Here is our cyber security round-up of the week:
Backdoors identified in tens of C-Data fibre broadband devices
Security researchers have discovered backdoors impacting a total of 29 Fibre-To-The-Home (FTTH) Optical Line Terminal (OLT) devices from Chinese vendor C-Data. The company’s OLTs are available for purchase under various brands, including BLIY, OptiLink, V-SOL CN and C-Data, delivering connectivity to numerous clients (up to 1,024 in some cases), with some of the affected devices even supporting multiple 10-gigabit uplinks. The FD1104B and FD1108SN OLTs are impacted by several vulnerabilities, including a telnet server accessible from both the WAN and the FTTH LAN interfaces.
An attacker with backdoor access to the OLT can extract administrator credentials through the command-line interface (CLI), the researchers also discovered. The attacker can then leverage the working CLI access to execute commands as root and exfiltrate information using the embedded webserver. During their investigation, the researchers discovered that a telnet server running on the device and accessible from the WAN interface can be abused to remotely restart the appliance, without authentication.
Furthermore, they found it was possible to extract web and telnet credentials and SNMP communities without authentication, and that credentials were stored in clear-text. An encryption algorithm used to store passwords uses XOR with a hardcoded value, and SSL/TLS connections are not supported for remote management.
The vulnerabilities were identified in December 2019, and the researchers decided to disclose their findings publicly this week, as they believe some of the backdoors were “intentionally placed by the vendor".
Australia one of the most hacked countries in the world
Australia is one of the world’s most hacked countries, according to a list compiled by security security researchers. Coming in at equal sixth in the world as targets of “significant” cyber attacks, Australia has reported 16 major incidents since 2010. The US tops the list with 156 incidents – three times more than the UK, which recorded the second-most significant cyber attacks at 47.
Created using data from the Center for Strategic and International Studies (CSIS) – which regularly updates a timeline of major cyber incidents – the list once again highlights Australia’s prevalence as a target for cyber warfare at a time of heightened awareness about cyber risks. The CSIS list of “significant” incidents focuses on times when bad actors have targeted government agencies, defence or high-tech companies, and incidents with an economic cost above US$1 million.
Starting in 2010 with a hack attempt on Rio Tinto, the listed Australian incidents show a decade-long pattern of cyber espionage targeting mining companies, defence contractors, and government agencies.
Ten years ago, the Australian Signals Directorate warned of a spike in attacks on Australian government and business systems – a warning that was repeated by the Prime Minister last month. In the decade that followed, hackers stole the blueprints for the new Australian Security Intelligence Organisation (ASIO) headquarters, tried to hack the plans for Australia’s new submarine fleet, successfully attacked the Bureau of Meteorology, breached the Australian National University twice, and broke into Australia’s parliamentary networks.
Revenge hack on US security firm
A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company's "data leak detection" service. The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches. The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.
A data leak monitoring service is a common type of service offered by cyber-security firms. Security companies scan the dark web, hacking forums, paste sites, and other locations to collect information about companies that had their data leaked online. They compile "hacked databases" inside private back ends to allow customers to search the data and monitor when employee credentials leak online, when the companies, themselves, suffer a security breach.
New variant of Joker malware for Android
Android is faced with a multitude of hostile malware families that try to find their way back in from time to time. One such malware strain happens to be the Joker, which has also been previously caught tricking users into subscribing to premium services without their consent.
This time, it’s back to do the same albeit with a different technique to evade Google’s security filters. This is alarming for Android users since just yesterday it was reported that a dangerous Cerberus banking Trojan was also found on Google Play Store. Reported by Checkpoint, the new variant makes use of a couple of components to do its job – a notification listener service which is a part of the legitimate applications, and a “dynamic dex file” that it retrieves from its C2 server in order to make users successfully subscribe.
According to the researchers, a new technique at play in this variant is that it “now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.” One can verify if they have installed any such app by going through the package names. For users that have, it is recommended to uninstall the application and also check your credit/debit card statements for any unauthorised charges.
Concluding, for the future, neither do we nor does Google have any answers on how to prevent evolving malware from penetrating legitimate applications, despite increasing security in place. The only solution seems to be user vigilance, which we’ve pointed out quite a lot of times before.
Zoom scam targeting home-workers
Two new Zoom scams are making the rounds online, targeting home-workers and naive employees, according to the Chartered Trading Standards Institute (CTSI). In one scam, the victim receives a fake email from the sender “Zoom Mail”. The message states that the individual has received a “Zoom voicemail” and directs them to call a premium rate number to listen to the recording. According to the CTSI, calling the number costs approximately $7.50, plus standard network rates.
The second scam sees the victim invited into a bogus Zoom conference call. The message links to a fake login page through which scammers scrape victims' login credentials. "Everyone receiving messages like these should take precautions. A legitimate message will never ask you to pay money to access voicemails, and messages received outside of the specified platform should always be treated with healthy suspicion,” said Katherine Hart, Lead Officer at the CTSI. "This type of scam is by no means limited to the Zoom platform, and the public should apply the same precautions to all. If you receive these kinds of emails, report them to the National Cyber Security Centre and your organisation's Head of IT."
More than half of all Canadians admit to being victims of cybercrime
The pandemic impacted more than just our way of living. As the world slowly adapted to social distancing and a work-from-home environment, our view on digital privacy and cybersecurity has emerged as a leading challenge. With much of our daily routines shifting online, Internet users experience unprecedented challenges from cybercriminals that have stepped up their game, readjusting to the new normal.
According to a report published by the Cybersecure Policy Exchange at Ryerson University in Toronto, 57% of Canadians said they have been a victim of some form of cybercrime. The findings highlight a significant increase from 2017, when only 36% of the respondents reported such attempts. “Internet users around the world are reporting greater levels of concern about their online privacy than they were a year ago”, researchers said. “More access points, increased connectivity, and therefore more opportunities for threats to target weak spots.”
The survey was organised in mid-May, and polled 2,000 citizens in an attempt to “understand Canadians’ experiences, choices and priorities toward their cybersecurity and digital privacy”. Among the self-reported cybercrime experiences, the unintentional install or download of malware was mentioned by 31% of the respondents. 28% claimed to have experienced a data breach that exposed personal information, and 22% had an online account hacked. Surprisingly, only 13% admitted to have been a victim of a phishing attack, and 8% unintentionally installed or downloaded ransomware on their computers.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to our weekly Cyber Pulse newsletter below.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM, CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, in addition Richard is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor for cyber insights and industry collaboration including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
CISOs should prioritise the “human firewall” during Covid-19
Cyber Pulse: Edition 141 | 11 January 2021
Cyber Pulse: Edition 140 | 4 January 2021
Cyber Pulse: Edition 139 | 18 December 2020
Cyber Pulse: Edition 138 | 8 December 2020
Cyber Pulse: Edition 137 | 13 November 2020
Cyber Pulse: Edition 136 | 5 November 2020
Cloud Native Security – Accelerate Left or Get Left Behind
Cyber Pulse: Edition 135 | 27 October 2020
Cyber Pulse: Edition 134 | 21 October 2020