Ethical Hacking

We vaguely talked about a vulnerability or vulnerabilities at this point in sim card which allows attackers to compromise cell phones. From thehackernwes.com I was able to track down the article which talks about it. Known as “SimJacker” the threat lies in the SIM toolkit which can be exploited no matter what type of cellphone users have. This particular type of SIM card is used in over 30 countries and more than a few dozen big operators use that. The freaky part is according to the article – “What’s worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.” The article explains what exactly the SimJacker does and how it works.

“Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.

Retrieving targeted device’ location and IMEI information,

• Spreading mis-information by sending fake messages on behalf of victims,
• Performing premium-rate scams by dialing premium-rate numbers,
• Spying on victims’ surroundings by instructing the device to call the attacker’s phone number,
• Spreading malware by forcing victim’s phone browser to open a malicious web page,
• Performing denial of service attacks by disabling the SIM card, and
• Retrieving other information like language, radio type, battery level, etc.”

Kind of a long read but worth it. Alarming imo!

Source Link: https://thehackernews.com/2019/09/simjacker-mobile-hacking.html

The weakest link in security are humans. Iranian hackers launch credential-stealing phishing attacks against universities resulting in the theft of intellectual property and research data.

Universities in the US, UK and Australia are being targeted by the Colbalt Dickens hacking group who are linked to the Iranian government. It is speculated these attacks are in response to recent government sanctions and Iranian academic talent leaving for countries for collaborative academic research purposes.

The phishing emails look legitimate, and appear to come from online library services at the university. The email content claims the user’s account has been deactivated, and to reactivate, they follow a spoofed URL link and provide credentials. In addition to their phishing tactics, the group uses publicly available tools and code taken from GitHub instead of using malware. This tactic allows them to remain undetected by security software.

I have found that user education in the form of anti-phishing campaigns and enabling multi-factor authentication are crucial in combating phishing attacks.

https://www.zdnet.com/article/iranian-hackers-credential-stealing-phishing-attacks-against-universities-around-the-world/

I remember reading about this power grid attack against Ukraine in 2016, and experts were puzzled as to why the attack just accomplished a temporary outage. Some speculated that is was just probing the power grid for a more complex attack at a later date. This article has a different theory. The malware Russia used to overload the electric transmission station, just north of the city of Kiev, was “Crash Override” (https://www.us-cert.gov/ncas/alerts/TA17-163A). The malware interacts/attacks electric industrial equipment by sending multiple commands using  four different protocols to open circuit breakers causing mass power outages.

Researches recently discovered that the malware also attacked a vulnerability in a piece of Siemens equipment (protective relay) used as an electric grid fail safe. The disabling of the protective relays would be unknown to the first responders trying to restore power to the grids. Researchers now believe that the intention was for grid engineers to quickly respond to this outage and restore power to the failed equipment manually. The danger here is while restoring power to the grid, and without the protective relay fail-safes in place, a critical overload of electrical current to  transformers and power lines could have caused catastrophic damage to the electrical grid equipment, caused physical harm to workers, and  would have caused significant downtime of the electrical grid.

https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

There is a new type of specific malware in the web environment today which basically “specializes” in theft of cryptocurrency. Yes, you read that right. The malware comes packed with Trojan capabilities as one of the article mentioned and will infect itself once it has identified sources of cryptocurrency wallet data. So you may wonder how does it spread? Phishing! It is developed on .net and gets sent out via phishing emails with attachments or even drive by downloads. As soon as the malware has made it entrance onto your machine, “it will make a copy of itself and hide it in the AppData directory before writing a Base64 encoded PE file in memory to execute the main functionality of the Trojan. In the quest for cryptocurrency, InnfiRAT will scan for information relating to cryptocurrency including Bitcoin (BTC) and Litecoin (LTC) wallets by checking for %AppData%\Litecoin\wallet.dat and %AppData%\Bitcoin\wallet.dat. If they are present, the malware will siphon existing data that can be used to compromise these wallets and potentially steal virtual funds.”  Check out the link to find out more about it. Looks pretty interesting and scary! (source link: https://www.zdnet.com/article/innfirat-malware-lurks-in-your-machine-to-steal-cryptocurrency-wallet-data/)

Last week Google disclosed a large-scale hacking effort that it said targeted users of Apple devices. It was a bombshell story.

But now Apple has gone on the attack – angry in public, and absolutely incensed in private at what is being seen as something of a stitch up. Google is standing by its research.

In a statement posted on Friday, Apple took issue with Google’s characterization that this was a broad attack on all iPhone users.

“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” it reads.

“This was never the case.”

Apple’s bone of contention isn’t so much about what Google’s Project Zero team included in its report. Rather, Apple is upset about what was left out. The view from Cupertino is that Google’s business interests in China led it to pull back on describing the attack as being targeted at the persecuted Uighur community.

Link: https://www.bbc.com/news/technology-49617081

After what has been a summer of “crippling ransomware attacks,” there has now been some respite courtesy of the city of New Bedford, Massachusetts, which has proven that the playing field can be leveled. The city was hit back in July, with its data held hostage, ransomed for more than $5 million in bitcoin. But as the attackers waited for their payment, the city’s law enforcement agencies and technology teams had other ideas.

No types of organizations are immune from these types of attacks these days,” Mayor Jon Mitchell told reporters. The city government, he said, had been taking steps to strengthen our defenses—but any network is only one keyword click away from an attack. Thankfully, he acknowledged, “the attack could have been much worse.” It hit on the July 4 holiday when many systems were shut down.

“The attack was a variant of the RYUK virus,” Mitchell confirmed. “The victim needs to make a ransom payment to acquire the decryption key from the attacker.” The attack did not affect all systems or disrupt all services, and on the return to work on July 5, the city kept systems turned off as they isolated the attack.

Link. https://www.forbes.com/sites/zakdoffman/2019/09/07/greedy-cyberattackers-beaten-by-us-city-lose-huge-53m-ransomware-payment/

Beware! Billion of Android users can easily be tricked into changing their devices’ critical network settings with just an SMS-based phishing attack.

Whenever you insert a new SIM in your phone and connects to your cellular network for the very first time, your carrier service automatically configures or sends you a message containing network-specific settings required to connect to data services.

While manually installing it on your device, have you ever noticed what configurations these messages, technically known as OMA CP messages, include?

Well, believe me, most users never bother about it if their mobile Internet services work smoothly.

But you should worry about these settings, as installing un trusted settings can put your data privacy at risk, allowing remote attackers to spy on your data communications, a team of cyber security researchers told The Hacker News.

https://thehackernews.com/2019/09/just-sms-could-let-remote-attackers.html?m=1