Today’s cyberspace includes computer resources, IT networks, and all the fixed and mobile devices which connect to the internet. Because of the borderless nature of the global internet, protection of critical infrastructure operations is emerging as a significant challenge. Hackers always look to exploit the vulnerability of an unsuspecting internet user. Hence, cybersecurity experts strive to combat these threats by inventing new anti-phishing solutions regularly. Here we present some of the latest news headlines from the cyber world.
Russian Group Turla Tries Modifying Chrome And Firefox
Russian hacking group Turla went ahead of contemporaries and attempted to achieve goals more significant than just exploiting the vulnerabilities in a web browser. It tried to fingerprint TLS-encrypted web traffic through modification of Chrome and Firefox.
How Does Turla Execute Its Scheme?
The Turla group initially infects systems with a remote access trojan (RAT) and then uses the same to make changes to the browsers. These modifications include installation of their certificates, (so that they can intercept TLS traffic from the host) and patching of the pseudo-random number generation that negotiates TLS connections. This scheme allows the hacking group to add a fingerprint to every TLS action and thereby, track encrypted traffic secretly.
The Turla group is believed to be working under the aegis of the government of Russia. It has successfully attacked Russia and Belarus in the past. The history explains how it manages to evade phishing prevention measures so swiftly.
Cryptojacking Malware Targets Windows Users
Lemon_Duck – a cryptojacking malware campaign is rampantly spreading as per security researchers. The malware is propagating via repeated up-gradation of its attack scripts through open-source repositories. It spreads through organization networks via file-less script execution and through controlling CPU resources.
What Is The Modus-Operandi Of Lemon_Duck?
With roots in Asia, the malware is now a cause of concern throughout the world. Lemon_Duck makes use of scheduled tasks to continually check on targeted Windows-based machines, while the PowerShell attack scans for listening ports and generates IP addresses randomly. Upon finding a remote computer with a responsive script, Lemon_Duck launches brute-force attacks to win control over it. It simultaneously checks for the EternalBlue exploit. Lemon_Duck spreads fast as it replicates and validates itself on an attacked machine as soon as the PowerShell malware campaign successfully downloads.
However, this isn’t the end of the process; the malware then quickly operates and uses the first machine; it attacks a network as a beachhead to spread itself in devices. Phishing attacks of this kind can be ensured by changing passwords from time to time and by blocking the latest scripts through intrusion detection and signature prevention measures.
Employee Induced Data Breach At American Express
American Express recently spotted a data breach that was possibly carried out to perform identity theft by creating fake accounts at financial institutions. This breach was, however, not a result of some security flaw exploited by adversaries. It was a result of the unauthorized access and use of the customer details by an American Express employee.
The Extent Of The Damage
The breached information includes the full name, physical and billing address, Social Security numbers, birth dates, and the credit card number of the members. Ever since the discovery of this breach by the employee, American Express extended its full support and cooperation to the law enforcement agencies. They are conducting investigations in this regard to prevent phishing attacks in the future.
Controlling The After-effects Of The Breach
American Express sent out “Notice of Data Breach” notifications to all affected users and warned them to look out for any unusual activity in their accounts. Furthermore, it also extended free credit monitoring through Experian Identity Works to all affected users. Since the issue involves a criminal investigation, American Express hasn’t disclosed much information. It only said that the employee is no longer associated with them and is undergoing legal proceedings.
New Malware Capable Of Attacking Encrypted TLS Traffic
Researchers discovered a new malware called ‘Reductor’ which is capable of attacking even encrypted TLS traffic. Its other functions include trojan activities and manipulation of digital traffic. Reductor comes as a replacement to certified installers by infecting them with corrupt ones and decoding encrypted TLS traffic. It evades standard anti-phishing tools and attacks software distributions like Internet Downloader Manager and WinRAR. It also attacks via COMPfun malware which can download files on compromised hosts.
How Reductor By-passes The Security Checks?
