Cyber Pulse: Edition 103

Several toys that were tested have been found lacking authentication measures

Which? and security researchers from NCC Group have tested s​mart toys from several toy brands such as Mattel and Spinmaster, and found that many of the toys have missing authentication when connecting to a device for pairing. This authentication makes sure that the toys are connecting to a legitimate source. When it is missing, the toy could potentially be open to a variety of attacks that may endanger a child's privacy and safety.

During their research, it was found that a walkie-talkie toy could be effortlessly paired and used to communicate with the child – within reasonable distance. Another flaw they found was that some toys required logging into certain websites for updates or downloading certain features. These websites were missing encryption and consequently exposing account and session data to being intercepted. Researchers also found that these websites indicated whether a username or email address was already registered, which could potentially allow attackers to launch brute-force attacks to obtain registered usernames and email addresses.

Researchers have spotted a new variant of the Snatch ransomware

Security researchers from Sophos Labs found a new variant of the Snatch ransomware. The variant technique forces the Windows machines to reboot into Safe Mode to skip endpoint protection. In the Safe Mode, most software, including security software, doesn’t run, and the ransomware encrypts the hard drives in the infected system. This malware was written in Go programming language and cannot run under multiple operating systems. The malware contains a ransomware component, a data stealer component, along with several publicly available tools. The attacks are usually of the "active automated attack model" type, which means brute force attacks are launched against vulnerable networks, and then the penetration happens. Most of the attacks were observed to be on networks that allowed uninhibited access for several days.

Security researchers recommend monitoring networks and periodically hunting for threats. And to prevent this ransomware from impacting your network, organisations must implement multifactor authentication – especially for those accounts with more privileges – regularly scan for and patch vulnerabilities, and prevent exposing Remote Desktop interface to the unprotected internet.

Android phones are affected by a Binder vulnerability

The SideWinder APT group were found actively abusing a Binder vulnerability in at least three apps found in the Google Play Store. The three malicious apps were Camera, FileCrypt and callCam. The malicious apps were disguised as photography and file manager tools and had been active since March 2019. These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers, explained Trend Micro researchers in their blog post.

The flaw, tracked as CVE-2019-2215, affects several Android devices, including Pixel 1 and 2 phones. The flaw can allow an elevation privilege from an application to the Linux kernel. It does require either the installation of a malicious local application or a separate vulnerability in a network-facing application. Upon discovery, Google has removed these apps from its Play Store.

Pulse Secure VPN flaw has been rated "highly" critical

The Register reports that security researcher Kevin Beaumont has found at least two organisations have been compromised through exploiting the Pulse Secure VPN flaw. The flaw has been adopted by cybercriminals to push ransomware. Among those believed to be affected in the ongoing campaign is Travelex – a travel insurance and currency exchange provider. This forced the company to take all of its systems offline and resort to manual operations at branches nationwide.

The flaw was tracked as CVE-2019-1150 and has been labelled "highly" critical. This arbitrary read file vulnerability affects multiple versions of Pulse Connect Secure and Pulse Policy Secure. It gives remote attackers a way to connect via HTTPS to an enterprise network without the requirement of any valid username or password. Attackers can use the flaw to view logs and files, turn off multifactor authentication, download arbitrary files and execute malicious code on enterprise networks.

Edited and compiled by cyber security specialist James Aguilan.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses