Researchers discover flaws in software-based Router Network Isolation

A research team at the Ben-Gurion University of the Negev discovered multiple methods to transfer data across two segregated network segments operating on the same hardware. The researchers used direct or timing-based covert channels to exfiltrate data across the networks. The team tested the techniques on seven routers from multiple vendors. Though the method does not allow the transfer of large amounts of data, it nonetheless demonstrates critical flaws in software-based network isolation on routers. The findings are published in the paper "Cross-Router Covert Channels", which was presented at the 13th USENIX Workshop on Offensive Technologies (WOOT '19). Software-based network isolation on routers is generally considered an effective way to prevent attackers from exfiltrating data between the networks, and it is a common feature of many modern routers. It is also how many companies divide their internal networks into guest and host networks. This separation is performed by the router software rather than by using separate hardware. This type of network isolation is meant to prevent unauthenticated users, or users with lower privileges, from reaching sensitive or critical systems. However, this new research shows that multiple modern routers can be targeted by attackers to break this arrangement and access sensitive systems. The researchers tested devices from multiple vendors including TP-Link, D-Link, Edimax, and Belkin.

 

Hy-Vee suffers security breach on its Point-of-Sale systems

Hy-Vee detected unauthorized activity on some of its PoS systems. Upon detection, the organization hired leading cybersecurity firms and immediately launched an investigation into the incident. The incident has impacted some of its payment processing systems that handle transactions at some Hy-Vee fuel pumps and drive-thru coffee shops. Restaurants including Market Grilles, Market Grille Expresses and the Wahlburgers locations were also impacted. However, payment cards swiped at Hy-Vee’s front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics, and all other food service areas were not impacted. Hy-Vee’s grocery stores, drugstores, and convenience stores were not impacted, as these locations have different point-of-sale systems that use point-to-point encryption technology for processing payment card transactions. Furthermore, payments made through Aisles Online were also not impacted. Hy-Vee has taken the appropriate steps to stop the unauthorized activity on its payment processing systems. It has notified federal law enforcement authorities and the payment card networks about the unauthorized activity. The organization has also asked its customers to review their payment card statements for any suspicious activity.

 

New variant of Bolik banking trojan distributed via Fake NordVPN Website

The latest variant of the Bolik banking trojan, dubbed ‘Win32.Bolik.2’, is distributed via a cloned NordVPN website. Earlier, the trojan was distributed via the website of the free multimedia editor VSDC. Now, the operators behind the banking trojan have switched tactics and create website clones in order to distribute the trojan. “The hacker behind Bolik banker worm is back. This time the malware is distributed via fake sites pretending to be NordVPN, Invoicesoftware360 and Clipoffice,” Doctor Web malware analyst Ivan Korolev tweeted. The banking trojan is now distributed via a cloned website (nord-vpn[.]club) of the official nordvpn.com site. This cloned site also has a valid SSL certificate issued by an open certificate authority. The malspam campaign run via the fake NordVPN website was launched on August 8, 2019, and targets English-speaking users. Users visiting the cloned website in search of a download link for the NordVPN client receive trojanized NordVPN installers that install the genuine NordVPN client while dropping the malicious payload in the background. The actor is interested in English-speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable. The trojan is an improved version of Win32.Bolik.1 and has the qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, intercept traffic, log keystrokes and steal information from different bank-client systems.

 

MoviePass customer credit card records found exposed on unprotected servers

Thousands of personal credit-card numbers and customer card records belonging to the popular movie-ticket subscription service MoviePass were found unprotected in a critical server database. The exposed online database was left without any password protection or data encryption. The exposed records consisted of more than 160 million personal credit card details and more than 50,000 MoviePass customer card numbers, which are used to store cash balances. According to a TechCrunch report, security researcher Mossab Hussein of Dubai-based SpiderSilk discovered that the database, on a MoviePass subdomain and containing some 161 million records, was left exposed on the internet. Of the identified records, more than half of the MoviePass customer card numbers were unique. The records revealed details such as debit card numbers, expiry dates, customer card balances, and card activation dates. Researchers also said that more than 58,000 records contained customer card data and that the count was growing by the minute. Security researchers from TechCrunch pointed out that these MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalogue of movies. For a monthly subscription fee, MoviePass loads the full cost of the movie onto the debit card, which the customer then uses to pay for the movie at the cinema. Additionally, researchers also found personal credit card information from customers. Details such as expiry dates, billing information, names and postal addresses relating to the personal credit cards were also found unprotected. The database also contained email addresses, incorrectly typed passwords and records of failed login attempts, all in plaintext. None of the records in the database were encrypted.

