Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for the News Category

Boomoji Databases Without Passwords Left Exposed

Boomoji Databases Without Passwords Left Exposed

An unprotected ElasticSearch server led to a potentially massive data leak for a popular avatar app maker, Boomoji. The app, which is based in China and has 5.3 million users across the globe, allows iOS and Android users to create 3D avatars.

The personal data of its entire user base was exposed after Boomoji reportedly left two ElasticSearch databases unprotected without a password, according to TechCrunch.

According to Anurag Kahol, CTO, Bitglass, “There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries.”

A database serving international users was based in the US, and another, which serves Chinese users, was based in Hong Kong in order to comply with China’s data security laws. The databases reportedly contained the usernames, gender, country, phone type, unique Boomoji ID, users’ schools, the geolocation for 375,000 users and the phone book entry of every user that allowed the app to access their contacts. 

Because the app also allows access to contact data, in addition to the data for 5.3 million users, contact information of an additional 125 million people who may not even know the app exists could have been compromised as well. Even if you did not use the app, if someone you know does and has your phone number stored on their device, the app more than likely uploaded your contact information onto Boomoji’s database.

“This exposure demonstrates how most enterprises – even hyper-scale providers – do not have adequate visibility into their entire infrastructure and assets to detect vulnerabilities and security gaps,” said Jonathan Bensen, acting CISO and director of product management, Balbix.

“Unsecured databases with no password protection is a simple enough problem to fix, if the companies are continuously monitoring all assets in order quickly identify and remediate priority issues.”

Source: Information Security Magazine

Extortion Email Causes Widespread Panic Across US

Extortion Email Causes Widespread Panic Across US

Law enforcement agencies across the country spent the better part of yesterday evening investigating a slew of bomb threats delivered by email to businesses and universities across the US and Canada. The hoax email warning that an explosive device was in the recipient’s place of work evoked fear among many Americans yesterday, according to KrebsonSecurity.

Different variations of the email were distributed with subject lines that read “Think Twice” or “–SPAM–My device is inside your building,” as seen in the image below. The emails demand payment in Bitcoin to have the bomb removed.

"We are aware of the recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance," an FBI statement read. "As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety."

In addition, the New York Police Department Counterterrorism Bureau asserted that the threats are not considered credible. Law enforcement agencies from Raleigh to Chicago and dozens of other cities also responded to threats, none of which have been substantiated.

“All it takes is one successful payout to make this scheme worthwhile for the perpetrator. This is a high-risk extortion attempt because there's no doubt it would garner significant attention from law enforcement,” said Tim Erlin, VP, product management and strategy at Tripwire.

“At this point, it's unclear if there's an additional motive beyond extortion. It is clear, however, that disruption has been a consequence. There will be an in-depth investigation into who is behind this campaign, and it's likely they'll be identified.”

The ease with which an attacker can craft such a large-scale disruption has ignited concern. “While these Bitcoin demands seem over the top, the disruption can cost millions in police time alone, and the potential for this to escalate with copycats is always alarming,” said Atiq Raza, CEO of Virsec. “As new extortion ideas get out there, the potential for serious, targeted attacks on high-value cyber-targets will only increases."

Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, said that the incident should serve as a reminder to all organizations that they must conduct regular training of their employees as to the different types of threats.

"As with any trend, there is the genuine product, and there are copycats. What we have seen here would be the latter. However, given the availability of hacker tools for hire and personal data for low prices, it will become harder to separate the two. The bad guys continue to look for any vulnerabilities they can find in one’s security controls.  This is just another example, with the hope that a small percentage of the targets will act on the email.”

Source: Information Security Magazine

FEC Votes to Use Campaign Funds for Cybersecurity

FEC Votes to Use Campaign Funds for Cybersecurity

The Federal Election Committee (FEC) has voted that lawmakers are allowed to use leftover campaign funds to guard personal email accounts and devices from cyber threats.

In a proposed draft of its advisory opinion, the FEC responded to Sen. Ron Wyden’s question: “May a United States Senator use campaign funds to pay for the costs of cybersecurity measures to protect his personal electronic devices and accounts?”

The FEC responded, “Yes.”

