Saturday, September 14, 2019

Android Optimization: Not really!



Of the different mobile platforms available, Android phones are clearly targeted more often, for a number of reasons. Malware samples are regularly detected and reverse engineered. One of the recent examples focused on stealing the user’s PayPal funds.

Latest Example
This latest sample was discovered in November 2018 by ESET. The malware is presented as a battery enhancement application, which naturally attracts downloads, as most users want longer battery life. The app itself is titled Android Optimization. In theory, the app would optimize the device’s battery life. In practice it was coded to steal 1,000 euros in about five seconds through PayPal. What makes this interesting, other than the coding, is that it was distributed through third-party app stores. Although this is only mildly novel, it allows the application to bypass the Google Play Store and the associated review of the app and its code.
Operations 
The malware sample was coded to abuse Android’s Accessibility Services, which are intended to assist users with disabilities. The app instead lures the user into enabling a malicious accessibility service, which gives the attackers control over a portion of the phone. The overt control takes place when the user opens specific applications, primarily PayPal, Google Play, WhatsApp, Skype, Gmail, and a few banking apps. The malware uses two functions to attack the user. The first is the automated PayPal transfer: once the legitimate PayPal app is opened and the user has logged in, the accessibility service mimics the user’s taps to send the money. The second is a phishing overlay placed over legitimate apps to harvest credit card details and Gmail login credentials.

The interesting part is that the overlays are displayed in the foreground as lock-screen style windows: the user cannot dismiss them with the Home or Back buttons. The only way to remove one is to enter a username and password, and the overlay accepts whatever the user enters. The user could enter completely false data and still get the phone back. The PayPal transfer fails only when the account lacks the 1,000 euro balance and has no payment card attached. The malware is activated whenever the PayPal app is opened.
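A first check a practitioner can run on a suspect device is to list which apps hold the accessibility service permission this trojan relies on. The Python below is an added example, not ESET’s analysis code or the malware: it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns and flags any service whose package is not on an allowlist. The allowlist and the second package name in the sample string are constructed for illustration; TalkBack’s component name is the real one.

```python
import subprocess
from typing import Iterable, List, Optional, Tuple

# Packages a fleet might legitimately permit to run an accessibility service
# (constructed allowlist for this example).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
}

# Sample value in the format Android stores in Settings.Secure:
# "<package>/<service class>" entries separated by ':'. The first entry is
# TalkBack's real component; the second is a constructed trojan-style name.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.optimization.android/.EnableStatisticsService"
)


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Split the Settings.Secure string into (package, service_class) pairs.

    A class part beginning with '.' is shorthand relative to the package name,
    so it is expanded to the fully qualified class.
    """
    pairs = []
    for entry in value.strip().split(":"):
        if not entry or "/" not in entry:
            continue                      # tolerates "null" and empty strings
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious_services(value: str, allowed: Iterable[str] = ALLOWED_PACKAGES) -> List[str]:
    """Return 'package/class' for every enabled service whose package is not allowlisted."""
    allowed = set(allowed)
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(value) if pkg not in allowed]


def read_from_device(serial: Optional[str] = None) -> str:
    """Pull the live value over adb (requires adb on PATH and an authorized device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    return "" if out == "null" else out   # 'settings get' prints "null" when unset


if __name__ == "__main__":
    for component in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", component)
```

On a real device, feed `read_from_device()` into `suspicious_services()`; anything it reports should be checked against where the app came from, since a side-loaded package holding this permission is exactly the foothold described above.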
Nuance 
Most malware in the environment works to steal credentials, which are then used in various ways at a later point. This malware does not focus on that; it simply waits in the background for the user to do the work and log into PayPal, so stolen credentials, and any two-factor authentication protecting them, are beside the point. This is coupled with the phishing function.

There are also different variants of this malware. These may be coded to intercept and send SMS messages, delete SMS messages, change the default SMS application, obtain the user’s contact list, make and forward calls, obtain the list of installed apps, and install and run apps.




Resources
EHacking News. (2018, December 13). Android malware steals 1,000 euros in around 5 seconds via paypal. Retrieved from http://www.ehackingnews.com/2018/12/android-malware-steals-1000-euros-in.html 


The Paypers. (2018, December 29). Android malware steals money fast via paypal. Retrieved from https://www.thepaypers.com/digital-identity-security-online-fraud/android-malware-steals-money-fast-paypal/776413-26 

We Live Security. (2018, December 11). Android trojan steals money from paypal accounts even with 2FA. Retrieved from https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Friday, September 13, 2019

Yet another AWS issue! Capital One breached


Capital One-Yet Another Breach
Charles Parker, II
There is a saying that we are our own worst enemy. While we may have the best intentions, at times we create our own issues, to our own detriment. This has been notable with one recurring use case: misconfigured servers hosted on AWS. These have created many issues for data owners and managers. The latest victim is Capital One, due to its misconfigured AWS environment. This certainly won’t be the last such incident in the industry.
Breach
To note this was massive would be an understatement. This is one of the biggest data breaches involving a financial services company: approximately 106 million people were affected, about 100 million in the US and 6 million in Canada. The intrusion went undetected for an extended period, from March through July 17, 2019; Capital One learned of it only on July 19, 2019, after an outside tip.
Method
The focal point for the attack was the cloud servers rented from AWS, and the issue was with the cloud configuration. The attack succeeded because of a misconfigured web application firewall (WAF). According to the criminal complaint, commands relayed through the misconfigured firewall returned credentials for an IAM role assigned to the WAF, and those credentials were then used to list and copy the contents of Capital One’s S3 storage. Oddly, the attacker later described exactly how it was done on GitHub and social media. Generally, if you are going to gain unauthorized entry, you do not want everyone to know who you are. In this case, the attacker did just that.
Data
The data related to credit card applications filed between 2005 and early 2019, a very long span of records to exfiltrate. The attacker accessed credit applications, Social Security numbers (approximately 140,000 in the US) and about 1 million Canadian Social Insurance Numbers, linked bank account numbers (approximately 80,000), names, addresses, dates of birth, and financial information such as self-reported credit scores. Fortunately, no credit card account numbers or login credentials were exposed. Altogether, roughly 30 GB of data was taken. Somehow the attacker was able to pull this data over months without anyone, or any tooling, examining the role’s logins or data access for an extended period.
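The detection the text says was missing can be expressed as a simple rule over CloudTrail: the firewall’s role should never be seen listing buckets or reading objects, and certainly not from an address outside the firewall host’s own network. The Python below is an added example, not Capital One’s or AWS’s code; the role name, account number, bucket names, addresses and the log records themselves are constructed, and the "expected source" ranges are an assumption that in practice would be the WAF instance’s own addresses or VPC endpoint ranges.

```python
import ipaddress
from typing import Dict, Iterable, List

# Networks the WAF instance is expected to call AWS APIs from (assumed).
EXPECTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Role the firewall instance assumes (hypothetical name).
WAF_ROLE = "example-WAF-Role"

# S3 operations a WAF host has no business performing.
SENSITIVE_S3_OPS = {"ListBuckets", "ListObjects", "GetObject"}

WAF_ARN = "arn:aws:sts::123456789012:assumed-role/example-WAF-Role/i-0abc123"

# Constructed CloudTrail-style records (not real logs). 203.0.113.77 stands in
# for an external attacker host; 10.0.x.x hosts are inside the expected range.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2019-03-22T10:01:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ARN}},
    {"eventTime": "2019-03-22T10:02:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"bucketName": "example-apps-2017", "key": "apps.csv"},
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ARN}},
    {"eventTime": "2019-03-22T10:02:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ARN}},
    {"eventTime": "2019-03-22T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.2.40",
     "requestParameters": {"bucketName": "example-apps-2017", "key": "apps.csv"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/batch-reporting/job-7"}},
]


def role_name(arn: str) -> str:
    """'arn:aws:sts::acct:assumed-role/<role>/<session>' -> '<role>' ('' if not a role ARN)."""
    parts = arn.split("/")
    return parts[1] if len(parts) >= 2 and parts[0].endswith(":assumed-role") else ""


def from_expected_source(ip: str, nets: Iterable = EXPECTED_SOURCES) -> bool:
    """True when the caller address is inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # CloudTrail also records AWS service principals here, not IPs
    return any(addr in net for net in nets)


def find_anomalies(events: Iterable[Dict], role: str = WAF_ROLE,
                   nets: Iterable = EXPECTED_SOURCES) -> List[Dict]:
    """Flag S3 reads made with the WAF role's credentials from outside its own network."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or role_name(ident.get("arn", "")) != role:
            continue
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in SENSITIVE_S3_OPS:
            continue
        if from_expected_source(ev.get("sourceIPAddress", ""), nets):
            continue
        params = ev.get("requestParameters") or {}
        hits.append({"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                     "sourceIPAddress": ev["sourceIPAddress"],
                     "bucket": params.get("bucketName", "")})
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_EVENTS):
        print("WAF role credential misuse:", hit)
```

The rule is deliberately narrow: a role that exists to front a firewall needs no `s3:ListAllMyBuckets` or `s3:GetObject` permission at all, so the better fix is to remove those rights from the role (least privilege) and keep the detection as a backstop for the next misconfiguration.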
Perpetrator
The FBI has arrested a suspect in this case. The speedy arrest was largely due to the attacker broadcasting who they were rather than hiding anything. The attacker previously worked as an Amazon Web Services (AWS) engineer. The attacker’s name of record is Paige A. Thompson. Given the complete lack of operational security, she is certainly a nominee for the Darwin Award. She bragged about the breach on GitHub and social media, and tried to share the data openly online rather than on the dark web. To top off the nomination, she used her full first, middle, and last name and posted details of the intrusion to a GitHub account for the user “Netcrave”, which also happened to host her resume (oops). She also used the alias “erratic”.

The criminal complaint was filed in the Western District of Washington, with a hearing on August 1, 2019. Supporting the allegation with further evidence, the FBI executed a search warrant and seized electronic storage devices, which contained a copy of the data.
Mitigation
Capital One states the AWS configuration has been corrected and that it is unlikely the data was used for fraud. This is very easy to state, but exceptionally difficult to guarantee. Capital One promised 12 months of credit monitoring for affected parties and recommends that they watch for phishing emails.

Resources
Corcoran, J. (2019, July 30). Former AWS engineer arrested as capital one admits massive data breach. Retrieved from https://threatpost.com/aws-arrest-data-breach-capital-one/146758/

Krebs, B. (2019, July 19). Capital one data theft impacts 106M people. Retrieved from https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/

McLean, R. (2019, July 30). A hacker gained access to 100 million capital one credit card applications and accounts. Retrieved from https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

U.S. Attorney’s Office. (2019, July 29). Seattle tech worker arrested for data theft involving large financial services company. Retrieved from https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company

DirtySock: Vulnerability does not sound like fun


Ubuntu and other Linux distributions are used worldwide. They offer many functions and attributes the other primary options do not, and they are open source. While beloved, they can still add aggravation and headaches when installing software or attempting other tasks. While there has not been the multitude of attacks seen against the Windows franchise, one more was recently added: DirtySock.
DirtySock Vulnerability (CVE-2019-7304)
The researcher Chris Moberly discovered the issue near the end of January 2019 and, as a responsible party, worked with Canonical to fix it before publishing proof-of-concept (PoC) code for the exploit.
Operation
Snaps are packages that “contain” the files, libraries, and programs an application needs to run; snapd is the daemon that manages them (the snap format dates to 2014) and has shipped by default on recent Ubuntu releases. The vulnerability does not by itself let an attacker break into a system. What it does allow is a local privilege escalation: once an attacker has any foothold on an unpatched system, the flaw lets them create a root-level user account they are not authorized to create, which is a very bad outcome for administrators.

The flaw lies in snapd’s local REST API, which listens on a Unix socket and interacts with snap packages during installation. snapd decides what the caller may do from the UID of the connecting process, but it derived that UID by parsing a string that also included the client socket’s own address. A client that binds its socket to a name containing text such as “;uid=0;” can therefore override the UID snapd reads and reach any API function as root, bypassing the access control restrictions the API server applies. To demonstrate this, the researcher provided two exploits: one calls the API’s create-user function directly, and the other sideloads a malicious snap whose install hook adds the user.
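The UID override at the heart of the bug, as an added example in Python rather than snapd’s own Go code: `parse_vulnerable` mirrors the last-token-wins parsing that was exploited, and `parse_fixed` shows one correct way to parse the same label (it is not a reproduction of Canonical’s actual patch). The PIDs, socket paths and peer names are constructed. The stronger defence, noted at the end, is to take the UID from the kernel’s SO_PEERCRED answer and never from text the client can influence.

```python
import re
from dataclasses import dataclass

NOBODY_UID = 65534


@dataclass
class PeerCreds:
    pid: int
    uid: int
    socket: str


def build_remote_addr(pid: int, uid: int, socket_path: str, peer_name: str) -> str:
    """Mimic how the daemon labelled a connection: kernel-supplied credentials
    first, then the client's own bound socket name appended verbatim.
    The peer name is the only part the client controls."""
    return f"pid={pid};uid={uid};socket={socket_path};{peer_name}"


def parse_vulnerable(remote_addr: str) -> PeerCreds:
    """Every ';'-separated token is scanned and the last 'uid=' wins, so a
    client that names its socket '@/tmp/x;uid=0;' is treated as root."""
    pid, uid, sock = 0, NOBODY_UID, ""
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            pid = int(token[4:])
        elif token.startswith("uid="):
            uid = int(token[4:])
        elif token.startswith("socket="):
            sock = token[7:]
    return PeerCreds(pid, uid, sock)


def parse_fixed(remote_addr: str) -> PeerCreds:
    """Read only the three fixed-position fields the daemon wrote, and refuse
    the label outright if credential-looking tokens appear in the client part."""
    m = re.match(r"^pid=(\d+);uid=(\d+);socket=([^;]*);", remote_addr)
    if not m:
        raise ValueError("malformed peer label")
    client_part = remote_addr[m.end():]
    if "uid=" in client_part or "pid=" in client_part:
        raise ValueError("credential tokens in client-controlled socket name")
    return PeerCreds(int(m.group(1)), int(m.group(2)), m.group(3))


def may_create_user(creds: PeerCreds) -> bool:
    """The access decision the API makes: only root may call privileged endpoints."""
    return creds.uid == 0


if __name__ == "__main__":
    honest = build_remote_addr(4242, 1000, "/run/snapd.socket", "@")
    attacker = build_remote_addr(5127, 1000, "/run/snapd.socket", "@/tmp/sh;uid=0;")
    print("vulnerable, honest client ->", parse_vulnerable(honest).uid)
    print("vulnerable, attacker     ->", parse_vulnerable(attacker).uid)   # 0: escalated
    print("fixed, honest client     ->", parse_fixed(honest).uid)
    try:
        parse_fixed(attacker)
    except ValueError as exc:
        print("fixed, attacker          -> rejected:", exc)
```

String parsing is only a symptom here: the kernel already reports the peer’s PID, UID and GID through `getsockopt(SO_PEERCRED)`, and a daemon that keeps those values in typed fields instead of flattening them into a string alongside client-chosen data has no such ambiguity to resolve.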
Remediation
Ubuntu is open source and is developed and commercially supported by Canonical, which issued a patch for the issue and continues to show its focus on timely updates to the OS. The flaw was addressed in snapd version 2.37.1, and Canonical released corresponding security updates for supported Ubuntu releases. Other distributions that ship snapd need the updated version as well.
Resources
Abrams, L. (2019, February 13). Canonical snapd vulnerability gives root access in linux. Retrieved from https://bleepingcomputer.com/news/security/canonical-snapd-vulnerability-gives-root-access-in-linux

PenTest Tools. (2019, February 14). Snapd flaw lets attackers gain root access on linux systems. Retrieved from https://pentesttools.net/snapd-flaw-lets-attackers-gain-root-access-on-linux-systems/

Sowells, J. (2019, February 13). Attackers gain root access on linux system via dirty sock vulnerability. Retrieved from https://hackercombat.com/attackers-gain-root-access-on-linux-systems-via-dirty-sock-vulnerability/

There's always a new attack tool: JungleSec

For better or worse, attackers and InfoSec researchers are always seeking new methods to attack systems. There is always something new in targets, methods, and the data sought on the target. This industry is not static by any means, due to this and to the publications and journals showing the techniques used. It may even be termed dynamic, which can be both a positive and a negative.
Tool
There is a new ransomware variant in the wild, first noted in November 2018 and named JungleSec. The attack vector is an unsecured intelligent platform management interface (IPMI). Victims were running Windows, Linux, and Mac systems; after investigation, it was found they had been infected through an unsecured IPMI device. IPMI cards allow administrators to remotely manage a computer: power cycle the system, retrieve system information, and access a KVM console.
Installation
As a rule of thumb and best practice, the administrator should always change the default IPMI password and keep the interface off the public internet. Where this is not done, unauthorized access to the system may occur, and there may be other avenues in through these interfaces. Once the attackers have access, they reboot the system into single-user mode, which gives them root access. At that point the encryption program is downloaded, and the attacker manually runs it over the victim’s files and enters the passphrase. The attackers also tried to mount and encrypt VM drives, unsuccessfully. Along with the ransomware, the attackers left a backdoor listening on port 6432.
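Two checks follow directly from that description: whether a BMC still answers to a default credential pair, and whether a host is listening on the backdoor port. The Python below is an added example, not the attackers’ tooling or any vendor’s: `audit_default_creds` drives the real `ipmitool` command line (`-I lanplus -H … -U … -P … chassis power status`, a harmless read-only call) through an injectable runner, and `unexpected_listeners` parses `ss -ltnp` output. The credential list is an assumed set of commonly documented vendor defaults, and the fake BMC responses and `ss` output are constructed.

```python
import subprocess
from typing import Callable, List, Set, Tuple

# Commonly documented vendor default BMC logins (assumed list for this example;
# check your own hardware's documentation and add what applies).
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("ADMIN", "ADMIN"),
    ("root", "calvin"),
    ("admin", "admin"),
]

Runner = Callable[[List[str]], Tuple[int, str]]


def ipmitool_cmd(host: str, user: str, password: str) -> List[str]:
    """Read-only probe over RMCP+ (lanplus); succeeds only if the login works."""
    return ["ipmitool", "-I", "lanplus", "-H", host, "-U", user, "-P", password,
            "chassis", "power", "status"]


def run_real(cmd: List[str]) -> Tuple[int, str]:
    """Execute a command and return (exit code, combined output)."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    return proc.returncode, proc.stdout + proc.stderr


def audit_default_creds(host: str, creds=DEFAULT_CREDS,
                        run: Runner = run_real) -> List[Tuple[str, str]]:
    """Return every default (user, password) pair the BMC at `host` accepts."""
    accepted = []
    for user, password in creds:
        rc, out = run(ipmitool_cmd(host, user, password))
        if rc == 0 and "Chassis Power is" in out:
            accepted.append((user, password))
    return accepted


def fake_bmc(cmd: List[str]) -> Tuple[int, str]:
    """Constructed runner simulating a BMC still on ADMIN/ADMIN (no network needed)."""
    user = cmd[cmd.index("-U") + 1]
    password = cmd[cmd.index("-P") + 1]
    if (user, password) == ("ADMIN", "ADMIN"):
        return 0, "Chassis Power is on\n"
    return 1, "Error: Unable to establish IPMI v2 / RMCP+ session\n"


# Constructed `ss -ltnp` output from a host carrying the port-6432 backdoor.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443             *:*               users:(("nginx",pid=901,fd=6))
LISTEN 0      128    0.0.0.0:6432      0.0.0.0:*         users:(("nc",pid=4411,fd=4))
"""


def unexpected_listeners(ss_output: str, expected_ports: Set[int]) -> List[Tuple[int, str]]:
    """Return (port, process) for every TCP listener not in the expected set."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                                   # header or non-listening socket
        port = int(parts[3].rsplit(":", 1)[1])         # "0.0.0.0:6432" -> 6432
        process = parts[5] if len(parts) > 5 else ""
        if port not in expected_ports:
            found.append((port, process))
    return found


if __name__ == "__main__":
    print("default creds accepted:", audit_default_creds("192.0.2.10", run=fake_bmc))
    print("unexpected listeners:", unexpected_listeners(SAMPLE_SS, {22, 443}))
```

Run `audit_default_creds` from a management network host against your own BMC inventory (with `run_real`) and treat any hit as an open door; the listener check is cheap to schedule on every server, and a listener on 6432 owned by `nc` is the kind of thing that should never survive a review.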
For the User
The ransomware leaves the user with an empty feeling in their stomach. When the user attempts to do work on the system, they receive the infamous message (the ransom note) instructing them to contact the attacker at an email address and pay 0.3 bitcoin to the attacker’s address for the decryption key.

There are numerous problems with this. After payment, the victim may or may not actually receive the key. The attackers may also have installed additional back doors so they can regain access later; the listener on port 6432 is one such door. Without a tested set of backups, however, paying may be the only avenue toward getting the systems up and running, and even then the IPMI credentials must be changed and the interface taken off the internet, or the attackers simply return.

It is always a good idea to properly configure the equipment and system. There are manuals, tutorials, and peers to assist with this; not doing so is equivalent to inviting an issue.


Resources
Abrams, L. (2018, December 26). JungleSec ransomware infects victims through IPMI remote consoles. Retrieved from https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/ 

Paganini, P. (2018, December 27). Hackers infect linux servers with junglesec ransomware via IPMI remote console. Retrieved from https://securityaffairs.co/wordpress/79219/malware/junglesec-ransomware-ipmi.html 

Wednesday, September 11, 2019

NASA servers compromised!

From a young age we become acquainted with NASA through its missions to the Moon, Mars, Saturn, Pluto, and beyond; the iconic astronauts in their suits are etched into our minds. In short, space exploration is their mission. While this is the primary focus, and their engineers are very good at it, the organization still needs other work groups to support it. One of these pertinent groups is information security, or cybersecurity. Without a strong team in place, there will be issues. In an incident from late 2018, it appears not enough attention was paid to this.
Compromise
The breach occurred in October 2018. Once it was detected, NASA moved to contain the issue, which is the right action given the attackers’ activity. Unfortunately, nothing substantial has been published regarding the attack method. Granted, NASA would have corrected it already, but understanding how the compromise occurred would have been a great learning experience and would have allowed others to learn from NASA’s oversight.

This is not the first time the potential for a compromise has been noted. For example, in November 2017 the Inspector General reported on NASA’s information security issues: in the two years before that report there were over 3,000 computer security incidents, including unauthorized access. Fortunately, no missions were impacted. The number is substantial; from a CISO’s perspective, one would want to start with the critical issues and work down the list from there.
Data
The servers targeted unfortunately held PII, which is bad for the affected parties. This included Social Security numbers and other PII for current and former NASA employees on-boarded from July 2006 to October 2018, a large number of people.
Notifications
As employee PII was involved, notification had to be made. NASA HR, on behalf of Bob Gibbs (Assistant Administrator, Office of the Chief Human Capital Officer), sent a memo on December 18, 2018, noting that cybersecurity personnel had begun investigating the compromised systems. Notably, the breach occurred in October 2018, yet NASA waited until December 18 to notify people. This was intentional: law enforcement was still investigating and did not want to tip off the attackers.
Mitigation
NASA will offer identity protection services and other resources through a vendor. NASA and its federal cybersecurity partners are conducting a forensic review of the breach, but this is focused only on the impacted systems; the same or similar issues may exist on other systems, providing additional opportunity for the attackers. As a result of the compromise, NASA is working to expand its network penetration testing program, conduct more incident response (IR) assessments, broaden deployment of intrusion detection systems (IDS), and expand web application security scanning.
Resources
Boston, B.A. (2018, December 19). NASA reveals October security breach that exposed employee data. Retrieved from https://www.slashgear.com/nasa-reveals-october-security-breach-that-exposed-employee-data-19558631/  

NASA HQ. (2018, December 18). Potentially personally identifiable information (PII) compromise of NASA servers. Retrieved from http://spaceref.com/news/viewsr.?pid=52074


Vijayan, J. (2018, December 19). NASA investigating breach that exposed PII on employees, ex-workers. Retrieved from https://www.darkreading.com/attacks-breaches/nasa-investigating-breach-that-exposed-pii-on-employees-ex-workers/

Tuesday, September 10, 2019

Elsevier Pwned!

When academics and students write papers, research is required. At times this research can be massive, depending on the subject; the more technical the work, the more references may be used. These act as support for the researcher’s thoughts, ideas, applications, and work in general. For references to be useful, they should come from peer-reviewed journals, which indicates the work is not one person’s opinion but has been accepted by the researcher’s peers. Peer review reduces the opportunity for biased research and research based on faulty methods. These articles are searchable through various services; one of the major publishers of such journals, and of the search platforms built on them, is Elsevier.
Issue
As this service has been in use for an extended time, one would expect no such problem. Unfortunately, due to human error or other problems, one of Elsevier’s servers was left open for the public to browse. This server held user email addresses and passwords, reportedly in plaintext. Yes, this is as bad as it sounds. The users included anyone with access, including people from universities and other educational institutions across the globe. Elsevier did not know how long the server had been exposed, nor how many users or accounts were impacted. These are odd gaps, as the server was under their control and a review of its access logs, if any were kept, should answer both questions.

The danger here is credential stuffing. The affected user may use the same email address and password for other services from other providers (e.g. Panera Bread, Amazon, the interface to your vehicle), so a single leaked pair lets an attacker try those accounts too. This could make someone’s day very interesting.
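From the receiving side, a credential stuffing run looks different from a forgetful user: one source address cycles through many distinct usernames in a short window, mostly failing, with the occasional success where a reused password hits. The Python below is an added example, not Elsevier’s code or any vendor’s: it parses constructed authentication log lines and flags a source IP once a sliding window shows at least `min_users` distinct accounts with a failure ratio at or above `min_fail_ratio`. The log format, addresses and account names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed login log: one address spraying leaked email/password pairs
# (with one hit), and one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2019-03-18T09:00:01Z ip=203.0.113.5 user=a.smith@example.edu result=FAIL
2019-03-18T09:00:02Z ip=203.0.113.5 user=b.jones@example.edu result=FAIL
2019-03-18T09:00:03Z ip=203.0.113.5 user=c.wu@example.edu result=FAIL
2019-03-18T09:00:04Z ip=203.0.113.5 user=d.lee@example.edu result=OK
2019-03-18T09:00:05Z ip=203.0.113.5 user=e.kim@example.edu result=FAIL
2019-03-18T09:00:06Z ip=203.0.113.5 user=f.ali@example.edu result=FAIL
2019-03-18T09:00:07Z ip=203.0.113.5 user=g.roy@example.edu result=FAIL
2019-03-18T09:00:08Z ip=203.0.113.5 user=h.cho@example.edu result=FAIL
2019-03-18T09:03:10Z ip=198.51.100.9 user=bob@example.edu result=FAIL
2019-03-18T09:03:25Z ip=198.51.100.9 user=bob@example.edu result=OK
2019-03-18T09:10:00Z ip=198.51.100.9 user=bob@example.edu result=OK
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict with a parsed timestamp, or None for lines not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect_credential_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                               min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, Dict]:
    """Flag source IPs whose sliding window shows many distinct accounts and mostly failures.

    Returns {ip: stats}; stats cover all of that IP's attempts plus the first
    time the window crossed the threshold.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()
        first_flagged = None
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:   # drop attempts older than the window
                recent.popleft()
            users = {e["user"] for e in recent}
            fails = sum(1 for e in recent if e["result"] == "FAIL")
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                first_flagged = first_flagged or ev["ts"]
        if first_flagged:
            flagged[ip] = {
                "first_flagged": first_flagged.strftime(TS_FMT),
                "attempts": len(events),
                "distinct_users": len({e["user"] for e in events}),
                "failures": sum(1 for e in events if e["result"] == "FAIL"),
                "successes": sum(1 for e in events if e["result"] == "OK"),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The successes matter more than the failures: each `OK` from a flagged address is an account whose owner reused a leaked password and needs a forced reset, which is the action the Elsevier notices to users amount to.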
Remediation
Once Elsevier was notified (they did not discover the issue themselves), the organization corrected the configuration. They are investigating how the server came to be exposed, though it appears to be simple human error. They did not believe the server or any data had been misused. The organization notified users and reset the affected accounts’ passwords.

This again shows the importance of proper configuration. Without it, servers are open to anyone, which is not a good thing.

Resources

Beau HD. (2019, March 18). Education and science giant Elsevier left users’ passwords exposed online. Retrieved from https://it.slashdot.org/story/19/03/18/2052211/education-and-science-giant-elsevier-left-users-passwords-exposed-online

Brown University. (n.d.). Password leak at Elsevier. Retrieved from https://it.brown.edu/alerts/read/password-leak-elsevier

Cox, J. (2019, March 18). Education and science giant Elsevier left users’ passwords exposed online. Retrieved from https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

Drexel Library. (2019, March 21). Notice: Elsevier usernames & passwords accidentally exposed. Retrieved from https://www.library.drexel.edu/news-and-events/news/libraries-news/2019/March/Elsevier_Usernames/

Hashim, A. (2019, March 25). Elsevier exposed user credentials publicly through misconfigured server. Retrieved from https://latesthackingnews.com/2019/03/25/elsevier-exposed-user-credentials-publicly-through-misconfigured-server/

Stalfort, H. (2019, March 29). Notice: Elsevier data leak-action required. Retrieved from https://blogs.library.jhu.edu/2019/03/notice-elsevier-data-leak-action-required/

Vaas, L. (2019, March 20). Elsevier exposes users’ emails and passwords online. Retrieved from https://nakedsecurity.sophos.com/2019/03/20/elsevier-exposes-users-emails-and-passwords-online/