Cybersecurity is a dynamic arena with some event or the other never ceasing to take place. While cybersecurity measures reach unmatched levels of sophistication and ultra protection, cyber attacks make an equal stride. Thus the stifle between the good and the bad actors of the cyber world is never-ending. However, anyone interested in these affairs would want to keep track of all phishing prevention measures that have been possibly invented. Keep yourself updated about the latest activities from the cybersecurity world as we bring you the major events from the past week:
Malware Attack On Rheinmetall Branches In Three Nations
Rheinmetall AG, Düsseldorf based German corporation, was recently attacked by a malware that has caused much disruption and distress in the plants of the company in three countries. Rheinmetall is one of the biggest defense contractors in the world, manufacturing armored fighting vehicles, tanks, ammunition, and various electronic systems. The malware infected their plants in Brazil, Mexico, and the US. Although the specifics of the attack have not been disclosed by the company yet, Rheinmetall expects the malware to have a lasting impact in the long run.
They are confident that they would be able to assure deliverability in short term, however, the exact length of the disruption stands undefined, but it possibly would range from two to four weeks. The attack is expected to adversely affect operating results between €3 million and €4 million per week from the second week. As it turns out, many more such attacks have happened on various other companies in the past one year, and Rheinmetall is not the only company to have suffered because of a malware infection defying phishing protection measures.
New Malware Hits Pcs In The US & Europe, Identity Dubious
Thousands of PCs in the United States and Europe have been affected by a new malware which has been identified by Microsoft and Cisco Talos and named as “Nodersok” and “Divergent” respectively by both companies. The malware operates by turning systems into proxies for performing malicious activities. In spite of having its components, Nodersok/ Divergent makes use of existing tools to conduct its malicious work. It operates by leveraging the Node.js framework and WinDivert to convert the systems of victims into proxies. However, Microsoft and Cisco Talos have very different takes on the malware and its operation.
While Microsoft says that Nodersok turns machines into proxies and uses them as a relay to access other network entities; Cisco Talos feels that the proxies created by the malware are used to conduct click fraud. Cisco Talos further adds that the malware is still under development.
Nodersok launches a two-stage attack that downloads multiple components on a user’s PC. It gets loaded when victims run an HTA file. As an anti-phishing measure, Microsoft suggests that users must not run HTA files found on their systems, particularly those whose origin cannot be tracked down.
Yet Another Sim Card Attacker Found, Also A Detector Invented
A sim card attacker similar to Simjacker has been recently identified by researchers, which is known as “WIBattack”. This lets malicious actors track the devices of users by abusing the lesser-known apps running on SIM cards. WIBattack and Simjacker have similar commands and operate similarly. However, they differ in their target apps: Simjacker runs against the S@T Browser app while WIBattack runs against the Wireless Internet Browser (WIB) app. These browsers support similar commands such as: getting the location data, sending an SMS, starting a call, sending SS and USSD requests, launching an internet browser with a specific URL, displaying some text on the device, playing a tone, etc.
Researchers claim that WIBattack was located by them way back in 2015 when they found Simjacker, but they chose to keep this from the public then. They found that there are perhaps hundreds of millions of devices SIM cards with a WIB app. But other researchers are skeptical of these figures. Experts from SRLabs have developed two apps, viz., SIMTester, and SnoopSnitch. SIMTester is a desktop app that can be used to test SIM cards for security flaws, and SnoopSnitch is an Android app that can check smartphones for various SIMs, mobile networks, and OS security flaws. These apps come as great anti-phishing tools that can be used by curious users to check whether their SIM card runs the S@T or WIB apps.
New Korean Malware Eyeing Indian Financial Institutions
Kaspersky identified a new active malware in some of the Indian financial institutions, which is capable of stealing confidential information like transaction details from the system. The malware is supposedly a creation of the Lazarus group which is under North Korea’s primary intelligence bureau.
A banking malware called ATMDtrack has been tracked by researchers in the Indian banks, which once planted in the ATMs can read and store the data of cards inserted into the ATMs. Over 180 new malware samples with code sequences similar to the ATMDtrack were found. The malware ATMDtrack was also spotted last year in its attempt at infiltrating Indian ATMs and stealing customer card data.
The new spyware Dtrack uploads and downloads files to the device of the victim records keystrokes and conducts other malicious remote administration tool (RAT) actions. Dtrack gives the attackers complete control over infected devices to perform their malicious activities like uploading and downloading files and executing key processes. The systems that are infected with Dtrack have weak network security policies and password standards. Once successfully installed, Dtrack lists all the available files and running processes, keylogging, browser history, and host IP addresses. What makes Track all the more dangerous and hard for anti-phishing services to track is the fact that the threat might seemingly disappear, but it can be revived in a new disguise and attack new targets at any time.
Encrypted PDF Files No Longer Safe
A new attack comes to the top, which can access even encrypted PDF files. Known as ‘PDFex’, the malware seems to outsmart all major PDF viewers such as Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox’s built-in PDF viewers. PDFex operates in two forms: Data exfiltration and CBC Gadgets.
PDFex exfiltrates data from encrypted Portable Document Format (PDF) files and gives the attacker access to the encrypted files for manipulation, even without having the corresponding passwords. This happens because PDF encryption uses the Cipher Block Chaining (CBC) encryption mode, which allows almost anyone to create self-exfiltrating ciphertext parts using CBC gadgets.
Attackers exploit the phishing protection flaw in PDF apps that do not encrypt a PDF file completely, giving attackers the leeway to alter the unencrypted fields, add unencrypted objects.