Reductor functions mysteriously by decoding the data, and it evades the watchful eyes of administrators. By compromising the pseudo-random number generation (PRNG), the attacker can estimate how traffic will be encrypted when a TLS connection establishes. It also makes Reductor send essential data to its command-and-control (C2) server post the data decoding.
However, researchers suspect that the hacking group Turla is the mastermind behind Reductor as it has striking similarities with the COMPfun malware.
Android Users Vulnerable To An Israeli Surveillance Dealer Attack
Google recently warned the world of a vulnerability in Android devices and its own Pixel 1 and 2 devices. Security researcher Maddie Stone from Google described the vulnerability as a ‘kernel privilege escalation bug’. It gives an attacker deeper access into a machine, making him the controller of the Android operating system. This bug makes the attacker capable of altering all data stored on the device, thereby compromising user privacy beyond describable limits. Stone added that the vulnerability is active against targets of the Israeli spyware dealer NSO Group.
Patches And New Devices To Remove The Vulnerability
Android phones such as the Google Pixel 1 and 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Moto Z3, Oreo LG phones and the Samsung S7, S8, S9 models are the ones spotted without a patch of the vulnerability. However, researchers are striving to ensure protection from phishing attacks and shall soon launch Pixel 3 and 3a devices which are free from this vulnerability. Google shall also launch patches for the Pixel 1 and 2 devices in its October Security Release. The other android devices too are likely to be extended the patch soon after.
Players Of Fifa 20 Global Series Face Privacy Breach
In what appears to be a privacy flaw on the part of EA Sports, the names, dates of birth and email addresses of over 1600 people got compromised. Investigations continue in this regard as the company behind the Fifa video games tries to understand why the personal information of some of the players was visible to other gamers.
As it turns out, the fans who signed up for the new Fifa 20 Global Series could see the details of other people in the fields of the online registration form. While the victims of this seemingly minor breach included commoners, it also had some of the renowned online gaming live-streamers as its victims.
The Situation Is Under Control – EA Sports
In its defence, EA Sports said that it was concerned about the privacy of its players and that it strived to ensure phishing protection. It apologized for the unintentional blunder and added that they have the situation under control now.
Ransomware Attack Hits Spanish City Jerez De La Frontera
A ransomware attack recently hit the Spanish city of Jerez de la Frontera. The hacker seized their computer systems and is demanding an undefined amount of Bitcoin as a ransom to get their files unlocked. The attack caused much disruption in the city.
Security Experts Flown In
As an anti-phishing protection measure, three computer experts were sent to Jerez de la Frontera by the interior ministry of Spain. They would look into the matter and attempt to undo the damages. Meanwhile, the mayor of the city announced that the site would become functional only after they are 100% certain that it is secure against any further phishing attacks.
8.7 Million Customer Details Of Russian ISP ‘Beeline’ Exposed
The Russian telecommunications company Beeline underwent a data breach way back in 2017 which wasn’t made public in spite of them catching the culprit. Now, two years later, data belonging to about 8.7 million customers were sold and shared online, and Beeline admitted to the breach.
Russian Beeline Customers Are The Worst Affected
The data sold includes the personal details of customers, such as full names, addresses, and mobile and home phone numbers. Beeline has a customer base in Russia, Australia and Asia. However, as per their claims, only the Russian customers who applied for home broadband connections before November 2016 were victims of the breach. The company added that those customers whose details got revealed are no longer associated with Beeline. Also, the offence doesn’t affect customers in Australia, New Zeeland, Kazakhstan, Armenia, or other countries where Beeline operates.
Iranian Hackers After Trump 2020 Campaign
Microsoft recently informed that a group called Phosphorous with links to Iran was trying to gain access to the email accounts of its users illegally. These people have associations in some way with the 2020 reelection campaign of President Trump.
It was first brought to light by a group of researchers from the Microsoft Threat Intelligence Center. They also found that the official campaign website of Trump has its account linked to Microsoft’s cloud email service. It is the only competing body to use this facility.
