, SMS conversations, contact lists, user location etc based on the command it received from its C2 server.

Popular Mac Clean-Up Software Ridden With Flaws That Allow Local Root Access

A passel of privilege-escalation vulnerabilities in MacPaw's CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways. CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 earlier versions of the software, all of them in the package's helper protocol. 'The application is able to scan the system and user directories, looking for unused and leftover files and applications,' explained Cisco in the advisory, issued Wednesday. 'The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.' As such, the helper functions run as root functions; the flaws arise from the act that they can be accessed by applications without validation - thus giving those applications root access. Users should update to CleanMyMac X version 4.2.0, which patches the flaws. Three flaws allow attackers to cross a privilege boundary and delete files from the root file system: The 'removeItemAtPath' function (CVE-2018-4034); the 'truncateFileAtPath' function (CVE-2018-4035); and the 'removeKextAtPath' function (CVE-2018-4036). Other helper protocol functions allow a non-root user to delete the main log data from the system: CVE-2018-4037 exists in the 'removeDiagnosticsLogs' function; CVE-2018-4041 exists in the 'enableLaunchdAgentAtPath' function; and CVE-2018-4042 is present in the 'removeLaunchdAgentAtPath' function.

Skype vulnerability allows you to bypass Android's phone lock

Skype's Android app has a new vulnerability that could allow criminals to access the contacts, gallery, and even browser windows by bypassing Android's phone passcode screen. Florian Kunushevci, a bug hunter discovered this vulnerability and reported it to Microsoft. Explaining the flaw, he said that this flaw allows anyone possessing someone's phone to receive a Skype call and answer it without unlocking the phone. Once the person picks up the call, they can go to the gallery, access contacts, type and send a message, and access the browser by clicking on the links sent in the message. Such a flaw could allow criminals or pranksters to access a lot of private data on the phone without having to unlock it with the passcode. The flaw is demonstrated in this video shared on YouTube. Akin told The Register, 'For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes'. The researcher informed Microsoft of the bug in the Skype app and waited before going public until the issue was fixed in the version of Skype released on December 23, 2018. It is to be noted that this vulnerability affects Skype on all Android versions. All builds of the Skype app with a version number over 8.15.0.416 for different Android versions include the patch for this bug. Meanwhile, Microsoft has not issued any official comment on the matter.

TripAdvisor, MyFitnessPal among 21 popular apps secretly share users' data with Facebook

At least 21 out of 34 popular apps have been found collecting and sharing sensitive data with Facebook without users' permission. To make it worse, these apps were even sharing the data of those users who do not have a Facebook account. Privacy International, a UK-based campaign group, conducted a review of 34 popular Android apps and found that at least 21 apps - 61 percent - were collecting personal information from users as soon as they opened an account. These apps include the name of MyFitnessPal, Duolingo, Family Location GPS Tracker, Kayak, Muslim Pro, MyTalkingTom, Shazam, Period Tracker Clue, Spotify, Yelp, TripAdvisor, Qibla Connect, VK, and Turbo Cleaner. Once the apps are installed on a user's device, it initiates the Facebook Software Development Kit (SDK) in the background. This lets the Facebook know the name of the app being used by the user along with other details such as the number of times it was opened by the user, the device information, and the screen resolution. The apps were found sharing a variety of details with Facebook. This includes Google Advertising IDs, genders, interests, religion, health, routines and behaviors of users. 'For example, an individual who has installed the following apps that we have tested, Qibla Connect, Period Tracker Clue, Indeed, My Talking Tom, could be potentially profiled as likely female, Muslim, jobseeker and parent,' said Privacy International, the Daily Mail reported. The report highlighted that some apps such as Kayak were sending users' travel details which includes departure/arrival dates, city and airport names as well as the class of tickets. In a response to Privacy International, Facebook has said that it did not add the option to disable the transmission of the 'SDK initialized' data before June. However, it has now removed such signals from the SDK. 'Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging,' Facebook told Privacy International in an email, Mashable India reported. Facebook is also planning to implement a suite of changes to address Privacy International's privacy-related concern.

Hacker posts ransom demand on Dublin's Luas tram system site

The website of Luas, the tram system in Dublin, Ireland, was hacked on January 3, 2019, by attackers who also claimed to have gained access to the customers' private data stored in the system. The attackers hacked the website and published a malicious message on the website threatening to expose customers' private data thereby demanding one bitcoin as ransom. Upon learning about the incident, Luas warned its customers in a Twitter post not to access its website due to an ongoing issue. 'Due to an ongoing issue, please do not click onto the Luas website. We currently have technicians working on the issue. We will be using this forum only for travel updates should the need arise,' the Tweet read. Attackers have hacked the website of Luas, Dublin's tram system and published a malicious note on the website demanding one bitcoin as ransom within 5 days. If the ransom demand is not met, the attacker threatened to leak all private data of customers and send emails to customers. The attacker also attached his bitcoin address in the message. As per the report by ZDNet, the malicious message read as follows: 'You are hacked. Some time ago I wrote that you have serious security holes, you didn't reply. The next time someone talks to you, press the reply button. You must pay 1 bitcoin in 5 days otherwise I will publish all data and send emails to your users. btc address: 3FsR4CTUmumBJK12Zk8QRwdpPTJEY11aSX' Later, Luas tweeted that its website was compromised. 'The Luas website was compromised this morning, and a malicious message was put on the home page. The website has been taken down by the IT company who manage it, and their technicians are working on it. Luas are informed this may take the day to resolve,' the tweet read. However, the bitcoin address provided by the attacker has not received any funds yet, which means Luas has not paid the ransom.

