Cyber Advisors Blog

In the Know - Cyber Security Update - Week of August 20th-August 27th

Posted by Eric Brown on Aug 28, 2017 8:19:01 AM

Google removes 500 apps from the Play marketplace because of Trojan-style spyware, the iPhone 7/7 Plus passcode is brute-forced, Facebook Messenger spreads malware, another Amazon S3 bucket is left open, this time exposing 1.8M Chicago voter records, and thousands of IoT device IP addresses and passwords are exposed on Pastebin.

1. Google Play Removes 500 Apps because of spyware

According to security research firm Lookout, 500 apps with over 100 million collective downloads on Google Play have been removed after review. The researchers discovered that the ‘Igexin’ advertising software development kit (SDK) embedded in the apps caused them to communicate with outside servers that had earlier spread malware. The malicious behaviour of the SDK was discovered when an app appeared to be downloading large, encrypted files from those servers.

Lookout identified two of the affected apps as Lucky Cash and SelfieCity, both of which were subsequently fixed. The firm did not reveal the other impacted apps, but said they included mobile games for teenagers, weather apps, online radio, photo editing, education, health, fitness, and home video camera apps.

More Details:
https://arstechnica.com/information-technology/2017/08/500-google-play-apps-with-100-million-downloads-had-spyware-backdoor/

2. $500 hacking device breaks iPhone 7 and 7 Plus security

According to popular YouTuber EverythingApplePro, a vulnerability puts at risk all iPhone 7 and 7 Plus models running any version of iOS between 10.3.3 and 11 Beta.

A loophole in a data recovery state means these versions of iOS do not lock the phone after 10 failed passcode attempts. Once connected, the hacking device takes anywhere from 20 to 50 seconds per attempt and can brute-force a phone protected with a 4-digit code in a few days, and one with a six-digit passcode in about a week.

Video of device in action here:
https://www.youtube.com/watch?v=IXglwbyMydM
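The loophole above is a lockout counter that is not enforced in one of the device's states. The following Python example is added here to show the defensive design point; it is not Apple's code and it models the failure abstractly. It assumes a threshold of 10 attempts (the number quoted in the article), a hypothetical `enter_recovery_state()` transition, and a temporary JSON file standing in for non-volatile storage. The weak class keeps the counter in memory only, so a state change zeroes it and the limit is never reached; the hardened class commits the counter before evaluating each guess and re-reads it, never resets it, on a state change.

```python
"""Passcode lockout that survives a reset or 'recovery state' (added example,
modelling the failure the article describes; not Apple's code)."""
import json
import os
import tempfile

MAX_ATTEMPTS = 10  # lockout threshold quoted in the article


class VolatileLockout:
    """Weak pattern: the failure counter lives only in memory. Any path that
    re-initialises the verifier (a crash, a power cycle, a recovery state)
    silently zeroes it, so the lockout can never be reached."""

    def __init__(self, passcode):
        self._passcode = passcode
        self.failures = 0

    def enter_recovery_state(self):
        self.failures = 0  # counter is lost with the rest of RAM

    def try_unlock(self, guess):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if guess == self._passcode:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "denied"


class PersistentLockout:
    """Hardened pattern: the counter is committed to non-volatile storage
    before the guess is evaluated and is re-read, never reset, when the
    device changes state, so every mode enforces the same limit."""

    def __init__(self, passcode, state_path):
        self._passcode = passcode
        self._path = state_path
        self.failures = self._load()

    def _load(self):
        try:
            with open(self._path) as f:
                return int(json.load(f)["failures"])
        except (FileNotFoundError, ValueError, KeyError):
            return 0

    def _commit(self):
        tmp = self._path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"failures": self.failures}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self._path)  # atomic swap: no torn counter on power loss

    def enter_recovery_state(self):
        self.failures = self._load()  # recovery re-reads the committed count

    def try_unlock(self, guess):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        self.failures += 1  # charge the attempt before checking the guess
        self._commit()
        if guess == self._passcode:
            self.failures = 0
            self._commit()
            return "unlocked"
        return "denied"


def fresh_state_path():
    """A throwaway file standing in for the device's non-volatile store (test aid)."""
    return os.path.join(tempfile.mkdtemp(), "lockout.json")


def guesses_before_lockout(guard, wrong_guesses, recovery_every):
    """Feed wrong guesses, entering the recovery state every `recovery_every`
    tries (modelling the loophole); return how many guesses the guard actually
    evaluated before answering 'locked'."""
    evaluated = 0
    for i, guess in enumerate(wrong_guesses, 1):
        if guard.try_unlock(guess) == "locked":
            break
        evaluated += 1
        if i % recovery_every == 0:
            guard.enter_recovery_state()
    return evaluated


if __name__ == "__main__":
    wrong = ["%04d" % i for i in range(30)]  # 30 wrong 4-digit guesses against '9999'
    print("volatile  :", guesses_before_lockout(VolatileLockout("9999"), wrong, 5))
    print("persistent:", guesses_before_lockout(PersistentLockout("9999", fresh_state_path()), wrong, 5))
```

The design choice that matters is ordering: the attempt is recorded durably before the guess is compared, so interrupting the device mid-check cannot win back a try, and the recovery path reads the counter instead of initialising it.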

3. Facebook Messenger spreads Windows/Mac/Linux viruses

Cyber security researchers at Kaspersky Lab have come across an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software.

Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with the message that reads "< your friend name > Video" followed by a bit.ly link.

The link points to a Google Doc that has already pulled a picture from the victim’s Facebook page and built a dynamic landing page that looks like a playable video.

The malware then takes the browser through a series of websites requiring clicks to continue.

The attack culminates with a website that displays a fake error message tricking the user to download a malicious Google Chrome extension from the Google Web Store.

Details (with pictures) of the attack:
https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-messenger/81590/

4. A misconfigured Amazon S3 bucket exposes 1.8M Chicago voter records

A voting machine company exposed 1.8 million Chicago voter records after misconfiguring a security setting on the server that stored them. Election Systems & Software (ES&S), the Nebraska-based voting software and election management company, confirmed the leak on Thursday. In a blog post, the company said the voter data leak contained names, addresses, birthdates, partial social security numbers and some driver’s license and state ID numbers stored in backup files on a server.

Details on the leak:
https://www.clickorlando.com/news/politics/18-million-chicago-voter-records-exposed-online
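The leak above came from a single misconfigured bucket setting. The Python audit below is an added example, not ES&S code or an AWS tool; it evaluates a bucket policy, a bucket ACL and the S3 Block Public Access flags (a control AWS added after this article was written) as plain JSON, so it runs offline. The bucket name, account ID, role name and grant IDs are constructed placeholders. The weak configuration mirrors the classic mistake, a wildcard principal with `s3:GetObject` plus an ACL grant to `AllUsers`, and the corrected configuration sits next to it.

```python
"""Check S3 bucket settings for public read access (added example, not ES&S code)."""
import json

# Grantee URIs S3 uses for "everyone" and "any signed-in AWS account" in bucket ACLs.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous (AllUsers)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (AuthenticatedUsers)",
}
# Actions that let a caller read or enumerate bucket contents.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Allow statements that grant read actions to a wildcard principal.
    A statement with a Condition block is still reported, marked for review,
    because a condition such as aws:SourceIp may or may not restrict it."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if set(_as_list(st.get("Action", []))) & READ_ACTIONS:
            note = "public read" + (" (has Condition; review)" if "Condition" in st else "")
            findings.append((st.get("Sid", "<no Sid>"), note))
    return findings


def acl_findings(acl):
    """ACL grants to the anonymous or all-authenticated-users groups."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GRANTEES.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append((who, grant.get("Permission")))
    return findings


def public_access_block_gaps(pab):
    """S3 Block Public Access flags that are not enabled (all four should be True)."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in keys if not pab.get(k, False)]


def audit_bucket(policy, acl, pab):
    """Combine the three checks; empty lists mean nothing public was found."""
    return {
        "policy": policy_findings(policy),
        "acl": acl_findings(acl),
        "pab_gaps": public_access_block_gaps(pab),
    }


def is_public(report):
    return bool(report["policy"] or report["acl"])


# --- Constructed samples: the weak configuration next to the corrected one ---
BUCKET_ARN = "arn:aws:s3:::example-voter-backups"  # placeholder bucket name

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadBackups", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}],
}
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RestoreRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
}
FIXED_ACL = {"Grants": [WEAK_ACL["Grants"][0]]}  # owner only
FIXED_PAB = {k: True for k in WEAK_PAB}

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                       ("fixed", (FIXED_POLICY, FIXED_ACL, FIXED_PAB))):
        print(label, json.dumps(audit_bucket(*cfg), indent=2))
```

In practice the three inputs come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; the check is deliberately conservative and reports conditioned wildcard grants for a human to judge rather than assuming the condition is tight.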

5. 8,200+ credentials of IoT devices exposed on Pastebin

A large list of IP addresses and credentials was recently leaked to Pastebin. The validated list contains 8,233 addresses with their login credentials. 61% of the IP addresses are located in China, and about a quarter of the addresses are accessible via telnet.

Many IoT devices included in the list have default and well-known credentials (e.g., admin:admin, root:root, or no authentication required).

Top five credentials were:

  • root:[blank]—782
  • admin:admin—634
  • root:root—320
  • admin:default—21
  • default:[blank]—18

Security researcher Victor Gevers' analysis:
https://twitter.com/0xDUDE/status/901062772238274561/photo/1
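When a dump like this appears, the defender's first questions are which credential pairs dominate, how much of it is reachable over telnet, and whether any of the addresses fall inside your own ranges. The Python script below is an added example, not Gevers' tooling, and the input is a constructed sample in an assumed `ip:port:user:password` layout using RFC 5737 test addresses; the real list's format is not given on this page. Which ports count as telnet and which pairs count as defaults are assumptions declared at the top.

```python
"""Triage a leaked IoT credential list against your own address space
(added example; record format below is assumed, not the Pastebin dump's)."""
import ipaddress
from collections import Counter

# Credential pairs widely shipped as defaults; a blank password is the empty string.
DEFAULT_CREDS = {("root", ""), ("admin", "admin"), ("root", "root"),
                 ("admin", "default"), ("default", "")}
TELNET_PORTS = {23, 2323}  # assumption: what we count as "accessible via telnet"

# Constructed sample in an assumed ip:port:user:password layout (RFC 5737 test addresses).
SAMPLE_LEAK = """\
# constructed sample, not the real list
203.0.113.10:23:root:
203.0.113.11:23:admin:admin
198.51.100.5:22:root:root
198.51.100.6:23:admin:admin
192.0.2.17:80:admin:default
192.0.2.18:23:root:
192.0.2.19:2323:default:
not-an-ip:23:admin:admin
"""


def parse_records(text):
    """Parse ip:port:user:password lines; skip comments, blanks and malformed rows.
    The password is split last so it may itself contain ':'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue
        ip, port, user, password = parts
        try:
            records.append({"ip": ipaddress.ip_address(ip), "port": int(port),
                            "user": user, "password": password})
        except ValueError:
            continue  # unparseable address or port
    return records


def credential_counts(records):
    """Tally user:password pairs, showing an empty password as [blank]."""
    return Counter(f"{r['user']}:{r['password'] or '[blank]'}" for r in records)


def telnet_share(records):
    """Fraction of entries whose port is a telnet port."""
    if not records:
        return 0.0
    return sum(r["port"] in TELNET_PORTS for r in records) / len(records)


def uses_default_credentials(record):
    return (record["user"], record["password"]) in DEFAULT_CREDS


def records_in_ranges(records, cidrs):
    """Entries that fall inside the given networks (your own address space)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [r for r in records if any(r["ip"] in n for n in nets)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LEAK)
    print("records:", len(recs))
    print("top credentials:", credential_counts(recs).most_common(5))
    print(f"telnet share: {telnet_share(recs):.0%}")
    mine = records_in_ranges(recs, ["192.0.2.0/24"])  # placeholder for your ranges
    for r in mine:
        flag = "DEFAULT CREDS" if uses_default_credentials(r) else "non-default"
        print(f"  {r['ip']}:{r['port']} {r['user']} -> {flag}")
```

Any of your own addresses that match should be treated as compromised devices to be credential-rotated and pulled off the internet-facing telnet port, not merely re-password
ed; the tally of pairs is what tells you whether the problem is one vendor's default or a broad hygiene failure.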

Topics: Cyber Security