Daily Archives: October 12, 2019

Leafly Cannabis information platform suffered a data leak

Leafly, a cannabis information platform, suffered a data leak that exposed the personal information of some of its customers.

Leafly, the world’s leading cannabis resource, informed its customers via email that it has suffered a data leak.

The company discovered on September 30 that a secondary database was exposing customer information from July 2, 2016.

Exposed records include users’ email addresses, usernames and encrypted passwords; fortunately, no financial data was collected by the company.

For some users, the database also leaked names, ages, gender, location, and mobile numbers.

“On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file,” reads the notification email sent to the impacted customers. “Leafly does not collect credit card information or national identification numbers.”


The company hired a forensic security firm to assist its staff in the investigation. It recommends that users reset their password and use a unique password for each online service.

“However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven’t updated them recently, and you haven’t reset your Leafly password, we recommend you do so now,” continues the notification mail.

“Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at support@leafly.com,” states Leafly.

At this time, the number of impacted users is not clear.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Leafly Cannabis information platform suffered a data leak appeared first on Security Affairs.

FIN7 Hackers group is back with a new loader and a new RAT

FireEye Mandiant discovered that the FIN7 hacking group added new tools to its cyber arsenal, including a module that targets the remote administration software of an ATM vendor.

Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.

The group, active since late 2015, has targeted businesses worldwide to steal payment card information. FIN7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality and other industries.

In August 2018, three members of the notorious cybercrime gang were indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The new loader, dubbed BOOSTWRITE, drops malware directly into memory and allows threat actors to load several malicious payloads, including the Carbanak backdoor.

Researchers also spotted a new RAT tracked as RDFSNIFFER that is dropped by the BOOSTWRITE loader.

“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER.” reads the Mandiant report. “While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.”

BOOSTWRITE uses the DLL search order hijacking technique to get its DLL loaded into the target process’s memory; once running, it downloads the initialization vector (IV) and the decryption key needed to decrypt its two embedded payload DLLs.
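The loading technique described above leaves a recognisable trace: a DLL whose filename matches a Windows system library is loaded from a directory other than a system directory. The following is an added example, not code from the Security Affairs post or the Mandiant report, that flags such modules in a process's loaded-module list. The module paths, the set of expected system DLL names and the system directories are constructed assumptions for illustration; a real baseline would be collected from a known-good host.

```python
"""Flag loaded modules that look like DLL search order hijacking.

Added illustration (not from the article or the Mandiant report).
Input: full paths of the modules loaded by one process, as an
analyst would collect them from a process listing or a memory image.
"""
from pathlib import PureWindowsPath

# Directories from which Windows legitimately loads its own DLLs
# (assumption: a default installation on drive C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names a legitimate application is expected to load from a system
# directory. Constructed for this example; build the real list from a
# known-good host rather than from this hard-coded set.
KNOWN_SYSTEM_DLLS = {
    "ntdll.dll", "kernel32.dll", "version.dll", "cryptbase.dll", "dwmapi.dll",
}


def find_hijack_candidates(module_paths):
    """Return the module paths whose filename matches a known system DLL
    but whose directory is not a system directory.

    A system-named DLL sitting in the application's own directory is loaded
    ahead of the genuine one by the default search order, which is exactly
    the condition search order hijacking relies on.
    """
    candidates = []
    for path in module_paths:
        p = PureWindowsPath(path)
        name = p.name.lower()
        directory = str(p.parent).lower()
        if name in KNOWN_SYSTEM_DLLS and directory not in SYSTEM_DIRS:
            candidates.append(path)
    return candidates


# Constructed sample: one system-named DLL was loaded from the vendor's folder.
SAMPLE_MODULES = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Vendor\version.dll",    # system DLL name, application directory
    r"C:\Program Files\Vendor\vendorlib.dll",  # vendor's own library, not a system name
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_MODULES):
        print("possible search order hijack:", hit)
```

The check is deliberately name-based so it can run over a plain module listing; confirming a hit still requires looking at the file itself (signer, hash, creation time), since a vendor may legitimately ship a private copy of a redistributable DLL.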

The loader decrypts the embedded PE32 DLL payloads, performs sanity checks on the results, and then loads them into memory.

The researchers analyzed several samples of BOOSTWRITE; one of them, uploaded to VirusTotal on October 3, was signed with a code signing certificate issued by MANGO ENTERPRISE LIMITED.


The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER hooks into the process of NCR Corporation’s RDFClient; it runs every time the legitimate remote administration software is executed on a compromised machine.

The malicious code is designed to run man-in-the-middle attacks on connections made using RDFClient; it also allows attackers to upload, download, execute and/or delete arbitrary files.

Below is the list of supported commands:

Command Name    Legit Function in RDFClient    RDFClient Command ID    Description
Upload          FileMgrSendFile                107                     Uploads a file to the remote system
Download        FileMgrGetFile                 108                     Retrieves a file from the remote system
Execute         RunCommand                     3001                    Executes a command on the remote system
DeleteRemote    FileMgrDeleteFile              3019                    Deletes a file on the remote system
DeleteLocal     -                              -                       Deletes a local file

In March, the group carried out attacks delivering previously unseen malware tracked as SQLRat, which drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping the DNSbot backdoor, which primarily operates over DNS traffic.

In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who had purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.” concludes the report.

“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)

The post FIN7 Hackers group is back with a new loader and a new RAT appeared first on Security Affairs.

15 Easy, Effective Ways to Start Winning Back Your Online Privacy


Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to rein in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private b) regularly editing friends lists c) deleting personal information on social profiles d) limiting app permissions and browser extensions e) being careful not to overshare.
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy, it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and follow up to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your password and good password practices matter.
  9. Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to protect against rogue attacks.
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.

~~~

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

SIM cards used in 29 countries are vulnerable to Simjacker attack

Security researchers at Adaptive Mobile who discovered the SimJacker issue have published the list of countries where mobile operators use flawed SIM cards.

Exactly one month ago, researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in many countries. The experts discovered that exploitation of the vulnerability is independent of the model of phone used by the victim.

Now Adaptive Mobile has published the list of countries where local mobile operators are using SIM cards affected by the Simjacker flaw, but the company did not name the impacted mobile phone carriers.

“This varies by country and region. From our analysis we could identify 61 Mobile Operators (excluding MVNOs) in the 29 countries that use this technology.” reads the report. “Based on public reported information the cumulative subscriber numbers of these S@T Browser-using Operators comes to ~861 million mobile connections (SIM cards).” “Not all SIM cards in the operator may use this technology. In discussions with a few operators in the LATAM region we were informed that the majority of SIM Cards (>90%) in their network had it.”

Below is the full list of countries published by the experts:

Central America:
Mexico
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica

South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay

Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon

Europe:
Italy
Bulgaria
Cyprus

Asia:
Saudi Arabia
Iraq
Lebanon
Palestine

The S@T Browser application is installed on multiple SIM cards, including eSIM, as part of the SIM Tool Kit (STK); it enables the SIM card to initiate actions which can be used for various value-added services.

The S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be triggered by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to

  • Retrieve the targeted device’s location and IMEI information,
  • Spread misinformation by sending fake messages on behalf of victims,
  • Perform premium-rate scams by dialing premium-rate numbers,
  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
  • Spread malware by forcing victim’s phone browser to open a malicious web page,
  • Perform denial of service attacks by disabling the SIM card, and
  • Retrieve other information like language, radio type, battery level, etc.

On October 3rd, the experts presented their research at the VB2019 conference in London and published a technical paper on the attack. The paper shows how the flaw is being exploited by threat actors and provides technical details on the technologies used in the attacks.

The experts explained that the attack is transparent to the users; the targets are not able to notice any anomaly.

Adaptive Mobile revealed that a private surveillance firm had been aware of the zero-day flaw for at least two years and was actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“Within the report we outline why we think it is a surveillance company that developed this exploit.” read a FAQs page published by the experts. “However, we have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers.”

Experts also added that the vulnerability has likely been exploited by nation-state actors for targeted attacks on persons of interest.

After the flaw was publicly disclosed, the researchers at SRLabs developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset. SRLabs researchers also updated their SIMTester app to include Simjacker.

Experts at Adaptive Mobile also analyzed the impact of the recently disclosed WIBattack and explained that it impacts a smaller number of users compared with SimJacker. Experts estimated that only 8 operators in 7 countries are using SIM cards vulnerable to the attack.

“WIB is a proprietary SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB.” concludes the report. “The WIB technology itself seems less prevalent than the S@T Browser (see diagram below and section 7 of the report), and publicly available information doesn’t indicate that WIB has the same apparent oversight in recommended security level.”

The following graph shows the number of Vulnerable Countries & Operators for S@T Browser and WIB.

“This has important implications for all Mobile Operators if they wish to deal with attacks from threat actors like this in the future.” concludes the report. “It means that previous ways of relying on recommendations, with no operational investigation or research won’t be enough to protect the mobile network and its subscribers, and what’s worse, will give a false sense of security.”

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

The post SIM cards used in 29 countries are vulnerable to Simjacker attack appeared first on Security Affairs.

SIM Cards in 29 Countries Vulnerable to Remote Simjacker Attacks

Until now, I'm sure you all might have heard of the SimJacker vulnerability disclosed exactly a month ago that affects a wide range of SIM cards and can remotely be exploited to hack into any mobile phone just by sending a specially crafted binary SMS. If you are unaware, the name "SimJacker" has been given to a class of vulnerabilities that resides due to a lack of authentication and

Weekly Update 160

Australia! Geez it's nice to sit amongst the gum trees and listen to the birds, even if it's right in the middle of some fairly miserable weather. I'll continue to be here for the foreseeable future too, at least in one state or another. But being back here hasn't stopped me talking about European laws being handled by a local American website nor commentating on the (now well and truly over) debate about the usefulness of visual identity indicators in browsers. But hey, at least the discussion keeps on providing entertaining material!

References

  1. I tweeted about not liking having content blocked when I'm in Europe (no, it doesn't mean I don't like privacy, it means I don't like the choice being taken away from me!)
  2. Is there an elephant in the room? (Or are some people just still fighting a battle for visual indicators that's already been lost?)
  3. But folks pretty quickly ripped into it (sanity prevails, let's treat it as a fruitless attempt to reverse the attitude of most of the major browser vendors)
  4. And just to nail that coffin shut, the thread here is good (it'd be hard to find many people better versed in this stuff than @sleevi_)
  5. Sponsored by Resistance DEX - Privacy-Focused Decentralized Trading - Download it Now!