Cyber Pulse: Edition 120 | 13 July 2020

Here is our cyber security round-up of the week:

Backdoors identified in tens of C-Data fibre broadband devices

Security researchers have discovered backdoors impacting a total of 29 Fibre-To-The-Home (FTTH) Optical Line Terminal (OLT) devices from Chinese vendor C-Data. The company’s OLTs are available for purchase under various brands, including BLIY, OptiLink, V-SOL CN and C-Data, delivering connectivity to numerous clients (up to 1,024 in some cases), with some of the affected devices even supporting multiple 10-gigabit uplinks. The FD1104B and FD1108SN OLTs are impacted by several vulnerabilities, including a telnet server accessible from both the WAN and the FTTH LAN interfaces.

An attacker with backdoor access to the OLT can extract administrator credentials through the command-line interface (CLI), the researchers also discovered. The attacker can then leverage the working CLI access to execute commands as root and exfiltrate information using the embedded webserver. During their investigation, the researchers discovered that a telnet server running on the device and accessible from the WAN interface can be abused to remotely restart the appliance, without authentication.

Furthermore, they found it was possible to extract web and telnet credentials and SNMP communities without authentication, and that credentials were stored in clear-text. An encryption algorithm used to store passwords uses XOR with a hardcoded value, and SSL/TLS connections are not supported for remote management.

The vulnerabilities were identified in December 2019, and the researchers decided to disclose their findings publicly this week, as they believe some of the backdoors were “intentionally placed by the vendor".

Australia one of the most hacked countries in the world

Australia is one of the world’s most hacked countries, according to a list compiled by security security researchers. Coming in at equal sixth in the world as targets of “significant” cyber attacks, Australia has reported 16 major incidents since 2010. The US tops the list with 156 incidents – three times more than the UK, which recorded the second-most significant cyber attacks at 47.

Created using data from the Center for Strategic and International Studies (CSIS) – which regularly updates a timeline of major cyber incidents – the list once again highlights Australia’s prevalence as a target for cyber warfare at a time of heightened awareness about cyber risks. The CSIS list of “significant” incidents focuses on times when bad actors have targeted government agencies, defence or high-tech companies, and incidents with an economic cost above US$1 million.

Starting in 2010 with a hack attempt on Rio Tinto, the listed Australian incidents show a decade-long pattern of cyber espionage targeting mining companies, defence contractors, and government agencies.

Ten years ago, the Australian Signals Directorate warned of a spike in attacks on Australian government and business systems – a warning that was repeated by the Prime Minister last month. In the decade that followed, hackers stole the blueprints for the new Australian Security Intelligence Organisation (ASIO) headquarters, tried to hack the plans for Australia’s new submarine fleet, successfully attacked the Bureau of Meteorology, breached the Australian National University twice, and broke into Australia’s parliamentary networks.

Revenge hack on US security firm

A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company's "data leak detection" service. The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches. The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.

A data leak monitoring service is a common type of service offered by cyber-security firms. Security companies scan the dark web, hacking forums, paste sites, and other locations to collect information about companies that had their data leaked online. They compile "hacked databases" inside private back ends to allow customers to search the data and monitor when employee credentials leak online, when the companies, themselves, suffer a security breach.

New variant of Joker malware for Android

Android is faced with a multitude of hostile malware families that try to find their way back in from time to time. One such malware strain happens to be the Joker, which has also been previously caught tricking users into subscribing to premium services without their consent.

This time, it’s back to do the same albeit with a different technique to evade Google’s security filters. This is alarming for Android users since just yesterday it was reported that a dangerous Cerberus banking Trojan was also found on Google Play Store. Reported by Checkpoint, the new variant makes use of a couple of components to do its job – a notification listener service which is a part of the legitimate applications, and a “dynamic dex file” that it retrieves from its C2 server in order to make users successfully subscribe.

According to the researchers, a new technique at play in this variant is that it “now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.” One can verify if they have installed any such app by going through the package names. For users that have, it is recommended to uninstall the application and also check your credit/debit card statements for any unauthorised charges.

Concluding, for the future, neither do we nor does Google have any answers on how to prevent evolving malware from penetrating legitimate applications, despite increasing security in place. The only solution seems to be user vigilance, which we’ve pointed out quite a lot of times before.

Zoom scam targeting home-workers

Two new Zoom scams are making the rounds online, targeting home-workers and naive employees, according to the Chartered Trading Standards Institute (CTSI). In one scam, the victim receives a fake email from the sender “Zoom Mail”. The message states that the individual has received a “Zoom voicemail” and directs them to call a premium rate number to listen to the recording. According to the CTSI, calling the number costs approximately $7.50, plus standard network rates.

The second scam sees the victim invited into a bogus Zoom conference call. The message links to a fake login page through which scammers scrape victims' login credentials. "Everyone receiving messages like these should take precautions. A legitimate message will never ask you to pay money to access voicemails, and messages received outside of the specified platform should always be treated with healthy suspicion,” said Katherine Hart, Lead Officer at the CTSI. "This type of scam is by no means limited to the Zoom platform, and the public should apply the same precautions to all. If you receive these kinds of emails, report them to the National Cyber Security Centre and your organisation's Head of IT."

More than half of all Canadians admit to being victims of cybercrime

The pandemic impacted more than just our way of living. As the world slowly adapted to social distancing and a work-from-home environment, our view on digital privacy and cybersecurity has emerged as a leading challenge. With much of our daily routines shifting online, Internet users experience unprecedented challenges from cybercriminals that have stepped up their game, readjusting to the new normal.

According to a report published by the Cybersecure Policy Exchange at Ryerson University in Toronto, 57% of Canadians said they have been a victim of some form of cybercrime. The findings highlight a significant increase from 2017, when only 36% of the respondents reported such attempts. “Internet users around the world are reporting greater levels of concern about their online privacy than they were a year ago”, researchers said. “More access points, increased connectivity, and therefore more opportunities for threats to target weak spots.”

The survey was organised in mid-May, and polled 2,000 citizens in an attempt to “understand Canadians’ experiences, choices and priorities toward their cybersecurity and digital privacy”. Among the self-reported cybercrime experiences, the unintentional install or download of malware was mentioned by 31% of the respondents. 28% claimed to have experienced a data breach that exposed personal information, and 22% had an online account hacked. Surprisingly, only 13% admitted to have been a victim of a phishing attack, and 8% unintentionally installed or downloaded ransomware on their computers.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.