by Richard Beck

Here is our cyber security round-up of the week:

Beware: Social media platform Mitron, a TikTok lookalike, contains a critical vulnerability

Mitron, a video social platform, recently caught headlines when its Android app gained over 5 million installations and 250,000 5-star ratings in just 48 days after being released on the Google Play Store. Researchers have learned that the Mitron app contains a critical and easy-to-exploit software vulnerability that could let anyone bypass account authorisation for any Mitron user within seconds.

The security issue resides in the way the app implemented the "login with Google" feature – which asks users' permission to access their profile information via their Google account while signing up – but, ironically, doesn't use it or create any secret tokens for authentication. In other words, one can log into any targeted Mitron user profile just by knowing his or her unique user ID, which is a piece of public information available in the page source, and without entering any password.
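To make the flaw described above concrete, here is an added example (not Mitron's or TicTic's code) of a minimal backend login handler in both its broken and corrected form. The vulnerable handler issues a session for whatever user ID the client sends, which is exactly the public identifier available in the page source. The fixed handler only accepts a signed identity assertion from the identity provider, verifies its signature, audience and expiry, and maps the provider-issued subject claim to a local account. As an assumption, the provider's ID token is modelled as a compact HMAC-SHA256-signed JSON payload standing in for the RS256-signed Google ID token (whose public keys a real backend would fetch from the provider); the user records, key and audience are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo data: public user_id -> profile with the provider subject.
USERS = {
    "12345": {"sub": "google-sub-abc", "name": "alice"},
    "67890": {"sub": "google-sub-xyz", "name": "bob"},
}
SUB_TO_USER = {u["sub"]: uid for uid, u in USERS.items()}

# Assumption: shared key and audience standing in for the provider's signing
# key and the app's OAuth client ID.
PROVIDER_KEY = b"constructed-demo-key"
APP_AUDIENCE = "mitron-demo-app"


def vulnerable_login(request):
    """Flawed pattern: the session is issued for any user_id the client names."""
    user_id = request.get("user_id")
    if user_id in USERS:
        return {"session_for": user_id}
    return None


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub, aud, key, now=None, ttl=3600):
    """Provider side (stand-in): sign {sub, aud, iat, exp} with the key."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": sub, "aud": aud, "iat": now, "exp": now + ttl}, sort_keys=True
    ).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url_encode(payload) + "." + _b64url_encode(mac)


def verify_id_token(token, key, aud, now=None):
    """Return the claims only if the signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        mac = _b64url_decode(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload was altered or signed by someone else
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("aud") != aud or claims.get("exp", 0) <= now:
        return None  # token meant for another app, or expired
    return claims


def fixed_login(request, now=None):
    """Corrected pattern: identity comes from the verified assertion, not from the client."""
    claims = verify_id_token(request.get("id_token", ""), PROVIDER_KEY, APP_AUDIENCE, now)
    if claims is None:
        return None
    user_id = SUB_TO_USER.get(claims.get("sub"))
    if user_id is None:
        return None
    return {"session_for": user_id}
```

The key design point is that the public user ID never acts as a credential: the only thing that can open a session is an assertion whose signature the backend verified, and the account is looked up from the subject inside that assertion rather than from a request parameter.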

In separate news, it turns out that the Mitron app – promoted as a homegrown competitor to TikTok – was not developed from scratch; instead, someone purchased a ready-made app from the Internet and simply rebranded it. While reviewing the app's code for vulnerabilities, Rahul found that Mitron is actually a re-packaged version of the TicTic app. Besides Mitron's owner, more than 250 other developers have also purchased the TicTic app code since last year, and any service they run on it is potentially exposed to the same vulnerability.

In short, since:

  • the vulnerability has not yet been patched,
  • the owner of the app is unknown,
  • the privacy policy of the service doesn't exist, and
  • there are no terms of use,

... it's highly recommended that you simply do not install or use the untrusted application, and that you revoke its access from your Google account.

6 Cisco backend servers hacked

Cisco announced that some of its Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) backend servers were hacked by exploiting critical SaltStack vulnerabilities patched last month. As detailed by the company, the hackers were able to compromise six backend infrastructure servers: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info, and vsm-us-2.virl.info.

The hacked servers were updated and remediated by Cisco on 7 May 2020, by applying patches that address the authentication bypass vulnerability (CVE-2020-11651) and the directory traversal vulnerability (CVE-2020-11652) affecting SaltStack servers. The company released security updates that patch the Cisco Modeling Labs (CML) and VIRL-PE products, and also provided a workaround for customers who can't immediately update their installations. CML allows users to simulate Cisco and third-party devices, while VIRL-PE enables them to design and test virtual networks within development and test environments. Attackers have been actively exploiting the SaltStack vulnerabilities. CVE-2020-11652 allows reading files outside the intended directory and, combined with CVE-2020-11651, gives unauthenticated attackers full read and write access and lets them steal the secret key needed to authenticate to the salt-master server as root.

Cisco is not the first organisation to announce a security breach caused by exploiting the SaltStack flaws, with digital security firm DigiCert, LineageOS, Vates (Xen Orchestra creators), and the Ghost blogging platform also reporting intrusions. While most of the organisations that got hacked this way said that the end goal of the attacks was to use the compromised servers for illicit coin mining, the possibility of other more insidious objectives like the deployment of more dangerous malicious payloads or the theft of sensitive information can't be ruled out.

Phishing scam mimicking AWS email puts millions of customers at risk

It’s a fact that phishing scams are evolving, and stealing credentials to obtain sensitive business data has remained the foremost goal of hackers since day one; to achieve it, they will go to any lengths.

Pursuing the same goal, hackers are now distributing fake Amazon Web Services (AWS) notifications to steal employee credentials and fulfil their nefarious objectives. According to researchers at Abnormal Security, cybercriminals are trying to capitalise on the Covid-19-driven lockdowns and quarantine restrictions that have forced businesses to conduct operations online using cloud-based applications and collaboration programs.

In their latest campaign, attackers are sending out emails impersonating AWS automated notifications. To make them appear legitimate, attackers have included authentic AWS links in the anchor text. However, the hyperlink takes the recipient to an entirely different URL from the real AWS login page. Unsuspecting users are likely to enter their credentials on this fake page, as it is identical to the real AWS login page.
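The anchor-text trick described above (a link whose visible text is a genuine AWS URL while its href points elsewhere) is something a mail gateway or a security team's triage script can flag mechanically. The following is an added example, not code from Abnormal Security or from the original post, using only the Python standard library: it parses the HTML body of an email, extracts every anchor, and reports those where the hostname shown in the link text does not belong to the same registrable domain as the hostname in the href. The sample email body and the placeholder phishing domain are constructed for the demo, and the registrable-domain comparison is a simplified last-two-labels rule (an assumption that does not handle suffixes such as co.uk).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one deceptive link, one honest link, one plain label.
SAMPLE_EMAIL_HTML = """
<p>Your AWS account requires verification. Please sign in:</p>
<a href="https://aws-account-verify.example.net/login">https://signin.aws.amazon.com/console</a>
<p>Questions? Visit <a href="https://aws.amazon.com/support">https://aws.amazon.com/support</a>
or <a href="https://aws-account-verify.example.net/help">our help centre</a>.</p>
"""

_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|\b)", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplified: keep the last two labels (assumption; ignores multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_text(text: str):
    """Return a hostname if the visible link text looks like a URL or domain."""
    match = _HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def find_deceptive_links(html: str):
    """Return (href, text) pairs whose displayed domain differs from the href domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        shown_host = host_from_text(text)
        if shown_host is None:
            continue  # plain-language label: nothing for the reader to be misled by
        href_host = (urlparse(href).hostname or "").lower()
        if registrable_domain(shown_host) != registrable_domain(href_host):
            flagged.append((href, text))
    return flagged
```

Running `find_deceptive_links(SAMPLE_EMAIL_HTML)` flags only the first anchor: the visible text claims signin.aws.amazon.com while the href resolves to the constructed example.net host. The honest support link passes, and the "our help centre" label is skipped because it displays no hostname for the comparison to contradict. A real deployment would pair this with a proper public-suffix list and with URL-reputation checks rather than relying on the two-label rule alone.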

Researchers have uncovered two severe vulnerabilities in the PageLayer WordPress plugin

These vulnerabilities could allow hackers to hijack websites that employ its design features. The affected plugin is used to build custom web pages via a simple drag-and-drop mechanism – a boon for users without programming expertise – and is deployed across more than 200,000 websites. Identified by security firm Wordfence, the two bugs could also be manipulated by cybercriminals to inject rigged code, meddle with existing website content, and even perform a total content erasure.

The flaws are the latest in a series of WordPress plugin bugs that let hackers lace websites with malicious code. According to the researchers responsible for the discovery, the pair of vulnerabilities stems from unprotected AJAX actions, nonce disclosure, and a lack of measures to safeguard against Cross-Site Request Forgery (CSRF).

Hackers could reportedly exploit these oversights to perform all manner of malicious activities, including creating admin accounts, funnelling visitors to dangerous domains and invading a user’s computer via the web browser. However, despite three weeks having passed since the patch was issued, only roughly 85,000 users have updated to the latest version, leaving circa 120,000 still at risk. To safeguard against site takeover, PageLayer users are advised to update the plugin to the latest version immediately.

GitHub supply chain attack uses Octopus Scanner malware

According to the GitHub incident response team, Octopus Scanner is a new malware used to compromise 26 open source projects in a massive GitHub supply chain attack. While GitHub users, as developers, should be concerned about this malware using developers for propagation, this particular technique is extremely rare.

When Octopus Scanner lands on a machine, it looks for signs that the NetBeans IDE is in use on the developer's system. If it finds nothing, the malware takes no action. If it does, it ensures that every time a project is built, the resulting JAR files are infected with a dropper. When executed, the payload establishes persistence and spreads a remote access Trojan (RAT), which connects to C2 servers. The malware continues to spread by infecting further NetBeans projects and JAR files. In this way it backdoors healthy projects, so that when developers release code to the public, it contains malware.

The goal of Octopus Scanner is to insert backdoors into artefacts built by NetBeans so the attacker can use these resources as part of the C2 server. Octopus Scanner also tries to prevent any new project builds from replacing the infected one. This ensures the malicious build components remain in place. While researching the infected repositories, GitHub found four different versions of affected NetBeans projects. It is interesting the attackers specifically chose to target the NetBeans build process, especially because it's not the most common Java IDE.
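Because the malware described above inserts itself into build output rather than into source, one practical defence is to audit each produced JAR against a known-good record of what the build is supposed to contain. The following is an added example, not GitHub's or NetBeans' tooling: it records a SHA-256 digest for every entry of a reference JAR built from clean sources, then compares a later build against that record and reports entries that were added, removed or changed. Both JARs, the class file contents and the entry names (including the `com/example/Injected.class` placeholder) are constructed in memory for the demo; the technique generalises to any archive-based build artefact.

```python
import hashlib
import io
import zipfile


def build_jar(entries: dict) -> bytes:
    """Create an in-memory JAR (a zip) from {entry_name: bytes_or_str}. Demo helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def jar_entry_digests(jar_bytes: bytes) -> dict:
    """Map every file entry in the JAR to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def audit_jar(jar_bytes: bytes, expected_digests: dict) -> dict:
    """Compare a build against the known-good record; any non-empty list is a finding."""
    actual = jar_entry_digests(jar_bytes)
    added = sorted(set(actual) - set(expected_digests))
    missing = sorted(set(expected_digests) - set(actual))
    changed = sorted(
        name for name in actual.keys() & expected_digests.keys()
        if actual[name] != expected_digests[name]
    )
    return {"added": added, "missing": missing, "changed": changed}


# Constructed reference build: the entries the clean source tree is known to produce.
CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: com.example.App\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe app-bytecode-placeholder",
    "com/example/Util.class": b"\xca\xfe\xba\xbe util-bytecode-placeholder",
}
CLEAN_JAR = build_jar(CLEAN_ENTRIES)
KNOWN_GOOD = jar_entry_digests(CLEAN_JAR)

# Constructed tampered build: an extra class not derived from source, and a manifest
# whose entry point was redirected to it (the kind of change a dropper would need).
TAMPERED_ENTRIES = dict(CLEAN_ENTRIES)
TAMPERED_ENTRIES["com/example/Injected.class"] = b"\xca\xfe\xba\xbe injected-placeholder"
TAMPERED_ENTRIES["META-INF/MANIFEST.MF"] = (
    "Manifest-Version: 1.0\nMain-Class: com.example.Injected\n"
)
TAMPERED_JAR = build_jar(TAMPERED_ENTRIES)


if __name__ == "__main__":
    for label, jar in (("clean build", CLEAN_JAR), ("tampered build", TAMPERED_JAR)):
        print(label, audit_jar(jar, KNOWN_GOOD))
```

The known-good record should be produced on a trusted build host (or from a reproducible build) and stored outside the developer workstation, since the point of the check is to catch a build environment that has been compromised. The same digest record also serves as the input to a reproducible-build comparison across two independent machines.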

Because the primary users of these repositories are developers, a successful intrusion could give attackers access to the same resources that developers use. These may include additional passwords, production environments, database passwords, and other sensitive assets. For developers, the challenge is knowing their dependencies and knowing when they need to be patched. GitHub aims to help with this through Dependency Graph, which helps users better understand their projects' dependencies and provides security alerts when a dependency has a vulnerability. On GitHub, maintainers can create a security.md file with their reporting and disclosure policy, create fixes when needed, and publish security advisories. 

Super hacker VandaTheGod linked to Brazilian individual

A super hacker by the name of VandaTheGod, who has hacked governments, corporations and individuals since 2013, has been linked with high certainty to a specific Brazilian individual from the city of Uberlândia. Researchers at Israeli cybersecurity firm Check Point said they have relayed the findings to law enforcement agencies to enable them to take further action, adding that the social media activity on profiles associated with VandaTheGod came to a halt towards the end of 2019.

Since 2013, many official websites belonging to governments worldwide were hacked and defaced by an attacker who self-identified as "VandaTheGod". The hacker targeted governments in numerous countries, including Brazil, the Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam and New Zealand.

“Many of the messages left on the defaced websites implied that the attacks were motivated by anti-government sentiment, and were carried out to combat social injustices that the hacker believed were a direct result of government corruption,” Check Point said on Thursday.

VandaTheGod didn’t just go after government websites, but also launched attacks against public figures, universities, and even hospitals. In one case, the attacker claimed to have access to the medical records of 1 million patients from New Zealand, which were offered for sale for just $200.

“Most of VandaTheGod’s attacks against governments were politically motivated, but a closer look at some tweets shows the attacker also trying to achieve a personal goal: hacking a total of 5,000 websites,” said researchers. The goal was nearly reached, as there are currently 4,820 records of hacked websites linked to VandaTheGod. “VandaTheGod has proven, with numerous successful attacks against reputable websites, that hacktivism often crosses a line into further criminal activity, such as credentials and payment-card theft,” said Check Point.

Edited and compiled by QA's Director of Cyber, Richard Beck.
