This Month in Cybersecurity News [June 2018]

I’ve been neglectful on posting cybersecurity news lately. To make up for it, here are some of the hot cybersecurity events that occurred this month.

The New OnePlus 6 Smartphone – Serious Bootloader Vulnerability

The Chinese smartphone manufacturer, OnePlus, just released the all new OnePlus 6 smartphone last month. With its high-end specifications, glass-design, large storage features, and Android software, it’s said to rival some of the features in the more popular Samsung Galaxy S9 and the iPhone X. The newest generation of Android and Apple smartphones cost anywhere between $700 to $1000; however, depending on the storage amount, the OnePlus 6 costs between $529 and $579, making it an affordable alternative.

OnePlus6.jpeg

But, a serious vulnerability was discovered in the OnePlus 6’s bootloader, which is a piece of the device’s firmware. The bootloader is the low-level code that runs before the actual operating system boots up. Think of it as the instructions that tell the device how to startup.

The bootloader should be locked, but this isn’t true for the OnePlus 6. With physical access to the phone, an attacker can use this vulnerability to flash any modified boot image, which gives the attacker full access (or superuser privileges) to the device. To exploit the vulnerability, the attacker needs physical access to the phone, be able to connect it to his/her computer, restart the phone into Fastboot mode, and transfer over the modified boot image.

This might be something to worry about if your OnePlus 6 is ever stolen. Until then, OnePlus 6 users must wait until OnePlus rolls out a security update to fix this bootloader vulnerability.

Russia Bans VPNs and Anonimizers

Russia has had a long history of Internet censorship, with its first nationally judicial censorship occurring in 2012. Internet censorship in Russia despends on a blacklist to restrict what the country’s Internet users can access online. This blacklist includes domain names, URLs, and IP addresses. Although Russia’s Internet censorship was originally intended to restrict access to sites promoting drug distribution, suicide, and child pornography, it has been amended to include anything that promotes extremism or anything that might violate the order in the country.

vpn diagram.jpg

A new bill will now ban all web sites that host anonymizing software, such as VPNs, which circumvent Russia’s censorship restrictions. Normally, a VPN would encrypt an online user’s communication and route it to through alternative locations using a server in another country. This would allow an online user to access banned web sites while staying anonymous, which is what many Russian citizens do.

However, with this new bill, search engines will be fined if they continue to provide links to banned web sites or links to VPN providers. Individuals who are caught can face a fine of up to $80, which is about 5,000 rubles. Any Russian officials caught breaking the law face 10 times that amount at $800, which is 50,000 rubles.

Facebook Exposes 14 Million Users (Again)

As if Facebook hasn’t already seen enough trouble with the whole Cambridge Analytica incident, Facebook is receiving more unwanted criticism after a software bug publicly exposed 14 million Facebook users.

To clarify, when a Facebook user posts a status on their wall, the default setting for the post is set to a “Friends only”  audience. However, a technical error unintentionally caused this default setting to change to the “Public” audience setting.

facebook image.jpg

The bug was live between May 18 and May 22, so it’s possible that your own Facebook post during this 4-day window could’ve been publicly posted even though it was intended to be seen by your friends-only. Facebook did fix this bug and sent out a ‘Please Review Your Posts’ alert to affected Facebook users.

Flash Player Zero Day Discovered

Flash Player tends to be a popular attack vector for cybercriminals. Just last month, I was walking a friend through the steps of removing spyware that was installed through a fake Flash Player update on her Mac. In a security bulletin published June 7, Adobe released a security update for Adobe Flash Player 29.0.0.171 and earlier versions to address a zero day vulnerability that is currently being exploited in the wild.

A “zero day” is a previously unknown vulnerability. It is an unpatched security hole in the software and, because the software vendors don’t know about it yet, no patch exists to remediate it.

flashplayer exploit.png
Flash Player Zero Day Exploitation. Reprinted from “Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit,” by Kumar, M., (2018). 

This zero day is delivered when users open a specially crafted Excel spreadsheet. Once opened, malicious code and payloads are delivered by C2 servers based in the Middle East (this is the reason why the zero day has been primarily targeting users in the Middle East). Updating to Flash version 30.0.0.113 should prevent this zero day.

VPNFilter Malware is Worse Than We Thought

As many of us are already aware, an advanced Internet of Things (IoT) botnet with Russian ties was discovered last month by Cisco, dubbed the “VPNFilter malware.” Over 500,000 routers in 54 difference countries were compromised, but other reports are stating the number of infected devices are now in the millions. Popular router models and NAS devices from MikroTik, NETGEAR, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE, were all discovered to be affected by the VPNFilter. This is a much bigger attack surface than previously reported.