“The Commission concludes that you may use campaign funds to pay for the costs of security measures to protect your personal devices and accounts without such payments constituting an impermissible conversion of campaign funds to personal use, under the Act and Commission regulations,” the FEC wrote.

In submitting his request to the FEC, Sen. Wyden acknowledged that he had not experienced any personal threats thus far, but he argued that the cyber threats elected officials face include "attacks by sophisticated state-sponsored hackers and intelligence agencies against personal devices and accounts."

In the advisory opinion, the FEC acknowledged that both Dan Coats, director of National Intelligence, and Michael Rogers, former director of the National Security Agency (NSA), agreed that the personal accounts of lawmakers are at risk of cyber-attacks.

“It’s become increasingly clear in recent years that foreign attackers view institutions that underpin democracy as high-value targets. From election equipment to the elected representatives themselves, malicious actors will systematically look for access,” said Ben Johnson, co-founder and CTO, Obsidian Security.

“The ruling by the FEC allowing leftover campaign funds to purchase additional cybersecurity detection and protection has kept the conversation about election protection going. We need to ask whether cybersecurity should have to rely on unpredictable leftover funds or if it should be a key component to candidates’ campaign machinery. Personal devices and personal accounts are coupled with corporate and government security,." said Johnson.

"That trend is only going to increase. A stronger approach to personal cybersecurity hygiene can help provide a critical extra layer of defense against attackers looking to influence or access US government systems. Put simply: anything that makes our personal identities safer will benefit our professional identities."

Source: Information Security Magazine

UK Retailers Braced for Attacks This Christmas

UK Retailers Braced for Attacks This Christmas

Unpatched security vulnerabilities remain the biggest threat to UK retailers as they increase spending to mitigate risk during the busy Christmas shopping period, according to Infoblox.

The security vendor polled 3000 consumers and retail IT professionals across Europe and the US to better understand their attitudes to data security during December.

In the UK, the largest number of IT pros (28%) claimed unpatched flaws were the main source of attacks, followed by consumer or end-user error (25%), supply chain vulnerabilities (22%) and unprotected IoT devices (21%).

Given these risks, it’s no surprise that 63% of UK retailers have increased spending on cybersecurity during the busy period.

Although it was unclear in which areas they’re spending, a rise in social engineering attacks is seen as a major threat (34%). It would therefore appear that phishing attempts aimed at both consumers and retail employees is high on the list of concerns.

However, ID fraud (16%) and data security (13%) are far less important for UK consumers than delivery (55%). That might explain why a fifth of them take no proactive measures to protect their data — higher than in any other country surveyed.

Despite this apparent complacency, consumers are far from convinced that the stores they shop in are capable of keeping their personal data secure. Just one third (34%) said they trust retailers to hold their data.

“It’s interesting to read that so few consumers around the world are actively concerned with the protection of their own data when shopping online, particularly when two thirds of those we surveyed had little trust in how retailers held that data,” said Infoblox technical director for Western Europe, Gary Cox.

“More education is clearly required of the risks that online shoppers face, especially over Christmas, and the steps they can take to better protect their own data and identity from those intent on theft and fraud.”

According to the British Retail Consortium’s 2016 Retail Crime Survey, 53% of all fraud in the industry comes from cyber, amounting to estimated losses of £100 million.

Source: Information Security Magazine

Cyber-Criminal Gets 20 Months After Using Home-Made Fraud Device

Cyber-Criminal Gets 20 Months After Using Home-Made Fraud Device

A convicted cyber-criminal once dubbed “the acid house king” has been sentenced to 20 months behind bars for a new fraud campaign which saw him use a bizarre home-made device.

Tony Muldowney-Colston, aka Tony Colston-Hayter, of Brighton, pleaded guilty to nine counts of possession of an article for use in fraud and two counts of making or supplying an article for use in fraud.

Metropolitan Police officers had launched an investigation into his activities in January, before obtaining a search warrant for an address linked to the fraudster in June.

While searching the property they found a hard drive containing passport and identity card data, 32 credit cards, and a spreadsheet containing names, addresses, e-mail addresses and phone numbers linked to a private members’ club in central London.