 

Free online sandbox services can expose companies’ confidential documents, new study warns

Some companies have unknowingly exposed their confidential files after uploading documents to malware scanning websites. A study conducted by CYJAX over a three-day period has revealed that sandbox services are leaking sensitive information from unwitting companies. Companies are unknowingly leaving confidential files on the internet for anyone to download after uploading them to malware-scanning websites. According to CYJAX, these file-probing websites open the uploaded files in secure sandboxes to detect any malicious behavior. However, while these sandbox services check attachments for booby traps on organisations' behalf, they also publish a feed of submitted documents on the internet that is viewable by everyone. The study was conducted on three unnamed popular online sandbox services. Due to the high volume of files submitted, CYJAX focused on .pdf and .msg/.eml files that were marked as suspicious or clean. During its three days of investigation, CYJAX found over 200 documents related to invoices and purchase orders. By examining invoices, CYJAX was able to determine the contact details of those responsible for purchasing in each respective company. These invoice receipts also gave details about the software being sold. With such information openly available on the internet, it can create a roadmap for a threat actor hoping to commit BEC or spear-phishing scams. CVs and professional certificates were two other prevalent document types uploaded to the online sandbox services. These documents exposed ID photographs, addresses, and passport copies. Threat actors can misuse these details to conduct identity theft and other scams. The experts also discovered a large number of insurance certificates that exposed various personally identifiable information (PII) such as names, phone numbers, postal and email addresses. One of the files uploaded to a malware analysis sandbox appeared to be a U.S. CENTCOM requisition form for use of military aircraft. The form included information such as the names and contact details of travelers, along with their journey details. Apart from the documents, CYJAX also monitored a URL scanning service over the three days. It found that many of the URLs submitted to the service pointed to sensitive data hosted on the file sharing service WeTransfer and on cloud storage services such as Google Drive.

 

Hackers target website of World's second oldest amusement park Tivoli Gardens

Tivoli Gardens, an amusement park, had its ‘My Tivoli’ website compromised, allowing hackers to gain access to Tivoli products and guest information. The My Tivoli site enables guests to log in and access Tivoli products, annual cards, and their past purchases. The hack resulted in the compromise of guests’ personal information, including their names, dates of birth, e-mail addresses, phone numbers, addresses, previous purchases, as well as credit card details. The amusement park’s website administrators became aware of the hack after they noticed an unusual spike in customer logins. Guests who tried to log in to their account received a notification from Tivoli informing them that their My Tivoli account had been logged into from a different device. Jonas Buhl Gregersen, Tivoli’s director of IT and Business Development, noted that during this attack on My Tivoli there was a maximum of three logins with the same email address and a maximum of two with the wrong password. Upon discovery, the amusement park reported the incident to the police and the Danish Data Inspectorate. Tivoli’s IT department took the necessary immediate steps and secured the website. All the impacted guests were notified about the attack.

 

Hackers can eavesdrop on your conversation through smartphones while you are typing on your laptop

Malicious actors can now silently steal your data and private conversation while you are typing on your laptop. Apparently, this is possible even while you are working with your device in a crowded place. Devised by researchers from SMU's Darwin Deason Institute for Cybersecurity, the attack relies on the acoustic signals, or sound waves, produced when a user types on a computer keyboard. These signals are picked up by smartphone sensors including the microphone, the accelerometer, and the gyroscope. While the microphone detects the sounds made by keystrokes, the accelerometer and the gyroscope are used to capture the faint vibration that reverberates through a table when someone types. The SMU team tested their hypothesis using an iPhone app built using artificial intelligence and Swift, Apple's open-source programming language. Using the app, they managed to detect 41.8% of keystrokes and 27% of typed words correctly. This accuracy includes data collected even in a noisy environment. "We found that increasing the number of smartphones used causes overall accuracy to increase up to about 4 phones, but adding any more than 4 phones causes only minimal accuracy increases with our technique," confirmed Mitchell Thornton, a professor of electrical and computer engineering at Southern Methodist University (SMU), Forbes reported. Despite the success, the security researchers found two major challenges for this attack: the first is that each type of keyboard is like a different drum with a specific sound; the second is that not all tables vibrate the same way.

 

Edited and compiled by cyber security specialist James Aguilan.