Tuesday, September 17, 2019

#Beware #RedAlert: New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), that is embedded on most SIM cards, is widely used by mobile operators in at least 30 countries, and can be exploited regardless of which handset the victim is using.

What's worrisome? A specific private company that works with governments has been actively exploiting the SimJacker vulnerability for at least the last two years to conduct targeted surveillance on mobile phone users across several countries.

S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.


You can read the full article here:

https://alienskills.com/contents/BewareRedAlertNewSIM_1279477829062.html

LULU ransomware encrypts files on Linux systems

    Linux™ operating systems are sometimes overlooked as targets for malware because the pool of victims is smaller than for more popular operating systems. With fewer targets, attackers are incentivized to direct their efforts towards richer hunting grounds. Despite that, the lilu (or lilocked) ransomware targets solely Linux-based web servers. It has infected over 6000 servers so far and looks set to continue for the foreseeable future.


    While the ransomware primarily targets Linux web servers, there is no evidence precluding the ransomware’s ability to infect other Linux systems. The web server’s infected status is visible to web crawlers whereas non-web server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder in which encrypted files are located. The “#README.lilocked” file is a ransom note that directs the victim to a Tor page with a key to use on said Tor page. The key provides access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay a ransom to decrypt the files.

    The ransom demanded has so far been inconsistent, reportedly ranging from 0.01 BTC to 0.03 BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a few kinds of file extensions, such as HTML, SHTML, JS, CSS, PHP, and INI, as well as various image file formats.

    There has not been any success in the decryption efforts. But one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that the ransomware persists despite the system being taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The suspected exploit is tracked as CVE-2019-15846; it has since been patched, which leads researchers to believe lilu only affects older versions of Exim. There is also no evidence yet that paying the ransom successfully decrypts one’s files, though the attacker has no incentive to build a reputation for services not rendered.
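As an added example (not code from any of the cited sources), the following Python scanner is what a defender could run on a Linux web server to find the ransom note described above and to sort the targeted-extension files sitting next to it into "looks encrypted" and "still plaintext" using a byte-entropy check. The note name and the file types come from the write-up; the entropy threshold, the function names and the constructed sample directory tree are assumptions made for this example.

```python
import json
import math
import os
import random
import tempfile
from pathlib import Path

# Indicators from the write-up above: the ransom note dropped in every
# folder with encrypted files, and the file types reported as targeted.
RANSOM_NOTE = "#README.lilocked"
TARGETED_EXTENSIONS = {".html", ".shtml", ".js", ".css", ".php", ".ini"}

# Assumption: properly encrypted data approaches 8 bits of entropy per byte,
# while HTML, CSS and similar text usually stays well below 6.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_targeted(path: Path) -> bool:
    # `suffixes` rather than `suffix`, so a renamed file such as
    # "page.html.<something>" is still matched on its original type.
    return any(s.lower() in TARGETED_EXTENSIONS for s in path.suffixes)


def scan_tree(root: str) -> dict:
    """Walk `root`; for each directory holding a ransom note, sort the
    targeted files in it into likely-encrypted and still-plaintext."""
    findings = {"notes": [], "likely_encrypted": [], "targeted_plaintext": []}
    for dirpath, _dirs, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue  # no note here: nothing to report for this folder
        findings["notes"].append(os.path.join(dirpath, RANSOM_NOTE))
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE or not is_targeted(path):
                continue
            bucket = ("likely_encrypted"
                      if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD
                      else "targeted_plaintext")
            findings[bucket].append(str(path))
    return findings


def build_sample_tree() -> str:
    """Constructed sample data, not real artefacts: one 'infected' web root
    and one clean directory under a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="lilu-demo-")
    infected = Path(root, "var", "www", "site")
    infected.mkdir(parents=True)
    (infected / RANSOM_NOTE).write_text("constructed placeholder ransom note\n")
    # Seeded pseudo-random bytes stand in for ciphertext (high entropy).
    rng = random.Random(1)
    (infected / "index.html").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (infected / "style.css").write_text("body { margin: 0; }\n" * 50)
    clean = Path(root, "var", "www", "other")
    clean.mkdir(parents=True)
    (clean / "app.js").write_text("console.log('untouched');\n")
    return root


if __name__ == "__main__":
    print(json.dumps(scan_tree(build_sample_tree()), indent=2))
```

Run it as a script to see the report for the constructed tree, or point `scan_tree` at a real web root. The entropy check matters because a ransom note alone does not tell you which files were actually touched; a targeted file that still reads as plaintext may simply not have been reached yet, which is useful when deciding what to restore.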

Sources:

 • https://www.bleepingcomputer.com/news/security/lilocked-ransomwareactively-targeting-servers-and-web-sites/

 • https://www.zdnet.com/article/thousands-of-servers-infected-with-newlilocked-lilu-ransomware/

 • https://fossbytes.com/lilocked-ransomware-infected-linux-servers/09

Does Anyone Else Know Where Your Children Are

    Keeping track of your child’s whereabouts has never been easier. A quick search on Amazon shows thousands of entries for low-cost GPS trackers designed to be worn by children and linked to an app on the parent’s smartphone. However, the appeal of the low cost comes at a much larger price. Researchers from Avast found a handful of vulnerabilities in 29 models of GPS trackers made by the Chinese company Shenzhen i365. The researchers found that an attacker with an internet connection can use the GPS to track the location of the wearer, spoof the location data of the device, and even access the microphone of the device to eavesdrop on the wearer. This is because the communication between the device, the cloud, and the companion mobile app uses the unencrypted HTTP protocol, which enables a man-in-the-middle (MitM) attack in which an attacker can listen in on the communication and alter the data being sent or received.

    In addition to this, the user account, which is associated with an ID number, ships with a default password of 123456. The researchers found that the ID number is not assigned randomly; it is associated with the device’s IMEI number. An IMEI number is a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log into the accounts of about 25% of the devices in the sequence of IMEI numbers, which would allow them to see the real-time location of the devices on those accounts. Avast estimated that over half a million people are using GPS trackers affected by these vulnerabilities.

    Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but has not received a response. A senior researcher stated that "we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices." When shopping for any IoT device, it can be tempting to go with the low-cost, off-brand option, especially when the name-brand device can be so much more expensive. However, the cheaper option often skimps on, or simply omits, basic security measures to keep costs down. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind, but in reality they make the wearer more vulnerable, not less.

Sources:

 • https://thehackernews.com/2019/09/gps-tracking-device-for-kids.html

 • https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/

Wednesday, September 4, 2019

Intentional Backdoor Webmin RCE Vulnerability

    When Turkish researcher Özkan Mustafa Akkuş publicly disclosed a Remote Code Execution (RCE) vulnerability in the Webmin application at DefCon this month, the Webmin developers went into emergency overdrive mode to fix this issue ASAP. While the ethics of Akkuş’ disclosure without notifying the Webmin team first are certainly questionable, the vulnerability itself is severe and had been hidden for over a year. Even more alarming, further investigation by the Webmin team revealed that it wasn’t a coding error but in fact a malicious backdoor injected into the codebase through a build server.

    Webmin is a popular open-source application allowing management of Unix-based systems over the web. This includes management of users and groups, databases, web servers, e-mail, firewall, and backups: pretty much any administration of the system. The vulnerability, CVE-2019-15107, pertains to the password expiration function, which allows admins to require a user to set a new password at a set interval. By adding a pipe character “|” followed by a command to the old password field in a POST request, a remote attacker could run arbitrary commands as the root user on the system.

    The vulnerability was introduced into the system by a malicious attacker in April 2018 by exploiting a Webmin development build server and modifying the password_change.cgi script. After some users reported that the password expiration feature was encountering errors, the developers reverted to an older version of the file that turned this feature off by default and inadvertently corrected the vulnerability. However, the attacker once again modified the file in July 2018. Even though the build server was decommissioned in September 2018, the new server was built from a directory containing the modified file so the vulnerability persisted until its DefCon reveal.

    The Webmin development team stated that version 1.890 included the vulnerability and that the password expiration function is enabled by default, making this the most vulnerable version. Versions 1.900 through 1.920 also include the vulnerability but with the password expiration function disabled by default. Version 1.930 was released following the DefCon reveal, which contains fixes for this vulnerability as well as some Cross-Site Scripting (XSS) vulnerabilities. Webmin developers are taking steps to ensure this issue doesn’t happen again, including an updated build process to only use checked-in code from GitHub, rotating all passwords and keys, and an audit of all GitHub check-ins over the past year.
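The class of bug described above, shown as an added example written in Python rather than Webmin's own Perl (this is not Webmin's code and does not reproduce password_change.cgi): the vulnerable form splices a user-controlled "old password" value into a command string that a shell parses, so a "|" or ";" in the field turns data into a command; the two hardened forms keep the shell from ever seeing the value as syntax. `echo` stands in for whatever command the real script ran, and the function names and the probe input are assumptions made for this example.

```python
import shlex
import subprocess

# `echo` is a stand-in for whatever command the real script ran with the
# submitted value; the point is how the value reaches the process.


def run_password_check_vulnerable(old_password: str) -> str:
    """Backdoored pattern, simplified: the submitted value is spliced into a
    command string that a shell parses, so '|' or ';' in the field are
    executed as commands rather than compared as a password."""
    cmd = f"echo {old_password}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_password_check_hardened(old_password: str) -> str:
    """No shell at all: the value is one argv element, so the kernel hands it
    to the program untouched and metacharacters are just bytes."""
    return subprocess.run(["echo", old_password], capture_output=True, text=True).stdout


def run_password_check_quoted(old_password: str) -> str:
    """If a shell is unavoidable, quote the value so it stays a single word."""
    cmd = f"echo {shlex.quote(old_password)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def contains_shell_metacharacters(value: str) -> bool:
    """Defence in depth for request handling: flag (reject and log) a field
    value carrying shell metacharacters before it reaches any command."""
    return any(ch in value for ch in "|;&$`<>\n")


if __name__ == "__main__":
    # Constructed input: a password field with a second command appended.
    probe = "secret; echo INJECTED"
    print(repr(run_password_check_vulnerable(probe)))  # 'secret\nINJECTED\n'
    print(repr(run_password_check_hardened(probe)))    # 'secret; echo INJECTED\n'
    print(repr(run_password_check_quoted(probe)))      # 'secret; echo INJECTED\n'
```

The argv-list form is the right fix: there is no shell in the path, so no quoting rule can be wrong. The `shlex.quote` form is the fallback for code that genuinely needs a shell, and the metacharacter check is a cheap signal to log at the web layer regardless of which form the backend uses. The supply-chain half of the story, building only from checked-in code and auditing check-ins, is what makes such a review stick, since the code being reviewed has to be the code being shipped.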

Sources:

 • https://thehackernews.com/2019/08/webmin-vulnerability-hacking.html

 • https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/

 • http://www.webmin.com/exploit.html

The Syrk ransomware

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheating tool for the multiplayer Hunger Games-style video game Fortnite. It claims to provide aim assistance as well as the ability to reveal player locations. It provides none of these capabilities and instead installs the open-source ransomware Hidden-Cry, which encrypts files with a .syrk extension.

    Hidden-Cry was shared on GitHub at the end of last year and is still openly available. The ransomware goes through a ten-step process which consists of contacting a command & control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to reinforce the threat, and finally propagating itself by placing malicious versions of files on connected USB drives. This particular malware is relatively benign. The decryption tool is readily available with the downloaded files and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker can provide a password to the victim once the ransom is paid. It's possible for a criminal to simply send nothing once payment is rendered, but if they intend to propagate via USB drive, it's likely that the first victim would be in contact with the next, and earning a reputation where payment brings no benefit would only prevent further payments. What's surprising is that the ransomware creates the file with the password right on the victim's computer. It even includes a Delete.exe that removes all traces of itself from the victim's computer (not USB drives) and even removes the startup file, making good on its promise after the password is entered.

    This attack is clearly targeted towards either the weak-willed or the less informed. Children are particularly susceptible to the temptation to level the playing field against older or more dexterous peers in the game. The disguise as a cheating tool already shows that the attacker intends to target those who would try to use shortcuts to achieve success rather than put in the effort to get better at the game. While the desire to win doesn’t make someone a vulnerable target, the lack of experience with scams and the pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but its target is particularly susceptible to such machinations.


Sources:

 • https://www.cyren.com/blog/articles/open-source-ransomware-targetsfortnite-users

 • https://www.kaspersky.com/blog/ransomware-in-fortnite-cheats/28104/

 • https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbotgame-hack/147549/

Potential Hurricane Dorian Cyber Scams


Original release date: September 4, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:


If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.