My information Resource (blog.mir.net)

The 2019 NY Metro Joint Cyber Security Conference will take place on Thursday October 10^th. NYMJCSC is now in its sixth year; featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

NYMJCSC is also offering a post-conference workshop on Friday, October 11^th
featuring in-depth full-day hands-on classroom-style educational
courses to expand your knowledge and foster security discussions.

We are pleased to announce Ron Ross, Fellow at the National Institute of Standards and Technology (NIST), as our 2019 conference keynote.


NYMJCSC:
Who We Are

The New York Metro Joint Cyber Security Conference is a collaborative
event cooperatively developed, organized and sponsored by the leading
information security industry organizations and chapters.

Organizational Partners:

• InfraGard Members Alliance – New York Metro Chapter
• Information Systems Audit and Control Association (ISACA) – New Jersey Chapter
• Information Systems Audit and Control Association (ISACA) – Greater Hartford CT Chapter
• High Technology Crime Investigation Association (HTCIA) – New York City Metro Chapter
• Internet Society (ISOC) – New York Chapter
• Information Systems Security Association (ISSA) – New York Chapter
• Association of Certified Fraud Examiners (ACFE) – New Jersey Chapter

Community Partners:

• (ISC)² – New Jersey Chapter
• Cloud Security Alliance (CSA) – New York Metro Chapter
• Association of Continuity Professionals (ACP) – New York City Metro Chapter

Driven by the collaboration between members of this coalition, the
strength of organizational membership, the provision of desirable CPE
credits and the concurrence of National Cyber Security Awareness Month,
the NYMJCSC promises — once again — to be well-attended by members of
the information technology, information security, audit, academic, and
business communities.

To learn more please go to  http://nymjcsc.org/

Cybersecurity researchers today revealed the
existence of a new and previously undetected critical vulnerability in
SIM cards that could allow remote attackers to compromise targeted
mobile phones and spy on victims just by sending an SMS.

Dubbed “SimJacker,” the vulnerability resides in a particular piece of software, called the S@T Browser (a
dynamic SIM toolkit), embedded on most SIM cards that is widely being
used by mobile operators in at least 30 countries and can be exploited
regardless of which handsets victims are using.

What’s worrisome?
A specific private company that works with governments is actively
exploiting the SimJacker vulnerability from at least the last two years
to conduct targeted surveillance on mobile phone users across several
countries.

S@T Browser, short for SIMalliance
Toolbox Browser, is an application that comes installed on a variety of
SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been
designed to let mobile carriers provide some basic services,
subscriptions, and value-added services over-the-air to their customers.

you can read the full  article

https://alienskills.com/contents/BewareRedAlertNewSIM_1279477829062.html

    Linux™ operating systems are sometimes overlooked as targets for malware due to the smaller pool of victims compared to more popular operating systems. With the reduced number of targets, the attacker is incentivized to direct their efforts towards a richer hunting ground. But despite that, the lilu (or lilocked) ransomware targets solely Linux based web servers. It has infected over 6000 servers so far and looks to continue for the foreseeable future.

    While the ransomware primarily targets Linux web servers, there is no evidence precluding the ransomware’s ability to infect other Linux systems. The web server’s infected status is visible to web crawlers whereas non-web server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder in which encrypted files are located. The “#README.lilocked” file is a ransom note that directs the victim to a Tor page with a key to use on said Tor page. The key provides access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay a ransom to decrypt the files.

    The ransom has been so far inconsistent and has reportedly requested from .01BTC to .03BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a few kinds of file extensions such as HTML, SHTML, JS, CSS, PHP, INI, and other image file formats. 

   There has not been any success in the decryption efforts. But one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that the ransomware persists despite the system being taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The exploit that is suspected is tracked in CVE-2019-15846 and has since been patched and leads researchers to believe lilu only affects older versions of Exim. There has yet to be any evidence of paying the ransom being a successful method to decrypt one’s files as well, though the attacker is not incentivized to create a reputation of services not rendered.

Sources:

 • https://www.bleepingcomputer.com/news/security/lilocked-ransomwareactively-targeting-servers-and-web-sites/ 

• https://www.zdnet.com/article/thousands-of-servers-infected-with-newlilocked-lilu-ransomware/ 

• https://fossbytes.com/lilocked-ransomware-infected-linux-servers/09

    Keeping track of your child’s whereabouts has never been easier. A quick search on Amazon shows thousands of entries for low-cost GPS trackers designed to be worn by children and linked to an app on the parent’s smartphone. However, the appeal of the low cost comes at a much larger price. Researchers from Avast found a handful of vulnerabilities in 29 models of GPS trackers made by Chinese company Shenzhen i365. The researchers found that an attacker with an internet connection can use the GPS to track the location of the wearer, spoof the location data of the device, and even access the microphone of the device to eavesdrop on the wearer. This is because the communication between the device, the cloud, and the companion mobile app use the unencrypted HTTP protocol. This allows for the exploitation of a man in the middle (MitM) attack where an attacker can listen in on the communication and alter the data being sent or received.

