Cyber Advisors Blog

In the Know - Cyber Security Update - Week of July 23rd - July 30th

Posted by Eric Brown on Jul 31, 2017 8:31:42 AM

A fish tank leaks data, an Uber driver is defrauded by a social-engineering scam, over a billion smartphones were susceptible to a Wi-Fi worm, malware campaigns turn to .iso files, and attackers use FruitFly to spy on Mac users.


1. An internet-connected fish tank at a casino leaks gigabytes of data to hackers.

A fish tank has recently joined the list of IoT (Internet of Things) devices that have fallen victim to cyber-attack, according to a report from Darktrace. The tank's sensors, which monitor water quality and temperature, were connected to a PC on the casino's network.

Attackers connected to the tank's sensors, compromised one of them, used it as a foothold to move into other vulnerable parts of the casino's network, and then sent data out of the network.

Darktrace Report:

https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
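The attack chain above (an IoT device used as a pivot into the rest of the network, followed by bulk data leaving the network) is exactly what segmentation and egress monitoring should catch. The Python below is an added example, not code from the Darktrace report or the original post: it runs over a few constructed flow records (source, destination, bytes) and flags an IoT-segment host that talks to an internal machine outside its allow-list, or pushes more than a threshold of bytes to an external address. The IoT subnet, the allow-list and the threshold are assumptions for the example; in production the records would come from NetFlow or firewall logs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (src, dst, bytes_out); not data from the Darktrace report.
SAMPLE_FLOWS = [
    ("10.50.0.23", "10.50.0.1", 1_200),              # tank sensor -> its gateway (expected)
    ("10.50.0.23", "10.50.0.40", 8_000),             # tank sensor -> monitoring PC (expected)
    ("10.50.0.23", "10.10.4.17", 2_600_000),         # tank sensor -> back-office host (pivot)
    ("10.50.0.23", "203.0.113.9", 10_000_000_000),   # tank sensor -> internet host (bulk egress)
    ("10.50.0.24", "10.50.0.40", 9_500),             # second sensor behaving normally
    ("10.10.4.17", "198.51.100.7", 45_000),          # office PC browsing; not an IoT source
]

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")           # assumed IoT VLAN
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_ALLOWED_PEERS = {"10.50.0.1", "10.50.0.40"}                # assumed allow-list for the sensors
EGRESS_BYTES_THRESHOLD = 1_000_000                             # 1 MB straight out of the IoT VLAN is already odd


def is_internal(addr):
    """True if the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def audit_iot_flows(flows):
    """Return alerts for IoT sources that reach non-allow-listed internal hosts
    (lateral movement) or send more than the threshold to external hosts (egress)."""
    egress = defaultdict(int)
    alerts = []
    for src, dst, nbytes in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue                                           # only IoT-originated traffic is audited
        if is_internal(dst):
            if dst not in IOT_ALLOWED_PEERS:
                alerts.append(("lateral_movement", src, dst, nbytes))
        else:
            egress[(src, dst)] += nbytes                       # aggregate per (source, destination)
    for (src, dst), total in egress.items():
        if total > EGRESS_BYTES_THRESHOLD:
            alerts.append(("bulk_egress", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in audit_iot_flows(SAMPLE_FLOWS):
        print(*alert)
```

The two alerts this produces on the sample (the sensor reaching a back-office host, and the sensor sending 10 GB to an external address) are the two steps of the casino incident; the point is that a device which only ever needs to talk to one monitoring PC should be on a segment where anything else is both blocked and logged.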

2. Social engineering scam defrauds Uber driver of a day's wages
Security researcher Renato Marinho writes about an Uber scam in New York City. A NYC Uber driver had a day's wages stolen through an elaborate social-engineering scam that combined Uber's masked caller ID with Gmail's SMS password-recovery process.

Anatomy of the attack:

  • The attacker uses the Uber app to request a driver.
  • Once the driver is en route, the attacker uses the "contact driver" feature in the Uber app, which places a masked call (intended to protect the passenger's identity) to the driver.
  • The attacker claims to be from Uber; the driver has no way to tell otherwise, because the masking makes the call appear to come from Uber.
  • The attacker tells the driver that he knows the driver is on his way to pick up a passenger, but that the driver must first verify his account data for payment to be processed, and that he should not worry about the pickup because Uber will compensate him and send another driver. Since the call came through the Uber app, the driver believed it came from Uber.
  • The attacker asks for account information to confirm identity. "Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, I'll send you an SMS message and you'll tell me the content."
  • The attacker requests a password reset for the driver's Gmail account.
  • Gmail's password-recovery procedure sends a verification code by SMS to the driver's phone number.
  • The driver receives the SMS and reads the code back to the attacker, believing him to be Uber.
  • The attacker thanks the driver for "verifying" his identity and hangs up.
  • The attacker resets the driver's Gmail password, then the Uber password, and requests that the day's earnings be transferred to a prepaid card.

More info:
https://isc.sans.edu/forums/diary/Uber+drivers+new+threat+the+passenger/22626/

3.  1 billion smartphones potentially impacted by a vulnerability in Broadcom Wi-Fi chipsets
A security flaw, since patched on both Android and Apple phones, was demonstrated at Black Hat last week by security researcher Nitay Artenstein in an attack he dubbed "Broadpwn."

The proof-of-concept attack code exploits a memory-corruption bug in the firmware of Broadcom's BCM43xx family of Wi-Fi chips. The attack sends out Wi-Fi frames to nearby devices; when a frame reaches a phone with a vulnerable chip, the exploit rewrites the chip's firmware, with no user interaction. The compromised chip then repeats the attack, broadcasting the same malicious code to other vulnerable devices in range, which is what makes the bug wormable.

Until Apple and Google released patches, an estimated 1 billion devices were vulnerable to the attack. Apple fixed the bug in iOS 10.3.3 and Google in the July 2017 Android security update, so the check for a fleet is the iOS version and the Android security patch level, not the phone model.

Full details here:

https://arstechnica.com/information-technology/2017/07/broadcom-chip-bug-opened-1-billion-phones-to-a-wi-fi-hopping-worm-attack/

4.  Some recent malware campaigns deliver malicious payloads via .iso attachments

An .iso file is a single file containing an image of an entire CD or DVD. Windows 8 and later mount an .iso as a virtual drive when it is double-clicked. Researcher Didier Stevens has published findings showing how the mounted image exposes the malware it contains, such as an .exe or an Office document, while bypassing the native Windows defence that identifies downloaded files: the Mark of the Web is attached to the downloaded .iso itself, not to the files inside the mounted image, so SmartScreen and Office Protected View do not treat those files as having come from the internet.

Video of how the attack could happen from Didier Stevens

https://youtu.be/eEDrSfIiyLo
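Because the files inside a mounted image carry no download marking, the place to inspect an .iso attachment is before it reaches a desktop. The following Python is an added example, not Didier Stevens's code or anything from the original post: a minimal ISO 9660 reader that lists the files in an image and flags those with executable or macro-capable extensions, the check a mail gateway or sandbox would run on the attachment. The sample image is constructed in-code by a small builder; the file names, contents and the extension list are assumptions for the example.

```python
import struct
from pathlib import PurePosixPath

SECTOR = 2048  # ISO 9660 logical block size
# Extensions a mail gateway should not let through inside an image (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".js", ".jse", ".vbs", ".vbe", ".hta",
                    ".lnk", ".bat", ".cmd", ".ps1", ".jar", ".docm", ".xlsm", ".pptm"}

def both_endian(fmt, value):
    # ISO 9660 stores integers twice: little-endian, then big-endian.
    return struct.pack("<" + fmt, value) + struct.pack(">" + fmt, value)

def dir_record(name, extent, size, is_dir):
    """Encode one ISO 9660 directory record (ECMA-119 section 9.1)."""
    rec = bytearray([0, 0])                  # record length (patched below), ext-attr length
    rec += both_endian("I", extent)          # location of extent (sector number)
    rec += both_endian("I", size)            # data length in bytes
    rec += bytes(7)                          # recording date/time, zeroed in this sample
    rec.append(0x02 if is_dir else 0x00)     # file flags: bit 1 = directory
    rec += bytes(2)                          # file unit size, interleave gap
    rec += both_endian("H", 1)               # volume sequence number
    rec.append(len(name))
    rec += name
    if len(rec) % 2:
        rec.append(0)                        # records are padded to an even length
    rec[0] = len(rec)
    return bytes(rec)

def build_sample_iso(files):
    """Build a minimal flat ISO 9660 image from {b"NAME.EXT;1": content}; constructed test input."""
    root_lba, lba, entries, payload = 18, 19, b"", b""
    for name, content in files.items():
        padded = content + bytes(-len(content) % SECTOR)   # files start on a sector boundary
        entries += dir_record(name, lba, len(content), False)
        payload += padded
        lba += len(padded) // SECTOR
    root = dir_record(b"\x00", root_lba, SECTOR, True)     # "." entry
    root += dir_record(b"\x01", root_lba, SECTOR, True)    # ".." entry (root is its own parent)
    root = (root + entries).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)                                # primary volume descriptor, sector 16
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"ATTACHMENT".ljust(32)                   # volume identifier
    pvd[80:88] = both_endian("I", lba)                     # volume space size in sectors
    pvd[120:124] = pvd[124:128] = both_endian("H", 1)      # volume set size, sequence number
    pvd[128:132] = both_endian("H", SECTOR)                # logical block size
    pvd[156:190] = dir_record(b"\x00", root_lba, SECTOR, True)
    terminator = bytearray(SECTOR)                         # volume descriptor set terminator
    terminator[0], terminator[1:6], terminator[6] = 255, b"CD001", 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + root + payload

def walk_directory(image, lba, size, prefix, out, seen):
    """Collect (path, size, is_dir) for a directory extent, recursing into subdirectories."""
    seen.add(lba)                                          # guard against cyclic (hostile) images
    data = image[lba * SECTOR: lba * SECTOR + size]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                                   # padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos: pos + rec_len]
        if rec_len < 34 or len(rec) < 33 + rec[32]:
            raise ValueError("malformed directory record")
        pos += rec_len
        extent = struct.unpack_from("<I", rec, 2)[0]
        length = struct.unpack_from("<I", rec, 10)[0]
        is_dir = bool(rec[25] & 0x02)
        name = rec[33: 33 + rec[32]]
        if name in (b"\x00", b"\x01"):                     # "." and ".."
            continue
        path = prefix + "/" + name.decode("ascii", "replace").split(";")[0]
        out.append((path, length, is_dir))
        if is_dir and extent not in seen:
            walk_directory(image, extent, length, path, out, seen)
    return out

def list_iso(image):
    """List the ISO 9660 primary tree of an image held in memory."""
    pvd = image[16 * SECTOR: 17 * SECTOR]
    if len(pvd) < 190 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    return walk_directory(image, root_lba, root_len, "", [], set())

def find_risky_files(image):
    """Paths inside the image whose extension a gateway should block or detonate."""
    return [path for path, _, is_dir in list_iso(image)
            if not is_dir and PurePosixPath(path).suffix.lower() in RISKY_EXTENSIONS]

# Constructed lure: stand-in bytes, not real malware.
SAMPLE_ISO = build_sample_iso({
    b"README.TXT;1": b"Open the attached invoice to confirm payment.\r\n",
    b"INVOICE.EXE;1": b"MZ" + bytes(98),
    b"INVOICE.DOCM;1": b"PK\x03\x04" + bytes(60),
})

if __name__ == "__main__":
    print(list_iso(SAMPLE_ISO))
    print("flagged:", find_risky_files(SAMPLE_ISO))
```

The reader only walks the ISO 9660 primary tree; real lure images usually also carry a Joliet descriptor with long Unicode names, but the file extents are the same, so the short names are enough to decide whether the attachment contains anything that should never be delivered to a mailbox. Treat the record-length and cycle checks as essential rather than decorative: an attacker who knows the gateway parses images will send a malformed one.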

5.  Mac computers silently infected with spyware for years: recent discovery of FruitFly malware variants dating back to 2014

Mac spyware dubbed FruitFly, of unknown origin and first discovered earlier this year, has a new variant, FruitFly 2. The original FruitFly contains Perl code with references to Mac OS X 10.10, which was released in October 2014, indicating that the malware has been around for some time.

Both FruitFly variants run in the background, spy on users through the webcam, capture screenshots and log keystrokes.

No system is immune to malware. Regular patching, anti-malware software and reliable backups are all necessary to protect your valuable data.

http://money.cnn.com/2017/07/24/technology/mac-fruitfly-malware-spying/index.html


Topics: Education