FinSpy spyware evolves to eavesdrop calls and messages sent via SMS

A new version of the FinSpy spyware was recently discovered by security researchers at Kaspersky. The surveillance tool has evolved to work on both iOS and Android devices and can now monitor activity on almost all popular messaging services. The latest version comes with additional surveillance functionality: it is capable of eavesdropping on calls and messages sent via secure messaging services such as Signal, Telegram, Threema, WhatsApp, Facebook Messenger, Viber and more. Among its other capabilities, this version can hide signs of a jailbreak on Apple phones running iOS 11 and older, and on Android it can give attackers root privileges.

According to Kaspersky, attackers need physical access in order to infect both Android and iOS devices; this becomes simpler if they get access to an already jailbroken or rooted device. Infection can also be achieved via phishing through SMS messages, emails, or push notifications. Kaspersky estimates that the variant has infected several dozen mobile devices over the past year, and notes that the creators of FinSpy constantly monitor security updates for mobile platforms in order to adapt the spyware’s malicious operations. “We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and installing them as soon as they are released. Regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying,” wrote the researchers from Kaspersky.


St John Ambulance hit with ransomware attack

St John Ambulance, the nation’s leading first aid charity, suffered a ransomware attack that compromised data belonging to individuals who undertook a training course. St John Ambulance became aware of the ransomware infection on July 2, 2019, and temporarily blocked access to the infected system. The charity confirmed that the attack did not impact its operational systems and that the issue was resolved within half an hour. St John Ambulance notified the Information Commissioner’s Office (ICO), the Charity Commission, and the police about the incident, and has hired third-party cyber security experts to strengthen the protection of its data systems. “We work as hard as we can to protect our data systems from these types of attacks and employ a range of third party partners and cyber-crime solutions to continually update our protection,” St John Ambulance said.

The incident affected everyone who opened an account, booked or attended a St John Ambulance training course up to February 2019. The affected data includes the names of those who booked and attended courses, course details, contact information, costs, invoicing details, and driving licence data. No credit card details or customer passwords were compromised. “The only data that has been affected relates to our training course delivery. It does not cover supplies, events, ambulance operations, volunteering, volunteer data, employee data, clinical data or patient data,” St John Ambulance said.


Unprotected database exposes 188 million records of personal data from Pipl.com and LexisNexis

Security researcher Bob Diachenko, working with Comparitech, uncovered an unprotected MongoDB database containing almost 188 million records of personal data sourced from Pipl.com and LexisNexis. The records from Pipl.com included names, dates of birth, gender, race, religion, email addresses, physical addresses, phone numbers, social media profiles, past and current employers, skills, automobiles and properties owned, court and bankruptcy notes, and political affiliations. Almost 800,000 records originated from LexisNexis and included names, addresses, gender, parental status, a short biography, family members, redacted emails, and information about each individual’s neighbours, including their full names, dates of birth, reputation scores, and addresses.

The researcher analysed the ‘dataSource’ fields in the database and concluded that the creators of the API had either scraped or purchased the data from Pipl and LexisNexis. According to Comparitech, data brokers like Pipl obtain personal information from a variety of public and proprietary sources without people’s consent, and it is most common for people living in the US to find their data on data broker and people search websites such as Pipl, ZabaSearch, WhitePages.com, Wink, and PeekYou. “The Github repo gives examples of how the API could have been used, for example, to look up people by their name or what car they own. It was last updated on June 18, 2019. It lists an email for users to request ‘bulk data purchases and/or access to more data/requests’,” Comparitech said in a report.

The open database was first indexed by search engines on June 17. Diachenko and Comparitech traced it back to a GitHub repository for a people search API called ‘thedatarepo’ and notified the database owner. The database was taken offline and secured on July 3, 2019.


Unsecured MongoDB Database exposes 7 million student records belonging to K12.com

K12.com, an online education platform, inadvertently exposed almost 7 million student records through a misconfigured MongoDB database. The records were available online for more than a week before the database was secured. Comparitech, together with security researcher Bob Diachenko, uncovered the exposed MongoDB database on June 25, 2019. The information it contained included: primary personal email address, full name, gender, age, birthdate, school name, authentication keys for accessing ALS accounts and presentations, and other internal data.

The data was held in an old version of MongoDB (2.6.4), which was withdrawn in October 2016. The researchers also found that Remote Desktop was enabled but not secured. “As a result, the database was indexed by both the Shodan and BinaryEdge search engines. This means the records contained on the database were visible to the public,” said Paul Bischoff of Comparitech. The indexed data is believed to have been exposed since June 23, 2019, and it remained publicly accessible until the database was closed on July 1, 2019. It is unclear whether any malicious parties accessed the data during the exposure window. Diachenko contacted K12 representatives to inform them of the issue, and the platform was quick to address it. “K12 takes data security very seriously. Whenever we are advised of a potential security issue, we investigate the problem immediately, and take the appropriate actions to remedy the situation,” the company stated.


Agent Smith malware infects nearly 25 million Android devices

Close to 25 million Android devices have been infected with a new malware family called “Agent Smith”. The malware exploits Android vulnerabilities to replace legitimate apps with malicious versions riddled with ads. Discovered by Check Point Research, Agent Smith has mainly hit victims in India (over 15 million devices) and other countries in South Asia, although the campaign has also reached users in the US and the UK.

In a detailed analysis report, the researchers describe three phases of infection. First, victims are lured into installing a malicious app posing as a photo utility, a game, or an adult app. On installation, the core malware APK is decrypted and installed, disguised as Google Updater, Google Update for U, or “com.google.vending”, with its icon hidden from the user’s view. Next, the malware extracts the device’s list of installed apps and compares it against a target list that is either hard-coded or fetched from a command-and-control (C2) server. For every match, the malware extracts the target app’s base APK from the device, patches it with malicious ad modules, and re-installs the patched APK in place of the original as if it were an update.

Agent Smith is distributed through a malicious app hosted on the third-party app store ‘9apps.com’. Check Point’s researchers warn that the malware could be used for activities beyond pushing ads. “In this case, ‘Agent Smith’ is being used for financial gain through the use of malicious advertisements. However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft,” they wrote in the report. The researchers also found 11 apps on Google Play that were dropping Agent Smith; after they notified Google, the apps were promptly removed from the platform.


Magecart group compromised 17,000 sites through misconfigured Amazon S3 buckets

A recent Magecart campaign has impacted over 17,000 websites. The campaign leveraged unsecured Amazon S3 buckets to infect sites with card-skimming code, and some of the affected websites appear in Alexa’s top 2,000 rankings. According to RiskIQ, which first observed the campaign in May this year, the attackers have shifted from carrying out targeted attacks to an opportunistic approach designed to reach as many victim sites as possible.

RiskIQ reports that the threat actors scanned for misconfigured Amazon S3 buckets. These exposed buckets allowed anyone with an Amazon Web Services (AWS) account to view and edit the files they contained. After finding an unsecured bucket, the attackers looked for JavaScript files, downloaded them, appended card-skimming code, and then overwrote the original scripts. Using this method, Magecart compromised more than 17,000 websites. In his blog post, RiskIQ researcher Yonathan Klijnsma explains why the group chose reach over precision by targeting S3 buckets: “The actors used this technique to cast as wide a net as possible, but many of the compromised scripts do not load on payment pages. However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment,” wrote Klijnsma.
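As an added defender-side example (not part of the original report or RiskIQ’s tooling), the following Python checks illustrate the two conditions this campaign relied on: an S3 bucket ACL granting any AWS account read or write access, and JavaScript objects whose content no longer matches a known-good baseline. The ACL dict mirrors the shape boto3’s `get_bucket_acl` returns; the sample ACL, the script bodies and the object keys are constructed for the example.

```python
"""Audit an S3 ACL for public/any-account grants and verify JS integrity (added example)."""
import hashlib

# Group URIs S3 uses for anonymous access and for any authenticated AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (group, permission) pairs that expose the bucket to the public
    or to any AWS account. `acl` has the shape returned by boto3's
    get_bucket_acl(): {"Grants": [{"Grantee": {...}, "Permission": "..."}]}."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def allows_world_write(acl):
    """True if anyone (or any AWS account) may modify objects: the condition the
    campaign needed in order to overwrite JavaScript files with a skimmer."""
    return any(perm in WRITE_PERMS for _, perm in risky_grants(acl))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def modified_scripts(baseline, current):
    """Compare served script bodies against a baseline manifest {key: sha256}.
    Returns keys whose content changed, which would catch appended code."""
    return sorted(key for key, body in current.items() if baseline.get(key) != sha256(body))


# Constructed sample ACL: any authenticated AWS account may both read and write.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},  # placeholder owner
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}
# Constructed script bodies: one object has had extra code appended since the baseline was taken.
ORIGINAL_JS = b"function checkout() { /* legitimate site code */ }\n"
BASELINE = {"js/checkout.js": sha256(ORIGINAL_JS), "js/vendor.js": sha256(b"var v = 1;\n")}
CURRENT = {"js/checkout.js": ORIGINAL_JS + b"/* constructed stand-in for appended code */\n",
           "js/vendor.js": b"var v = 1;\n"}
```

Running `risky_grants(SAMPLE_ACL)` flags both AuthenticatedUsers grants, `allows_world_write` is true because of the WRITE grant, and `modified_scripts(BASELINE, CURRENT)` returns only `js/checkout.js`.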


Edited and compiled by cyber security specialist James Aguilan.