TripAdvisor deactivates passwords of members whose data has been affected in previous breaches
The popular travel guide and restaurant review website TripAdvisor.com will invalidate a member’s password if that member’s email and password have been exposed in previous data breaches. The step was taken after the firm found that some of its members’ passwords had been revealed in several unauthorized disclosures, and it believes threat actors could misuse these stolen credentials in credential stuffing attacks. The company has emailed the potential victims to warn them that their data was found in ‘lists of publicly leaked passwords’ and that they need to reset their passwords. Affected members have been informed that their current passwords have been disabled and that they must set a new one to recover their accounts. TripAdvisor is taking this step to prevent its members’ accounts from being compromised via credential stuffing attacks. “As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account, we have invalidated your password,” reads TripAdvisor’s email notification, Z6Mag reported. TripAdvisor has also asked its users not to reuse the same password on other services and has urged them to take additional steps to protect their online accounts. “Also, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site,” they added.
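The comparison described above, as an added example that is not TripAdvisor's own code: an operator holds only salted password hashes, so each leaked (email, password) pair is verified against the matching member's stored hash, and only accounts whose hash verifies get their password invalidated. PBKDF2 as the password hash and the member and leak data are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed member database: email -> (salt, PBKDF2-HMAC-SHA256 hash).
# PBKDF2 is an assumption here; any slow, salted password hash works the same way.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password with the member's own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_member(email: str, password: str) -> tuple[str, bytes, bytes]:
    salt = os.urandom(16)
    return (email, salt, hash_password(password, salt))

def find_members_to_invalidate(members, leaked_pairs):
    """Return the emails whose stored hash verifies against a password that
    appeared next to that same email in a public leak.

    The operator never learns members' plaintext passwords: each leaked
    candidate is hashed with the member's salt and compared in constant time.
    """
    by_email = {email.lower(): (salt, stored) for email, salt, stored in members}
    hits = set()
    for email, leaked_pw in leaked_pairs:
        record = by_email.get(email.lower())
        if record is None:
            continue               # leaked account is not one of our members
        salt, stored = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(email.lower())
    return sorted(hits)

# Constructed sample data (not real accounts or leaks).
MEMBERS = [
    make_member("alice@example.com", "Winter2019!"),
    make_member("bob@example.com", "correct horse battery staple"),
    make_member("carol@example.com", "Tr1pAdv!sor-only"),
]
LEAKED_PAIRS = [
    ("alice@example.com", "Winter2019!"),        # reused password: must invalidate
    ("bob@example.com", "hunter2"),              # different password: no action
    ("dave@example.com", "letmein"),             # not a member
    ("CAROL@example.com", "Tr1pAdv!sor-only"),   # reused; email case differs
]

if __name__ == "__main__":
    for email in find_members_to_invalidate(MEMBERS, LEAKED_PAIRS):
        print(f"invalidate password and notify: {email}")
```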
New Silex malware renders IoT devices inoperable
A new malware family affecting IoT devices has been spotted in the wild. Known as ‘Silex’, it has been found bricking these devices in significant numbers, and the attacks leveraging it are reported to be still in progress. The malware was discovered by security researcher Larry Cashdollar of Akamai, who suggested that Silex was likely targeting Unix-like systems with default credentials. In a tweet, Cashdollar said that Silex corrupts the device’s storage, removes firewall rules and network configuration, and then halts the device. The malware was also identified as a bot designed specifically for bricking IoT devices. ZDNet found that around 2,000 devices had been rendered inoperable within an hour of the malware’s discovery. The creator of the malware was linked to a hacker using the online name ‘Light Leafon’, who said the malware began as a fun project that eventually developed into a full-fledged bot. In an email to ZDNet, Cashdollar said the attacks originated from a server based in Iran. “It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran,” Cashdollar said. The IP address was later blacklisted on the URLhaus project. Devices bricked in the attacks could be brought back into operation by reinstalling the device’s firmware, since Silex primarily targeted the firmware.
New scam campaign disguised as Bitcoin and Ethereum giveaways targets cryptocurrency users
A new scam campaign disguised as a cryptocurrency giveaway is underway, pretending to come from Tesla, Elon Musk, and John McAfee. A security researcher named Frost observed the re-emergence of these cryptocurrency giveaway scams and noted that they are being promoted on Twitter. The scam claims that if a cryptocurrency user sends between 0.05 and 5 Bitcoin or 0.5 and 50 Ethereum, the giveaway will send back up to ten times that amount. The Twitter messages promoting the scam include a link that redirects users to a fake Medium article page where they can learn more about the giveaway. The fake Medium articles contain links which, when clicked, redirect users to the giveaway scam page, and also include fake comments giving positive reviews of the giveaway. The scam pages show the list of transactions being sent to and from the cryptocurrency address, as well as how much cryptocurrency is left to give away. The McAfee Ethereum giveaway scam has received 4 payments totaling 0.96 Ethereum (USD $310), while the Tesla Bitcoin giveaway scam has received approximately 0.418 bitcoins (USD 4,473.60). Scams of this kind have re-emerged and continue to grow as cryptocurrency prices keep rising this year. Security experts therefore advise users not to take part in cryptocurrency giveaways.
Security flaw in LTE networks can let hackers send false presidential alerts
A vulnerability in LTE networks can be abused by hackers to launch spoofing attacks. The flaw can be exploited to send out spoofed AMBER alerts and false presidential alerts. Security researchers have published a paper demonstrating a way to send simulated spoofed panic alerts to every phone in a 50,000-seat football stadium, and noted that their method of sending fake alerts worked in nine out of ten cases. The researchers demonstrated the spoofing attack by exploiting a flaw in the LTE network: a malicious cell tower channel was created using off-the-shelf hardware and open-source software, and the malicious cell tower was then used to deliver the exploit. All tests were performed in isolated RF shield boxes rather than at a real venue. “We find that with only four malicious portable base stations of a single watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate,” the researchers wrote. “The true impact of such an attack would, of course, depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” they added. The researchers noted that LTE networks in regions such as Europe, the US and South Korea are potential targets of the attack, because the networks there have systems designed on principles similar to those of CMAS. CMAS is the standard that WEA (Wireless Emergency Alerts) uses to send emergency alerts. The researchers suggested that adding digital signatures to each broadcast alert to authenticate the messages would make it difficult to send spoofed messages. However, implementing this method is not easy: fixing the problem will require a large collaborative effort from mobile carriers, government stakeholders and cell phone manufacturers.
Tesco Twitter account hacked to promote Bitcoin scam and obtain victims’ personal details
Tesco’s Twitter account has been hacked and used to promote a Bitcoin cryptocurrency scam. The attacker behind the hack also changed Tesco’s profile name to Bill Gates and tried to obtain followers’ personal details while impersonating Bill Gates. The hacked Tesco account promoted a Bitcoin scam asking Tesco followers to send bitcoins to a wallet, with the promise of sending back twice the value.
“Bitcoin is on the rise again! One day, it will without a doubt replace first currencies. I’d like to give back to the community, therefore any bitcoin you send to this address, I will send back double! Comment your BTC address below when done. 3M3eTTJwkQkkL7GjSSSfrpfPJLyJztMAcY,” the tweet read, BleepingComputer reported.
However, the wallet did not receive any funds, implying that no followers fell for the scam. The attacker behind the hack then changed Tesco’s profile name to Bill Gates (@Billgatesmsc) and added Bill Gates’ current Twitter profile picture; the verification mark also disappeared from the account. The hacker also replied to complaining Tesco customers, asking for personal details such as full name, home address and postcode in order to “resolve” the issue. “Hello Sarah, thanks for getting in touch. I’m so sorry for the poor quality oranges. Can you please DM your full name, home address and postcode so I can take a look for you? Many thanks - Eilish,” the hacker replied to one of the complaining customers. Tesco managed to recover its hacked Twitter account and the tweets have now been deleted. The company has also restored its profile picture and header photo.
Critical vulnerabilities in VLC Media Player could allow an attacker to perform arbitrary code execution
Symeon Paraschoudis, a security researcher from Pen Test Partners, uncovered a critical double-free vulnerability in VLC media player that could allow an attacker to execute arbitrary code on target systems. The double-free vulnerability, tracked as CVE-2019-12874, is marked as a high-severity bug with a CVSS v3 score of 9.8. It resides in the zlib_decompress_extra function of VLC media player and can be triggered during the parsing of a malformed MKV file within the Matroska demuxer. To trigger the vulnerability in zlib_decompress_extra() (demux/mkv/utils.cpp), an attacker needs to create a specially crafted malicious file. The second vulnerability, which was reported through the HackerOne bug bounty program, is a buffer overflow. Tracked as CVE-2019-5439, it resides in the ReadFrame (demux/avi/avi.c) function and could allow an attacker to trigger either a crash of VLC or arbitrary code execution. The vulnerability arises because the ReadFrame function uses a variable obtained directly from the file without any strict check being performed before the memory operation (memmove, memcpy), which allows the buffer overflow to be triggered. However, to trigger the vulnerability, an attacker needs to create a specially crafted file (AVI or MKV) and trick a user into opening it. VideoLAN has released patches in the latest version, VLC 3.0.7, that address both vulnerabilities. “The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommends in the advisory.
New OSX/Linker malware found abusing zero-day flaw in macOS Gatekeeper protection for propagation
Threat actors are actively exploiting a recently disclosed macOS Gatekeeper flaw to deploy a new malware named OSX/Linker. The new malware has been tied to the same group that operates the OSX/Surfbuyer adware. In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that would allow an attacker to execute a malicious binary without it being scanned by Gatekeeper protection. The trick involved packing a symbolic link inside an archive file and getting a victim to download it; the symlink points back to an attacker-controlled Network File System (NFS) server. Cavallarin found that Gatekeeper would not scan these types of files and would allow users to execute the symlinks, so attackers are believed to be able to deliver malicious files through symlinks. All macOS versions including the latest, 10.14.5, are affected by the flaw, and Apple is yet to release a patch to address it. During the investigation, Joshua Long, Chief Security Analyst for Mac security software maker Intego, found the first known use of Cavallarin’s vulnerability. The OSX/Linker malware samples were distributed using disk image files disguised as Adobe Flash Player installers, one of the most common ways to distribute malware on Mac systems. Intego has observed four samples of OSX/Linker malware that were uploaded to VirusTotal on June 6. All these samples were linked to one particular application on an internet-accessible NFS server. While the first sample was uploaded from an IP address located in Israel, the other three appeared to be uploaded from the United States. “Since each successive file was uploaded a short time after each previous one, it seems reasonable to speculate that all four files may have been uploaded by the same person, who forgot to mask his or her IP address until after uploading the first sample,” added Long.
Unprotected AWS S3 bucket exposed sensitive data about apprentices
Gareth Llewellyn, a privacy advocate from the UK, uncovered an Amazon Web Services S3 bucket that was publicly accessible without any password protection. The bucket is linked to an Australian non-profit called MEGT, which provides recruitment and training services to local businesses. The leaky server contained offer letters and emails received by MEGT. The S3 bucket held almost 143,000 entries dating back to 2014, including several invoices and work placement documents belonging to apprentices recruited by MEGT. The documents included sensitive data about apprentices such as passport scans, visa details, employment agreements and performance warnings. MEGT does not own or manage the storage bucket; it was set up by a third-party service provider that MEGT hired to manage its data. Upon discovery, Llewellyn reported the leaky server to the Australian Signals Directorate, and the bucket was secured, restricting public access. “The MEGT breach is notable both for the sensitivity of the information it appeared to contain and its scale. More than 143,000 items were in the S3 bucket. Not all of the items are documents: some filenames indicated they were copies of software,” Computerworld said.
Security holes in EA Origin platform exposed 300 million gamers to account takeover attacks
Origin, the digital distribution platform by video game company Electronic Arts (EA), was found to contain numerous vulnerabilities that could have led to account takeover attacks on its users. The vulnerabilities were identified by security researchers from Check Point Research and CyberInt. According to the researchers, certain Azure cloud services used for the platform could be exploited for account takeovers. The researchers identified a subdomain, eaplayinvite.ea[.]com, that could be hijacked by any Azure user. Once compromised, a trust mechanism present in the subdomain could be abused to manipulate the OAuth protocol implemented by EA, which is used to authenticate users on the platform. After exploitation, this could allow a complete takeover of user accounts, and the researchers hint that attackers could have used a victim’s stored credit card information to make purchases on their behalf. In a detailed blog, the researchers described proof-of-concept (PoC) exploits that successfully perform account takeovers and explained how the Azure services left the subdomain vulnerable. “The CNAME redirection of eaplayinvite.ea.com allows us to create a new successful registration request at our own Azure account and register ea-invite-reg.azurewebsites.net as our new web application service. This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users,” the researchers wrote. EA has fixed these vulnerabilities, which were reported to it by CyberInt and Check Point; both firms assisted EA in resolving them.
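The root cause above is a CNAME left pointing at a hosted-service name that nobody owns any more. The following added example (not Check Point's, CyberInt's or EA's code) shows the defender-side check for such dangling records: walk the zone's CNAMEs, pick out targets on services where any customer can claim a free hostname, and flag those that no longer resolve. The suffix list, the zone records and the resolver are constructed; azurewebsites.net is the only suffix taken from the write-up.

```python
from typing import Callable, Iterable

# Hosting suffixes where an unclaimed hostname can be registered by any
# customer of that service. azurewebsites.net comes from the write-up above;
# the other two are assumptions for illustration.
TAKEOVER_PRONE_SUFFIXES = (
    "azurewebsites.net",
    "cloudapp.net",
    "trafficmanager.net",
)

def _has_suffix(host: str, suffix: str) -> bool:
    host = host.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)

def find_dangling_cnames(records: Iterable[tuple[str, str]],
                         resolves: Callable[[str], bool]) -> list[dict]:
    """Flag CNAME records whose target sits on a takeover-prone service and
    no longer resolves: the service has released the name, so anyone who
    registers it receives the traffic meant for our subdomain.

    `records` yields (owner_name, cname_target); `resolves(target)` reports
    whether the target currently has an address record.
    """
    findings = []
    for owner, target in records:
        service = next((s for s in TAKEOVER_PRONE_SUFFIXES if _has_suffix(target, s)), None)
        if service is None:
            continue                       # not hosted on a claimable service
        if resolves(target):
            continue                       # still claimed: nothing dangling
        findings.append({"owner": owner, "target": target, "service": service})
    return findings

# Constructed zone export and resolver state (not EA's real records).
ZONE_CNAMES = [
    ("invite.example.com", "old-invite-app.azurewebsites.net."),  # released: dangling
    ("shop.example.com",   "shop-prod.azurewebsites.net."),       # still registered
    ("www.example.com",    "edge.example-cdn.invalid."),          # not a claimable service
]
LIVE_TARGETS = {"shop-prod.azurewebsites.net", "edge.example-cdn.invalid"}

def fake_resolver(target: str) -> bool:
    """Stand-in for a DNS lookup: True when the target still has an A/AAAA record."""
    return target.rstrip(".").lower() in LIVE_TARGETS

if __name__ == "__main__":
    for f in find_dangling_cnames(ZONE_CNAMES, fake_resolver):
        print(f"DANGLING: {f['owner']} -> {f['target']} ({f['service']})")
```

In production the resolver would be a real DNS lookup and the list of claimable suffixes would be maintained from the cloud providers in use; a dangling record found this way should be deleted or re-pointed before anyone else registers the target.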
Edited and compiled by cyber security specialist James Aguilan.