Here is our cyber security news round-up of the week:
Linux Bluetooth vulnerability exposed
A security researcher at Google has disclosed long-awaited details of zero-click vulnerabilities in the Linux Bluetooth subsystem that allow nearby, unauthenticated attackers “to execute arbitrary code with kernel privileges on vulnerable devices”. Dubbed BleedingTooth, the trio of security flaws were found in BlueZ, the open-source, official Linux Bluetooth protocol stack found on Linux-based laptops and IoT devices.
Google security engineer Andy Nguyen dropped a technical write-up on Twitter that exhaustively recounts how he discovered and chained the bugs to achieve remote code execution (RCE) on a Dell laptop running Ubuntu 20.04.1 without "victim" interaction. The most severe vulnerability was a high-severity (CVSS score 8.3) heap-based type confusion issue dubbed BadKarma that was, said Nguyen, “quite easy to bypass”. Provided they know the victim’s Bluetooth device address, a remote attacker positioned a “short distance” from the vulnerable device can “send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges”, according to a Google advisory. The privilege escalation flaw (CVE-2020-12351), which arises due to improper input validation, was found in the Logical Link Control and Adaptation Protocol (L2CAP), one of a number of Bluetooth modules incorporated into BlueZ.
500 million LinkedIn users' data is being sold
An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has allegedly been scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more. The author of the post claims that the data was scraped from LinkedIn. Our investigation team was able to confirm this by looking at the samples provided on the hacker forum.
A statement from LinkedIn appears to confirm the latter: the company states that the data for sale was not acquired as a result of a data breach, and “is actually an aggregation of data from a number of websites and companies.”
“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
In addition, researchers have revealed that threat actors are using zip files to trick LinkedIn users into executing the More_eggs backdoor. According to eSentire’s blog post, threat actors are using zip files to target victims based on the job description on their LinkedIn profile. Once the zip file is opened, the victim’s device is infected with the More_eggs backdoor, which is currently targeting Windows devices. Upon infection, the malware takes full control of a targeted system, allowing hackers to remotely use it for malicious purposes including sending, receiving, deleting, and executing files.
Ransomware disrupted production at two manufacturing sites in Italy
A ransomware incident earlier this year temporarily shut down production for two days at a pair of manufacturing facilities in Italy. Kaspersky did not publicly identify the victim organisation. But Vyacheslav Kopeytsev, a researcher with the firm’s ICS-CERT unit, said in an email that the victim was a multinational firm headquartered in Germany that has factories in Italy. The hackers disguised a nascent strain of ransomware called Cring as the victim organisation’s anti-virus product before encrypting the computer servers that would cause the organisation the greatest damage, Kopeytsev and his colleagues said in a report. The attackers tailored their hacking tools to the victim’s infrastructure, the researchers said.
Kaspersky ICS-CERT said the disruption at the Italian factories was one of multiple hacking incidents involving Cring ransomware and aimed at European industrial firms in the first quarter of 2021. Details on other victims were not immediately available. Swisscom, a big Swiss telecoms firm, alluded to the ransomware infections in a tweet in January.
Firmware is increasingly becoming a lucrative target for cyber attackers
According to a survey by Microsoft, cyberattacks against firmware are increasing rapidly and outpacing traditional cyber defences. The survey polled 1,000 security decision-makers based in Germany, China, Japan, the UK and the US. More than 80% of companies experienced at least one firmware attack in the last two years.
Even though firmware-based attacks are growing, only 29% of the security budget is reserved for firmware security. Most of the security investments were aimed at vulnerability scanning, security updates, and advanced threat protection solutions. Around 21% of decision-makers confirmed that their firmware data goes unmonitored. A vast majority, 82% of respondents, reported that they don’t have the resources to allot to more high-impact security work because they are spending more time on lower-yield manual work.
WhatsApp-based Android malware spotted on the Google Play Store
Cybersecurity researchers have discovered yet another piece of wormable Android malware – but this time downloadable directly from the official Google Play Store – that's capable of propagating via WhatsApp messages. Disguised as a rogue Netflix app under the name of FlixOnline, the malware comes with features that allow it to automatically reply to a victim's incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.
The application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote C&C server, Check Point researchers state in their analysis. A successful infection could allow the malware to spread further via malicious links, steal data from users' WhatsApp accounts, propagate malicious messages to users' WhatsApp contacts and groups, and even extort users by threatening to leak sensitive WhatsApp data or conversations. The app has since been purged from the Play Store, but not before attracting a total of 500 downloads over the course of two months.
Cisco fixes bug allowing remote code execution with root privileges
Cisco has released security updates to address a critical pre-authentication remote code execution (RCE) vulnerability affecting SD-WAN vManage Software's remote management component. The company fixed two other high-severity security vulnerabilities in the user management (CVE-2021-1137) and system file transfer (CVE-2021-1480) functions of the same product allowing attackers to escalate privileges. Successful exploitation of these two bugs could allow threat actors targeting them to obtain root privileges on the underlying operating system. The critical security flaw, tracked as CVE-2021-1479, received a severity score of 9.8/10. It allows unauthenticated, remote attackers to trigger a buffer overflow on vulnerable devices in low-complexity attacks that don't require user interaction.
"An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges," Cisco explained.
The vulnerabilities affect Cisco SD-WAN vManage releases 20.4 and earlier. Cisco has addressed them in the 20.4.1, 20.3.3, and 19.2.4 security updates published today and advises customers to migrate to a fixed release as soon as possible.
533 million Facebook users' data leaked online
The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in some cases – email addresses.
While a couple of years old, the leaked data could provide valuable information to cybercriminals who use people's personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, who first discovered the entire trove of leaked data online. Gal first discovered the leaked data in January when a user in the same hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users in exchange for a price. Now, the entire dataset has been posted on the hacking forum for free, making it widely available to anyone with rudimentary data skills.
Edited and compiled by QA's Director of Cyber, Richard Beck.