[Cybersecurity News] 8 Jul - 15 Jul

School Vandals Caught When Smartphones Connect to Wi-Fi
https://slate.com/technology/2019/07/glenelg-high-school-graffiti-wifi-login.html
Four students who spray-painted hateful symbols on their school were caught, despite covering their faces, when their phones automatically connected to the school's wireless network. School administrators simply checked who had authenticated during the night of the incident. The article goes into a lot of detail on wireless snooping and tracking, but it also highlights the importance of authentication and attribution.

Monroe College (New York) Hit with $2 Million Ransomware
https://www.nydailynews.com/new-york/nyc-crime/ny-monroe-college-hacked-bitcoin-20190711-uhmv5a4mz5gxja6od7lme37h7e-story.html
No information has been released yet on whether the college intends to pay the ransom, or if it has backups in place that it can recover from. As these attacks continue to hit large organizations, a group of US mayors adopted a resolution to refuse to pay hackers responsible for ransomware attacks: https://www.zdnet.com/article/us-mayors-group-adopts-resolution-not-to-pay-any-more-ransoms-to-hackers/

GE Aviation Passwords, Source Code Leaked
https://threatpost.com/ge-aviation-passwords-jenkins-server/146302/
In aviation news, a server was inadvertently exposed to the internet via a misconfiguration in DNS. This exposed numerous pieces of sensitive information, including passwords, source code, private keys, and more. It’s not clear how a DNS entry could have exposed this server, but it highlights the importance of layered security. Even systems that should never be exposed externally should require authentication.

JetBlue Flight Evacuated After Picture of a Suicide Vest Sent to Every iPhone On Board
https://newsbreakinglive.com/2019/07/14/jetblue-flight-evacuated-after-picture-of-a-suicide-vest-sent-to-every-iphone-on-board/
An individual onboard a JetBlue flight, or in close proximity to the plane, used AirDrop to send a picture of a suicide vest to every iPhone. AirDrop, a method of sharing files between Apple devices, requires close physical proximity (approximately 30 feet). After the flight was evacuated and all luggage was inspected, it was found that no threat existed. Authorities are still trying to find the individual responsible.

Microsoft Patch Tuesday (9 July)
https://krebsonsecurity.com/2019/07/patch-tuesday-lowdown-july-2019-edition/
https://blog.talosintelligence.com/2019/07/microsoft-patch-tuesday-july-2019.html
https://blog.rapid7.com/2019/07/09/patch-tuesday-july-2019/
Among the patches this month are fixes for two vulnerabilities already being exploited in the wild (zero-days). In addition to these, there are 16 critical vulnerabilities, 60 important, and only one moderate. Both of the zero-day vulnerabilities are “local privilege elevation” flaws, which would allow an unprivileged user to elevate themselves to administrator (or higher) privileges. These flaws are CVE-2019-0880 and CVE-2019-1132.

Zoom for Mac Made It Easy for Hackers to Access Webcams
https://arstechnica.com/information-technology/2019/07/zoom-makes-it-too-easy-for-hackers-to-access-webcams-heres-what-to-do/
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/
A “feature” of Zoom (similar to GoToMeeting or WebEx) “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.” Zoom purposefully built a local web server into its macOS client to prevent a user from having to click an additional “accept” dialog and to create a “seamless experience in joining a meeting with microphone and video automatically enabled.” Unfortunately, this could be abused by an attacker to automatically activate video and spy on users. Even after uninstalling Zoom, the local web server remained silently running and could be used to re-install Zoom. Zoom has since patched this “feature”, and Apple released a silent update that removed the web service.

US Coast Guard Issues Safety Alert for “Cyber Incidents”
https://www.tripwire.com/state-of-security/government/us-coast-guard-cybersecurity-commercial-vessels/
In a headline straight out of the movie “Hackers,” the US Coast Guard released a warning after a large ship experienced “a significant cyber incident impacting their shipboard network.” The Coast Guard stated that “the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.” The crew did maintain control of the ship. However, it’s an interesting reminder of how interconnected the world has become and how reliant we are on computer systems.

Hackers Can Spend as Much as $1 Million on Attacks
https://www.darkreading.com/attacks-breaches/apt-groups-make-quadruple-what-they-spend-on-attack-tools/d/d-id/1335229
I wanted to include this as it’s an interesting look into how much attackers can spend on tools and software. One thing to note is that while the tool or malware required for the initial infection may cost several thousand dollars, once inside attackers “tend to rely heavily on legitimate, publicly available tools and custom products rather than Dark Web tools. […] Legal utilities for administration, such as Sysinternals Suite, and remote access tools, like TeamViewer, Radmin, and AmmyAdmin, are all popular as well.”

Android Apps Accessing Sensitive Information
https://nakedsecurity.sophos.com/2019/07/10/android-apps-sidestepping-permissions-to-access-sensitive-data/
It’s important to restrict the permissions of Android Apps to only what they need, but you should also remove apps that aren’t needed and avoid installing unnecessary apps. Numerous apps were found gathering and transmitting information they shouldn’t have access to. They did this primarily by sending data to other applications (covert channel) or by accessing information stored in more than one area (side channel). “For example, apps are meant to request access to the phone’s GPS if they want location data. However, the researchers found apps accessing the MAC address of the Wi-Fi base stations that the phone connected to by reading a locally stored, unprotected cache. That gave the apps the location data that they needed.”

Magecart Hackers Infect 17,000 Sites Through Misconfigured Amazon S3 Buckets
https://thehackernews.com/2019/07/magecart-amazon-s3-hacking.html
Magecart, a generic term for cyber-attacks that inject credit card skimming code into websites, has hit tens of thousands of sites. Attackers are scanning the internet for open Amazon S3 buckets and appending the skimming code to the bottom of every JavaScript file they can find. It’s very hard to protect yourself against this kind of attack, since legitimate and well-known businesses can be infected.
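One defensive check against the tampering described above, as an added example that is not from the article or any of the linked sources: an integrity audit that compares the JavaScript actually being served against a trusted hash manifest kept outside the bucket, and specifically reports files that have had code appended after the known-good body. File names and contents are constructed for the example.

```python
import hashlib

# Constructed sample assets: the deployed, trusted versions of each script.
BASELINE_FILES = {
    "static/app.js": b"function checkout(){ return fetch('/pay'); }\n",
    "static/vendor.js": b"window.vendor = {v: '1.0'};\n",
}

# Constructed sample of what a tampered bucket might serve: app.js has a
# stub tacked onto its end, and an unknown script has appeared.
LIVE_FILES = {
    "static/app.js": BASELINE_FILES["static/app.js"]
    + b"(function(){/* constructed skimmer stub */})();\n",
    "static/vendor.js": b"window.vendor = {v: '1.0'};\n",
    "static/new.js": b"// not present in baseline\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each path to (sha256, length). Keep this outside the bucket."""
    return {p: (sha256(d), len(d)) for p, d in files.items()}


def audit(baseline: dict, live: dict) -> dict:
    """Return {path: finding} for every asset that deviates from the baseline.
    'appended'   trusted bytes are an exact prefix of the live file
    'modified'   any other change to a known file
    'missing'    known file no longer served
    'unexpected' file served that has no baseline entry
    """
    findings = {}
    for path, (digest, length) in baseline.items():
        data = live.get(path)
        if data is None:
            findings[path] = "missing"
        elif sha256(data) != digest:
            appended = len(data) > length and sha256(data[:length]) == digest
            findings[path] = "appended" if appended else "modified"
    for path in live.keys() - baseline.keys():
        findings[path] = "unexpected"
    return findings


if __name__ == "__main__":
    for path, finding in audit(build_baseline(BASELINE_FILES), LIVE_FILES).items():
        print(f"{finding:10s} {path}")
```

In practice the manifest is generated at deploy time from the build output and the live bytes are fetched from the bucket or CDN on a schedule, so an "appended" finding on a checkout script is an immediate incident signal.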

Other “Stories of the Week”
https://nakedsecurity.sophos.com/2019/07/15/monday-review-the-hot-22-stories-of-the-week-34/