Cyber Security Training from QA

Cyber Pulse: Edition 60

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


5 April 2019

Security experts fool a Tesla car into driving on wrong lanes

Tesla’s Autopilot feature has come under scrutiny after white hats tricked one of its cars into driving into the wrong lane. Security researchers from Tencent’s Keen Security Lab experimented with the lane recognition technology in the Autopilot feature and found that it could be misled by lane stickers laid out on the road. Furthermore, the researchers remotely accessed the Autopilot software and even controlled the steering system. Enhanced Autopilot in a Tesla Model S 75 was tested in terms of both the related hardware and software: the software ran version 2018.6.1 and the hardware was version 2.5. The researchers devised two approaches, known as the ‘Eliminate Lane attack’ and the ‘Fake lane attack’, to trick the Autopilot feature. The former involved disturbing lane markings to make them look blurred; however, the lane recognition technology still worked well under these circumstances. The latter involved placing three square-shaped stickers at an intersection to serve as interference patches. Autopilot failed to recognise that these were stickers and followed a wrong lane. The report also covered inaccuracies found in Tesla’s Auto Wipers, as well as in the steering system. The experts note that the adversarial examples literature was consulted extensively in designing the manipulation. “We used an improved optimisation algorithm to generate adversarial examples of the features (autowipers and lane recognition) which make decisions purely based on camera data, and successfully achieved the adversarial example attack in the physical world,” the researchers wrote. Currently, Tesla has only acknowledged the remote access issue in the software and has fixed it with patches. It did not find the lane research credible enough, since the lane attacks were performed in a controlled environment.

Bithumb cryptocurrency exchange hacked; $20 million worth EOS and Ripple cryptocurrencies stolen

The Bithumb cryptocurrency exchange suffered a cyberattack on March 29, 2019. The exchange stated in a security notification that it detected an abnormal cryptocurrency withdrawal on March 29, 2019, via its abnormal trading monitoring system. Attackers stole 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million. Bithumb disclosed that all of the stolen cryptocurrency came from the company’s own wallet and that members’ assets are secure in the cold wallet. An internal inspection revealed that the incident was an ‘accident involving insiders’. Upon detecting the abnormal transaction, Bithumb blocked all deposit and withdrawal requests and secured all cryptocurrency in a cold wallet. The company is working closely with KISA, the Cyber Police Agency and security companies to investigate the incident. It is also working with major exchanges to recover the stolen cryptocurrency. The exchange is developing an internal workforce verification system to prevent such an incident from happening again, and is working to resume deposits and withdrawals as soon as possible. “Bithumb exchange is ISMS certified and applies a multi-signature withdrawal scheme. We constantly monitor and block external hacking. However, it was our fault that we only focused on defence against outside attack and lacked verification of internal staff,” Bithumb said.

JavaScript library caused a cross-site scripting vulnerability on Google Search

An XSS flaw has been discovered in a JavaScript library used by Google Search. The library, known as Closure, is used for building complex and scalable web applications; it is an open-source library developed and maintained by Google. The flaw was uncovered by security researcher Masato Kinugawa two days ago. Luckily, a formal fix that remediates the XSS flaw has been released on GitHub. The vulnerability was spotted back in 2018 and was actually addressed by Google in February this year. It was the result of a missing data sanitisation feature for HTML, which had been removed due to user interface issues. Attackers could have conducted phishing campaigns as well as launched XSS attacks by exploiting the flaw. On top of affecting Google Search, this XSS flaw is also believed to impact other applications which use the same library. A video by LiveOverFlow details the vulnerability and its cause in depth, noting how untrusted user input could lead to a live XSS attack. LiveOverFlow also said that the flaw could be exploited in other applications that use the Closure Library. Masato Kinugawa is yet to release more details on the flaw, and it is unclear whether Google has awarded a bug bounty for this vulnerability.

