Several toys that were tested have been found lacking authentication measures
Which? and security researchers from NCC Group have tested smart toys from several toy brands, including Mattel and Spin Master, and found that many of the toys lack authentication when pairing with a device. This authentication ensures that a toy is connecting to a legitimate source. When it is missing, the toy could be open to a variety of attacks that may endanger a child's privacy and safety.
During their research, they found that a walkie-talkie toy could be effortlessly paired with and used to communicate with the child from within a reasonable distance. Another flaw they found was that some toys required logging into certain websites for updates or for downloading certain features. These websites lacked encryption and consequently exposed account and session data to interception. Researchers also found that these websites indicated whether a username or email address was already registered, which could allow attackers to launch brute-force attacks to enumerate registered usernames and email addresses.
Researchers have spotted a new variant of the Snatch ransomware
Security researchers from Sophos Labs found a new variant of the Snatch ransomware. The variant forces Windows machines to reboot into Safe Mode to bypass endpoint protection. In Safe Mode, most software, including security software, does not run, and the ransomware encrypts the hard drives of the infected system. The malware was written in the Go programming language and cannot run under multiple operating systems. It contains a ransomware component and a data stealer component, along with several publicly available tools. The attacks usually follow the "active automated attack model", in which brute-force attacks are launched against vulnerable networks and the intrusion follows once access is gained. Most of the attacks were observed on networks that had allowed uninhibited access for several days.
Security researchers recommend monitoring networks and periodically hunting for threats. To prevent this ransomware from impacting your network, organisations must implement multifactor authentication (especially for accounts with higher privileges), regularly scan for and patch vulnerabilities, and avoid exposing the Remote Desktop interface to the open internet.
Android phones are affected by a Binder vulnerability
The SideWinder APT group was found actively abusing a Binder vulnerability in at least three apps found in the Google Play Store. The three malicious apps were Camera, FileCrypt and callCam. They were disguised as photography and file manager tools and had been active since March 2019. These apps may be attributed to SideWinder because the C&C servers they use are suspected to be part of SideWinder's infrastructure. In addition, a URL linking to one of the apps' Google Play pages was also found on one of the C&C servers, explained Trend Micro researchers in their blog post.
The flaw, tracked as CVE-2019-2215, affects several Android devices, including Pixel 1 and 2 phones. It can allow an elevation of privilege from an application to the Linux kernel. Exploitation requires either the installation of a malicious local application or a separate vulnerability in a network-facing application. Upon discovery, Google removed these apps from its Play Store.
Pulse Secure VPN flaw has been rated "highly" critical
The Register reports that security researcher Kevin Beaumont has found that at least two organisations have been compromised through exploitation of the Pulse Secure VPN flaw. The flaw has been adopted by cybercriminals to push ransomware. Among those believed to be affected in the ongoing campaign is Travelex, a travel insurance and currency exchange provider. The incident forced the company to take all of its systems offline and resort to manual operations at branches nationwide.
The flaw was tracked as CVE-2019-1150 and has been labelled "highly" critical. This arbitrary file read vulnerability affects multiple versions of Pulse Connect Secure and Pulse Policy Secure. It gives remote attackers a way to connect via HTTPS to an enterprise network without needing a valid username or password. Attackers can use the flaw to view logs and files, turn off multifactor authentication, download arbitrary files and execute malicious code on enterprise networks.
Edited and compiled by cyber security specialist James Aguilan.
James Aguilan works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through workshops simulating cyber-attacks and forensic investigations. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.