VPNFilter Malware.png
VPNFilter Malware Stages of Infection and Attack. Reprinted from “Destructive and MITM Capabilities of VPNFilter Malware Revealed,” by Khandelwal, S., (2018). 

The way in which the VPNFilter infects a home router is by exploiting a publicly-known vulnerability, such as default credentials or known exploits. Infecting the device is Stage 1. From there, VPNFilter contacts a C2 server to download modules that will help it to deliver malicious payloads.

During Stage 2, VPNFilter uses these modules to deliver its main payload, which includes file collection, command execution, remote device management, and a capability that allows the attackers to “brick” the device.

In Stage 3, VPNFilter can perform Man-in-the-Middle (MitM) attacks on web traffic destined to port 80 through an additional module called “ssler.” Similar to sslstrip, attackers can intercept https traffic flowing through the router and downgrade it to http traffic, which leaves your web traffic unencrypted and and viewable to others. This allows the attackers to steal sensitive information, such as bank credentials, company credentials, payment card information, and so forth.

All affected users are advised to reboot their routers. The FBI was able to seize one of the C2 servers that control VPNFilter, but rebotting may not enough to completely clean your affected router or device. Rebooting the router will remove stage 2 and stage 3 modules, but it will not remove the malware’s presence that was established during stage 1. And, unfortunately, the attackers can just as easily reinstall the modules from stage 2 and stage 3, but it at least buys you some time to apply any patches, firmware updates, and change your device’s default credentials.

The only way to remove VPNFilter is a hard reset (factory reset) of the device. Keep in mind that all configuration details and credentials will be lost, so having a backup of the configuration file will come in handy. If not, it means you’ll have to re-configure your router’s settings, Wi-Fi SSID, password, and login credentials.

MyHeritage Suffers One of the Largest Data Breaches

Earlier this month, “MyHeritage,” the Isreal-version of ancestry.com, disclosed to the public that it was the victim of a data breach that occurred back in 2017, but did not know about the breach until June 4, 2018. MyHeritage learned about the breach when a security researcher discovered one of their databases on a server in another country.

The database iteself contained email addresses and hashed passwords of 92.3 million users. Importantly, the MyHeritage security team would like everyone to know that know family history or genetic data was included in this breach because all of this data is stored in a separate database.

Even though the passwords were hashed, they are still vulnerable to off-line password cracking attacks, so it’s a worth mentioning that all MyHeritage users change their passwords immediately and enable two-factor authentication. MyHeritage is still investigating how the breach occurred and is currently working with a third-party cybersecurity firm to discover the answer.

Baby Monitor Hacked to Spy on South Carolina Mom

If you’re keeping up with IoT security concerns, or even some of my own posts on IoT hacking, you won’t be surprised by this next piece of news. A mother in South Carolina claims that her baby monitor was hacked and used to spy on her when she noticed the camera was moving on its own and aiming towards her bed. When the police came to her door, the app that controlled the baby monitor locked up.

baby monitor.jpg

IoT devices aren’t typically built with security in-mind, and with the influx of IoT devices coming from China, it’s difficult to know the full extent of the product. Sometimes, these products are built with backdoors during their manufacture. But, most times, IoT devices are exploited through default credentials or weak passwords.

 

References

Khandelwal, S. (2018). Destructive and MITM Capabilities of VPNFilter Malware Revealed. The Hacker News. Retrieved from https://thehackernews.com/2018/06/vpnfilter-router-malware.html

Khandelwal, S. (2018). Facebook Bug Changed 14 Million Users’ Default Privacy to Settings to Public. The Hacker News. Retrieved from https://thehackernews.com/2018/06/facebook-privacy-setting.html

Khandwelwal, S. (2018). MyHeritage Says Over 92 Million User Accounts Have Been Compromised. The Hacker News. Retrieved from https://thehackernews.com/2018/06/myheritage-data-breach.html

Kumar, M. (2018). Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit. The Hacker News. Retrieved from https://thehackernews.com/2018/06/flash-player-zero-day-exploit.html

Kumar, M. (2018). OnePlus 6 Flaw Allows to Boot Any Image Even With Locked Bootloader. The Hacker News. Retrieved from https://thehackernews.com/2018/06/oneplus6-bootloader-root.html

Kumar, M. (2018). Russia to Fine Search Engines for Linking to Banned VPN Services. The Hacker News. Retrieved from https://thehackernews.com/2018/06/russian-vpn-services.html

Symantec. (2018) VPNFilter: New Router Malware with Destructive Capabilities. Symantec Corporation. Retrieved from https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

Threatpost. (2018). Baby Cam Creeper Actively Watched New Mom. Threatpost. Retrieved from https://threatpost.com/baby-cam-creeper-actively-watched-new-mom/132606/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: