Security bug in Microsoft Hyper-V could impact its Azure cloud services

A security flaw that was discovered in Microsoft’s RDP has been found to impact another product of the tech giant. The flaw, uncovered by researcher Eyal Itkin of Check Point this year, also affects virtualization software Hyper-V and is a path traversal bug. It could lead to remote code execution(RCE) on the virtual machines connected to Hyper-V. A proof-of-concept (PoC) exploit demonstrated by the researcher showed how a file delivered on the host connected to a malicious virtual machine could allow remote execution after a system reboot. Dubbed as “Poisoned RDP vulnerability,” Microsoft also mentions that the flaw allows attackers to exploit clipboard redirection in RDP. The vulnerability is tracked as CVE-2019-0887. In a case study, Microsoft suggests that Hyper-V, which uses RDP is affected by the latter’s security flaws. The RCE vulnerability in RDP could be used to escape a virtual machine in Hyper-V. This resulted in a sandbox escape vulnerability. After finding it was affecting Hyper-V, Microsoft patched the flaw in its July 2019 security update. The tech giant indicated that there were no active exploits leveraging this bug. Microsoft stated that it worked with Itkin to devise solutions in order to detect attacks carried out through this flaw.

 

Vulnerabilities in WhatsApp can allow attackers to intercept and manipulate user messages

Researchers from Israeli security company Check Point have identified three attack modes in WhatsApp which can be exploited to intercept and manipulate users’ messages. Apparently, these security issues were revealed to WhatsApp last year. However, they remain exploitable even after one year. The three possible attack modes leverage social engineering tricks to fool users and to spread false information to different WhatsApp groups. These security issues could have various consequences such as: The attackers can disguise a private message as a public message and send it to a participant of a group. This causes the ‘private’ response from the targeted individual to be visible to everyone in the conversation. The attackers can use the ‘quote’ function of a group conversation to change the identity of the message sender, who is not even a member of the group. The attacker can alter someone’s reply or message and add bogus data into it. WhatsApp has only fixed the first issue. It is believed that threat actors can leverage the other two flaws to spread online scams, rumors, and fake news. Stuart Peck, director of the cybersecurity strategy at ZeroDayLab, claims that WhatsApp flaws pose a serious security issue given that it still hasn’t been addressed. He further added that "the integrity of messages received from trusted sources is vital if users are going to trust encrypted messaging services like WhatsApp."

 

Hackers demand 300 BTC from Binance cryptocurrency exchange over KYC data leak

A hacker who claims to have stolen Binance KYC (Know Your Customer) data from thousands of customers, demanded 300 BTC from the cryptocurrency platform to not release the data. An attacker threatened Binance cryptocurrency exchange to release KYC information of 10,000 users if the company did not pay 300 Bitcoins which is worth approximately $3.5 million. “We would like to inform you that an unidentified individual has threatened and harassed us, demanding 300 BTC in exchange for withholding 10,000 photos that bear similarity to Binance KYC data,” Binance said in a statement. In response to the exchange not co-operating with the attacker’s demand, he began distributing the data online and to media outlets. The attacker created a Telegram group and shared over 400 photos of people holding passports and identity documents from France, Turkey, the United States, Japan, Russia, and other nations across the world. Binance said that there are inconsistencies when comparing the leaked customer data to the data in their system. The cryptocurrency exchange also noted that the leaked images of KYC data do not contain the digital watermark imprinted by their system. The exchange is offering a reward of 25 bitcoins which is worth over $290,000 to anyone who provides information related to the identity of the attacker.

 

Monzo security glitch exposes customers’ PINs to engineers

Digital-only bank platform, Monzo has requested around 480,000 customers to change their PINs as their PINs were stored incorrectly. Monzo usually stores customers PINs in a secure part of their systems, however, on August 02, 2019, they determined that some customers’ PINs were stored in encrypted log files of their internal systems. These log files were accessible by Monzo engineers. Upon discovering the security glitch, Monzo made the immediate changes to close the exposure and disable access to the engineers. The bank officials also deleted all the information that was stored incorrectly, over the weekend. “By 5:25am on Saturday morning, we had released updates to the Monzo apps. Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning,” Monzo said. If you’re a Monzo customer, then you need to update your Monzo apps for Android and iOS to the latest versions, 2.59.0 for iOS and 2.59.1 for Android. Impacted customers should head to a cash machine to change their PIN to a new number. If anyone notices any suspicious activity on their Monzo accounts, they should immediately report to their bank. Monzo thoroughly reviewed all the impacted accounts and confirmed the no information has been exposed outside and that the compromised information hasn’t been used to commit any fraud.

 

IKEA inadvertently exposed over 400 email addresses due to human error

Swedish furniture giant IKEA has accidentally exposed over 400 email addresses to other customers due to a human error. The company has sent out an apology email to all its customers after the incident. A spokesperson for IKEA Singapore revealed that the incident occurred on August 1, 2019. It made an error of inserting 410 individual email addresses in the ‘To’ field in an IKEA service delivery promotion email sent to other customers. This made the email addresses visible to all recipients of the mailers. In its haste to send notifications to the customers about the incident, the firm made another mistake by sending half the recipients an internal draft of the apology notice. "In our haste to notify the customers as quickly as possible, we again made a mistake by sending half the recipients an internal draft of the apology notice instead, an oversight that we are embarrassed about," IKEA said, The Straits Times reported. IKEA claims to take customers’ personal data integrity seriously. It notified the Personal Data Protection Commission of Singapore (PDPC) regarding the incident. This the third breach by retailers in two weeks. Last week, international beauty retailer Sephora said it suffered a data breach that exposed the personal information of online customers in South Asia countries like Singapore, Malaysia, Indonesia, Thailand, Philippines, New Zealand, and Australia. Apart from this, electricity retailer Geneco is being investigated by the PDPC for exposing the email addresses of more than 350 of its potential customers.

 

Leaked code exposed several vulnerabilities in Boeing 787 internal systems

Last year, a security researcher Ruben Santamarta had uncovered a fully unprotected server on Boeing’s network. This server contained code used to run on the company’s giant 737 and 787 passenger jets. Now nearly a year later, IOActive industrial cybersecurity expert Ruben Santamarta claims that the leaked code can be used to conduct cyberattacks on Boeing 787 Dreamliner systems. At the Black Hat security conference in Las Vegas, Santamarta revealed that there are multiple serious security flaws in the code for a component of the 787 known as Crew Information Service/Maintenance System (CIS/MS). The CIS/MS is responsible for applications like maintenance systems and the electronic flight bag. Santamarta found that the CIS/MS module of Boeing 787 Dreamliner is affected by a slew of memory-corruption vulnerabilities. These vulnerabilities can be abused by an attacker to send malicious commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors. The vulnerabilities found in the CIS/MS sandwiched between the Open Data Network (ODN) and Common Data Network (CDN). Boeing’s 787 models also come with various communication channels, including satellite devices and wireless connections. These communications channels are used to receive and send information about the plane’s arrival and departure. An attacker could hack into the network via the internet or another network link to the plane to give the maintenance engineer false information about a system function. Boeing investigated the Santamarta’s claim and concluded that they do not represent serious threats for cyberattacks.

 

AT&T employees bribed with over $1 million to unlock 2 million mobile phones

A fraudster paid AT&T employees hundreds of thousands of US dollars to unlock mobile phones and install unauthorized tools and devices on the company's internal network for over five years between 2012 and 2017. The fraudster named Mohamed Fahd, 34, of Pakistan recruited AT&T employees at the customer service center in Bothell to disable the company’s protection against unlocking phones. This resulted in millions of mobile phones being removed from AT&T’s service or payment plans. Disabling protection against unlocking phones can be done via IMEI numbers provided by the fraudster to the employees. Apart from this, the malicious software installed on AT&T computers will collect the required information to create additional malware that would be used to “process fraudulent and unauthorized unlock requests” from remote servers. Additionally, the hardware devices installed on AT&T’s internal network gave the fraudster unauthorized access to the company’s computers. The fraudster totally paid over one million USD to AT&T employees to unlock over 2 million phones. One of the co-conspirators received $428,500 through the five-year-long illegal deal. While three of the co-conspirators pleaded guilty for taking bribes, some of them were terminated by the company. The fraudster, Muhammad Fahd has been arrested in Hong Kong on February 4, 2018, and extradited to the U.S. on August 2, 2019, for committing wire fraud, accessing a protected computer, and violating the Travel Act and the Computer Fraud and Abuse Act (CAAA). For these charges, he is expected to receive up to 20 years of imprisonment.

 

Edited and compiled by cyber security specialist James Aguilan.