New version of NRSMiner found leveraging EternalBlue exploit kit for propagation

An updated version of NRSMiner cryptocurrency mining malware has been spotted targeting vulnerable systems. The malware uses the EternalBlue exploit kit for propagation. According to a detailed report from a cybersecurity firm F-Secure, Vietnam is highly affected by the new version of NRSMiner. The latest variant of the malware can propagate into a system in two ways. The first method includes the download of the updater module onto a system that was earlier infected with a previous version of NRSMiner. The second method involves the use of unpatched systems. The miner looks out for the systems that are not patched with the security update MS17-010. The new version of NRSMiner uses the XMRig Monero CPU miner to generate units of the Monero cryptocurrency. Apart for being used for mining currencies, the malware can download updated modules and delete the files and services installed by its previous versions. Disable SMBv1 to reduce the attack surface. Installing MS17-010 security update is also recommended to address the flaws in SMBv1. Moreover, you can configure your firewall to block the in-and-outbound traffic - of port number 445 - from spreading within the local network.

FBI, UK's National Crime Agency and the Dutch national police force seized control of 15 DDoS-for-hire services websites

The FBI has seized control of 15 websites that let people pay to knock individuals and other sites offline. The so-called booters sought to swamp targets with huge amounts of data in what are known as distributed-denial-of-service (DDoS) attacks. Three US men have been charged with allegedly offering DDoS services. 'DDoS-for-hire services such as these pose a significant national threat,' US Attorney for Alaska Bryan Schroder said in a statement. The FBI says more than 200,000 attacks have been launched via just one booter site. The Department of Justice said David Bukoski, from Alaska, and Matthew Gatrel and Juan Martinez, from California, had been charged in connection with the booter services, Customers could use the sites to pick targets and then pay to have the domain, web business or individual taken offline. Generally, the bigger the payment, the more data traffic was pointed at a target. Banks, large corporations, web retailers, government agencies and many others have been hit by DDoS attacks over the past few years.The services advertised their ability to find individuals' net addresses so the data barrages could be tightly targeted. Also, many people have turned to booter services to punish others who have beaten them in online games. The FBI had help from the UK's National Crime Agency and the Dutch national police force, as well as tech firms Cloudflare, Flashpoint and Google, when investigating who was behind the 15 domains. In April 2018, Europol took down a similar booter site called Webstresser.org that was believed to have launched more than four million cyber-attacks around the world. Six people allegedly part of the gang behind the site were arrested and computers seized in the UK and the Netherlands.

Security firms hacked High-profile Twitter accounts to highlight security risk

Insinia Security hacked several high-profile Twitter accounts in order to publicize Twitter's vulnerability. The vulnerability could allow attackers to send messages from accounts they do not control, just by knowing a person's phone number. Insinia has repeatedly warned Twitter to fix the issue saying the vulnerability could be exploited to send fake news or spread disinformation. Additionally, the vulnerability could also be used by attackers to send direct messages to trusted contacts in the victim's network tricking them into clicking links that will install advanced malware to remotely control devices. Insinia Security hacked several high-profile Twitter accounts to highlight security vulnerability in the social media network. Insinia's spoofed messages read: 'This account has been temporarily hijacked by Insinia Security'. Inisina explained in its blog that it had managed to inject its messages onto the targeted victims' accounts by analyzing the way Twitter interacted with smartphones when messages are sent. The security firm revealed that knowledge about the process, coupled with publicly available information on Twitter's text message policies and a target's phone number allowed them to post messages that appeared to come from the account's real owner. Mike Godfrey, chief executive of Insinia, said his firm had only 'passive interaction' with the Twitter accounts it targeted and denied it had broken the law. 'We have not had access to any Twitter account and have not seen any of their direct messages. Nothing has been maliciously hacked,' Godfrey told the BBC. 'There's nothing unethical or irresponsible about what we did,' Godfrey added. Further, Insinia Security recommends users to remove their phone number from their Twitter accounts as a precaution. Due to its unconventional method, Insinia Security is facing some flak from the security community and the affected account owners for its attempt to highlight Twitter's security issue. Travel journalist Calder confirmed to the BBC that the attack had been done without his permission and described it as a 'tedious' and 'annoying' experience that had left him feeling unimpressed.

