Daily Archives: July 13, 2019

Security Affairs newsletter Round 222 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

Croatia government agencies targeted with new SilentTrinity malware
Customers of 7-Eleven Japan lost $500,000 due to a flaw in the mobile app
Hackers compromised a Canonical GitHub account, Ubuntu source code was not impacted
Backdoor mechanism found in Ruby strong_password library
Cyberattack shuts down La Porte County government systems
Experts uncovered a new Magecart campaign that hacked over 960 stores
Hackers are poisoning the PGP SKS keyserver network
Spotting RATs: Delphi wrapper makes the analysis harder
UK ICO fines British Airways £183 Million under GDPR over 2018 security breach
A new Astaroth Trojan Campaign uncovered by Microsoft
Flaw in Zoom video conferencing software lets sites take over webcam on Mac
Kaspersky report: Malware shared by USCYBERCOM first seen in December 2016
Maryland Department of Labor discloses a data breach
Prototype Pollution flaw discovered in all versions of Lodash Library
Adobe Patch Tuesday updates for July 2019 address only 5 minor flaws
Kali Linux is now available for Raspberry Pi 4
Microsoft released Patch Tuesday security updates for July 2019
Parents Guide for Safe YouTube and Internet Streaming for Kids
Severe vulnerabilities allow hacking older GE anesthesia machines
UK ICO proposes a $123 million fine for Marriott 2014 data breach
A new NAS Ransomware targets QNAP Devices
Agent Smith Android malware already infected 25 million devices
Intel addresses high severity flaw in Processor Diagnostic Tool
New FinFisher spyware used to spy on iOS and Android users in 20 countries
CVE-2019-1132 Windows Zero-Day exploited by Buhtrap Group in government attack
Exclusive, experts at Yoroi-Cybaze ZLab released a free decryptor for Loocipher Ransomware
Hackers stole $32 million from Bitpoint cryptocurrency exchange
New Miori botnet has a unique protocol for C2 communication
FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal
Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 222 – News of the week appeared first on Security Affairs.

For nearly a year, Brazilian users have been targeted with router attacks

Brazilian users have been targeted by a large number of router attacks aimed at modifying the configuration of their routers for malicious purposes.

This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to execute commands without the users’ knowledge.

The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones.

Crooks targeted users of many major organizations, including Netflix and large banks like Santander, Bradesco, and Banco do Brasil.

A router CSRF attack can be launched by tricking victims into visiting a compromised website that serves malicious advertising (malvertising), typically delivered to the site through third-party ad networks.

“Avast frequently observes malvertising infections on local Brazilian websites that host adult content, illegal movies or sports content. Just by visiting a compromised site, the victim is redirected to a malicious page where their router is automatically attacked without user interaction.” reads a blog post published by Avast.

“Malware then guesses routers’ passwords, which new research from Avast shows are often weak. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.”

Avast researchers also observed crooks using DNS hijacking to deliver crypto mining scripts to users’ browsers.

The router attacks were first observed last summer, when researchers from Radware and Netlab reported them.

Experts at Qihoo 360 NetLab reported that between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

In April 2019, experts at Bad Packets uncovered a new wave of attacks mainly aimed at compromising D-Link routers, many of them belonging to Brazilian users.

According to Avast, in the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.

The router attacks involved an exploit kit that attempts to find the router IP on a network, then attempts to guess the password using common login credentials.

“The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, and is the largest telecommunications company in the country.” states the analysis published by Avast. “The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also a Telefônica Brasil brand.”

Experts explained that the GhostDNS variant Novidade was one of the most active in router attacks against Brazilian users.

Avast confirmed that Novidade attempted to infect its users’ routers over 2.6 million times in February alone; the experts observed at least three campaigns spreading the malware.

In the past three months, experts also uncovered three drive-by attacks from another exploit kit, tracked as “SonarDNS EK” because it is based on the SONAR JS framework.

“Users should be careful when visiting their bank’s or Netflix’s website, and make sure the page has a valid certificate, by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.” concludes Avast.

Pierluigi Paganini

(SecurityAffairs – router attacks, Brazil)

FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal

The United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Facebook will be obliged to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal. In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially thought.

“The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information, according to three people briefed on the vote, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies.” reported The New York Times.

The news is not a surprise for experts; the settlement had been anticipated by the media over the past months. Final approval is expected in the coming weeks from the US Justice Department, which usually approves settlements reached by the FTC.

If approved, it would be the biggest fine assigned by the federal government against a tech firm.

The probe began more than a year ago; the agency found that the way Facebook manages user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data. That settlement obliged the company to review its privacy practices.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

In April, Facebook disclosed its first quarter 2019 financial earnings report that revealed the company had set $3 billion aside in anticipation of the settlement with the FTC.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” said Representative David Cicilline, a Democrat and chair of a congressional antitrust panel.

Recently the UK’s Information Commissioner’s Office (ICO) also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.

Pierluigi Paganini

(SecurityAffairs – Cambridge Analytica, Facebook)

Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

The Magecart gang continues to target websites worldwide; it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

The Magecart gang made the headlines again: according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

A few days ago, security experts at Sanguine Security uncovered a new large-scale payment card skimming campaign that has already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, in which hackers injected a skimmer script into The Guardian website via an old AWS S3 bucket, using wix-cloud[.]com as a skimmer gate.

According to RiskIQ, since April 2018 Magecart hackers have adopted a new tactic that relies on misconfigured Amazon S3 buckets. These misconfigured buckets allow anyone with an active Amazon Web Services account to read from or write to them.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets.” reads the analysis published by RiskIQ. “These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.”

The attackers scan the web for misconfigured buckets containing any JavaScript files, then download the files, modify them by appending the skimming code to the bottom, and overwrite the script on the bucket.
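As an added defensive example (not from the RiskIQ report or this post), the script below flags the S3 ACL grants that make a bucket writable by any AWS account and detects JavaScript objects whose hash no longer matches a known-good baseline, which is how an appended skimmer shows up. The ACL dict is constructed in the shape boto3's get_bucket_acl() returns; the owner ID, object keys and file bodies are placeholders.

```python
# Added example, not from RiskIQ or Security Affairs: flag S3 ACL grants that let
# any AWS account write objects, and detect JavaScript files that grew a tail.
import hashlib

# Real AWS predefined-group grantee URIs used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# ACL permissions that allow changing object content or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (group, permission) pairs from a get_bucket_acl()-shaped dict that
    give write access to every AWS account (AuthenticatedUsers) or to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if (grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTHENTICATED_USERS)
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def tampered_objects(expected_sha256, current_contents):
    """Keys whose current body no longer matches the known-good SHA-256; a skimmer
    appended to the end of a file changes the digest even though the original
    code still runs, so a hash baseline catches what a quick visual check misses."""
    return sorted(key for key, body in current_contents.items()
                  if hashlib.sha256(body).hexdigest() != expected_sha256.get(key))


# Constructed sample ACL in the shape boto3 returns (owner ID is a placeholder).
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
# Constructed sample objects: vendor.js has had unexpected code appended.
CLEAN_JS = b"function checkout(){return 1;}\n"
BASELINE = {k: hashlib.sha256(CLEAN_JS).hexdigest() for k in ("js/app.js", "js/vendor.js")}
CURRENT = {"js/app.js": CLEAN_JS,
           "js/vendor.js": CLEAN_JS + b"/* constructed: appended code */\n"}

if __name__ == "__main__":
    print(risky_grants(SAMPLE_ACL))             # [('AuthenticatedUsers', 'WRITE')]
    print(tampered_objects(BASELINE, CURRENT))  # ['js/vendor.js']
```

Public READ for AllUsers is left unflagged because it is the normal static-hosting setting; only grants that let outsiders change content are reported.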

RiskIQ experts believe threat actors have already compromised a large number of S3 buckets affecting over 17,000 domains, including websites in the top 2,000 of Alexa rankings.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment.” concludes RiskIQ.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets.”

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others; in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow, Amerisleep, and Feedify.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)