Jun 18, 2017 9:50:21 PM | Education In The Know - Cyber Security Update - Week of June 12th 2017

Cyber Advisors Cyber Security Update - Week of June 12th 2017: $1.9M phishing scam, Mac malware, power grid compromise, Foscam vulnerabilities, Cisco Prime

1.  Mac Ransomware as a service and Mac spyware released

As Macs become more popular with both consumers and corporate users, Mac-targeted malware is on the rise. This week, two variants of Mac malware are circulating on the internet. MacSpy claims to be able to record keystrokes, access iPhone photos, and take screenshots. The second, MacRansom, offered as a free ransomware-as-a-service (RaaS) platform, reportedly encrypts macOS files and demands a payment of 0.25 bitcoin (~$675) for the unlock code. Reports say the software may not decrypt the files even after payment. Any good malware protection should prevent infection. More information here.

2.  Southern Oregon University loses $1.9M in an email scam

The university fell for a social engineering and email spoofing scam that tricked it into sending funds to the wrong bank account. In this case the university was working with Anderson Construction on some infrastructure projects. The scammers posed as the construction firm and sent an email to the university accounting office with bank account changes to be used for future payments.

The FBI reports that Business Email Compromise scams are increasingly targeting small and medium-sized businesses, which may be less prepared to recover from the loss, and offers the following advice (Alert I-050517-PSA):

Verify the request is legitimate by contacting an individual at the known and previously used telephone number of the company requesting the change in bank account info.

Establish procedures that include a means to authenticate requests to update any existing vendor financial information.

Look closely at the domain of the e-mail address that contains instructions for payment change and make sure it matches the actual domain of the vendor. Be aware that e-mail spoofing may be used.

Email encryption of any sensitive information is highly recommended.
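The third point of the FBI advice above (check that the sender's domain really matches the vendor's) is easy to automate for accounts-payable mail handling. The following is an added example, not code from the original post or from any product it mentions; the vendor domain is a constructed placeholder, since the construction firm's real domain is not given here.

```python
from email.utils import parseaddr

# Constructed vendor record (hypothetical domain, not the firm's real one).
VENDOR = {"name": "Anderson Construction", "domain": "andersonconstruction.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, vendor=VENDOR):
    """Classify the From: header of a bank-detail change request against the vendor on file.
    Returns 'match', 'lookalike-domain', 'display-name-only', or 'unknown'.
    Anything other than 'match' should trigger the phone call-back from step one."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = vendor["domain"].lower()
    if domain == expected:
        return "match"
    label = expected.split(".")[0]
    # Spoofing tricks: vendor name reused inside another domain
    # (vendor.example.attacker.test, vendor-billing.example) or a near-miss spelling.
    if label in domain or edit_distance(domain, expected) <= 2:
        return "lookalike-domain"
    # Unrelated or free-mail domain with the vendor's name only in the display name.
    if vendor["name"].lower() in display.lower():
        return "display-name-only"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers, as they might reach an accounts-payable mailbox.
    for hdr in ["Anderson Construction <ap@andersonconstruction.example>",
                "AP <ap@andersonconstruction.example.attacker.test>",
                "AP <ap@andersonconstructi0n.example>",
                "Anderson Construction <ap@freemail.example>"]:
        print(f"{classify_sender(hdr):18} {hdr}")
```

This is a triage aid only: a "match" still does not prove the vendor's mailbox was not itself compromised, which is why the advice pairs the domain check with an out-of-band phone verification.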

3.  Global power grids could be susceptible to attack

An industrial control system malware family targeting power grids, dubbed Crash Override, was discovered by ESET and Dragos. The current variant was used successfully against Ukraine last December. Experts believe that this cyber weapon was developed by a nation state and could be deployed against electrical grids in Europe, the Middle East, Asia, and the United States. More details here.

4.  Foscam, maker of security cameras and baby monitors, has products with a long list of vulnerabilities, including hard-coded passwords

F-Secure discovered a number of vulnerabilities in Foscam cameras, including Foscam-manufactured cameras rebranded under other names such as Opticam. Flaws include hard-coded remote access passwords, a hard-coded blank file transfer password, hidden Telnet access, remotely changeable configuration files, and remote factory reset. These cameras are particularly dangerous on corporate networks, as they are susceptible to being infected with remote access malware, giving an attacker a foothold from which to reach resources on the corporate network. Foscam-made devices are sold under the brands Chacon, Thomson, 7links, Opticam, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode, and Sab.

If you are running one of these cameras, consider placing it on an isolated internal network with no access to other connected devices or to the internet. F-Secure's full report.

5.  Cisco Prime Collaboration Provisioning Authentication Bypass

A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges.

The vulnerability is due to missing security constraints on certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. A successful exploit could allow the attacker to bypass authentication and perform command injection in Cisco Prime Collaboration Provisioning with root privileges. Link to Cisco's advisory.

Written By: Eric Brown