Avantia Threat Update
WHATSAPP NOT SO SECRETIVE

This past week a vulnerability in WhatsApp was discovered that could enable hackers to misuse and manipulate user documents and photos without the user’s knowledge; LinkedIn is the social media champion for phishing emails; facial recognition scanning is ‘endemic’ in the UK; sandbox services are a ‘honeypot’ for hackers; a data breach causes travel delays, ransomware compromises the first day of school, and small businesses are enduring an unprecedented number of data breaches......
This Past Week’s Top Dark Web Exploits:
Top Source Hits: ID Theft Forums
Top Compromise Type: Domain
Top Industry: Education & Research
Top Employee Count: 1-10 Employees
Vulnerability in WhatsApp and Telegram for Android™ Discovered*:
WhatsApp and Telegram media files could be exposed and manipulated by malicious actors, according to new research by Symantec’s Modern OS Security team, which focuses on the protection of mobile endpoints and operating systems. The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled. It stems from the lapse in time between when media files received through the apps are written to disk and when they are loaded in the apps’ chat user interface (UI) for users to consume. This window gives a malicious app on the same device an opportunity to intervene and manipulate media files without the user’s knowledge.

If the flaw is exploited, an attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos, and could abuse the relationship of trust between a sender and a receiver for personal gain or to wreak havoc.

The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks thanks to security mechanisms such as end-to-end encryption. Users generally trust IM apps such as WhatsApp and Telegram to protect the integrity of both the identity of the sender and the message content itself, in contrast to older apps and protocols such as SMS, which are known to be easily ‘spoofed’. (SMS spoofing uses the SMS service available on most mobile phones and personal digital assistants to set who a message appears to come from, by replacing the originating mobile number, the Sender ID, with alphanumeric text.) As we have noted in the past, however, no code is immune to security vulnerabilities.
End-to-end encryption is an effective mechanism for protecting the integrity of communications in transit, but it isn’t enough if app-level vulnerabilities exist in the code. The Media File Jacking research demonstrates that attackers may be able to manipulate media files by taking advantage of logical flaws in the apps that occur before the content is encrypted for sending or after it has been decrypted on receipt.

Android apps can store files and data in two storage locations: internal and external storage. Files saved to internal storage are accessible only by the app itself; other apps cannot read or modify them. Files saved to a public directory on external storage are world-readable and world-writable, so they can be modified by other apps or users beyond the app’s control. By default, WhatsApp stores media files received by a device in external storage. If a user enables the “Save to Gallery” feature, under the assumption that this is safe and without understanding its indirect ramifications, Telegram will similarly store files in public directories. When the user opens the relevant chat, the apps load the received files from those public directories to display them in the chat interface. Because the files are stored in, and loaded from, external storage without an integrity check, any other app holding the write-to-external-storage permission can tamper with them between write and display.

Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps: over a million apps in Google Play have this access and, based on internal app data, nearly 50% of the apps on a given device hold it. Users generally don’t hesitate to grant the permission as part of an app’s on-boarding process.
A user is therefore more likely to install malware that asks only for this permission than an app that asks for more aggressive permissions (such as access to critical device sensors or resources), where they may be more cautious before agreeing to install. More broadly, the Media File Jacking vulnerability points to a bigger issue: app developers’ insecure use of storage resources. In 2018, researchers discovered a similar flaw in how some Android apps use external storage, opening the door to data manipulation by attackers. A so-called “Man-in-the-Disk” attack can occur when developers fail to take security precautions when storing files in external storage, and it can result in silent installation of potentially malicious apps and denial of service for legitimate ones. (Man-in-the-Disk attacks are possible because external storage is a resource shared across all applications and does not enjoy Android’s built-in sandbox protection.) Applications that fail to employ their own precautions are left vulnerable to malicious data manipulation.
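The write-then-display window described above, and the integrity check that closes it, modelled in Python as an added example (this is not Symantec’s proof-of-concept and not code from WhatsApp or Telegram). A temporary directory stands in for the world-writable external storage path, the file names and invoice contents are constructed, and the “attacker” is simply a second writer with access to the same directory, as any app holding WRITE_EXTERNAL_STORAGE would be. The hardened loader refuses to render bytes that no longer match the digest recorded at receipt; the private-storage helper shows the other fix the passage points at, keeping the file where other processes cannot reach it. It covers both Media File Jacking and the earlier Man-in-the-Disk case, since the weakness is the same.

```python
import hashlib
import os
import stat
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_media(shared_dir: str, name: str, payload: bytes) -> dict:
    """The messaging app writes a received attachment to shared storage.
    Recording the digest at this moment is the mitigation; the vulnerable
    app simply writes the file and trusts whatever is there later."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(payload)
    return {"path": path, "digest": sha256(payload)}


def other_app_tampers(path: str, replacement: bytes) -> None:
    """Another app with write access to the same directory overwrites the
    file in the window between write and display."""
    with open(path, "wb") as f:
        f.write(replacement)


def load_unchecked(path: str) -> bytes:
    """Vulnerable pattern: whatever is on disk is what the user sees."""
    with open(path, "rb") as f:
        return f.read()


def load_checked(entry: dict) -> bytes:
    """Hardened pattern: reject content whose digest no longer matches the
    one computed when the message arrived."""
    data = load_unchecked(entry["path"])
    if sha256(data) != entry["digest"]:
        raise ValueError("media file modified on disk after receipt")
    return data


def private_media_dir() -> str:
    """POSIX analogue of app-internal storage: a directory only the owning
    user (on Android, the app's own uid) can enter or write."""
    path = tempfile.mkdtemp(prefix="app_private_")
    os.chmod(path, 0o700)
    return path


def is_private(path: str) -> bool:
    """True when group and others hold no permissions on the directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    # Constructed inputs: a benign invoice and a forged copy with a swapped IBAN.
    shared = tempfile.mkdtemp(prefix="shared_media_")  # stands in for the /sdcard media folder
    invoice = b"INVOICE 1001: pay to IBAN GB00GOOD0000000000"
    forged = b"INVOICE 1001: pay to IBAN GB00EVIL0000000000"

    entry = receive_media(shared, "invoice.pdf", invoice)
    other_app_tampers(entry["path"], forged)

    shown = load_unchecked(entry["path"])  # the user would be shown the forgery
    try:
        load_checked(entry)
        detected = False
    except ValueError:
        detected = True

    return {
        "unchecked_shows_forgery": shown == forged,
        "checked_detects_tampering": detected,
        "private_dir_is_private": is_private(private_media_dir()),
    }


if __name__ == "__main__":
    print(demo())
```

The digest has to be computed from the bytes as they came off the (decrypted) network stream, never from the file after it has been written to shared storage, otherwise the check only confirms that the attacker’s copy is still the attacker’s copy.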
LinkedIn Accounts For More Than Half Of Social Media Phishing Emails In Q2 2019*:
The provider of the world’s largest security awareness training and simulated phishing platform reviewed the results of tens of thousands of simulated phishing tests over the course of Q2 2019 and found that more than 50 percent of those related to social media had “LinkedIn” in the subject line. Organisations need to train their users to recognise and manage phishing emails that come into the corporate network. The analysis shows that, of the social media phishing tests, those with “LinkedIn” in the subject line totaled more than 56 percent, more than all other social media phishing tests combined. This isn’t surprising, as social media phishing attacks grew at a remarkable rate of 75 percent in 2019. Combined with Shadow IT concerns that prevent IT and security departments from managing and monitoring the services and apps users bring into the corporate environment, such as social networks on their mobile phones, it becomes more important than ever that users are educated about how to avoid a phishing or social engineering attack. “It feels good to ‘join my network’ or connect with someone in some way – that’s why social media phishing attacks are so successful. Users innately trust their ‘verified’ contacts so are more apt to click on a link that comes from someone they know. It’s becoming harder to identify phishing attacks, but our users are smarter than the bad guys think and can absolutely be trained to identify and avoid phishing and social engineering attacks.”
The top clicked social media phishing tests identified are:
• LinkedIn: 56%
• Login alert for Chrome on Motorola Moto X: 9%
• 55th Anniversary and Pizza Party: 8%
• Your Friend Tagged a Photo of You: 8%
• Facebook Password Reset Verification: 8%
• Your password was successfully reset: 6%
• New Voice Message At 1:23 AM: 5%
*Capitalisation and spelling are as they were in the phishing test subject line.
In addition to examining phishing subject lines related to social media, the researchers found that phishing tests focused on password management were successful, with 35 percent of users clicking. In-the-wild attacks, meaning actual phishing emails rather than simulated tests, found the greatest success when they asked the recipient to take an action, such as accepting an invitation to share an Outlook calendar or being assigned a task in a Microsoft platform. Businesses need to understand that users are an organisation’s last line of defense and are most effective when they are consistently trained and tested on the latest phishing threats.
Facial Recognition “endemic” across UK private sites.*
Facial recognition is being extensively deployed on privately owned sites across the UK, according to an investigation by civil liberties group Big Brother Watch. It found an "epidemic" of the controversial technology across major property developers, shopping centers, museums, conference centers and casinos in the UK. The investigation uncovered live facial recognition in Sheffield's major shopping centre Meadowhall. Site owner British Land said: "We do not operate facial recognition at any of our assets. However, over a year ago we conducted a short trial at Meadowhall, in conjunction with the police, and all data was deleted immediately after the trial." The investigation also revealed that Liverpool's World Museum scanned visitors with facial recognition surveillance during its exhibition, "China's First Emperor and the Terracotta Warriors" in 2018. The museum's operator, National Museums Liverpool, said this had been done because there had been a "heightened security risk" at the time. It said it had sought "advice from Merseyside Police and local counter-terrorism advisors" and that use of the technology "was clearly communicated in signage around the venue". A spokesperson added: "World Museum did not receive any complaints and it is no longer in use. Any use of similar technology in the future would be in accordance with National Museums Liverpool's standard operating procedures and with good practice guidance issued by the Information Commissioner's Office." Big Brother Watch said it also found the Millennium Point conference centre in Birmingham was using facial-recognition surveillance "at the request of law enforcement". In the privacy policy on Millennium Point's website, it confirms it does "sometimes use facial recognition software at the request of law enforcement authorities". It has not responded to a request for further comment. 
Earlier this week it emerged the privately owned Kings Cross estate in London was using facial recognition, and Canary Wharf is considering following suit. The UK Information Commissioner has since launched an investigation, saying she remains "deeply concerned about the growing use of facial recognition technology in public spaces, not only by law enforcement agencies but also increasingly by the private sector". The Metropolitan Police's use of the tech was recently slammed as highly inaccurate and "unlawful", according to an independent report by researchers from the University of Essex. Silkie Carlo, director of Big Brother Watch, said: "There is an epidemic of facial recognition in the UK. "The collusion between police and private companies in building these surveillance nets around popular spaces is deeply disturbing. Facial recognition is the perfect tool of oppression and the widespread use we've found indicates we're facing a privacy emergency. "We now know that many millions of innocent people will have had their faces scanned with this surveillance without knowing about it, whether by police or by private companies. "The idea of a British museum secretly scanning the faces of children visiting an exhibition on the first emperor of China is chilling. There is a dark irony that this authoritarian surveillance tool is rarely seen outside of China." Carlo urged Parliament to follow in the footsteps of legislators in the US and "ban this authoritarian surveillance from public spaces".
Sandbox services are bursting with sensitive info from unwitting companies*
Top tip: Don't upload your confidential biz files to free malware-scanning websites – everything is public.

Companies are inadvertently leaving confidential files on the internet for anyone to download, after uploading the documents to malware-scanning websites that make everything public. These file-probing websites open submitted documents in secure sandboxes to detect any malicious behavior. Businesses forward email attachments and other data to these sites to check whether they are booby-trapped with exploits and malware, not knowing that the sandbox sites publish a feed of submitted documents. Researchers at infosec outfit Cyjax today raised the alarm that when IT staff, security researchers, and other folk submit attachments to free malware-scanning services, they are unaware the files are viewable to everyone. "These services allow anyone to upload a file and then generate a report about what happens when the file is opened; they then give an indication as to whether the file is malicious or benign," Cyjax's Cylab team explained. "The services chosen all have public feeds and do not require payment in order to download or view the public submissions."

By passively observing three such services over the course of three days earlier this month, Cylab researchers were able to collect more than 200 documents, mostly purchase orders and invoices. In some cases they also found more sensitive material: legal paperwork, insurance forms, and government documents containing personal information. "The volume of sensitive documents collected in only three days was staggering," the team noted. "In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims. Even the mundane files, like purchase orders, could reveal enough of a company's inner workings to give an identity thief or hacker enough reconnaissance to carry out a targeted attack."

"By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation," the Cylab report explained. "This is extremely useful information for a threat actor conducting a spear phishing or BEC [business email compromise] fraud campaign." The Cylab team noted that in every case where the uploader of the file could be reached, the organization had no idea its documents were open to all. Some panicked at the news, and others contacted the sandbox site to get the files pulled. The conclusion of the report is straightforward: users and their employers seem to have no idea that these "sandbox" sites are exposing their data. As for what can be done, administrators need to let users know not to use these sites with sensitive files, and companies should consider either providing and mandating their own scanning tool, or at least paying for a private account that keeps scanned files out of the public feed.
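A pre-submission check of the kind the report’s conclusion calls for, written here as an added example (not Cyjax’s code and not any sandbox vendor’s API). Before a file is sent to a public analysis service the tool first looks it up by digest, which discloses only the hash and not the document, and it refuses to upload anything that carries a confidentiality marker or looks like the purchase orders, invoices and forms Cylab found. The known-hash table, the sample files and the sensitivity patterns are all constructed for the demo; a real deployment would query the service’s hash-lookup endpoint and apply the organisation’s own classification rules.

```python
import hashlib
import re

# Constructed sensitivity rules: document-class markers plus two PII-shaped tokens.
SENSITIVE_PATTERNS = [
    re.compile(rb"\b(CONFIDENTIAL|INTERNAL USE ONLY|DO NOT DISTRIBUTE)\b", re.I),
    re.compile(rb"\b(INVOICE|PURCHASE ORDER|P\.?O\.? NUMBER)\b", re.I),
    re.compile(rb"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # IBAN-shaped token
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN-shaped token
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sensitive_markers(data: bytes) -> list:
    """Return the first match of each sensitivity pattern found in the file."""
    hits = []
    for pattern in SENSITIVE_PATTERNS:
        m = pattern.search(data)
        if m:
            hits.append(m.group(0).decode("latin-1"))
    return hits


def triage(data: bytes, known_verdicts: dict) -> dict:
    """Decide what may be done with a file before any public upload.

    known_verdicts stands in for the service's hash-lookup API: a map from
    sha256 hex digest to a prior verdict. Looking up by hash leaks nothing
    about the document's contents, so it is always tried first."""
    digest = sha256(data)
    if digest in known_verdicts:
        return {"action": "use_existing_report", "digest": digest,
                "verdict": known_verdicts[digest], "markers": []}
    markers = sensitive_markers(data)
    if markers:
        # The file itself must not leave the organisation; scan it with an
        # internal or private-account sandbox instead.
        return {"action": "block_public_upload", "digest": digest,
                "verdict": None, "markers": markers}
    return {"action": "submit_to_public_sandbox", "digest": digest,
            "verdict": None, "markers": []}


def demo() -> dict:
    # Constructed samples: one the service has already seen, one purchase
    # order with bank details, and one unknown attachment with no markers.
    known_sample = b"constructed sample previously analysed by the service"
    verdicts = {sha256(known_sample): "malicious"}
    purchase_order = (b"PURCHASE ORDER 4471\nSupplier: Example Ltd\n"
                      b"Pay to IBAN GB00EXMP0000000000")
    unknown_doc = b"Dear applicant, please enable macros to view this resume."
    return {
        "known": triage(known_sample, verdicts)["action"],
        "purchase_order": triage(purchase_order, verdicts),
        "unknown": triage(unknown_doc, verdicts)["action"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The marker scan is deliberately crude; its job is to stop the obvious cases the report describes, not to replace a data classification program. Note that even a hash lookup tells the service that someone holds a file with that digest, so for genuinely sensitive material the private or on-premises route is the only safe one.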
THREAT FOCUS: New Zealand Institute Of Directors - NEW ZEALAND*
Exploit: Unauthorized database access
New Zealand Institute of Directors: Professional organization supporting company directors in New Zealand
Risk to Small Business: 1.666 = Severe Risk: Hackers exploited a vulnerability in the organization’s website, defacing the homepage with anti-government propaganda. In response, the website was taken offline until the security incident could be contained and repaired, and all employees were asked to change their passwords as a precaution.
Individual Risk: 2.428 = Severe Risk: While the institute described the possibility that employee data was compromised as “highly unlikely”, employee email addresses and passwords may have been exposed. All employees should reset their passwords and avoid reusing those credentials on other accounts.
Customers Impacted: Unknown
Effect On Customers: Cybercriminals are continually probing for vulnerabilities, and a successful exploit can result in embarrassing or highly destructive data breaches. Businesses should therefore prioritize security awareness and identify and repair vulnerabilities before bad actors exploit them.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Air New Zealand - NEW ZEALAND*
Exploit: Phishing attack
Air New Zealand: Flag carrier airline of New Zealand
Risk to Small Business: 1.666 = Severe Risk: Two Air New Zealand employees fell for a phishing attack that compromised customer data. The company is enduring significant online criticism for their management of the data breach, meaning that they are now responsible for improving their cybersecurity standards while they also work to restore their customers’ confidence.
Individual Risk: 2.285 = Severe Risk: In total, the breach compromised the personal information for 3.5% of the airline’s customers. The company notified customers their account passwords and payment details were not compromised. However, other sensitive information, including passport numbers, names, addresses, phone numbers, job titles, employer details could be compromised. Therefore, victims should closely monitor their personal accounts for unusual activity, and credit and identity monitoring services can provide long-term oversight of personally identifiable information.
Customers Impacted: 112,000
Effect On Customers: Phishing attacks can give hackers unprecedented access to a company’s IT infrastructure. They are cheap to deploy, and they frequently evade detection by screening software. Fortunately, phishing attacks are also largely defensible: comprehensive awareness training equips employees to detect them, greatly reducing their chance of success. The increasing, holistic cost of a data breach makes deploying these services an obvious priority for every company.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Oyster Transport Card - UNITED KINGDOM*
Exploit: Credential stuffing attack
Oyster: Travel smart-card system for UK public transportation
Risk to Small Business: 2.111 = Severe Risk: Hackers accessed more than 1,000 Oyster user accounts by trying login credentials stolen from other platforms against the Oyster login. This technique, known as credential stuffing, takes credentials leaked from one website and compounds the damage by replaying them against logins across the internet. To prevent further access, the smart-card system was taken offline for two days, creating delays for public transit users and damaging the operator’s reputation as users took to social media to voice their frustration.
Individual Risk: 2.428 = Severe Risk: Oyster is notifying customers whose accounts were compromised, and those users should assume that all information held in the account was exposed in the breach. Moreover, because the accounts were accessed using credential stuffing, affected users have by definition reused a password that has already leaked elsewhere; they should change it everywhere it was used and adopt strong, unique passwords across all accounts.
Customers Impacted: 1,200
Effect On Customers: Credential stuffing attacks can be difficult to defend against because the attacker needs nothing more than a password the user has already reused on a site that was breached. Businesses can get ahead of the threat by adopting the monitoring services necessary to know when their customers’ credentials may have been compromised, and by watching their own login traffic for the bursts of failed attempts spread across many accounts that credential stuffing produces.
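Detection logic of the kind just described, as an added example (not Transport for London’s or any vendor’s code). A handful of constructed authentication-log lines are parsed and each source address is scored on the pattern that separates credential stuffing from a user mistyping a password: many distinct usernames from one address in a short window with a low success rate. The log format, IP addresses, user names and thresholds are assumptions for the demo; the successful logins from a flagged address are the accounts to force-reset and notify, which is the step Oyster is described as taking.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the demo:
#   <iso-timestamp> ip=<addr> user=<name> result=success|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def build_sample_log() -> list:
    """Constructed sample: one address tries 25 different accounts in 72
    seconds (two leaked passwords still work), while a legitimate user
    mistypes her own password twice before getting in."""
    base = datetime(2019, 8, 12, 2, 0, 0)
    lines = []
    for i in range(25):
        result = "success" if i in (4, 17) else "fail"
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} "
                     f"ip=203.0.113.7 user=user{i:02d}@example.org result={result}")
    for j, result in enumerate(["fail", "fail", "success"]):
        lines.append(f"{(base + timedelta(minutes=10, seconds=30 * j)).isoformat()} "
                     f"ip=198.51.100.5 user=alice@example.org result={result}")
    return lines


def parse(lines):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                   m["result"] == "success")


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=20, min_distinct_users=10,
                               max_success_rate=0.10) -> dict:
    """Aggregate attempts per source IP and flag addresses that spray many
    distinct usernames inside the window with mostly failures. Returns the
    flagged IPs with their statistics and the accounts that were actually
    logged into, which are the ones needing a forced reset."""
    by_ip = defaultdict(lambda: {"times": [], "users": set(), "successes": []})
    for ts, ip, user, ok in parse(lines):
        rec = by_ip[ip]
        rec["times"].append(ts)
        rec["users"].add(user)
        if ok:
            rec["successes"].append(user)

    flagged = {}
    for ip, rec in by_ip.items():
        attempts = len(rec["times"])
        span = max(rec["times"]) - min(rec["times"])
        success_rate = len(rec["successes"]) / attempts
        if (attempts >= min_attempts
                and len(rec["users"]) >= min_distinct_users
                and span <= window
                and success_rate <= max_success_rate):
            flagged[ip] = {
                "attempts": attempts,
                "distinct_users": len(rec["users"]),
                "span_seconds": int(span.total_seconds()),
                "success_rate": round(success_rate, 3),
                "compromised_accounts": sorted(rec["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(build_sample_log()).items():
        print(ip, info)
```

A per-address view catches the simple case shown here; attackers who spread the same list across a botnet will stay under the per-IP thresholds, so production detection also tracks failures per account and per password-hash, and checks new passwords against known-breached lists at the point of change.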
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Indian Prairie School District 204 - UNITED STATES*
Exploit: Unauthorized database access
Indian Prairie School District 204: Public school district providing educational services in Aurora, Illinois
Risk to Small Business: 2 = Severe Risk: A data breach at Pearson Clinical Assessments has trickled down to Indian Prairie School District, compromising the personal information of tens of thousands of staff and students. The district believes the information was put up for sale on the Dark Web, and it is offering free credit monitoring services to everyone impacted by the breach. In this case, a security vulnerability at a third-party contractor requires the district to pick up the heavy cost of credit monitoring for thousands of former students. In a sector already strapped for cash, this expense alone is reason enough to prioritize cybersecurity initiatives covering contract work and beyond.
Individual Risk: 2.428 = Severe Risk: The data breach includes data from staff and students from the years 2001 - 2016, and it includes first and last names, school email addresses, and birth dates. Personal data can travel quickly on the Dark Web, and those impacted by the breach should enroll in the credit monitoring services offered by the district.
Customers Impacted: 49,000
Effect On Customers: Data breaches that compromise people’s personally identifiable information are always concerning, especially when they involve minors. Providing the supportive services necessary to recover from a data breach is the most important step, and identity and credit monitoring services are the first place to start. These programs give people the peace of mind necessary to navigate the recovery process.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Presbyterian Health Services - UNITED STATES*
Exploit: Phishing attack
Presbyterian Health Services: Private, not-for-profit healthcare system and provider
Risk to Small Business: 1.777 = Severe: Beginning on May 9th, hackers gained access to employee email accounts that contained copious amounts of patient data. The employees fell for a phishing scam that compromised their accounts, which criminals accessed for nearly a month before the healthcare provider discovered the breach. While Presbyterian Health Services secured their employee accounts after discovering the unauthorized access, cybercriminals had plenty of time to exploit this vulnerability. Healthcare data breaches are incredibly expensive, and Presbyterian Health Services will incur the immediate cost of identity and credit monitoring services as well as increased regulatory scrutiny because patient data was involved.
Individual Risk: 2.142 = Severe: Hackers accessed patients’ names, dates of birth, Social Security numbers, and other healthcare related data. This information can quickly spread on the Dark Web, and those impacted by the breach need to attain the services necessary to protect this information.
Customers Impacted: 183,000
Effect On Customers: Every organization wants to avoid the high cost of a data breach, so succumbing to defensible attacks like a phishing scam is uniquely frustrating. Phishing scams are cheap and easy to execute, and they are frequently making their way into employees’ inboxes. Therefore, comprehensive awareness training is a must-have element for every organization’s cybersecurity initiatives.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Broken Arrow Public Schools - UNITED STATES*
Exploit: Ransomware
Broken Arrow Public Schools: Public school district in Broken Arrow, Oklahoma
Risk to Small Business: 2.555 = Moderate Risk: A ransomware attack compromised the school district’s network, making it briefly inaccessible to all personnel. Fortunately, the school district maintained comprehensive backups that were not affected by the attack, and it was able to restore normal operations without paying a ransom. The attack came as school was preparing to begin, and it temporarily put critical services like scheduling, bus routes, and even the first day of school at risk.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect On Customers: A ransomware attack can come at any time, which means that a comprehensive response plan is an immediate and necessary element of every business or organization’s cybersecurity strategy. By planning for a ransomware attack, which could include everything from data backups to ransomware insurance, every business can put its best foot forward to thwart these increasingly common attacks.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Earnin - UNITED STATES*
Exploit: Malware attack
Earnin: Mobile finance app offering cash advances on paycheck deposits
Risk to Small Business: 1.555 = Severe: A group of white hat hackers accessed Earnin’s network and discovered significant security vulnerabilities, including customers’ financial information stored in plain text. Although the data breach was limited to the white hat hackers, the company’s subpar security standards are producing significant bad press that could hinder their development moving forward.
Individual Risk: 2 = Severe: There is no indication that personal information was misused in this data breach, but significant amounts of user data were accessed, including names, bank account numbers, routing numbers, and payment statements. Because of Earnin’s poor security standards, users should closely monitor their accounts for unusual activity, and they should carefully consider their participation in platforms that don’t prioritize data security.
Customers Impacted: Unknown
Effect on Customers: In the past, tech startups operated with near impunity as they developed new platforms and services to meet our modern moment. Today, shifting consumer sentiments toward data privacy and a cadre of new privacy laws make this proposition more perilous. Instead, startups need to make cybersecurity a top priority from day one because failing to protect customer information can undercut their financial, regulatory, and customer-facing viability.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: City Of Naples - UNITED STATES*
Exploit: Phishing attack
City of Naples: Local government serving residents in Naples, Florida
Risk to Small Business: 2 = Severe: Spear phishing campaigns have evolved in sophistication, often relying on previously stolen credentials and inflicting greater damage than ever before. Therefore, awareness training is a critical element of any organization’s cybersecurity defense, since it can equip employees to successfully defend against all types of phishing campaigns that threaten company data and resources.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect on Customers: The cost of a data breach is higher now than ever before, which makes a preventable data breach even more egregious. Consequently, awareness training should be a top priority for every company. The expense of credit and identity monitoring services, reputational damage, and IT upgrades far exceeds the cost of the awareness training that can prevent phishing scams from compromising customer data.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
POSTSCRIPT:
UK's Small Business Sector hammered by cyber attacks.*
Small businesses in the United Kingdom are the victims of repeated cyber-attacks, with around 10,000 attacks occurring every day, according to the Federation of Small Businesses (FSB), a UK-based organization that represents small and medium-sized businesses in the country. In its survey of more than 1,100 smaller firms, the FSB found that one in five small firms in the UK acknowledged having been the victim of a data breach in the last two years. The survey also found that more than seven million individual attacks were reported over the same period, or 9,741 attacks a day. The annual cost incurred by the firms due to the attacks is estimated at £4.5 billion, and the average cost of an individual attack at £1,300. The study found that companies based in the North West, South East, and West Midlands suffer the most cyber-attacks: 530,000 small firms reported phishing attacks, 374,000 reported malware incidents, 301,000 reported fraudulent payment requests, and 260,000 suffered ransomware attacks.

Commenting on the findings, FSB Policy & Advocacy Chairman Martin McTague said: “These findings demonstrate the sheer scale of the dangers faced by small firms every day in the digital arena. The issue of business crime is overlooked too often – even more so of late in this climate of sustained political uncertainty and inaction. Meaningful steps must be taken to safeguard our small firms and by extension the wider.”

Mid-market businesses in the UK have lost around US$37 billion in the past 12 months due to security breaches. Research from business and financial adviser Grant Thornton UK LLP found that cyber-attacks are a present danger for businesses in the UK. The research report, Cyber Security – the Board Report, stated that businesses are not prepared to manage cyber risks.
Grant Thornton stated they surveyed over 500 UK mid-market companies, in which half of them reported losses of up to 10 percent of their income over cyberattacks. The research revealed that 63 percent of the companies don’t have a cybersecurity team. Only 36 percent stated that they’ve provided cybersecurity training to their employees. And more than half of the businesses (59%) don’t have a cyber incident action plan, according to the research.
GermanWiper Ransomware Targets SMBs*
German SMBs are the target of a new ransomware that’s wreaking havoc on company data. The ransomware is delivered by a phishing campaign purporting to be from a potential job applicant, and the email contains an attachment that poses as a PDF resume from the sender. When users click on the attachment, it unleashes a ransomware attack that demands payment in Bitcoin to decrypt...

Disclaimer*: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.