More surprisingly, police found a strange home-made contraption which Muldowney-Colston apparently used to distort his voice whilst on the phone to banks in an attempt to impersonate legitimate customers.

The machine reportedly also played pre-recorded bank messages to trick victims.

These unconventional methods enabled him to access funds of over £500,000 from the accounts he was able to pry open.

“The scam carried out by Muldowney–Colston affected hundreds of people across the UK, and had the potential to affect many more. He is an audacious criminal who only recently was released from prison for carrying out very similar offences,” said detective inspector Philip McInerney, from the Met’s Cyber Crime Unit (MPCCU).

“He shows no concern for the welfare of any individual or organization, and has made it clear he will use a range of methods to achieve significant financial gain for himself. I am very grateful to our partners in the banking industry who have worked closely with us on this and a number of investigations.”

Muldowney-Colston was jailed in 2014 for over five years for masterminding a cyber-attack on computers at branches of Barclays and Santander that netted the gang £1.3m.

Prior to that he shot to fame by popularizing rave culture in the 1980s, something that earned him the nickname of the acid house king.

Source: Information Security Magazine

Texas Hospital Discloses Third-Party Breach

Texas Hospital Discloses Third-Party Breach

The payment information of more than 47,000 patients was potentially compromised after the Baylor Scott & White Medical Center in Frisco, Texas, suffered a third-party data breach, according to the hospital’s notice of a data security incident.

The hospital disclosed that it had sent letters to more than 47,000 patients and guarantors, alerting them to the possibility that their payment information, which could include partial credit card information, might have been compromised. “Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions,” said Justin Jett, director of audit and compliance for Plixer.

The disclosure notice states: “On September 29, 2018, the hospital discovered an issue with a third-party vendor’s credit card processing system. The hospital immediately notified the vendor and terminated credit card processing through them. An investigation determined the inappropriate computer intrusion occurred between September 22-29, 2018. There is no indication the information has been further disclosed or misused by any other unauthorized individuals or entities.”

While the hospital’s information and clinical systems were not impacted and no medical information was compromised, the data that might have been accessed includes names, address and date of birth, as well as medical record numbers and the dates of service. Insurance provider information and account numbers, along with the last four digits of the credit card, account balances and invoice numbers, could also be among the information compromised in the data breach.

“The Baylor Scott and White Medical Center-Frisco felt firsthand the effects of a third-party breach, as they were forced to notify over 47,000 patients that their payment information had been exposed,” said Fred Kneip, CEO, CyberGRX. “We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”

Source: Information Security Magazine

Android Malware Steals from PayPal Accounts

Android Malware Steals from PayPal Accounts

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.

The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.

In a video recording, researchers demonstrated an attempt to steal money from a PayPal account after the user had logged into the app. While the researchers were analyzing the malware, the PayPal app attempted to send €1,000, which failed when the app requested that the user link a new card due to insufficient funds.

The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.  

According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.

“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the users mobile device.  What’s new for this malware is that it is not focused on phishing for the users credentials, although it appears to attempt to phish for the user’s credit card information, instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”

Source: Information Security Magazine

China’s MSS Linked to Marriott Breach

China’s MSS Linked to Marriott Breach

The Chinese government is responsible for the massive breach recently disclosed by Marriott International, according to new reports.

Two people briefed on the ongoing investigation told the New York Times that the attackers are suspected of working for China’s sprawling Ministry of State Security (MSS).

The hack, it is claimed, was part of a major intelligence gathering operation that also included the notorious breach of the Office of Personnel Management (OPM). Its aim is to build up detailed profiles on US executives and government officials with security clearance.

With the passport information stolen as part of the trove, Chinese spies could theoretically keep tabs on the movements of such individuals more easily. Marriott is said to be a favorite hotel provider for US government and military personnel.

Combined with the information from the OPM, it’s thought that the hotel data could help the MSS identify possible US spies and even recruit their own agents, as well as the Chinese citizens that may have been helping them.

The revelations are likely to cause extra turbulence for the Sino-US trade deal currently being hammered out and the 90-day ‘truce’ agreed by the two presidents in Buenos Aires.