Oyo Leaves Customer Data Exposed Due To Security Flaw
The Ritesh Agarwal founded hospitality chain OYO leaves customer data unprotected and exposed because of a security flaw. This was pointed out by an independent researcher Jay Sharma in August. Sharma was required to furnish his booking ID and phone number to access the hotel’s WiFi after he had checked-in to an OYO hotel and made the bells ring in his head. He researched and found that the “http” & “ssh” ports were open, without any rate limit for the IP which was hosting this. The researcher posted about this on Linkedin where he said that guest data including booking IDs, phone numbers, the number of people staying in a room, the date of the booking, and location from the past few months could be easily accessed online.
While Oravel Stays (parent company of OYO Hotels & Homes) has rewarded Sharma with a sum of Rs 25,000; he has asked users not to use the app until OYO fixes the issue. The hotel, on the other hand has claimed that the vulnerability is only restricted to that particular property and has been fixed immediately. They reassured about the quality of phishing protection service they employed and said that they are meticulous about the safety of their customers and take even the slightest of security threats very seriously.
Major Ransomware Attack Hits Victorian Hospitals, Proceedings Delayed
A major ransomware attack hit the computer networks in at least seven major regional hospitals. This has brought down the booking systems, delayed surgeries, and put patient information security at stake. Several hospitals in Gippsland Health Alliance and South West Alliance of Rural Health, along with hospitals in Warrnambool, Colac, Warragul, Sale, and Bairnsdale, were affected in this attack. Following are the repercussions at some of the major hospitals in the chain:
- Geelong’s Major University Hospital: The computer systems at the hospital have been shut down, making them switch back to the manual mode of recording details.
- West Gippsland Hospital: There are high chances that the computer booking and record-keeping systems at the West Gippsland Hospital could be down for over two weeks.
- Barwon Health and University Hospital: It is uncertain as to how many elective surgeries will be delayed as a result of the attack at Barwon Health facilities and University Hospital. Barwon Health handles a massive number of patients every year, with 86,000 patients being admitted in the previous financial year.
- Gippsland: The attack has made the aged care at Warrnambool and radiation services in Gippsland suffer.
Premier Daniel Andrews said that it might take several weeks to restore the network, but there is no indication of patient information being accessed by attackers, but in case it is unearthed later, the patients would be immediately informed of the same. Although the attack has created much havoc, the hospitals have not let it affect the emergency surgery and emergency departments.
They are now working with the Victoria Police and experts from the Australian Cyber Security Centre to secure their system and get to the roots of the attack. What makes the attack less pitiable for viewers is the fact that the attack was imminent. The Auditor-General of the state had warned way back in May that Victoria’s health databases contain some severe security flaws. It is because of the authorities choosing to ignore the warnings and failing to adopt any anti-phishing solutions that the attack occurred in the first place!
Jill Slay of La Trobe University says that the attack comes as a lesson for the authorities to act while there is still time. This also means that not having your systems protected would make it all the more easier for attackers to execute phishing scams, since such mails can easily get into the inbox of employees, and a mere click by an employee is enough to bring down an entire system!
Former Yahoo Engineer Penalized For Hacking Into 6000+ User Accounts
The U.S. Department of Justice charged a former Yahoo software engineer, who illegally hacked into the personal accounts of thousands of Yahoo users in search of sexual images and videos. The 34 years old engineer Reyes Daniel Ruiz from Tracy, California, confessed to having misused his knowledge and position to get into over 6,000 Yahoo accounts. He cracked user passwords and accessed internal Yahoo systems to gain access.
He also accessed the iCloud, Facebook, Gmail, DropBox, and other online accounts of users, particularly the accounts of younger women in search of private images and videos. He didn’t even spare his colleagues and friends. He had copies of their pictures and videos saved on his home network and later destroyed the computer and hard drive when Yahoo grew suspicious of his conduct.
Currently, he is facing a charge of five years in prison and has to pay a fine of $250,000.
Sportswear Brand Asics Becomes Victim Of Pornographic Cyber Attack
The world witnesses an innovation in pornographic cyber attacks with the recent invasion of major sportswear brand Asics. Asics undergoes an attack different from the usual ones with fake claims of having captured victims while accessing illicit sites and then demanding money for not exposing their conduct. In the said attack, large storefront display screens of Asics played pornographic videos for nine hours from about 1 a.m. at 10 a.m. This happened at a major high street in Auckland, New Zealand, last Sunday.
Asics apologized for the blunder on Facebook since even children were the viewers of the dishonorable screening of the adult video, which was allegedly because of a “cyber attack”. They added that measures are being adopted to ensure phishing attack prevention in future. The police have been informed about the attack, and they too are investigating the attack.
Data Breach Exposes Details Of 20 Million Russians
Bob Diachenko, A top Security Researcher, discovered a database with records of over 20 million Russians. The details contained therein consisted of the names, addresses, residency statuses, passport numbers, phone numbers, Tax ID numbers, employer names and tax amounts of citizens. This database was left exposed and unprotected, and anybody with a simple web browser could easily access the personal records of millions of Russians (particularly those based around Moscow) dated between 2009 and 2016.
Although the databases were brought down last May, they were out on the web for anybody to access for over 16 months. It cannot be said for sure whether anybody founded the records online before they were brought down, but it’s wise for Russians to be on guard and try to identify and ensure protection from phishing attacks. With the basic personal information leaked, attackers could easily impersonate tax officials of other services and launch a phishing scam in the near future. Hence, it is recommended that the Russians stay vigilant!