PayPal phishing scam posted as a promoted tweet on Twitter

On 1 January 2019, a PayPal phishing scam was posted in Twitter as a promoted tweet targeting users' financial data through a lucky draw scam. The scam said, to be in with a chance of winning, you must log in to your accounts and verify your details. The phishing scam from @PayPalChristm promoted a new year sweepstake event. While it didn't explicitly say what the prizes were, the poster holds images of a new car and an iPhone.The phishing scam left behind few minor clues that confirmed it to be a fake scam. Mathew Hughes, a journalist from Liverpool, England logged in with fake login credentials. Upon login, the page redirected to another legitimate looking page which asked to confirm payment card details such as debit/credit card holder name, card number, card expiry date, CSC number, and billing address. This confirms that the PayPal phishing scam is not just keen on accessing PayPal accounts but also aims in targeting victims' financial details and sensitive information. This kind of scams are becoming popular and are using promoted tweets as a part of their campaigns.

Vulnerability in Guardzilla's indoor surveillance system is exposing users' recordings

Researchers spotted a vulnerability in Guardzilla's indoor surveillance system. Researchers say that the vulnerability could allow attackers to access users' stored files or videos. The bug was discovered during the 0DAYALLDAY research event at the end of September and was reported to Guardzilla the following month. The researchers confirmed that the security flaw in the smart home security system was caused due to a firmware issue. Researchers from Rapid7 spotted a vulnerability in Guardzilla's home security video camera. They discovered that all of the security cameras use the same hardcoded keys and that it was easy for the attackers to hack passwords by exploiting the bug. Guardzilla used an Amazon S3 bucket to store customer data that was captured by their security cameras. Researchers noted that accessing these S3 storage credentials is trivial for a moderately skilled hacker. They also said that the vulnerability in Guardzilla's wireless security surveillance system could allow attackers to access and view any other user's video footage, downloaded from their account. 'We've tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,' said Tod Beardsley, Research Director at Rapid7. 'They could update the keys and update the firmware, but that just means they'll be rediscovered again by the same techniques. The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts,' Beardsley told TechCrunch.

Popsugar's Twinning app was found exposing users' uploaded photos

Popsugar's Twinning app is a photo-matching tool which compares users' uploaded photos with celebrities photos and gives a twinning percentage for top five look-alikes. The results can also be shared on Facebook and Twitter. It is to be noted that hundreds of users' uploaded photos were found to be leaked in Google's search results even before the users shared it on Facebook or Twitter. The users who uploaded their photos or selfies to the Twinning app were found to be easily accessible. The uploaded photos are stored in a storage bucket and the web address of the storage bucket is found in the code of the Twinning app's website thereby exposing users' uploaded photos. All the photos and selfies uploaded on the Popsugar's Twinning app were stored on a storage bucket hosted by Amazon Web Services. The web address of the storage bucket could be found in the code of the Twinning app's website. Researchers noted the storage bucket to be locked down in some time. However, Mike Patnode, Vice President of engineering at Popsugar confirmed in an email to Techcrunch that 'the bucket permissions weren't set up correctly.' Threat actors often take advantage of viral mobile app trends to create malicious apps which steal user data or inject malware into their devices. In May 2018, a set of photo editor apps were found to be hiding malware. Such cases are unfortunately quite frequent. In order to stay secure, it is always recommended to be cautious when using free apps such as quiz, games, photo editor tool etc. as to what information you provide and what access permissions you grant to such apps.

Windows' latest zero-day vulnerability could allow hackers to overwrite 'pci.sys' file

A new zero-day vulnerability in the Windows operating system has been discovered recently. This is the fourth Windows zero-day discovered in last five months and it could allow attackers to overwrite a targeted file with random data.The exploit code of the vulnerability is published on GitHub by a security researcher who goes by the name of SandboxEscaper. By running the Proof-of-Concept (PoC), the researcher had managed to overwrite 'pci.sys' - by collecting software and hardware problems through the Windows Error Reporting (WER) event-based feedback infrastructure. 'Pci.sys' is a system component that helps in correctly booting the operating system. The exploit code published on GitHub works with some limitations. The researcher said that zero-day vulnerability discovered does not affect the CPU and that it takes a while to produce an effect on targeted systems. Explaining the reason behind this delay, SandboxEscaper said the bug relies on a race condition and other operations for the executing an attack. The impact of the vulnerability was confirmed by Will Dorman, a vulnerability analyst at CERT/CC, after he was able to reproduce the bug on a Windows 10 system - build 17134. Since the target is 'pci.sys', SandboxEscaper highlights that the vulnerability can further be used to conduct a denial-of-service attack on a machine. It can also be used to disable third-party AV software. SandboxEscaper has informed Microsoft Security Response Center(MSRC) about the new bug. This is the second bug discovered by the researcher in this month. On December 19, SandboxEscaper had published a PoC of third zero-day vulnerability that could allow hackers to read protected files.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Useful links

Cyber Pulse: Edition 46

Cyber Pulse: Edition 45

Cyber Pulse: Edition 44

Cyber Pulse: Edition 43

Cyber Pulse: Edition 42

Cyber Pulse: Edition 41

Cyber Pulse: Edition 40

Cyber Pulse: Edition 39

Cyber Pulse: Edition 38

Cyber Pulse: Edition 37