Silobreaker Daily Cyber Digest – 31 July 2019
FTC warns of fake Equifax settlement websites
- The US Federal Trade Commission (FTC) has warned of fake websites made to look like the official Equifax settlement website in the hopes of making money from the estimated 147 million potential claimants.
- The FTC encourages individuals to start their claims process via the official FTC Equifax page to ensure sensitive financial information is not handed to a fake website. In addition, the FTC notes that individuals will never be asked to pay a fee to claim their benefits.
Leaks and Breaches
Ameritas notifies customers of data breach
- Mutual insurance company Ameritas Life Insurance Corp. suffered a data breach in May and early June 2019 as a result of phishing scams on its employees. The company has not stated how many individuals were affected by the breach.
- Potentially exposed data includes names, addresses, email addresses, Social Security numbers and policy numbers.
OXID e-commerce platform release patch for remote takeover vulnerability
- OXID released a patch for CVE-2019-13026 on July 30th, 2019. The vulnerability affects OXID eShop Enterprise Edition, OXID eShop Professional Edition and OXID eShop Community Edition.
- The vulnerability could be exploited with a specially crafted URL and could be used to gain access to the administration panel. Successful attackers would then have full access to OXID eShop installations and could access shopping cart options, customer data and databases.
- OXID stated that there is no evidence that the flaw has been exploited in the wild.
Google Researchers discover five remote exploitation vulnerabilities found in Apple’s iOS platform
- Four of the vulnerabilities, tracked as CVE-2019-8646, CVE-2019-8660, CVE-2019-8647 and CVE-2019-8662, were patched with iOS 12.4 which was released on July 22nd, 2019.
- The fifth vulnerability, tracked as CVE-2019-8641, could allow a remote attacker to terminate applications or run arbitrary code. The vulnerability was not fully patched in iOS 12.4 and can still be exploited. Further details of the exploitation are withheld until a patch can be released.
- The researchers also discovered CVE-2019-8624 which affects Apple’s watchOS.
CAN bus network vulnerability can be used to target small aircrafts
- Patrick Kiley at Rapid7 discovered that CAN bus networks, which are fitted to small aircrafts and used to transfer system information to the pilot, can be tampered with and used to inject false data. A malicious actor wishing to perform this attack would need physical access to the aircraft’s wiring in order to attach a device or use an existing attached device to the aircrafts CAN bus.
- A successful attack could result in the pilot being sent incorrect measurement related to altitude, airspeed, angle of attack, attitude data, compass direction and engine telemetry. The autopilot system could also be tampered with via unauthenticated commands, an attacker could enable and disable autopilot and send false readings to the autopilot to alter its responses.
- Following publication of the report, the US Department of Homeland Security (DHS) published an alert. The DHS warned aircraft owners to restrict access to their planes and stated that manufacturers should review implementation of CAN bus networks in response to the systems physical weaknesses.
Telegram release global fix for voicemail hack used against Brazilian politicians
- The system that Telegram had in place to add new devices to an existing user’s account was easily exploited by attackers. To add a new device to an account Telegram gave users the option of receiving a one time password via voice message. After three failed attempts to directly contact the user, Telegram would deliver the code to the user’s voicemail.
- Hackers were using VoIP services to spoof the victims phone number and access the voicemail code. Consequently, they could add their own device to the target’s Telegram account and access their messages.
- The attack had been successfully carried out against Brazilian politicians, President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes. Telegram now requires that users who request a code via voicemail have two factor authentication enabled.
Apple’s AWDL contains multiple vulnerabilities
- Researchers at the Technical University of Darmstadt and Boston’s Northeastern University found that Apple Wireless Direct Link (AWDL) contains multiple security and privacy vulnerabilities. The vulnerabilities could allow attackers to track users despite MAC randomization, crash devices via DoS attacks and launch Man-in-the-Middle attacks by intercepting and modifying files transferred via AirDrop.
- The DoS vulnerability, tracked as CVE-2019-8612, was patched in May 2019 with the release of iOs 12.3, tvOS 12.3, watchOS 5.2.1 and macOS 10.14.5. The remaining flaws continue to be exploitable, as they require a redesign of some of their services.
- The researchers warned that the same bugs might also affect Android and other types of devices, as ADWL is used as the basis for Neighbor Awareness Network-ing (NAN).
Multiple US agencies offer recommendations to prevent ransomware attacks
- Following the recent wave of attacks on state and local governments, the Cybersecurity and Infrastructure Agency, Multi-State Information Sharing and Analysis Center, National Governors Association and the National Association of State Chief Information Officers are calling on its government partners to follow a number of recommendations to protect against further ransomware attacks.
Combolists-as-a-service being sold on underground forums
- Researchers at Digital Shadows discovered cybercriminals selling combolists-as-a-service on the forum cracked[.]to. The researchers discovered a service provider, named DataSense, promising up to date lists of high-quality databases. DataSense marketing material suggests that they have Amazon, EA Origin, Ubisoft’s uPlay, Netflix and Steam accounts, the service is available to criminals on a monthly $50 basis.
- A second combolists-as-a-service provider, named DatabaseHUB, uploads new lists daily. Users gain access to DatabaseHUB’s service by paying $10.99, which generates 5 combo lists per day for 30 days.
Source (Includes IOCs)
Cabarrus County loses over $1.7 million in BEC scam
- Cabarrus County in North Carolina has lost $1,728,082.60 after transferring $2,504,601 to scammers in a business email compromise (BEC) scam. The scammers pretended to be from contractors Branch and Associates Inc and informed the county that their bank account details had changed, resulting in the fraudulent payment.
- As banks could only recover $776,518.40 after being informed of the scam the county lost a total sum of $1,728,082.60. The county’s insurance policy only covered $75000 of the overall loss.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.