FFT news digest July 10 2020

Credentials for sale

15 billion. Two for every person on the planet. That's the number of stolen credentials being traded on illicit marketplaces, and five billion of them are unique. Digital Shadows says it cost just $15.43 to buy the details of an average account, with many offered for nothing. At the top end, credentials for Active Directory domain administrator accounts were advertised for prices ranging from $500 to $95,000. Digital Shadows' findings are based on 18 months spent analysing criminal forums. Their conclusion: the number of stolen usernames and passwords in circulation has increased by 300% since 2018. They also estimate that, on average, we each have around 191 services requiring a password, so (as we've said many times) the only practical solution is to use a password manager. Incidentally, Motherboard has revealed that US government agencies are among those buying stolen data. The aim is to help track down criminals. The by-product is information about billions of innocent computer users.

Scumwatch

The number of UK organisations to have suffered a cyber attack doubled in the past five years, according to research by Beaming. Five Years in Cyber Security found 1.5 million victims in 2019, with phishing and malicious software the most common methods. Among this week's scams:
Mac malware: More details on a rare example of malicious software targeting Macs. As well as encrypting files, ThiefQuest steals data and logs keystrokes. It spreads through pirated software. SentinelLabs has a decryption tool. Malwarebytes
Microsoft 365: It seems every ne'er-do-well wants to get hold of credentials for Microsoft 365. Microsoft is warning of attempts to persuade users to grant access to malicious apps, which attackers can then use to access accounts. Other tempting lures this week include fake Zoom and SurveyMonkey notifications. Abnormal Security
HSBC: Bogus text message tries to persuade target to visit a malicious website and enter their banking details. Griffin Law
Preinstalled: Researchers in the US have found another budget Android handset with malicious software preinstalled on it. We recommend caution with cheap phones, no matter how tempting the deal. Malwarebytes
Mobiles: Another bunch of text messages purporting to be from O2, EE and others, warning about a payment failure. The fake sender and the user's actual network often don't match. The aim is to steal credentials for the user's mobile account.

Zoom fatigue

As a return to normal office work remains a distant prospect for many, we thought we should go over some basic precautions to keep your video conferencing as safe as possible.
Passwords: Calls without a password are doors without a lock. Without one, an intruder (malicious or merely nosy) simply has to try meeting IDs until they find one that works.
Waiting rooms: Use a waiting room to review who's waiting to join the call. If the number of people is manageable, have a roll call so that everyone announces themselves.
File and screen sharing: Use host controls to limit the types of activity that are allowed during a call. File transfer and screen sharing have both been exploited by attackers and idiots.
Recordings: Do you really need to record a call? If you do, then obviously it's essential to protect it because it's likely to contain sensitive and possibly personal information.
Finally, some good news from Microsoft. It's rolling out new features designed to reduce the fatigue of multiple online meetings.

Bring your own

Do you use any of your own devices for work? We'd make a small wager you do because it has become so common. Unfortunately, so has a failure to implement any measures to secure that use. A survey by Bitglass found that 69% of organisations allowed personal devices to be used for work, and some extended this to external partners and suppliers. But, despite this, many respondents said they hadn't taken any coherent measures to protect themselves. The result is widespread concern over data leakage, unauthorised access to data and systems, and malware infections. In the rush to remote working, it's understandable corners may have been cut. Now is the time to examine how devices are being used, and to put in place mechanisms to protect the organisation...and the individual.

The Chinese challenge

How to deal with China's assertive geopolitics is becoming an increasingly pressing problem for governments, technology companies and educational establishments. This week, the BBC reported that UK universities are testing a new online teaching system that will limit the content students can see in order to comply with China's controls on internet access. Technology giants including Facebook, Google and Twitter say they will refuse law enforcement requests for user data in Hong Kong following Beijing's decision to impose a new national security law on the territory. Facebook said it took the decision “pending further assessment of the National Security Law, including formal human rights due diligence and consultations with international human rights experts.” And the UK government is beginning to realise how difficult it will be to remove Huawei from the country's 5G infrastructure within three years. "That would literally mean blackouts for customers on 4G and 2G, as well as 5G," BT's CTO told a House of Commons committee.

Online thieves

The scale of the threat to online shopping services is illustrated by research showing 570 sites in 55 countries have been affected by a single group seeking to 'skim' payment card details. Gemini Advisory says the three-year campaign mainly targeted the Magento content management system, but WordPress and Shopify were also hit. Many of the sites were operated by smaller retailers that are unlikely to enjoy the benefits of dedicated IT teams. A full list of the sites is here. In a separate report, Sansec says North Korea is behind a series of attacks over the past year, with Claire's Accessories as the highest profile victim. It's vital for anyone operating an online shopping site to make sure it's kept up to date. We suggest also doing everything possible to prevent malicious code being injected into the payment process. Mozilla has a guide to Subresource Integrity (SRI) which explains how to ensure any external resources fetched by a website are genuine.

In brief

Another warning about the gruesome state of security afflicting home routers. A study of 127 models from seven manufacturers found many have known vulnerabilities that remain unaddressed, and 46 of them haven't had a security update in the past year. This is a disaster waiting to happen. The cause lies at the heart of the low-cost, low-margin business model behind these devices; nothing will change until that does. FKIE

A series of patent applications point to grand plans by Apple to turn the iPhone into a replacement for paper/plastic passports, driving licences and other identity documents. What could possibly go wrong? Apple Insider

AWS appears to be harvesting customer data and storing it outside the region customers have selected. Among the affected services are CodeGuru Profiler, Rekognition, Transcribe, and Fraud Detector. The issue was discovered by a researcher who bothered to read all 15,000 words of the terms of service. CBR

Wise advice from the founder of the Internet Storm Center, who stresses the importance of separating attacks that matter from "noisy" ones that would never have been successful. One thing Dr Johannes Ullrich suggests we should focus on is controlling the applications users can run. Help Net Security

The Mexican parliament has approved a law that makes it illegal to have a computing device repaired by anyone other than the manufacturer. The bill also gives the government extensive powers to control free speech. El Universal

Updates

F5: Renewed warning for users of BIG-IP devices after disclosure of a serious vulnerability in a configuration utility. The issue is being actively exploited and some 6,000 devices are reported to be vulnerable. "If you didn't patch by this morning, assume compromised," the head of the US Cybersecurity and Infrastructure Security Agency said on Sunday.

Citrix: Updates to address 11 security vulnerabilities in products, including Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP. There are reports of active efforts to exploit the issues.

Palo Alto Networks: And for a hat-trick of networking nasties, Palo Alto has released updates to fix a serious issue in PAN-OS GlobalProtect portal.

Zoom for Windows: Anyone using Zoom on Windows 7 should be aware of a serious vulnerability that has only just been discovered. It doesn't trigger a security warning and requires something as simple as opening a received document file. Zoom is working on a patch. Meanwhile, Acros Security has a fix (that requires registration).

Android: The July update includes fixes for several critical vulnerabilities that could enable remote attacks.

Firefox Send: Mozilla has switched off its (very useful) file sharing service following abuse by criminals. It is aiming to relaunch with enhanced security. Meanwhile, a security fix has been released for the Firefox browser.

iOS: Another black mark for Apple as iPhone users report battery drain issues that appear to be linked to high levels of background activity. The ongoing problems with iPhone updates are more than just a nuisance because they make users less likely to take releases that are essential to keep devices secure. If you've noticed shorter battery life, you can go to Settings | Battery and check Screen Off activity. If the graph shows this is higher than normal, then background activity may be affecting you. Unfortunately, there doesn't seem to be a fix, so it's a case of waiting until Apple lumbers into gear and releases an update.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217