Here is our cyber security round-up of the week:
Darkweb exposes BMW customer database
A database base with personal details of 384,319 BMW car owners in the UK is being offered for sale on an underground forum by the Kelvin Security Team hacking group, according to researchers. The hacking group, which last week tried to sell databases related to US business consulting firm Frost & Sullivan, made the BMW data available, including initials and last names, emails, addresses, vehicle numbers and dealer names, among other information.
Kelvin Security Team has been highly active on underground forums, offering 16 databases, including data related to US government contractors and Russian military weapons development, for sale in June 2020 alone. In addition, the group reportedly dumped for free 28 databases affecting entities in Mexico, Iran, the US, Australia, Sweden, France and Indonesia. Researchers also found a database of owners offered for sale on an underground forum.
The threat actor claimed that the BMW data came from a “call centre” that manages customers of different car suppliers. KELA said it obtained the database and found that it contains almost 500,000 customer records from 2016 to 2018, also affecting UK owners of other car manufacturers, including Mercedes, SEAT, Honda and Hyundai, among others.
Fake “DNS Update” emails targeting site owners and admins
Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain. The scam was spotted by researchers, when the admin of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation. The link took them to a “surprisingly believable” phishing page with logos and icons that matched their service provider (WordPress VIP), and instructed them to enter their WordPress account username and password to start the update.
“The scam then shows you some fake but believable progress messages to make you think that a genuine ‘site upgrade’ has kicked off, including pretending to perform some sort of digital ‘file signing’ at the end,” researchers explained.
Finally, either intentionally or by mistake, the victim is redirected to a 404 error page. The malicious link in the email contained encoded banner and URL information that allowed researchers (and attackers) to customise the scam phishing page with different logos, to impersonate numerous different hosting providers. The attackers check HTTP headers for information about the target’s hosting provider and customise the scam email and the phishing site accordingly.
Users who fall for the scam and enter their login credentials into the phishing site and who don’t have 2-factor authentication turned on are effectively handing control of their site to the scammers.
US authorities share insight on the Tor network
The US government's Cybersecurity Security and Infrastructure Security Agency has shared some insights into the Tor network, warning – for those who have been living under a rock – "cyber threat actors can use Tor software and network infrastructure for anonymity and obfuscation purposes to clandestinely conduct malicious cyber operations."
Tor (aka The Onion Router) is software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers or nodes. This software is maintained by the Tor Project, a non-profit organisation that provides internet anonymity and anti-censorship tools. While Tor can be used to promote democracy and free, anonymous use of the internet, it also provides an avenue for malicious actors to conceal their activity because identity and point of origin cannot be determined for a Tor software user.
Using the Onion Routing Protocol, Tor software obfuscates a user’s identity from anyone seeking to monitor online activity (eg nation-states, surveillance organisations, information security tools). This is possible because the online activity of someone using Tor software appears to originate from the Internet Protocol (IP) address of a Tor exit node, as opposed to the IP address of the user’s computer.
Possible remediation ranges from issuing an outright block on both incoming and outgoing traffic from the IP address of all known Tor nodes, to simply collecting and keeping on hand a list of nodes so that they can be blocked as needed.
Zoom completes 90-day security plan
Zoom CEO Eric Yuan said his video-conferencing wunderkind has officially concluded its 90-day security overhaul program in which it brought in a number of outside organisations and consultants to shore up its defences after a number of privacy and security slip-ups.
Zoom stated: “We have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content,” said Yuan in his blog. “We look forward to providing the fiscal Q2 data in our first report later this year.” A Zoom spokesperson declined to comment when asked for more detail about the planned release timeline. Looking ahead, the CEO said Zoom will carry out regular audits and continue its enhanced bug bounty program, among other measures.
Proactive anti-scam message from Three
A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a short link and textual urgings to click it and learn more. The message, when checked out in a sandboxed environment, goes to an insecure http-only page that warns of suspicious text messages and a video telling recipients not to tap on any links.
This message has all the hallmarks of a smishing (SMS phishing) message. As UK.gov-backed website Get Safe Online explained, such messages "instruct you to either go to a website or make a phone call to a specified number… They play on your basic human emotions and needs, such as trust, safety, and fear of losing money, getting something for nothing, eagerness to find a bargain or desire to find love or popularity/status."
As even Three itself warns, you really shouldn't pay attention to smishing messages: "If you've received a suspicious message, don't click on any links. Get in touch with the company it's supposed to be from, first. They'll let you know if it's genuine or not. Until then, don't click on any links or follow any of the instructions." The cautious telco added: "Would the supposed sender really contact you like this?"
Three reported: "We regularly and proactively contact our customers with guidance on how to avoid smishing fraud. This includes linking to a genuine website where we communicate about our safety measures. We inform all our customers that the website links we use, and are therefore safe to click on, are 3.uk and three.co.uk. More than 500,000 customers have read the guidance and now have a better understanding of how to protect themselves as a result.”
F5 Networks Big-IP vulnerability
Researchers discovered that exploit code for the pair of nasty vulnerabilities in F5 Networks' BIG-IP application delivery controllers is now doing the rounds, so make sure you're all patched up. Attackers are scanning the internet for machines to attack, judging from reports running honeypots. Any vulnerable kit facing the 'net is likely to be probed at some point this week, if not already, to see if it can be hijacked.
The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within the controllers' Traffic Management User Interface. Successful exploitation results in full admin control over the device. Now exploit code is being merged into the Metasploit framework for anyone to use, and proof-of-concept code to extract files or execute arbitrary commands, which neatly fits into a tweet, is being shared all over the web. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.
Admins are advised to update their firmware as soon as possible. The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, BIG-IQ and Traffix SDC products are not vulnerable.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to our weekly Cyber Pulse newsletter below.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in the Defence, Financial Services and HMG. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
Cyber Pulse: Edition 124 | 11 August 2020
Cyber Pulse: Edition 123 | 3 August 2020
Cyber Pulse: Edition 122 | 27 July 2020
Cyber Pulse: Edition 121 | 21 July 2020
Cyber Pulse: Edition 120 | 13 July 2020
Cyber Pulse: Edition 118 | 29 June 2020
Cyber Pulse: Edition 117 | 22 June 2020
Cyber Pulse: Edition 116 | 15 June 2020
Cyber Pulse: Edition 115 | 8 June 2020
Cyber Pulse: Edition 114 | 1 June 2020