    In addition to this, the user account, which is associated with an ID number, comes shipped with a default password of 123456. The researchers found that the ID number is not assigned randomly, it is associated with the device’s IMEI number. An IMEI number is a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log into the accounts of about 25% of the devices in the sequence of IMEI numbers. This would allow them to see the real-time location of the devices on that account.  Avast estimated that over half-a-million people are using GPS trackers affected by these vulnerabilities.

    Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but have not received a response. A senior researcher stated that “we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices.” When shopping for any IoT devices, it can be tempting to go with the low-cost, off-brand option, especially when that name-brand device can be so much more expensive. However, the cheaper option is often skimped on or has simply not included basic security measures to reduce the cost. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind but in reality, they make the wearer more vulnerable, not less.

Sources

 • https://thehackernews.com/2019/09/gps-tracking-device-for-kids.html 

• https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/ 

    When Turkish researcher Özkan Mustafa Akkuş publicly disclosed a Remote Code Execution (RCE) vulnerability in the Webmin application at DefCon this month, the Webmin developers went into emergency overdrive mode to fix this issue ASAP. While the ethics of Akkuş’ disclosure without notifying the Webmin team first are certainly questionable, the vulnerability itself is severe and had been hidden for over a year. Even more alarming, further investigation by the Webmin team revealed that it wasn’t a coding error but in fact a malicious backdoor injected into the codebase through a build server.

    Webmin is a popular open-source application allowing management of Unixbased systems over the web. This includes management of users and groups, databases, web servers, e-mail, firewall, backups: pretty much any administration of the system. The vulnerability, CVE-2019-15107, pertains to the password expiration function allowing admins to require a user to set a new password at a set interval. By adding a pipe command “|” to the old password field using POST requests, a remote attacker could run arbitrary commands as the root user on the system.

   The vulnerability was introduced into the system by a malicious attacker in April 2018 by exploiting a Webmin development build server and modifying the password_change.cgi script. After some users reported that the password expiration feature was encountering errors, the developers reverted to an older version of the file that turned this feature off by default and inadvertently corrected the vulnerability. However, the attacker once again modified the file in July 2018. Even though the build server was decommissioned in September 2018, the new server was built from a directory containing the modified file so the vulnerability persisted until its DefCon reveal.

    The Webmin development team stated that version 1.890 included the vulnerability and that the password expiration function is enabled by default, making this the most vulnerable version. Versions 1.900 through 1.920 also include the vulnerability but with the password expiration function disabled by default. Version 1.930 was released following the DefCon reveal, which contains fixes for this vulnerability as well as some Cross-Site Scripting (XSS) vulnerabilities. Webmin developers are taking steps to ensure this issue doesn’t happen again, including an updated build process to only use checked-in code from GitHub, rotating all passwords and keys, and an audit of all GitHub check-ins over the past year.

Sources:

•  https://thehackernews.com/2019/08/webmin-vulnerability-hacking.html

 • https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/ 

• http://www.webmin.com/exploit.html

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheating device for the multiplayer Hunger Games style video game Fortnite. It proclaims the ability to provide aim assistance as well as player location revealing abilities. It doesn’t provide any of these capabilities and instead installs an open source ransomware, Hidden-Cry with a .syrk extension.
   
    Hidden-Cry was shared on git-hub at the end of last year and is still openly available. The ransomware goes through a ten step process which consists of contacting a command & control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to establish a threat, and finally propagating itself malicious versions of files within connected USB drives. This particular malware is relatively benign. The decrypting tool is readily available with the files downloaded and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker may provide a password to the victim once the ransom is paid. It’s possible for a criminal to simply not send anything once payment is rendered. But if they intend to propagate via USB drive, it’s likely that the first victim would be in contact with the next, and creating a reputation where payment brings no benefit would only prevent further payment. What’s surprising is that the ransomware creates the file with the password right on the victim’s computer. It even includes a Delete.exe that removes all traces of itself from the victim’s computer (not USB drives) and even removes the start up file, making good on its promise after the password is entered.

    This attack is clearly targeted towards either the weak willed or the less informed. Children are particularly susceptible to the temptation to even the playing field to match the older or more dexterous peers in the game. The disguise as a tool for cheating already shows that the attacker intends to target those who would try to use shortcuts to achieve success over the effort of getting better at the game. While desire to win doesn’t make a vulnerable target, the lack of experience with scams and pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but it’s target is particularly susceptible to such machinations.

Sources:

• https://www.cyren.com/blog/articles/open-source-ransomware-targetsfortnite-users

• https://www.kaspersky.com/blog/ransomware-in-fortnite-cheats/28104/

• https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbotgame-hack/147549/

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to
remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster
victims and potential donors. Fraudulent emails commonly appear after major
natural disasters and often contain links or attachments that direct users to
malicious websites. Users should exercise caution in handling any email with a
hurricane-related subject line, attachment, or hyperlink. In addition, users
should be wary of social media pleas, texts, or door-to-door solicitations
relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators
should review the following resources and take preventative measures:

• Staying
  Alert to Disaster-related Scams
• Before
  Giving to a Charity
• Staying
  Safe on Social Networking Sites
• Avoiding
  Social Engineering and Phishing Attacks

If you believe you have been a victim of cybercrime, file a complaint with
the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

Researchers at CheckPoint unveiled a method that could allow malicious actors to exploit programs that query SQLite databases. The findings were presented at the DEFCON cybersecurity conference last weekend by Omer Gull, a vulnerability researcher at CheckPoint. The researchers found that by overwriting a non-malicious SQLite database with a specially crafted malicious one, they can achieve remote code execution. SQLite is a C-language library that enables a fully self-contained SQL database engine. SQLite is used extensively by multiple operating systems such as iOS and Android, and applications such as Chrome, Firefox, Safari, and Dropbox. The researchers state that this attack technique allows for the exploitation of code that queries an SQLite database that an attacker can modify.

The researchers stated that the idea of an SQLite attack came from its role in command-and-control (C2) servers utilized by password-stealing malware. While reverse-engineering the malware, the researchers determined that most of them work in the same way. They state that “after the malware collects these SQLite files, it sends them to its C2 server where they are parsed using PHP and stored in a collective database containing all of the stolen credentials”. Using the specially crafted SQLite database, the researchers were able to gain a web shell on a C2 server in a lab environment by simulating the upload of a database.

In addition to exploiting a C2 server, the researchers provided another scenario where this vulnerability can be exploited. Within the iOS operating system, the “AddressBook.sqlitedb” file is one of the most common database files. This file is used for contact storage and is often referenced by either Apple apps or third-party messaging apps. By replacing this file with a malicious version, the researchers say that they can gain code execution. Normally persistence on iOS devices is difficult to achieve due to Apple’s Secure Boot feature. This security feature mandates that all executable files must be signed. However, SQLite database files are not signed, which allow for their modification.
While the researchers privately disclosed the vulnerabilities (CVE-2019-8600, CVE2019-8598, CVE-2019-8602, CVE-20198577) that were then patched in the latest SQLite version along with the latest iOS version (iOS 12.3), they said there are numerous other scenarios where this vulnerability can be exploited. “SQLite is one of the most deployed software in the world. However, from a security perspective, it has only been examined through the lens of WebSQL and browser exploitation,” said Omer Gull. SQLite attack scenarios should be considered a “major cyberthreat.” As always, keeping programs and operating systems up to date with the latest patches is one of the best ways to prevent the exploitation of these vulnerabilities.

Sources

• https://threatpost.com/sqlite-exploits-iphone-hack/147203/ 

• https://research.checkpoint.com/select-code_execution-from-usingsqlite/ 

    The Armis research team recently revealed 11 vulnerabilities, ranging from denial of service to remote code execution, affecting the VxWorks operating system. VxWorks is a real time operating system used in millions of embedded devices, from consumer electronics to medical devices. The vulnerabilities discovered bypass most forms of security and can even be used on the devices designed to secure the infrastructure if they utilize VxWorks.
The most critical vulnerabilities found allow for remote code execution on the target devices. Five of the critical vulnerabilities found require no interaction on the target system and are exploitable no matter how the device is configured. The sixth vulnerability requires the VxWorks internal DHCP client to parse a specially crafted response from an IP address allocation request. While this may seem like a difficult attack scenario, DHCP requires no authentication during these requests. This means an attacker can just wait, listening on the network until a request is made, and then spoof a malicious response before the real server. These vulnerabilities could allow for full takeover of a target network that used VxWorks based firewalls, making them especially dangerous.
Besides the critical vulnerabilities, there were also five lower impact, but still impactful, vulnerabilities found. One of the vulnerabilities allows for a complete denial of service which can be triggered by an attacker outside of the network. The other denial of service vulnerabilities discovered require the attacker to be in network proximity of the vulnerable device but can still prevent the vulnerable device from functioning if triggered.

    Armis describes three attack scenarios in their release document. The first scenario is based on the attacker being outside of the target network. VxWorks is used in a number of firewall devices and are immediately able to be exploited because they handle all network traffic. The second attack scenario is similar to the first in that the attack is outside of the network but are able to attack devices inside the network that can be reached from the outside. The third attack scenario is by an attacker positioned inside the network, such as on wifi or a guest network.

   VxWorks is sold and supported by Wind River, who was notified about the vulnerabilities. Wind River posted a security advisory covering the vulnerabilities and updates for affected customers. It is critical that affected devices are patched as soon as updates for them are available to prevent exploitation of these flaws.
Sources: 
• https://www.threatpost.com/urgent-11-critical-infrastructureeternalblue/146731/

• https://armis.com/urgent11/

The Internal Revenue Service (IRS) has issued a warning about a new email
scam in which malicious cyber actors send unsolicited emails to taxpayers from
fake (i.e., spoofed) IRS email addresses. The emails contain a link to a
spoofed IRS.gov website that displays fake details about the targeted
recipient’s tax refund, return, or account. The emails instruct the recipient
to access their refund information by entering a provided password on the
spoofed website. By entering the password, the victim unintentionally downloads
malware that could enable the malicious cyber actors to take control of the
affected system or obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
and administrators to review the IRS
news release and the CISA Tip on Avoiding Social Engineering
and Phishing Attacks for more information.