Ethical Hacking

Wade Mackey

MIS 5211.702 ■ Fall 2020 ■ Wade Mackey

Akshay Shendarkar

In the news

November 30, 2020 by Akshay Shendarkar

Capture of sensitive information by Baidu Apps detected by Palo Alto Networks’ Researchers

Two popular Android apps from Chinese tech giant Baidu were temporarily unavailable on the Google Play Store in October after they were caught collecting sensitive user details.
The two apps in question—Baidu Maps and Baidu Search Box—were found to collect device identifiers, such as the International Mobile Subscriber Identity (IMSI) number or MAC address, without users’ knowledge, thus making them potentially trackable online.
The discovery was made by network security firm Palo Alto Networks, which notified both Baidu and Google of its findings, after which the search company pulled the apps on October 28, citing “unspecified violations.”
According to Palo Alto researchers, the full list of data collected by the apps includes:
• Phone model
• Screen resolution
• Phone MAC address
• Carrier (Telecom Provider)
• Network (Wi-Fi, 2G, 3G, 4G, 5G)
• Android ID
• IMSI number
• International Mobile Equipment Identity (IMEI) number

Reference: https://thehackernews.com/2020/11/baidus-android-apps-caught-collecting.html

Nation-State Attackers Actively Target COVID-19 Vaccine-Makers

November 16, 2020 by Akshay Shendarkar

Three nation-state cyberattack groups are actively attempting to hack companies involved in COVID-19 vaccine and treatment research, according to reports by Microsoft. Russia’s APT28 Fancy Bear, the Lazarus Group from North Korea and another North Korea-linked group dubbed Cerium are believed to be behind these attacks.
The primary attack methods used are password spraying and brute forcing of employee accounts. These employees have also been subjected to spear phishing attacks, in which the attackers made the emails appear to come from WHO officials. Microsoft declined to speak about any compromise of data; however, at least one breach has been confirmed.
Reference:
https://threatpost.com/russia-north-korea-attacking-covid-19-vaccine-makers/161205/

News – How much phishing is too much phishing?

October 19, 2020 by Akshay Shendarkar

A review of phishing attacks for the year 2020 is summarized below:
A report by Interisle Consulting Group and Illumintel states some major facts about the phishing landscape in 2020.
First off, the exact size of the phishing problem remains unknown. However, the problem is bigger than it seems.
Most phishing is concentrated at a small number of domain registrars, registries and hosting providers.
Of all the maliciously registered domains, 65% are used within 5 days of registration.
Around 9% of phishing attacks are conducted on a small number of subdomain service providers.

The number of phishing attacks discovered every year continues to increase. Phishing takes advantage of our cognitive biases and fools us into giving away our details. When these biases are combined with clever tactics used by cybercriminals, the attacks become even more effective.

Reference: https://cyware.com/news/how-much-phishing-is-too-much-phishing-6de63298

Week 9 - Readings Summary

October 19, 2020 by Akshay Shendarkar

This week’s reading article introduced us to the world of malware. The article gave a fundamental definition of malware as well as brief definitions of the types of malware.
It was interesting to read how malware propagates through systems once they are infected. The article also provided a history of malware in computer systems and concluded with a methodology of six basic steps which constitute a malware response plan.

Question:
What skills are needed for writing malware?

News article – Tyler Technologies pays ransom to obtain decryption keys!

October 12, 2020 by Akshay Shendarkar

Tyler Technologies, Inc. is the largest provider of software to the United States public sector.
On September 23rd, Tyler Technologies announced it had suffered a ransomware attack, and its customers reported finding suspicious logins and previously unseen remote access tools on their networks.
It was reported that hackers breached the internal network of the company and deployed the malware.
Security researchers have speculated that Tyler Technologies was hit by RansomEXX, a human-operated ransomware, meaning that the attackers manually infected the systems after gaining access to the target network.
According to BleepingComputer, which cited a source informed on the event, Tyler Technologies paid a ransom of an unspecified amount to receive the decryption key and recover encrypted files.
It is speculated that the senior management of Tyler Technologies reluctantly paid the unspecified ransom because many school districts, court systems, and local and state governments in the United States use Tyler Technologies software.

References: https://securityaffairs.co/wordpress/109334/cyber-crime/tyler-technologies-paid-ransom.html

Facebook Grant Scam

October 5, 2020 by Akshay Shendarkar

Cyber criminals are exploiting Facebook’s offering of $100 million in cash grants to businesses affected by the coronavirus pandemic.
Potential victims see an article seemingly from CNBC, a world leader in business news with a monthly audience in the hundreds of millions, saying Facebook is giving grants to users hit by COVID-19 and including a link to apply for a grant. The grammar should give away the game, and the URL, which does not start with cnbc.com, is another suspicious element.
Those who turn a blind eye to the clumsy English and wrong URL are taken to another portal that bears more than a striking resemblance to the official site of Mercy Corps, a charity that helps victims of natural disasters and armed conflicts. However, the only topic on this one is Facebook grants, and the victim is asked to specify how many years they have been a user of the social network. Victims are asked for their Facebook username and password credentials which go straight to the cybercriminals. Then, to accept the application, the site requires a lot more information, supposedly to verify your account: your address, social security number (for US citizens), and even a scan of both sides of your ID. No fields can be left blank, and the site diligently prompts you about any omissions.

Reference: https://www.kaspersky.com/blog/facebook-grants/37181/?web_view=true

News Article – Fortigate VPN Default Config Allows MiTM Attack

September 28, 2020 by Akshay Shendarkar

SAM IoT Security Lab has written an interesting article about VPN services deployed using FortiGate VPN appliances.
A Shodan search turned up more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.
In the case of the FortiGate router, it uses a self-signed, default SSL certificate, and it uses the router’s serial number to denote the server for the certificate.
While the issue exists in the default configuration of the FortiGard SSL-VPN client, Fortinet does not consider the issue to be a vulnerability, because users have the ability to manually replace the certificate in order to secure their connections appropriately.
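
A check a VPN client or auditor could run against the gateway certificate, as an added example that is not from the article or from Fortinet: it flags a certificate that is self-signed or whose names do not match the host being dialed, which is the combination the post describes. The certificate dicts, host names and the serial placeholder are constructed for illustration.

```python
# Constructed samples in the dict layout of Python's ssl.SSLSocket.getpeercert().
# SERIAL-PLACEHOLDER-0001 stands in for a device serial number (not a real value).
DEFAULT_CERT = {
    "subject": ((("commonName", "SERIAL-PLACEHOLDER-0001"),),),
    "issuer": ((("commonName", "SERIAL-PLACEHOLDER-0001"),),),
}
REPLACED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}


def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def audit(cert, host):
    """Return the reasons this certificate does not identify `host`."""
    findings = []
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")      # no independent party vouches for it
    if not any(name_matches(name, host) for name in cert_names(cert)):
        findings.append("name-mismatch")    # e.g. a serial number instead of the host
    return findings


if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("replaced", REPLACED_CERT)):
        print(label, audit(cert, "vpn.example.com") or "ok")
```

A client that connects despite either finding cannot distinguish the real gateway from an interposed one, which is why replacing the default certificate matters.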

Readings Summary

September 28, 2020 by Akshay Shendarkar

This week’s reading article introduces us to ‘Netcat’, which has proven to be a very important tool for IT security admins in maintaining the security of their networks. Netcat is a Linux utility program used for reading and writing data across networks using the TCP and UDP protocols. Netcat is very capable at creating connections with network devices, using port filtering, and hence it is also used as a network debugging tool. The article goes on to illustrate the various uses or circumstances in which Netcat can be used by security admins, as well as the relevant syntax for carrying out specific actions with this tool.

LockBit – Ransomware-as-a-Service

September 20, 2020 by Akshay Shendarkar

LockBit was first discovered in September 2019 under the name of .AbCD virus. The gang has evolved in leaps and bounds since then. A common methodology of this cybercrime gang is to target organizations which do not deploy two-factor authentication or which use weak encryption algorithms for their VPN connectivity.
Another cybercrime gang, Maze, hosts some of the data stolen by LockBit on its servers, suggesting a collaboration between these two gangs. According to McAfee, LockBit mostly targets organizations located in the U.S., the U.K., France, Ukraine, Germany, India, China, and Indonesia.

References:
https://cyware.com/news/lockbit-a-new-entrant-taking-big-leaps-23850c68

Readings Summary

September 20, 2020 by Akshay Shendarkar

This week’s reading article summarized the importance of organizations performing in-house vulnerability scanning of their IT systems in order to stay up to date with the ever-changing threat landscape. The tool chosen in this article is Nessus, because of the automation it brings to ensuring the security of IT systems.
Nessus is freeware and does not require much processing power from the hardware; it can be deployed on several systems throughout the network to scan different segments. The article goes on to describe the installation and setup of the Nessus tool. The scanner finds all the vulnerabilities associated with the plugins which are set before the scan is run, hence appropriate attention should be given to configuring Nessus. Discovered vulnerabilities are generally indicators of flawed security practices and policies. Hence it is important to evaluate the results of these vulnerability scans and close these vulnerabilities as per the risk appetite of the organization. The article also emphasizes that even though automated scanning tools like Nessus can help organizations find and remediate known exploits and vulnerabilities, it is the security policies and good practices followed in the organization which are most important in securing the information.
