

Weekly Magazine - 24.07.2020

Published by Helena Sec Ltd, 2020-07-29 13:47:56


Cyber News | JULY 24th, 2020 | #10

HIGHLIGHTS
A malicious Android app steals your data
Cyber criminals demand $7.5M from an Argentinian internet service provider
3 security vulnerabilities found in AvertX IP cameras
Phishing scam mimics Tesco, Britain's leading supermarket chain
New phishing campaign abuses organizational cloud services: Microsoft Azure, Microsoft Dynamics and IBM Cloud
2 cyber attacks against Israeli water infrastructure
Iran: Revolutionary Guard hacker training team forgets to secure 40GB of data about its activities
1 million registered students' details exposed by online learning sites
7 VPN providers responsible for leaking 1.2 terabytes of data on their services' users
Twitter: hackers downloaded data from 8 of the recently hacked accounts

CYBER ATTACKS AND VULNERABILITIES

Malicious Android app steals your data
The malicious "Welcome Chat" app, which claims to offer secure messaging, entices Android users to download and use it. In reality, it steals their data. Researchers shared the details in a blog post and described how they caught the app during a large online advertising campaign. An analysis of the app's code exposed lines that enable spying. The researchers therefore concluded that the app steals user data while also providing the functionality users expect of it.

www.helena-sec.com Helena-sec Helenasec [email protected]

Cyber criminals demand $7.5M from an internet service provider in Argentina
A gang of cyber criminals used ransomware for financial gain, taking control of the internal network run by Telecom Argentina, one of the country's largest internet service providers. The gang is currently demanding a $7.5M ransom to unlock the encrypted files. The attack occurred over the weekend of Saturday, 18 July, and is considered one of the largest cyber incidents Argentina has experienced. Sources within the provider said that the attackers caused serious damage to the company's network after gaining control of an internal admin domain. From there, the ransomware spread to and was installed on more than 18,000 workstations. The attack did not slow the network or disrupt its operation, nor did it affect telephone or cable services. Nonetheless, many official Telecom Argentina websites were down from Saturday. Once the ISP discovered the attack, it instructed employees to limit their interaction with the corporate network, not to connect to the internal VPN, and not to open emails containing attachments.

3 security vulnerabilities found in AvertX IP cameras
AvertX cameras are outdoor surveillance cameras with infrared imaging and object detection. The vulnerabilities allow an attacker to:
- Remotely enumerate valid user names for the camera's accounts, which makes further attacks easier.
- Access the camera with the default password, since the installation process does not require changing it.
- With physical access to the UART (universal asynchronous receiver-transmitter) interface, reset the configuration and even put the camera into an inactive state.
AvertX published a fix for these vulnerabilities, removed the UART connector, and disabled the interface in the latest production batch.

Phishing scam faking a legitimate promotion from Tesco, Britain's leading supermarket chain
The fraud began with a Facebook page that looked official but was fake. Titled "Tesco Britain", it shared images of boxed new TVs, supposedly sitting in a Tesco warehouse. The scam used the fake Facebook page, text messages and email, all aimed at tricking consumers into entering personal and payment details, which were then stolen. The announcement accompanying the advertisements said: "We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can't be sold. However, all of them are in fully working condition, we thought instead of binning them we'd give them away free to 500 people who have shared and commented on this post by July 18". Users shared the post enthusiastically, helping it spread, before receiving an email offering them the chance of "receiving your prize". A button in the message redirected victims to a landing page where they entered their names, home addresses, phone numbers and bank details.

New phishing campaign uses three organizational cloud services, Microsoft Azure, Microsoft Dynamics and IBM Cloud, to steal login details
A new phishing campaign claims to come from a "servicedesk.com" company, mimicking the wording used by IT service providers in corporate environments. The email imitates the "quarantined email" notice that workplace email security and spam-filtering products send, and asks the user to "release" messages stuck in the queue. Phishing hosted on legitimate cloud infrastructure is on the rise, since such infrastructure lends legitimacy to the attack and provides SSL/TLS certificates for free, making the pages appear trustworthy and blurring the victim's ability to recognize them as fraudulent.

2 cyber attacks on Israel's water systems
Two cyber attacks were carried out against Israeli water installations, targeting pumping infrastructure in the Upper Galilee and in Mateh Yehuda. The Water Authority confirmed the incidents and noted that neither caused damage. "These are two small regional sewage systems in the agricultural sector. They were immediately and independently repaired by the local person in charge at the kibbutz and at the installation without any damage to services or actual impact," the Water Authority advised. Daniel Lecker, manager of the Division for Water, Emergency Security and Cyber at the Water Authority, said that no real damage was caused by either incident and that consumers felt no operational impact on the supply of water or the removal of sewage. As previously reported, on 24 and 25 April a similar attack was carried out on Israel's water and sewage systems; Fox News reported that Iran was responsible for that attack.

INFO LEAKS

Iranian hackers misconfigured their server and exposed 40GB of information about their activities
IBM's security research team recently discovered that it had obtained screen recordings from computers belonging to Iranian hackers of the APT35 unit, also known as Charming Kitten. According to the IBM researchers, the group is part of Iran's Revolutionary Guard and is considered one of the most active in the world. The roughly 40 gigabytes found by the researchers included data the hackers had taken from their victims. The report revealed that information had been drawn from computers belonging to an American naval officer and a Greek military officer while the Iranians searched for data on upcoming military tactics of interest to them. The group also tried, but failed, to phish the US State Department and an Iranian-American philanthropist whose name was not disclosed. The researchers also found names and phone numbers of fictitious personas created by the group to hide its moves.

One million student records exposed by online learning sites
Almost one million records containing students' personal information were leaked as a result of cloud misconfigurations at five online learning platforms. Four misconfigured AWS S3 buckets and an unsecured Elasticsearch server exposed the students' details: full names, home addresses, email addresses, social security numbers, phone numbers, dates of birth, and information about their colleges and courses. Incidents of this kind are common in almost every sector, but the online learning sector has only recently begun to flourish, due to school closures during the Covid-19 pandemic.

7 VPN providers responsible for a leak of 1.2 terabytes of user data from their servers
Seven VPN providers that claimed not to store user details such as user names and passwords are responsible for a leak of some 1.2TB of data. Passwords, personal information, and lists of websites visited by users were found. The providers had stated outright that their services keep no logs and that no user activity is stored on their servers. Nonetheless, the leaked data allows users to be personally identified and includes email addresses, passwords, IP addresses, home addresses, phone models, device identifiers, and other technical details.
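The misconfiguration behind the student-records story above is a familiar one, so here is the check a practitioner would run on a bucket before data lands in it. The Python below is an added example, not code from the newsletter or from any of the affected platforms. It evaluates the three documents the S3 API returns for a bucket (the policy from GetBucketPolicy, the ACL from GetBucketAcl, and the PublicAccessBlockConfiguration from GetPublicAccessBlock) as plain dicts, so it runs offline without AWS credentials; the sample documents, bucket names and account IDs are constructed for illustration. Wiring it to boto3's get_bucket_policy, get_bucket_acl and get_public_access_block calls is left to the reader (note that get_bucket_policy returns the policy as a JSON string that must be parsed first). It does not cover the unsecured Elasticsearch server also mentioned in the story.

```python
"""Offline audit of an S3 bucket's public-exposure settings (added example).

Input documents are the dicts the S3 API returns; the samples at the bottom are
constructed, with made-up bucket names, account IDs and canonical user IDs.
"""
from typing import Any, Dict, List, Optional

# Predefined S3 grantee groups: a grant to AllUsers is readable by anyone on the
# internet, a grant to AuthenticatedUsers by anyone holding any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# All four settings must be on for S3 Block Public Access to neutralise public
# policies and ACLs at the bucket level.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement: Dict[str, Any]) -> List[str]:
    """Flatten Principal ("*" or {"AWS": [...], "Service": ...}) to plain strings."""
    principal = statement.get("Principal")
    if isinstance(principal, str):
        return [principal]
    flattened: List[str] = []
    for value in (principal or {}).values():
        flattened.extend(_as_list(value))
    return flattened


def policy_findings(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Flag Allow statements whose principal is "*" (everyone).

    A wildcard principal narrowed by a Condition (e.g. aws:SourceVpce) may or may
    not be public depending on the condition key, so it is reported for review
    rather than declared public.
    """
    findings: List[str] = []
    for statement in _as_list((policy or {}).get("Statement")):
        if statement.get("Effect") != "Allow" or "*" not in _principals(statement):
            continue
        sid = statement.get("Sid", "<no Sid>")
        if statement.get("Condition"):
            findings.append(f"policy {sid}: wildcard principal scoped by Condition, review manually")
            continue
        actions = ", ".join(_as_list(statement.get("Action")))
        findings.append(f"policy {sid}: public Allow for {actions}")
    return findings


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """Flag ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GRANTEE_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"acl: {grant.get('Permission')} granted to {group}")
    return findings


def public_access_block_findings(pab: Optional[Dict[str, Any]]) -> List[str]:
    """Report Block Public Access settings that are absent or switched off."""
    if pab is None:
        return ["public-access-block: not configured"]
    return [f"public-access-block: {key} is off" for key in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(key)]


def audit_bucket(policy: Optional[Dict[str, Any]], acl: Dict[str, Any],
                 pab: Optional[Dict[str, Any]]) -> List[str]:
    """Run all three checks; an empty list means no public exposure was found."""
    return policy_findings(policy) + acl_findings(acl) + public_access_block_findings(pab)


OWNER_ID = "0" * 64  # placeholder canonical user ID (constructed)
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}

# Constructed sample: the shape of a leaky bucket (public read policy, public ACL,
# no Block Public Access at all).
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-student-records", "arn:aws:s3:::example-student-records/*"],
    }],
}
LEAKY_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}

# Constructed sample: the hardened equivalent (one application role, owner-only
# ACL, Block Public Access fully enabled).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBackendRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-student-records/*",
    }],
}
HARDENED_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}
HARDENED_PAB = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    for name, args in (("leaky", (LEAKY_POLICY, LEAKY_ACL, None)),
                       ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(name, audit_bucket(*args) or ["no public exposure found"])
```

The leaky sample produces three findings (a public Allow for s3:GetObject and s3:ListBucket, a READ grant to AllUsers, and no Block Public Access), while the hardened sample produces none. A wildcard principal that carries a Condition is deliberately not declared public: whether it is depends on the condition key, so the script asks for a manual look instead of guessing.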

Twitter reveals that hackers downloaded data from eight of the recently hacked accounts
Twitter experienced one of the largest hacks in its history, with the accounts of several high-profile persons broken into. The social media giant confirmed that the attackers had taken control of 130 accounts in last week's breach and that data had been downloaded from eight of them. Twitter explained that it was the victim of "a coordinated social engineering attack" against its employees, which gave the attackers access to its internal tools. The accounts were hijacked at roughly the same time and used to promote a cryptocurrency scam: the attackers posted messages urging followers of the hacked accounts to send money to a specific Bitcoin wallet address in order to receive larger sums back. Account data was downloaded through the "Your Twitter data" tool. Twitter stated that its response team acted immediately on discovering the breach and blocked access to the internal systems to lock the attackers out. The company chose to publish only some details of its remediation process in order to protect its effectiveness, and plans to provide further technical details in the future.

OUR WEEKLY RECOMMENDATION
Make sure your work environment is secured at home too, not just in the workplace. How? With a few simple steps:
- Lock your computer and mobile device when you are not using them. When we work with important and sensitive data, we need to be sure it is safe. Locking devices protects your personal information, company information, and the data of people in your workplace's contact lists from prying eyes.
- Never install programs from an unknown source. Malware often masquerades as legitimate software such as games, tools or even antivirus programs! Its goal is to mislead you and infect your computer or network.
- Play hard to get. When you face an enticing proposition, cyber criminals will typically offer a monetary reward, threaten you, or claim to be someone who needs your help. Never fall into that trap. Guard your personal information and keep it as private as possible. Cyber criminals also use social engineering with a victim's personal details to persuade you to skip standard security procedures!

