Archive for March 2019

Toyota Japan Hacked, Vietnam Office Suspects Breach

After a security incident in February at its Australian subsidiary, Toyota Motor Corp. has suffered its second security breach in the last five weeks, with today's breach announced by the company's main offices in Japan.

"On March 29, 2019, it was announced in Japan that Toyota Motor Corporation (TMC) learned it had possibly been the victim of a cyberattack targeting Toyota Tokyo Sales Holdings Inc., a TMC sales subsidiary, and its affiliated enterprises. Additionally, three other independent dealers in Japan are possibly involved. Toyota Motor North America (TMNA) is monitoring the situation closely and is currently unaware of any compromise of TMNA systems associated with this incident or evidence that Toyota or Lexus dealers in the United States have been targeted," Toyota Motor North America said in a statement.

The company reportedly said hackers breached its systems, gaining unauthorized access to data belonging to several sales subsidiaries, all based in Tokyo. Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers that included names and dates of birth but no credit card information, though the investigation remains ongoing.

In addition, Toyota Vietnam said that it is possible the company was also hacked, according to Tinmoi. “Toyota Vietnam Motor Company (TMV) has discovered that the Company is likely to have been attacked by the network and some customer data may have been accessed. So far we do not have any concrete evidence and details about the lost data, and are currently in the process of investigation. We will share as soon as information is available,” TMV said according to a translation of a statement shared with Tinmoi.

"In light of the Toyota security breach, it’s clear that automotive manufacturers need to be aware that as their technology continues to evolve there are more responsibilities involved to protect the consumer," said Amir Einav, VP of marketing at Karamba Security. "As car manufacturers are set to collect more data than ever before on drivers and vehicle behavior there is more personal information at stake. Following Toyota’s second breach in the last five weeks, there is a greater sense of urgency in the automotive industry around the need to take preventive cybersecurity measures, from the cloud to the in-vehicle technology."

Source: Information Security Magazine

Magento Warns E-Commerce of SQL Injection Risk

After researchers discovered an SQL injection vulnerability in Magento’s code, the company issued a security fix for more than 30 different vulnerabilities in its software, which reportedly has put more than 300,000 e-commerce sites at risk of card-skimming attacks.

Online businesses have been strongly urged to apply the latest fix, with the warning that Magento versions prior to 2.3.1 are vulnerable and being exploited in the wild.

According to the March 26 Magento advisory, "Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can."

A separate code execution bug fixed in the same release, PRODSECBUG-2192, carries a Common Vulnerability Scoring System (CVSS) severity rating of 9.8: "an authenticated user with privileges to create newsletter or email templates can execute arbitrary code through crafted newsletter or email template code."

No proof of concept yet exists, but exploitation is relatively easy, according to Satnam Narang, senior research engineer at Tenable. "Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won't go unnoticed."

Instead of credential dumps, criminals are using stolen credit card dumps that can result in immediate financial losses for consumers and fraud losses for merchants, said Ameya Talwalkar, co-founder and CPO, Cequence. "This is a unique case of an application vulnerability being exploited for business logic abuse. We’ve detected and blocked similar attacks to this that have targeted our own retail customers. This particular attack is very similar to credential checking attacks on login applications using malicious automation or bots."

"Normally retail applications do not allow for $0 transactions, but due to the newly discovered vulnerability in Magento, it allows these $0 transactions and opens the door for checking stolen credit and gift cards for validation."
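The card-checking pattern Talwalkar describes is visible in payment logs even when each individual $0 authorization looks legitimate (a single zero-value auth is a normal card tokenization step). The following is an added example, not Magento code and not from the article: it runs a sliding-window check over a constructed authorization log and flags a client that pushes many low-value authorizations with many distinct card numbers in a short window, which is what a card-testing bot looks like. The log format, IP addresses and thresholds are all assumptions for illustration.

```python
"""Flag card-testing bursts in payment authorization logs.

Added example for this page, not Magento code or from the article: the log
format below is constructed for illustration. Card testers push many
zero-value (or tiny) authorizations with different card numbers through one
storefront to learn which stolen numbers are live. A single $0 auth is a
normal tokenization step, so the signal is the pattern per client, not any
one event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one authorization per line:
# "timestamp client_ip amount_cents card_hash result"
SAMPLE_LOG = """\
2019-03-27T10:00:01Z 203.0.113.9 0 c1a2 declined
2019-03-27T10:00:02Z 203.0.113.9 0 d4e5 declined
2019-03-27T10:00:03Z 203.0.113.9 0 f6a7 approved
2019-03-27T10:00:04Z 203.0.113.9 0 b8c9 declined
2019-03-27T10:00:05Z 203.0.113.9 0 0a1b declined
2019-03-27T10:00:06Z 203.0.113.9 0 2c3d declined
2019-03-27T10:02:00Z 198.51.100.7 0 9f9f approved
2019-03-27T10:03:10Z 198.51.100.7 4599 9f9f approved
2019-03-27T10:05:00Z 192.0.2.44 12999 aa11 approved
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, card, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "amount_cents": int(amount),
            "card": card,
            "result": result,
        })
    return events


def detect_card_testing(events, window=timedelta(seconds=60), min_attempts=5,
                        min_distinct_cards=4, max_amount_cents=100):
    """Return {client_ip: largest_burst_size} for clients that look like card testers.

    A client is flagged when, within `window`, it submits at least
    `min_attempts` authorizations of at most `max_amount_cents` using at least
    `min_distinct_cards` different card numbers. Approved/declined does not
    matter: the tester learns from both outcomes.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["amount_cents"] <= max_amount_cents:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            distinct_cards = {e["card"] for e in burst}
            if len(burst) >= min_attempts and len(distinct_cards) >= min_distinct_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(burst))
    return flagged


if __name__ == "__main__":
    for ip, burst in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card-testing suspected from {ip}: {burst} low-value auths in one window")
```

In the sample, 203.0.113.9 is flagged (six $0 authorizations with six different cards in five seconds), while 198.51.100.7, which does one $0 auth and then a real purchase on the same card, is not. Tuning the thresholds against real traffic matters: the window and card-count floors are what separate a checkout retry from a bot.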

Source: Information Security Magazine

Intel Microchip Intercepts Signals, Reads Memory

At this week's Black Hat Asia 2019 conference, researchers from Positive Technologies revealed findings about an undocumented technology in Intel microchips that allows reading data from memory and intercepting signals from peripherals.

On March 28, 2019, Positive Technologies experts Maxim Goryachy and Mark Ermolov spoke in Singapore, discussing the microchips in their session Intel VISA: Through the Rabbit Hole.

The PCH microchips (Platform Controller Hub) on modern Intel motherboards reportedly contain a logic signal analyzer called Intel Visualization of Internal Signals Architecture (VISA), which is disabled by default on commercial systems. However, the researchers found several ways an attacker could activate the technology, which has access to virtually all the data on a computer. The researchers were able to intercept signals from displays, keyboards, and webcams.

"With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data," the researchers wrote. In their talk, the experts demonstrated "how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices."

Leveraging a previously identified vulnerability in the Intel Management Engine (ME), covered by Intel advisory INTEL-SA-00086 and discovered by researchers at Positive Technologies, Goryachy and Ermolov demonstrated that a malicious actor could attack computers by injecting spyware into the subsystem's code.

"ME can intercept and modify network packets as well as images on graphics cards; it has full access to USB devices. Such capabilities mean that if an attacker finds an opportunity to execute arbitrary code inside ME, this will spawn a new generation of malware that cannot be detected using current protection tools. Fortunately, only three (publicly known) vulnerabilities have been detected in the 17-year history of this technology," the researchers wrote.

"We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed," said Positive Technologies expert Maxim Goryachy, according to a press release. "With the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip."

Source: Information Security Magazine

IT Security Pros Slam State-Backed Encryption Backdoors

Most IT security professionals believe governments that mandate end-to-end encryption backdoors are exposed to a greater risk of nation state cyber-attacks, according to Venafi.

The security vendor polled over 500 industry professionals at the recent RSA Conference in San Francisco on a topic which continues to be hotly debated in the US and Europe.

Nearly three-quarters (73%) said they thought laws effectively forcing tech companies to enable law enforcers to read encrypted communications would make their nation less secure. Slightly fewer (70%) claimed governments shouldn’t be able to mandate private tech providers to make their code less secure.

Some 69% argued that such moves would also put a country at an economic disadvantage globally, presumably because it will no longer be seen as a safe place in which to do business.

“This is not rocket science; backdoors inevitably create vulnerabilities that can be exploited by malicious actors. It’s understandable that so many security professionals are concerned because backdoors are especially appealing to hostile and abusive government agencies and more governments are considering these mandates,” argued Venafi's VP of security strategy and threat intelligence.

“We know that attackers don’t abide by restrictions; they don’t follow the rules or buy products in controlled markets. Countries that enact these near-sighted restrictions harm law abiding businesses and court economic damage as well as intrusions focused on sovereign government processes.”

Last December Australia passed new laws which could force tech providers to engineer de facto backdoors into their end-to-end encryption products. In so doing, it joined the UK, whose Investigatory Powers Act has widely been viewed as one of the most intrusive surveillance regimes of any western democracy.

However, with most global tech firms based in the US, these powers are unlikely to be tested on the world’s most popular services. That makes the US a key battleground for privacy advocates.

Law enforcers and some lawmakers have long argued for such powers, claiming erroneously that backdoors could be provided to allow police access to encrypted comms only in specific cases, without making the entire ecosystem less secure for all customers.

Increasingly exasperated by this talk, the world’s leading cryptography experts last year backed demands for FBI director, Christopher Wray, to explain the technical basis for his repeated claims that backdoors can be engineered without impacting user security.

Source: Information Security Magazine

Ex-NSA Contractor Pleads Guilty to Top Secret Data Theft

A former NSA contractor has pleaded guilty to stealing top secret government documents over a two-decade period, putting national security at risk.

Harold Martin III, of Glen Burnie, Maryland, confessed to “willful retention of national defense information,” having previously denied all charges against him, and will now serve nine years behind bars, according to the Department of Justice.

Former US Navy man Martin worked at multiple private contracting companies from December 1993 to August 27, 2016, gaining clearance to handle Top Secret and Sensitive Compartmented Information (SCI).

He’s thought to have taken as much as 50TB of data over a 20-year period starting in the late 1990s and ending with his arrest in 2016, storing it at home and in his vehicle.

It has been reported that Martin may have been linked in some way to the infamous Shadow Brokers data dump of classified NSA hacking tools.

He is alleged to have tried to communicate over Twitter with Russian AV firm Kaspersky Lab, sending five cryptic private messages requesting a meeting with founder Eugene Kaspersky, stating what he had to discuss had a “shelf life” of three weeks.

Just 30 minutes after the messages were sent, the Kremlin-linked Shadow Brokers began PR-ing their haul, according to Politico.

Kaspersky tipped off the FBI about the messages, which resulted in a major raid on Martin’s home in which were found the stolen classified documents — apparently including some of the same hacking tools leaked by the Shadow Brokers.

“This case shows that there is still work to be done when it comes to stopping criminals before they have a chance to actually steal large amounts of data over extended periods,” said Mohan Koo, Dtex Systems founder and CTO.

“We work with public and private sector organizations daily to help them prevent insider threats from getting out of hand. The ones that place equal emphasis on illegal activity detection and investigations experience fewer data theft incidents.”

Source: Information Security Magazine

Multi-Cloud Poses Backup Management Woes

Though backup is a known best-practice approach to IT risk management, many companies are overwhelmed by the number of sites that need to be backed up, according to a new survey released today by Barracuda Networks.

The study, Closing Backup and Recovery Gaps, asked more than 1,000 IT professionals, business executives and backup administrators about their data protection strategies and found that despite a desire for business continuity, organizations still struggle to take all of the necessary steps to fully secure their business' data.

According to the report, the rise of multi-cloud and multi-site environments has resulted in 57% of respondents saying they have to back up more than two sites for their organization, while 7% of respondents manage backups for more than 26 sites.

"When you combine this data with the new push for multi-cloud deployments, it’s clear the simpler days of companies managing a single site and on-premises architecture are a thing of the past. This makes remote management a key consideration for any backup and recovery solution, to help save valuable IT time and effort during day-to-day tasks and urgent recovery efforts," the report said.

When looking at the number of small to medium-size businesses (SMBs), over 60% have migrated to Office 365. Of those, 40% are not using backup tools because they assume their cloud provider handles backup and disaster recovery.

Databases (91%), email (68%) and proprietary application data (62%) are the most common types of data that respondents said they are backing up, but the report found that, "Increasingly, everything is deemed mission critical."

A large number of respondents (37%) are backing up multimedia data, and more than a quarter (28%) back up research and development data. "However, of some concern is the small number of respondents (16%) wanting to back up their SaaS data. This inaction is putting their business continuity at risk," the report said.

Despite the risk management capabilities of cloud backup, over half (59%) of respondents do not plan to migrate on-premises services to the cloud, with only 18% of respondents reporting that they are currently migrating.

Source: Information Security Magazine

Vulns in Pydio 8 Allow Escalated Admin Access

In a coordinated vulnerability disclosure released today, researchers at SecureAuth said they had found multiple vulnerabilities in Pydio 8 (version 8.2.2) that would grant access to a malicious actor who could then escalate privileges and get administrator access. Pydio reportedly released a fixed version last week.

With privileged access to the application, the attacker could then leverage a separate vulnerability: an OS command injection in the ImageMagick plugin, executed with the privileges of the user account running the web server. In addition, SecureAuth found a cross-site scripting flaw in the file view feature and two unauthenticated information disclosure vulnerabilities, one in Pydio itself and one in PHP libraries it uses.

An attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared.

According to the advisory, the privilege escalation vector, CVE-2019-10049, relies on chaining multiple vulnerabilities: "by chaining vulnerabilities it is possible for an attacker with regular user access to the web application to attempt to trick an administrator user to open a link shared through the application."

Security researcher Ramiro Molina from SecureAuth security consulting services discovered the vulnerabilities, and Leandro Cuozzo from SecureAuth advisories team coordinated with Pydio in the publication of the disclosure.

"While important to productivity, file-sharing services that host, store, share or synchronize files across devices are targets for attackers due to the highly sensitive data that these files often contain – including business plans, financial information and even passwords," said Leandro Cuozzo, security researcher, SecureAuth.

"Research from McAfee shows file-sharing services store 39 percent of all corporate data uploaded to the cloud including highly sensitive information. Even though 64 percent of documents in file sharing services are not shared, they are still accessible by administrators. In this case, an attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared in a Pydio implementation.

"In addition to applying the latest patches, organizations should implement adaptive authentication to improve security and limit access to sensitive information in file-sharing services."

Source: Information Security Magazine

Risks in Hidden UC Browser for Android Feature

More than 500 million Android users have been put at risk of a man in the middle (MITM) attack resulting from a popular web browser's ability to secretly download auxiliary components from the internet, according to blog posts from both Tripwire and Dr.Web.

Researchers noted that UC Browser for Android and UC Browser Mini for Android applications have the hidden ability to download and install extra modules from their own servers using unprotected channels and bypassing Google Play's servers altogether, a clear violation of the rules of the Google Play store.

"The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software," the Dr.Web blog stated.

"During our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google's rules for software distributed in its app store."

Researchers at Tripwire disagreed in part with Dr.Web's reporting, noting that with UC Browser, an attacker who took control of the browser developer’s servers could load malicious software using this hidden feature. With UC Browser Mini, however, "this ability threatens 100 million Google Play users with the risk of a malware infection. It does not, however, enable criminals to conduct a MITM attack as with UC Browser."
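The risk Dr.Web and Tripwire describe comes from two missing controls: the module download travels over an unprotected channel, and nothing ties the bytes received to the bytes the developer actually built. The block below is an added example, not UC Browser code and not a description of how UC Browser fetches modules. It shows the two checks an app that loads executable code at runtime needs so that neither an on-path attacker nor a compromised download server can substitute a module: refuse non-TLS URLs, and refuse any module whose digest does not match a manifest shipped inside the app. The module name, manifest, URL and transport callback are constructed for illustration.

```python
"""Refuse runtime-loaded modules that are not pinned and delivered over TLS.

Added example for this page; it is not UC Browser code and makes no claim
about how UC Browser actually fetches its modules. Names, the manifest and
the module bytes are constructed for illustration.
"""
import hashlib
import hmac

# Constructed: the build embeds the digest of every module the app may load.
# Computed here from the known-good bytes for brevity; in a real build the
# hex string is a constant baked into the binary, not derived at runtime.
GOOD_MODULE = b"ELF-like bytes of the legitimate document viewer build"
PINNED_MODULES = {
    "docviewer.so": "sha256:" + hashlib.sha256(GOOD_MODULE).hexdigest(),
}


class UntrustedModuleError(Exception):
    """Raised when a module must not be written to disk or executed."""


def verify_module(name, payload, manifest=PINNED_MODULES):
    """Return True if payload matches the pinned digest for name, else raise."""
    if name not in manifest:
        raise UntrustedModuleError(f"{name}: not in pinned manifest")
    algo, _, expected = manifest[name].partition(":")
    if algo != "sha256":
        raise UntrustedModuleError(f"{name}: unsupported digest {algo}")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; the digest is not secret, but it costs nothing.
    if not hmac.compare_digest(actual, expected):
        raise UntrustedModuleError(f"{name}: digest mismatch")
    return True


def fetch_module(name, url, transport):
    """Download `name` from `url` via transport(url) -> bytes and verify it.

    `transport` is injected so the example runs offline; a real one would be
    an HTTPS client with certificate validation left enabled.
    """
    if not url.lower().startswith("https://"):
        # Unprotected channel: anyone on the path can rewrite the body.
        raise UntrustedModuleError(f"{name}: refusing non-TLS URL {url}")
    payload = transport(url)
    verify_module(name, payload)
    return payload


def load_outcome(name, url, transport):
    """Return 'loaded' or 'rejected: <reason>' for a module fetch attempt."""
    try:
        fetch_module(name, url, transport)
        return "loaded"
    except UntrustedModuleError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    honest = lambda url: GOOD_MODULE                       # server returns the real build
    on_path_attacker = lambda url: b"attacker-substituted module"
    print(load_outcome("docviewer.so", "https://updates.example/docviewer.so", honest))
    print(load_outcome("docviewer.so", "https://updates.example/docviewer.so", on_path_attacker))
    print(load_outcome("docviewer.so", "http://updates.example/docviewer.so", honest))
```

Pinning a digest is the minimum; it means the app can only ever load modules known at build time. Where modules must change without an app update, the manifest itself has to be signed with a key whose public half ships in the app, which moves the trust from the download server to the developer's signing key. Either way, the property the article finds missing is the same: the downloaded bytes are verified against something the app already trusts before they run.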

That is not the only way that bad actors could exploit the browser, said Usman Rahim, digital security and operations manager at The Media Trust.

“Bad actors can insert their code through insecure third-party code suppliers. Browsers and other apps are being developed within ever shorter timescales and with a traditional security mindset where the security deficiencies of a product are determined after it has been designed, not before and during. Third parties are often not carefully vetted for security capabilities. Moreover, security considerations fail to receive the priority and resources they require and are, instead, treated as unnecessary costs—that is, of course, until a breach happens.”

Source: Information Security Magazine

Microsoft Hails “Significant” Disruption of Iranian APT Group

Microsoft is claiming its attempts at disrupting a well-known Iranian state-sponsored APT group have had a “significant impact.”

Unsealed court documents reveal the work of Microsoft’s Digital Crimes Unit (DCU) in targeting the Tehran-linked APT35 group, also known as Charming Kitten and Phosphorus, according to VP of customer security and trust, Tom Burt.

A court order allowed the unit to take control of 99 phishing domains which were used to harvest victims’ credentials.

“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crimes Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to [Microsoft Threat Intelligence Center] MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” explained Burt.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”

Burt thanked these other tech firms for their assistance, as well as the domain companies that were required to transfer websites registered by APT35 to Microsoft, under the court order.

While these efforts will certainly not put an end to the state-backed group’s activities, they will inconvenience its operators and yield valuable intelligence on their activities.

The group has been detected in the past targeting businesses, government agencies, activists and journalists with information-stealing raids.

It is the same tactic Microsoft has used to disrupt the notorious Russian APT28 (aka Strontium) group, which has been blamed for info-stealing attacks on Democratic Party officials ahead of the 2016 US presidential election.

Burt claimed Microsoft had used the approach 15 times, controlling 91 spoofed websites registered by the Kremlin-backed group.

Source: Information Security Magazine

Hackers Queue Up to Exploit WinRAR Bug

Security researchers have warned of a new wave of attacks on Middle Eastern companies from APT33, a group with links to Iran.

Known as “Elfin” and “Refined Kitten,” the group has been in operation since 2015, using a combination of custom malware, commodity malware, and open-source hacking tools.

In a new wave of attacks in February, the group tried to exploit a known vulnerability (CVE-2018-20250) in the popular file archiving utility WinRAR. Having gone undetected for nearly two decades, the bug is particularly dangerous because WinRAR has no automatic update mechanism and is installed on hundreds of millions of machines around the globe.

“If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer,” Symantec explained.
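The "install any file" capability Symantec describes is a path traversal: CVE-2018-20250 is a bug in the ACE decompression library bundled with WinRAR that lets a crafted entry name write a file outside the chosen output folder (a Windows Startup folder being the obvious target), and because WinRAR selects the decoder from file content, the malicious archives carried .rar names with ACE content. The block below is an added example, not from the article, Symantec or FireEye, and not WinRAR or ACE code. It implements the generic defences an extractor or mail gateway needs against this bug class: reject entry names that would escape the destination directory, and notice when a file's extension disagrees with its format signature. The sample headers and entry names are constructed; the ACE signature offset is taken from the ACE header layout.

```python
"""Screen archive entries for path traversal and extension/format mismatch.

Added example for this page; not WinRAR, ACE, Symantec or FireEye code.
Sample bytes and entry names are constructed for illustration.
"""
import ntpath
import os
import posixpath

RAR_MAGIC = b"Rar!\x1a\x07"   # RAR 4.x and 5.x archives start with this
ACE_MAGIC = b"**ACE**"        # ACE main header: signature follows CRC, size, type, flags (offset 7)


def sniff_format(header):
    """Identify the archive format from its leading bytes, ignoring the file name."""
    if header.startswith(RAR_MAGIC):
        return "rar"
    if header[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def extension_mismatch(filename, header):
    """True when the extension claims one recognised format and the bytes show another."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    fmt = sniff_format(header)
    return fmt != "unknown" and ext != fmt


def safe_entry_path(dest_dir, entry_name):
    """Return the absolute path an entry may be written to, or None if it escapes dest_dir.

    Handles the tricks that matter for this bug class: backslash separators,
    drive letters, UNC prefixes, absolute paths, and '..' segments that only
    resolve outside the destination after normalisation.
    """
    name = entry_name.replace("\\", "/")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("/"):
        return None                      # absolute or drive-relative: never trust it
    norm = posixpath.normpath(name)
    if norm in (".", "") or norm == ".." or norm.startswith("../"):
        return None                      # empty, or climbs above the destination
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *norm.split("/")))
    # Belt and braces: the resolved path must still live under the destination.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def screen_archive(filename, header, entry_names, dest_dir):
    """Return a list of findings for an archive; empty list means nothing suspicious."""
    findings = []
    if extension_mismatch(filename, header):
        findings.append(f"{filename}: extension says .{os.path.splitext(filename)[1].lstrip('.')}"
                        f" but content is {sniff_format(header)}")
    for entry in entry_names:
        if safe_entry_path(dest_dir, entry) is None:
            findings.append(f"{filename}: entry {entry!r} would escape {dest_dir}")
    return findings


if __name__ == "__main__":
    # Constructed: a .rar-named file whose bytes are an ACE header, with one
    # benign entry and one that climbs out towards a Startup folder.
    fake_rar = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    entries = ["invoice.pdf", r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe"]
    for finding in screen_archive("invoice.rar", fake_rar, entries, "/tmp/extract"):
        print(finding)
```

The same `safe_entry_path` check applies to any extractor (zip, tar, or a home-grown unpacker in a file-upload handler); the bug class is old and recurs whenever entry names are joined to an output directory without normalising and re-checking the result.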

The Elfin group usually begins its attacks with a classic spear-phishing email, and then proceeds to download and use a combination of custom and widely available malware/tools. These include the AutoIt backdoor; RATs such as Remcos, DarkComet and Quasar; and credential stealers like Mimikatz and SniffPass.

Saudi Arabian targets account for 42% of total attacks since 2016, but the US is a close second with 34% before a big drop off with Belgium (6%) in third.

That WinRAR vulnerability, disclosed in February, has also been exploited in multiple campaigns spotted by FireEye.

These include one using a phishing email impersonating an educational accreditation council; an attack on an Israeli military company; and a possible attack against an individual in Ukraine using a PDF letter from former president Viktor Yanukovych and the Empire backdoor as primary payload.

“We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL,” warned FireEye research scientist Dileep Kumar Jallepalli.

“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.”

Source: Information Security Magazine