After knowing the intents of the adversaries, Microsoft researchers kept an eye on the activities of Phosphorus for a period of 30 days stretching from August to September. They found that Phosphorus made over 2,700 attempts at identifying consumer email accounts that belonged to individual targeted Microsoft customers. Then, they attempted attacking 241 of these accounts.
U.S Official Campaigns Not The Only Target
Hence, Microsoft confirmed that Phosphorus was indeed after the accounts linked to the U.S. presidential campaign, and current and former U.S. government officials. It also targeted journalists covering global politics and prominent Iranians not residing in Iran. Microsoft further notified that the Phosphorus made more successful attempts in the past to breach accounts that are not related to the U.S official campaigns – current or former. However, Microsoft says it already took measures to secure the infected accounts.
Well-Researched Attacks By Phosphorous
What comes out as a peculiar trait of Phosphorus from these attacks is that the hackers put in a lot of effort at making the attacks precise. The attacks are not necessarily technologically advanced. But, hackers researched thoroughly, and targeted people only post conducting a significant amount of research about the prospective victim. Researchers concluded that the Phosphorus group is exceptionally motivated and is ready to invest a considerable amount of time, energy and resources in gathering relevant information. It helps them defy anti-phishing services swiftly. Their research included collecting data that could be used to reset passwords or use account-recovery features while they are on the process of taking over the target’s account.
Data Breach At New Zealand’s Commerce Commission (Comcom)
A lot of confidential information handled by the Commerce Commission (ComCom) of New Zealand was compromised. It seems like a data breach induced by the theft of a laptop more than a flaw in the security network. Among the affected data were more than 200 meeting and interview transcripts. Although the affected transcripts date back to early 2016 and hold confidential information that businesses and individuals provided to the Commission, yet the Commission’s network stands unaffected by the breach.
Theft Under Section 100 Of The Commerce Act
Chief executive of ComCom – Adrienne Meikle said that they are aware of the theft and are quite confident that they will be able to recover the laptop. They extended cooperation to the police in this regard and notified that a part of the compromised information falls under a confidentiality order issued by the Commission under section 100 of the Commerce Act.
It hints at the legal proceedings that might befall the thief when he gets caught. Although the laptop belonged to an external provider, Meikle apologized for the breach and said people were boycotting the Commission. She said that the offence might be a result of the incompetence of the external provider or the vicious intents of the attacker. But, it was their duty to safeguard the sensitive information of the users.
The Commission Taking Measures To Control The Damage
As a phishing attack prevention measure, the Commission approached its suppliers, asking for security assurance. In addition to that, it also conducted a couple of independent reviews in this regard. All those people who worry whether they were affected in the breach are advised to connect with ComCom immediately.
India’s Justdial Exposed 156 Million Users’ Details
The local Indian search app JustDial got inflicted with a severe flaw that gave attackers access to any of the 156 million users accounts of JustDial. It is a recent security flaw discovered by security researcher Ehraz Ahmed. The attackers could access information such as names, phone numbers, and email addresses, and gained access to the financial details. These include balance and transactions of any account linked to JustDial Pay – the company’s payment service. The flaw exploited the site’s Register API used for sign-ups.
Ahmed explained in a video that an attacker could use a person’s phone number as a user name and get into his/her account through the flaw. This bug also enabled hackers to change account details for JD Pay so that the money sent to that account gets redirected. But it did not allow the attackers to send cash as that action would need an additional PIN.
Our Users Are Safe With Us – JustDial
In its defence, JustDial said that they take security and privacy of users very seriously. They claimed that though a bug existed in one of their APIs which could help an attacker gain access into the user account, they have now fixed the bug. JustDial boasts of having an association with several security researchers who help the company ensure protection against phishing by strengthening their platform. It further said that no there was no data loss because of the mentioned bug and that their users are safe.