
Showing posts with label CERT.

Facebook: "Is that you?" 500,000 People Were Victims of this Phishing Scam

 

Facebook has long been a favourite hunting ground for cybercriminals who prey on less wary members of the internet community. Cybernews has been researching one very widespread fraud known as "Is that you?". It is a video phishing scam: the attacker sends a link to a supposed video in which the victim appears. Clicking the link leads to a fake login page, and the trouble begins as soon as the victim enters personal information and their credentials, which go straight to the attacker.

The researchers' diligence paid off when fellow investigator Aidan Raney, who had first contacted them after the original findings were published, warned them that malicious links were again being sent to users. Further investigation found that thousands of these phishing links had been circulated through a network spanning the social media platform's back channels. Left unchecked, hundreds of thousands of users could fall prey to them: the "Is That You?" scam was estimated to have ensnared half a million victims before researchers uncovered it.

Raney explained, "I worked out what servers did what, where code was hosted, and how I might identify additional servers." "I then used this information, as well as urlscan.io, to seek for more phishing sites with similar features to this one." 

A closer examination of the servers behind the phishing links revealed a page that was transmitting harvested credentials to devsbrp.app. A banner believed to belong to a control panel carried the wording "panelfps by braunnypr". A second keyword search led the team straight to the designer of the panel and banner, whose email address and password variations were also identified, neatly turning the tables on fraudsters who prey on web users' credentials.

Using the threat actor's personal details, Cybernews gained access to a website that proved to be the command and control hub for most of the phishing attacks linked to the gang, which is known to include at least five threat actors and may have many more. This gave the investigators a wealth of information about the people behind the Facebook phishing scam, including their likely country of residence: the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities with as many people on the list as we could using the usernames on the list, but there is still more work to be done." The researchers passed the relevant information to the Dominican Republic's Computer Emergency Response Team (CERT), as the evidence suggested the campaign had originated there as well.

Millions of Loan Applicants' Data Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, published details of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information came primarily from people who had applied for microloans in Ukraine, Kazakhstan, and Russia.

The server was found by chance on December 5th, 2021, while the team was monitoring specific IP address ranges. Because it had no authentication configured, anyone who could reach its port could query the data with ordinary HTTP requests; more than 870 million records, about 147 GB of data, were exposed in this way.
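The misconfiguration behind this kind of exposure is usually visible in elasticsearch.yml: the node listens on every interface while X-Pack security is off. The following is an added example (not SafetyDetectives' tooling or Elastic's code) that audits a config file for exactly that combination and, separately, probes a live node the way a scanner would. It assumes the flat dotted `key: value` form of elasticsearch.yml, treats a missing `xpack.security.enabled` as "off" (the 7.x default at the time of this incident; 8.x turns security on by default), and the sample configs below are constructed for illustration.

```python
import urllib.error
import urllib.request
from typing import Dict, List

# Special network.host values that keep Elasticsearch on the loopback interface.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read the dotted `key: value` lines Elasticsearch accepts in elasticsearch.yml.

    Comments and blank lines are dropped; nested YAML blocks are not handled,
    so flatten them to dotted keys before auditing (assumption of this example).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_exposed_bind(host: str) -> bool:
    """True when any address listed in network.host is not a loopback value."""
    return any(h.strip() not in LOOPBACK for h in host.strip("[]").split(","))


def audit(config_text: str) -> List[str]:
    """Return findings for the exposure pattern described in the story."""
    s = parse_flat_yaml(config_text)
    findings: List[str] = []
    # Assumption: unset means off, matching the 7.x default.
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    bind = s.get("network.host", "_local_")  # Elasticsearch's own default is loopback only
    port = s.get("http.port", "9200")
    if not security_on:
        findings.append("xpack.security.enabled is not true: the REST API accepts requests without credentials")
    if is_exposed_bind(bind) and not security_on:
        findings.append(f"network.host={bind} with security off: every index is readable and writable by anyone who can reach TCP/{port}")
    if security_on and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("security is on but HTTP TLS is off: basic-auth credentials cross the network in clear text")
    return findings


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Network-side check: does /_cluster/health answer without credentials?"""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/_cluster/health", timeout=timeout) as resp:
            return "open" if resp.status == 200 else f"status {resp.status}"
    except urllib.error.HTTPError as err:
        return "auth required" if err.code == 401 else f"status {err.code}"


# Constructed elasticsearch.yml of the kind that produces an open server.
WEAK_CONFIG = """
cluster.name: loan-app-logs
node.name: node-1
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # no users, no roles, no TLS
"""

# The same node with the settings that close the hole (constructed).
HARDENED_CONFIG = """
cluster.name: loan-app-logs
node.name: node-1
network.host: 127.0.0.1        # reachable only via a local reverse proxy or SSH tunnel
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
    # probe("http://203.0.113.10:9200") would return "open" against a node like the one in the story.
```

`audit` reports the two findings for the weak file and nothing for the hardened one. Binding to loopback is not a substitute for authentication; the hardened file does both, because a single port-forward or proxy misconfiguration would otherwise reopen the server.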

SafetyDetectives could not identify the server's owner. It stored customer logs from a variety of microloan providers' websites; most of these, however, were not financial services such as lenders or banks but third-party intermediaries that sit between the loan firm and the applicant. Because most of the data in the logs was in Russian, the researchers concluded that the server belongs to a Russian company.

According to the SafetyDetectives researchers, the leak exposed several kinds of personally identifiable information (PII) and sensitive user data, including details from users' "internal passports". Internal passports serve as national ID documents in Russia and Ukraine and are valid only within the country's borders.

The internal passport details found in the exposed data include full name (first, middle and patronymic), gender, date of birth, marital status, location and physical address, as well as passport number, serial number, issuing authority, and issue and expiry dates. Some of the disclosed information, including cities, names, addresses and issuing authorities, was written in Cyrillic script.

The exposure is estimated to affect around 10 million people. Most taxpayer identification numbers (INNs) belonged to Ukrainians, but a number of server logs and passport numbers belonged to Russians. The server was hosted in Amsterdam, in the Netherlands.

SafetyDetectives contacted the Russian CERT on December 14th, 2021, and the Dutch CERT on December 30th, 2021; both declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the incident could have far-reaching consequences.

New Zealand Banks and Post Offices Hit by a Cyber Attack

 

On Wednesday, the websites of several financial institutions in New Zealand, as well as the country's national postal service, were temporarily unavailable due to a cyber attack, officials said. The country's Computer Emergency Response Team (CERT NZ) reported a DDoS (distributed denial of service) attack targeting a number of organisations in the country.

Minister David Clark, who is in charge of the digital economy and communications, said CERT has informed him that "a number" of organizations have been compromised. “At this time, efforts to ascertain the impact of this incident are ongoing. I won’t get ahead of this process,” Clark said, in a statement. “CERT assures me it is actively engaging with affected parties to understand and monitor the situation.” 

CERT NZ's role is to advise businesses and government agencies on how to respond to and prevent cyber attacks. It also works with other government bodies and law enforcement, including the National Cyber Security Centre (NCSC).

According to local media reports, the New Zealand site of Australia and New Zealand Banking Group (ANZ.AX) and NZ Post were among the websites hit by the attack. ANZ told customers via Facebook that it was aware some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said.

NZ Post said the "intermittent interruptions" on its website were caused by a problem with one of its third-party suppliers. Several Kiwibank customers took to social media to complain about outages at the smaller bank, which is partly owned by New Zealand Post. In a Twitter post, Kiwibank apologised to customers and said it was working to resolve "intermittent access" to its app, online banking, phone banking, and website.

A DDoS attack floods a website with more traffic than it can handle until it stops responding to legitimate users. While the attacker's identity and motive are unknown in this case, the goal may be to extort a ransom in exchange for stopping the attack. During the 2020 DDoS campaign against the NZX stock exchange, Minister for Intelligence Agencies Andrew Little set out the government's advice: don't pay the ransom.

New Windows and Linux Flaws Give Attackers the Highest System Privileges

 

Two new vulnerabilities, one in Windows and one in Linux, were disclosed on Tuesday. Both allow attackers who already have a foothold on a vulnerable machine to bypass operating system security restrictions and reach protected resources.

Microsoft's Windows 10 and the upcoming Windows 11 have been found to be vulnerable to a new local privilege escalation flaw that gives users with low-level permissions read access to sensitive Windows system files. From those files an attacker can extract the NTLM password hashes of local accounts, decrypt DPAPI-protected keys, and recover the original Windows installation password. The vulnerability has been named "SeriousSAM" (also known as HiveNightmare).

CERT Coordination Center (CERT/CC) stated in a vulnerability note published, "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE)." 

The registry hive files in question are:

c:\Windows\System32\config\sam 
c:\Windows\System32\config\system 
c:\Windows\System32\config\security 

Microsoft acknowledged the vulnerability, which has been assigned the identifier CVE-2021-36934, but has yet to offer a patch or a timeframe for when a fix will be released.

Microsoft's advisory explains, "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Successful exploitation does, however, require that the attacker has already gained a foothold and can execute code on the target machine. It also needs a Volume Shadow Copy (VSS) snapshot of the system drive: the live hive files are held open by the operating system, so a low-privileged user reads the copies inside the snapshot, which carry the same over-permissive ACL. Until a patch is available, CERT/CC advises restricting access to the sam, system, and security files and deleting VSS shadow copies of the system drive; note that deleting shadow copies also affects restore operations, including restores by third-party backup tools.
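A quick way to tell whether a host is affected is to look at the hive ACLs as `icacls` prints them and at whether any shadow copy exists. The following is an added example (not CERT/CC's or Microsoft's tooling) that parses `icacls` and `vssadmin list shadows` output and reports both conditions; the two sample outputs are constructed to match the shape those tools print, the entry `BUILTIN\Users:(I)(RX)` being the tell-tale ACE. The set of non-admin principals and the "read-granting rights" list are this example's assumptions, and the `/inheritance:e` command mentioned in the comments is Microsoft's published workaround, not something this script runs.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Hive files named in the CERT/CC note for CVE-2021-36934.
HIVES = [
    r"C:\Windows\System32\config\SAM",
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Windows\System32\config\SECURITY",
]

# Principals that should never be able to read these hives (assumption of this example).
NON_ADMIN_PRINCIPALS = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone"}

# icacls rights (simple and generic forms) that include reading the file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output: str) -> List[Tuple[str, List[str]]]:
    """Turn `icacls <file>` output into a list of (principal, [flag, ...]).

    icacls prints the file path and the first ACE on one line, the remaining
    ACEs indented below it, then a 'Successfully processed ...' summary.
    """
    aces: List[Tuple[str, List[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if re.match(r"^[A-Za-z]:\\", line):  # first line carries the path
            parts = line.split(" ", 1)        # hive paths contain no spaces
            line = parts[1] if len(parts) == 2 else ""
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), re.findall(r"\(([^)]*)\)", m.group("flags"))))
    return aces


def non_admin_readers(aces: List[Tuple[str, List[str]]]) -> List[str]:
    """Principals from NON_ADMIN_PRINCIPALS that hold a read-granting, non-deny ACE."""
    readers = []
    for principal, flags in aces:
        if "DENY" in flags:  # an explicit deny entry grants nothing
            continue
        if principal in NON_ADMIN_PRINCIPALS and READ_RIGHTS & set(flags):
            readers.append(principal)
    return readers


def count_shadow_copies(vssadmin_output: str) -> int:
    """Count snapshots in `vssadmin list shadows` output (the command needs an elevated shell)."""
    return sum(1 for l in vssadmin_output.splitlines() if l.strip().startswith("Shadow Copy ID:"))


def assess(icacls_outputs: Dict[str, str], vssadmin_output: str):
    """Return (acl_is_permissive, readable_right_now, {path: [principals]}).

    The live hives are locked by the OS, so the over-permissive ACL only
    becomes readable through a VSS snapshot: the ACL is the bug, the
    snapshot is what makes it exploitable today.
    """
    details: Dict[str, List[str]] = {}
    for path, out in icacls_outputs.items():
        readers = non_admin_readers(parse_icacls(out))
        if readers:
            details[path] = readers
    permissive = bool(details)
    return permissive, permissive and count_shadow_copies(vssadmin_output) > 0, details


# Constructed sample in the shape icacls prints on an affected build.
VULNERABLE_SAM = r"""
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample after Microsoft's workaround (icacls %windir%\system32\config\*.* /inheritance:e):
# the BUILTIN\Users entry is gone.
FIXED_SAM = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed `vssadmin list shadows` output with one snapshot of C:.
VSS_ONE = """
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 7/20/2021 9:41:03 AM
      Shadow Copy ID: {66666666-7777-8888-9999-000000000000}
         Original Volume: (C:)
"""


def check_live_host():
    """Run the real tools on this machine (Windows only; vssadmin requires admin)."""
    outs = {p: subprocess.run(["icacls", p], capture_output=True, text=True).stdout for p in HIVES}
    vss = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    return assess(outs, vss)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(check_live_host())
    else:
        print(assess({HIVES[0]: VULNERABLE_SAM}, VSS_ONE))
```

On the constructed samples, `assess` reports the SAM hive as permissive and, because a snapshot exists, readable right now; with the fixed ACL it reports nothing. Run on a real host, the first flag tells you whether to apply the ACL workaround, the second whether to delete shadow copies as well.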

This is also the third publicly documented unpatched issue in Windows since the Patch Tuesday updates of July 13. Besides CVE-2021-36934, two other vulnerabilities in the Print Spooler component have been identified, leading Microsoft to advise users to stop and disable the service to protect their computers from exploitation.

"Sequoia" privilege escalation flaw affects Linux distros:

Patches have been released for a security flaw affecting all Linux kernel versions since 2014 that can be exploited by local users, and by malware already present on a system, to gain root privileges.

The vulnerability, nicknamed "Sequoia" by Qualys researchers, has been assigned the identifier CVE-2021-33909 and affects default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Red Hat Enterprise Linux versions 6, 7, and 8 are also affected.

The vulnerability is a size_t-to-int type conversion flaw in the Linux kernel's seq_file filesystem interface. It allows an unprivileged local attacker to create, mount, and delete a deep directory structure with a total path length of more than 1 GB and, by reading that path back through a seq_file such as /proc/self/mountinfo, to turn the truncated length into an out-of-bounds write and escalate privileges on the vulnerable host. For hosts that cannot be patched immediately, the Qualys advisory lists interim mitigations: set kernel.unprivileged_userns_clone to 0 (a Debian/Ubuntu-specific sysctl) so unprivileged users cannot mount the long directory in a user namespace, kernel.unprivileged_bpf_disabled to 1, and vm.overcommit_memory to 2.

Alongside Sequoia, Qualys also disclosed a stack exhaustion denial-of-service flaw in systemd (CVE-2021-33910) that lets an unprivileged user crash systemd, the init process, and thereby trigger a kernel panic.

United States Tops ITU's Global Cyber Security Index

 

The United Nations International Telecommunication Union (ITU) released its 2020 Global Cyber Security Index on 29th June 2021, which ranked the United States first overall, with the United Kingdom and Saudi Arabia tied for the second position. 

The index rates countries on 82 questions prepared by a team of experts. ITU members are asked to nominate individuals to take part in the process, and the organization conducts desk research on countries that do not participate. Members are then scored on a scale of one to one hundred.

In essence, the higher the score, the more committed a country is to cybersecurity; it is a measure of commitment rather than of how secure a country's systems actually are. The report opens with a piece of good news: the median score in the 2020 index is 9.5 percent higher than in the 2018 edition.

Smaller countries fared well, and there were some notable improvements. Estonia, for instance, came in third place. South Korea, Singapore, and Spain tied for fourth place, while Russia, the United Arab Emirates, and Malaysia shared fifth. Lithuania, Japan, Canada, France, and India made it into the top ten, with India moving from 47th to tenth place.

Another encouraging result is that the number of nations with a national computer incident response team (CIRT) has grown by 11% since 2018, meaning that nearly half of ITU members now have a CIRT or CERT.

Sixty-four percent have a national cybersecurity strategy (NCS), up from 58 percent in the previous edition, and 70 percent ran cybersecurity awareness campaigns in 2020, up from 66 percent.

Thirty-eight nations scored 90% or above. The index also finds that individual training programmes are still needed in several areas.

Despite a predicted global shortfall of half a million cybersecurity specialists by 2021, the report finds that nations are failing to establish sector-specific training: over half of those surveyed have no programmes tailored to specific sectors or professions such as law enforcement, legal practitioners, SMEs, private firms, or government employees.

Indices ranking national cybersecurity are like buses: none for a long time, then two at once — the International Institute for Strategic Studies, a British think tank, presented its own assessment earlier this week, concluding that the United States is the sole cyber superpower.

Tesla Car Hacked Remotely by Drone Via Zero-Click Exploit

 

Two researchers have shown how a Tesla, and possibly other cars, can be hacked remotely without any action by the driver.

Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted the research last year. It was originally intended for the Pwn2Own 2020 hacking competition, which offered a car and other substantial prizes for hacking a Tesla, but the results were instead submitted to Tesla through its bug bounty programme after the Pwn2Own organizers decided to temporarily drop the automotive category because of the coronavirus pandemic.

TBONE is an attack that chains two vulnerabilities in ConnMan, an internet connection manager for embedded devices. An attacker can use these bugs to take complete control of the Tesla's infotainment system without any user interaction.

An attacker who exploits the vulnerabilities can use the infotainment system to perform any action a normal user could: opening doors, adjusting seat positions, playing music, controlling the air conditioning, and changing the steering and acceleration modes.

The researchers explained, "However, this attack does not yield drive control of the car". They demonstrated how an intruder could use a drone to launch a Wi-Fi attack on a parked car and open its doors from up to 100 metres (roughly 300 feet) away. The exploit, they said, worked on Tesla S, 3, X, and Y models.

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann stated. 

Tesla patched the vulnerabilities with an update released in October 2020 and has reportedly stopped using ConnMan. Intel was also notified, as the original developer of ConnMan, but according to the researchers the chipmaker did not consider it its responsibility.

According to the researchers, the ConnMan component is widely used in the automotive industry, which suggests that similar attacks could be launched against other vehicles. Weinmann and Schmotzle sought assistance from Germany's national CERT in informing potentially affected vendors, but it is unclear whether other manufacturers have responded to their findings.

Earlier this year, the researchers presented their findings at the CanSecWest conference; the presentation includes a video of them hacking a Tesla with a drone. In recent years, researchers at several companies have shown that a Tesla can be hacked, in most cases remotely.