Bug in the Skype Android app makes it automatically answer incoming calls

Android device owners are complaining about a bug in Skype that makes it automatically answer incoming calls. The Skype Android app has a setting called ‘Answer incoming calls automatically’, an accessibility feature that lets disabled users have calls answered automatically and lets other users remotely check on their children and pets when they’re away. However, users reported that the Skype Android app answers incoming calls automatically even when the feature is disabled. Users complained about the bug in Microsoft’s Answers forum. One user complained that his Skype app answered an incoming call after a few seconds even though his phone was in his pocket, and noted that his Android device was paired with a smartwatch. Many other users also reported that calls were being answered automatically when their Android device was paired with a smartwatch, and one user noted that when his smartwatch pairing was disabled, Skype stopped answering calls automatically. It should be noted, however, that not all users who faced this issue had a paired smartwatch. A Microsoft support agent began asking users who complained on the forum about the issue and promised that a fix is on the way. Microsoft updated the Skype for Android app at the end of March, but that update did not fix the issue. Microsoft has already fixed the issue in the latest Skype preview app, so an official update to the release app is expected soon.

JS-sniffers infect 2440 websites worldwide to steal customers’ payment card details

Group-IB, the cybersecurity firm, has released a comprehensive report on JavaScript-sniffer malware. The malware has been found to have infected 2440 online retail websites to steal customers’ payment card details. These websites are estimated to be visited by around 1.5 million unique users daily. JS-sniffers, also known as JavaScript-sniffers, are specifically designed to compromise websites that run Magento, OpenCart, Shopify, WooCommerce and WordPress software. They are the online equivalent of a credit card skimmer. Attackers can use the malware family to target shoppers, banks, online stores and payment systems. The cybercriminals inject the malicious JavaScript-sniffers into websites. Once installed, the malware intercepts users’ input on the website’s checkout page and steals customers’ bank card numbers, names, addresses, login details and passwords in real time. Group-IB’s analysis revealed that more than half of the affected resources were attacked by the MagentoName JS-sniffer family. This malware exploits vulnerabilities in older versions of the Magento CMS to inject malicious code. The WebRank and CoffeMokko JS-sniffers were responsible for infecting more than 13% and 11% of the sites respectively. A significant number of the dark web forums where JS-sniffers are put up for sale are Russian-speaking forums.

Almost 540 million Facebook user records left exposed on Amazon cloud servers

Researchers from UpGuard uncovered two misconfigured Amazon cloud storage buckets belonging to third-party companies that together contained over 540 million Facebook user records. The first AWS S3 storage bucket belonged to a Mexico-based company named ‘Cultura Colectiva’. This 146 GB bucket stored almost 540 million Facebook user records, including users’ account names, Facebook IDs, comments, likes and more. Upon discovering the leaky bucket, UpGuard contacted Cultura Colectiva twice but received no response. They then notified Amazon Web Services about the unprotected bucket and received a response that the owner had been made aware; however, the bucket was still not secured. UpGuard then notified Bloomberg about the issue, who in turn contacted Facebook for comment. Only then was the bucket finally secured, after almost three months. The second AWS S3 storage bucket belonged to the ‘At the Pool’ Facebook game. This bucket stored Facebook records such as users’ Facebook ID, list of Facebook friends, likes, photos, groups, check-ins, and user preferences such as movies, music, books and interests. It also contained passwords in plain text for almost 22,000 users. The ‘At the Pool’ bucket had been secured even before UpGuard sent a formal notification email. Despite Facebook having the best cyber-security experts and security-related features, data leaks related to Facebook occur every other day. Even though data exposed by third parties is beyond Facebook’s direct control, Facebook and the third-party app developers on its platform should jointly take responsibility and work towards protecting users’ private data.

Newly discovered malware ‘Xwo’ scans for default credentials and exposed web services

Researchers from AT&T Alien Labs spotted a new malware dubbed ‘Xwo’ which is capable of scanning for default credentials and exposed web services. The malware is related to two other malware families, the MongoLock ransomware and XBash, but unlike them Xwo does not include any ransomware or exploitation capabilities. Researchers detected Xwo being served from a server with a file named xwo.exe. Upon execution, the malware performs an HTTP POST request with a random User-Agent chosen from a hardcoded list. It then receives instructions from its C&C server, including an encoded public network range to scan. After scanning for services and collecting information, it sends the collected information back to its C&C server via another HTTP POST request. Researchers recommend that network owners avoid the use of default service credentials and ensure that publicly accessible services are restricted wherever possible.


Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.



Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.