Massive SIM swap fraud spotted in the wild

SIM swap fraud is a type of account takeover fraud that lets attackers intercept the SMS authorization messages of mobile users. The fraud exploits the weakness of SMS-based two-factor authentication and two-step verification by having a telephone number ported to a new SIM. Researchers have found that cybercriminals rely heavily on this type of fraud to steal money from users, especially in Brazil and Mozambique.

In a detailed analysis, researchers at Kaspersky Lab revealed that the fraudsters use social engineering and simple phishing attacks to take control of a victim’s phone number. Once the attackers control the number, they can use it to receive mobile money transactions or to collect banking-related OTPs. In Mozambique the fraud is limited to ordinary users; this is not the case in Brazil, where it affects average citizens, politicians, ministers, governors and high-profile businessmen. Researchers noted that one organized group in Brazil managed to defraud 5000 users using SIM swaps.

The scam begins with the fraudsters collecting details about the victim: through phishing emails, by buying information from organized crime groups, via social engineering, or from data leaks. Once they have gathered the necessary details, they contact the victim’s mobile operator and convince it to port the victim’s phone number to the fraudsters’ SIM. As soon as the porting is complete, the victim loses connectivity to the network and the fraudsters receive all SMS messages and voice calls intended for the victim. Researchers found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks; in some cases the target is the carrier itself rather than the customer.

UK Home Office apologizes to 240 EU citizens for accidentally leaking their email addresses

The UK Home Office has inadvertently leaked the email addresses of almost 240 EU citizens who applied for the EU Settlement Scheme. While communicating with a small group of applicants by email, an administrative error was made: all the recipients’ addresses were placed in the CC field instead of BCC, which exposed each applicant’s email address to all the others. The EU Settlement Scheme is the program through which EU citizens and their families can apply for settled or pre-settled status. The Home Office has sent an apology email to the 240 affected citizens. Danish citizen Natasha Jung, who received the apology, shared it on Twitter and said that the UK is treating EU citizens as second-class citizens. The Home Office has notified the Information Commissioner’s Office and the Departmental Data Protection Officer about the incident and is conducting an internal review to determine its details. The department says it has taken the necessary steps to ensure that the public’s personal data is protected, and has implemented strict controls on the use of bulk email when communicating with members of the public to prevent a repeat of the incident.
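The error above is a mechanical one: recipient addresses that belong in the SMTP envelope ended up in a visible header. The following added example (not code from the Home Office or from Cyber Pulse; the sender address, domain and recipients are constructed) shows how a bulk notification can be built so that recipients never appear in To or Cc, together with a pre-send guard that rejects a message whose visible headers would disclose more than one external address. Such a guard is one concrete form the "strict controls on the use of bulk email" mentioned in the item could take.

```python
"""Added example: bulk mail without recipient disclosure.

Not part of the Cyber Pulse item or any Home Office system; the addresses
and domain below are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_bulk_message(sender, subject, body, recipients, reply_to=None):
    """Return (message, envelope_recipients).

    The recipient list is returned separately so the caller passes it to
    the SMTP layer as the envelope (RCPT TO), which is what Bcc delivery
    really is.  Nothing but the sender's own address goes into To, and
    no Cc header is set, so no recipient can see the others.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # addressed to self; real recipients stay in the envelope
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))   # de-duplicate, keep order
    return msg, envelope


def leaky_cc_message(sender, subject, body, recipients):
    """The mistake described in the item: every applicant in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Every address an ordinary recipient would see in To/Cc."""
    raw = [str(msg.get(h, "")) for h in ("To", "Cc")]
    return [addr for _, addr in getaddresses(raw) if addr]


def check_no_recipient_disclosure(msg, own_domains, max_external=1):
    """Pre-send guard: raise ValueError if To/Cc would reveal more than
    `max_external` addresses outside `own_domains` to all recipients."""
    own = {d.lower() for d in own_domains}
    external = [a for a in visible_recipients(msg)
                if a.rsplit("@", 1)[-1].lower() not in own]
    if len(external) > max_external:
        raise ValueError(
            f"{len(external)} external addresses visible in To/Cc; "
            "send one message per recipient or use envelope (Bcc) delivery"
        )
    return True


# Constructed sample data (hypothetical sender domain and applicants).
SENDER = "euss-notifications@example.gov.uk"
APPLICANTS = ["applicant.a@example.org", "applicant.b@example.net",
              "applicant.a@example.org"]   # duplicate on purpose

if __name__ == "__main__":
    safe, envelope = build_bulk_message(SENDER, "Scheme update", "Hello", APPLICANTS)
    print("envelope recipients:", envelope)
    print("visible in headers:", visible_recipients(safe))
    check_no_recipient_disclosure(safe, {"example.gov.uk"})
    leaky = leaky_cc_message(SENDER, "Scheme update", "Hello", APPLICANTS)
    try:
        check_no_recipient_disclosure(leaky, {"example.gov.uk"})
    except ValueError as exc:
        print("blocked:", exc)
```

The guard is deliberately strict (one external address at most in visible headers); a mail gateway can enforce the same rule on outbound traffic so that it does not depend on the individual sender remembering BCC.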

Hard-coded credentials in MyCar mobile app leave thousands of cars vulnerable to attacks

The MyCar Controls mobile application for Android and iOS contains hard-coded admin credentials. Attackers can use these credentials to communicate with, and send commands to, the server endpoint for a target user’s account. They can also retrieve data such as the target’s location from a MyCar unit and gain unauthorized physical access to the target’s vehicle. MyCar Controls is a vehicle telematics app that lets users pre-warm or pre-cool their car’s cabin, lock or unlock the doors, arm or disarm the security system, open the trunk and locate the car in a parking lot. Because the admin credentials are embedded in the app itself, an attacker can extract them and use them in place of a user’s username and password to act on that user’s account. “The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account,” Carnegie Mellon University CERT Coordination Center said in a security alert. The vulnerability affects all versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android. Automobility Distribution, the company behind the MyCar app, has released updates for both apps that remove the hard-coded admin credentials. Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android version 4.1.2 to fix the vulnerability.
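Hard-coded credentials (CWE-798) are one of the easier weaknesses to catch before release, because they are literal strings sitting in source or in a decompiled binary. The added example below (my code, not Automobility Distribution’s and not the advisory’s) is a small scanner that flags assignments of credential-looking names to quoted literals while skipping build-time placeholders; the Kotlin-like sample it scans is constructed for the example and is not the MyCar app’s code. A check like this belongs in CI for any mobile app that talks to a backend.

```python
"""Added example: heuristic scanner for hard-coded credentials (CWE-798).

The patterns and the sample source are this example's own; the sample is
constructed and is not code from the MyCar app.
"""
import re

# name = "literal"  or  "name": "literal"  (Kotlin/Java/Swift/JSON-ish)
_ASSIGN = re.compile(
    r"""["']?(?P<name>[A-Za-z_][A-Za-z0-9_]*)["']?\s*[:=]\s*"""
    r"""(?P<quote>["'])(?P<value>[^"']{3,})(?P=quote)"""
)
# Names that usually carry a credential.
_CRED_NAME = re.compile(
    r"user(?:name)?|pass(?:word|wd)?|secret|api[_-]?key|token|auth",
    re.IGNORECASE,
)
# Values that are templates or placeholders rather than live secrets.
_PLACEHOLDER = re.compile(r"^(?:\$\{|<|changeme|todo|xxx|your_|example)", re.IGNORECASE)


def find_hardcoded_credentials(source, path="<input>"):
    """Return a list of findings; values are redacted to their last two
    characters so the scanner output itself does not leak the secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _ASSIGN.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not _CRED_NAME.search(name):
                continue                      # not a credential-looking name
            if _PLACEHOLDER.match(value):
                continue                      # build-time placeholder, not a secret
            findings.append({
                "path": path,
                "line": lineno,
                "name": name,
                "value": "***" + value[-2:],
            })
    return findings


# Constructed sample (hypothetical app config; not the MyCar app's code).
SAMPLE = """\
// constructed sample for the scanner
private const val API_BASE = "https://api.example.invalid/v1"
private const val ADMIN_USERNAME = "admin"
private const val ADMIN_PASSWORD = "Hunter2-Example"
val apiKey = "${API_KEY}"                       // injected at build time, skipped
val userPassword = readFromKeychain("user.password")   // per-user secret, not literal
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE, "Config.kt"):
        print(f"{f['path']}:{f['line']}: {f['name']} = {f['value']}")
```

The last two sample lines show the remediation pattern: secrets injected at build time or, better, per-user credentials read from the platform keychain at runtime, so the shipped binary carries no admin-level secret at all.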

New Mirai botnet variant uses modified encryption and new attack method to target new processors

A new variant of the Mirai botnet that targets additional processor architectures has been discovered. The new sample has evolved to include a modified version of the XOR encryption algorithm and a new DDoS attack method. Unit 42 researchers found that the newly discovered Mirai sample has been compiled for Altera Nios II, OpenRISC, Tensilica Xtensa and Xilinx MicroBlaze processors. “This is not the first time Mirai has been expanded for new processor architectures, samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that Mirai developers continue to actively innovate, targeting a growing array of IoT devices. The malware gained notoriety in 2016 for its use in massive denial of service attacks on Dyn and the website of security blogger Brian Krebs,” the researchers explained. The new sample contains the following new features: it uses eleven 8-byte keys, a modified version of the standard byte-wise XOR used in the original Mirai source code, and it includes a SYN flood attack, a type of DDoS attack. Given the features included in the new sample, researchers believe the variant has been around since November 2018. Because the Mirai source code is public, it is highly likely that attackers will continue to create many variants to infect a wide range of embedded devices.
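For an analyst, the interesting property of the "byte-wise XOR" mentioned above is that it is not really encryption: the original Mirai configuration table XORs every byte with the four bytes of a 32-bit key in turn, which collapses to a single byte, and any layering of fixed keys collapses the same way. The added example below is my code, not Unit 42’s and not the Mirai source; the single-byte reduction of the original 0xDEADBEEF key is the published behaviour of Mirai’s table code, but the way eleven 8-byte keys are combined is an assumption made for the example (each key applied byte-wise in turn), not a description of the new sample. The sample keys and table entry are constructed. It shows that such a scheme reduces to one repeating key and that a short known plaintext recovers that key.

```python
"""Added example: why layered byte-wise XOR collapses to one key.

Not code from Mirai or from Unit 42.  The 0xDEADBEEF -> 0x22 reduction is
the original Mirai table scheme; the multi-key composition below is an
assumption for illustration, not the real variant's key schedule.
"""


def mirai_single_byte_key(key32=0xDEADBEEF):
    """Original Mirai table code XORs each byte with k1, k2, k3, k4 (the
    four bytes of a 32-bit key) one after another.  XOR commutes and
    cancels, so that is one fixed byte: 0x22 for 0xDEADBEEF."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_with_keys(data, keys):
    """Apply each key byte-wise (cycling over its bytes), one key after
    another.  ASSUMED composition for the example, not the real sample's."""
    out = bytearray(data)
    for key in keys:
        for i in range(len(out)):
            out[i] ^= key[i % len(key)]
    return bytes(out)


def effective_key(keys):
    """Collapse equal-length keys into the single repeating key they equal."""
    n = len(keys[0])
    if any(len(k) != n for k in keys):
        raise ValueError("keys must have equal length to collapse")
    eff = bytearray(n)
    for key in keys:
        for i in range(n):
            eff[i] ^= key[i]
    return bytes(eff)


def recover_key(ciphertext, known_plaintext, key_len, offset=0):
    """Known-plaintext recovery: ciphertext XOR plaintext is the key
    stream, so one known string of key_len bytes pins the whole key."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key length")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ known_plaintext[i]
    return bytes(key)


# Constructed sample: eleven 8-byte keys and one table-style string entry.
KEYS = [bytes((i * 37 + j * 11) & 0xFF for j in range(8)) for i in range(11)]
ENTRY = b"/bin/busybox\x00"          # a string of the kind such tables hold
ENC = xor_with_keys(ENTRY, KEYS)

if __name__ == "__main__":
    print("original Mirai effective key: 0x%02x" % mirai_single_byte_key())
    print("collapsed 8-byte key:", effective_key(KEYS).hex())
    print("recovered from known plaintext:",
          recover_key(ENC, b"/bin/busybox", 8).hex())
    print("decoded:", xor_with_keys(ENC, [effective_key(KEYS)]))
```

The practical takeaway for detection engineering is that string-level indicators hidden this way are still static: once one sample yields the collapsed key, the same decoder recovers the configuration of every sample built with that key.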

Flame 2.0 spyware found using strong encryption algorithm to avoid detection

Researchers have uncovered a new variant of the Flame spyware. The sample first appeared in 2014 and likely remained active until 2016. Researchers at Alphabet’s Chronicle Security found that the operators behind Flame had modified the code and added a strong encryption algorithm to make it harder to detect. “Nobody ever expected to see Flame again. We figured it was too old and expensive [for the attackers] to waste time retooling rather than … just build a whole new platform,” said Juan-Andres Guerrero-Saade, one of the Chronicle researchers, as reported by Motherboard. The researchers found Flame 2.0 using YARA rules: they wrote rules to search the VirusTotal archive for anything resembling Flame and found files that had been submitted in late 2016. At that time, none of the antivirus scanners on the site detected the files as malicious. Flame, which is believed to have been created by Israel, was the first modular spy platform discovered in the wild, and it included many capabilities that were unique at the time of its discovery. It spread to victims’ machines using a highly sophisticated technique: the attackers first tricked Microsoft into issuing them a legitimate Microsoft certificate, which let them distribute the malware disguised as real patches and software updates signed under that certificate. During the infection process the malware used a total of 80 command-and-control domains to communicate with its C2 infrastructure. The developers of Flame 2.0 used a strong encryption algorithm that the Chronicle researchers have so far not been able to crack, so it is still unknown what the new variant does once it infects a machine.

New iOS version of Exodus spyware uncovered by researchers

This week, at the Kaspersky Security Analyst Summit in Singapore, researchers presented the iOS version of the Exodus spyware. The new version disguises itself as legitimate iOS apps to target Apple device users, and has been used against users in Italy and Turkmenistan. Exodus came to light last month when Security Without Borders, a non-profit organization, found the spyware hidden inside multiple apps on the Play Store. That malware gained root-level access to infected Android devices and stole device information; a total of 25 variants were used to infect customers of a local Italian Internet Service Provider (ISP). Lookout security researcher Adam Bauer said the company discovered the iOS variant during its analysis of Exodus samples last year. The sample is distributed through phishing sites that imitate Italian and Turkmenistani mobile carriers. To appear less suspicious, the Exodus-infected iOS apps carried legitimate certificates issued by Apple, which allowed victims to install the malicious apps from outside the App Store. The iOS version of Exodus can steal a large amount of information stored on the device, including contacts, photos, videos, audio recordings and GPS information, and it can perform on-demand audio recording on the infected device.