It also presages a new swathe of action from Washington designed to open the kimono on Chinese cyber-espionage activity.

It’s predicted we’ll see a fresh round of indictments of Chinese military and intelligence operatives, and possibly the declassificiation of an US intelligence report detailing Beijing’s concerted attempts to build a huge data lake of American citizens’ information.

The indictments are thought to be linked to “Cloud Hopper” (APT10), a group that has spent years targeting the managed service providers of large companies.

An official with knowledge of the plans said they could also include making it harder for Chinese telecoms firms to get hold of key components. Any such move would likely enrage Beijing and only accelerate its cyber-espionage-fuelled efforts to become self-sufficient in tech.

Sam Curry, CSO at Cybereason, argued that Washington is rapidly changing its stance on China.

“The appropriate response is one that is on the political, diplomatic, economic, and military domains where cyber is a factor and not the only star,” he added. “Cyber is both a domain in its own right and a component of all the others. So the administration needs to plan a response to the political situation, using cyber as a tool."

Source: Information Security Magazine

Over 40,000 Stolen Government Logins Discovered

Over 40,000 Stolen Government Logins Discovered

Over 40,000 credentials for accounts on government portals around the world have been leaked online, and are most likely up for sale on the dark web.

Russian security firm Group-IB said usernames and cleartext passwords were available for various local and national government entities across more than 30 countries.

It’s not clear exactly how they were discovered, although the firm claims readily available keyloggers and info-stealing malware enabled the hackers responsible to harvest the info over time. It’s thought they may be part of an even bigger trove of sensitive data which has been refined for sale.

Hundreds of accounts on the websites of the US Senate, the Internal Revenue Service, the Department of Homeland Security and NASA were among those affected, according to Bloomberg.

Also hit were portals of the Israel Defense Forces, the Italian defense and foreign ministries, and Norway’s Directorate of Immigration, as well as government sites in France, Poland, Romania, Switzerland and Georgia.

Over half (52%) of victims were in Italy, followed by Saudi Arabia (22%).

Attacks in the US reportedly took place in the past year while other countries have been targeted since June 2017.

Group-IB has informed the authorities in the relevant countries, aware of the potentially serious national security implications of the leak.

Andrea Carcano, co-founder of Nozomi Networks, claimed the attackers likely used phishing attacks to spread the info-stealing malware.

“It is therefore extremely important that government organizations dedicate time and resources into training employees not to click on links, attachments and fraudulent emails that are professionally manufactured to target specific individuals,” he added.

“While it is unclear how much data the compromised login details will provide attackers, the governments affected should still try to do everything possible to limit their access. The first step would be to update login and password information for employees affected.”

Source: Information Security Magazine

Apache Misconfig Leaks Data on 120 Million Brazilians

Apache Misconfig Leaks Data on 120 Million Brazilians

The identity numbers of 120 million Brazilians have been found publicly exposed on the internet after yet another IT misconfiguration.

The data relates to Cadastro de Pessoas Físicas (CPFs): ID numbers issued by Brazil’s central bank to all citizens and tax-paying residents. The size of the leak represents data on over half the population of South America’s biggest country.

Researchers at InfoArmor’s Advanced Threat Intelligence Team found the database exposed on an Apache web server in March, after a simple internet search.

“Upon closer examination of the server that was discovered by InfoArmor’s researchers, it was found that someone had renamed the ‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents to the world. Anyone who knew the filename or navigated to it would have unfettered access to all the folders and files within,” its report explained.

“Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures were in place.”

Only weeks later, after the firm unsuccessfully tried to contact the SQL host, did the issue get fixed.

“What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated domain that redirected to its login panel,” it explained.

“Although InfoArmor cannot be sure that was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function.”

The security firm warned that “it is safe to assume” either a nation state or cybercrime group now has the leaked information.

Ilia Kolochenko, CEO of High-Tech Bridge, said a thorough investigation is required by the Brazilian government.

“The major question here is how did this highly sensitive and confidential data go online on a third-party server in a flagrant violation of all possible security, compliance and privacy fundamentals? Who else has access to this data and its copies?” he argued.

Source: Information Security Magazine