
Where data goes: 12 attacks, hacks and leaks

Facebook and Cambridge Analytica, the Spectre and Meltdown panic, fake news: that is just the tip of the 2018 iceberg. Last year was a hot one for information security specialists, and for the many users who had to change passwords in a hurry. We at Binary District have compiled a collection of 12 notable attacks, hacks and data leaks that occurred in 2018.



On the list: the vulnerabilities that finished off Google+, an Alexa that talks too much, treacherous headphones, a Brazilian admin, a synergy of bugs on Facebook and an unprecedented DDoS.

Four hacker attacks


Simply cosmic, or how to lose 13 million dollars


What happened. In August 2018, over the course of seven hours, attackers carried out more than 15,000 fraudulent ATM transactions against accounts of India's Cosmos Bank, and the next day made several large transfers via SWIFT.

What is the reason. In the first phase of the operation, a large number of cloned bank cards were used, created thanks to an as yet unidentified vulnerability in the systems of one of the issuers. With them, the hackers' accomplices withdrew cash at ATMs. In the second phase, a new version of the DYEPACK malware was probably used; it bypasses the authorization of transfers within banking networks and suppresses the reports confirming their execution.

The details were not disclosed in the interests of the investigation, but the attack is linked to the North Korean hacker group APT38, which specializes in SWIFT hacking.

What consequences. Cosmos Bank's losses amounted to about $13 million, of which $2 million ended up in an account at a Hong Kong bank and the rest as cash in the hands of "money mules". The arms race between SWIFT and the hackers continues, and in 2019 we will certainly see new reports of attacks on banks.

Facebook's bad luck


What happened. The scandal around the US elections had not yet died down when, in September 2018, it became known that hackers had managed to access the data of millions of Facebook users.

What is the reason. The breach would not have been possible without a combination of bugs in the video uploader, which uses single sign-on (SSO), and the "View As" feature. With them, the hackers mass-harvested the access tokens that the mobile app generates so that users do not have to log in again when loading web pages with social network modules.

What consequences. The hackers obtained information on 30 million accounts. Phone numbers and e-mail addresses leaked, along with profile data, the types of devices from which the user logs into the social network, the last 10 check-ins and 15 search queries.

The tokens could be used to access any web resource that uses Facebook login for authorization. The FBI did not disclose details of the investigation, but judging by the available information, the hackers did not have time to carry out their plans. After the intrusion was discovered, the vulnerability was closed, and the Facebook team reset the authorization tokens of the affected users (and of another 60 million as a precaution).

Fraud on a grand scale


What happened. One of the largest and most complex online advertising fraud schemes ever was uncovered, including a network of 10,000 fake domains and a botnet that controlled more than a million IP addresses. At its peak, the bots generated over 3 billion ad impressions a day.

What is the reason. To build the botnet, the hackers used the Miuref and Boaxxe trojans, attacks on BGP, the border gateway protocol, and mobile applications with embedded backdoors. They developed several attack vectors against ad networks and changed them as Google discovered them. In addition, the bots convincingly imitated human behavior by simulating mouse movements and random clicks.

What consequences. The hackers have been identified and formally charged, but the financial losses to the advertising industry have yet to be assessed.

Google calls on the industry to pay attention to how vulnerable ad networks are to abuse and to step up the creation and adoption of standards such as ads.txt. The company has removed from Google Play the applications that took part in the scheme using click injection and/or click flooding, including one of the most popular third-party keyboards, Kika Keyboard, with 200,000 installations.

Reddit hacked


What happened. In June 2018, hackers compromised the accounts of Reddit employees and gained access to several unnamed systems, Reddit's source code, documentation, some user e-mail addresses and old backups.

What is the reason. Administrators used SMS-based two-factor authentication. The attack was carried out by intercepting the confirmation code. The hackers could have cloned SIM cards, tricked telecom operator employees into reissuing cards, or attacked the outdated SS7 protocol.

What consequences. Access to the site's source code may lead to new attacks. Reddit announced a revision of its internal information security rules and a move to 2FA tokens that regularly generate a new confirmation code. Affected users received notifications, but we were once again reminded of how imperfect SMS authentication is.

Three annoying screw-ups


Brazilian Apache


What happened. The tax identification numbers (the Brazilian equivalent of the Russian INN) of 120 million Brazilian taxpayers, about 57% of the population, along with personal information (addresses, telephone numbers, loan data, etc.) were freely accessible.

What is the reason. A misconfigured Apache HTTP Server whose administrator renamed the standard index.html to index.html_bkp. Who did it remains unknown; they probably simply did not realize that this turned on a directory listing of all the files in the directory.

What consequences. Brazil's tax identification numbers are needed to open bank accounts, take out loans and register legal entities. Add a little social engineering, and such data turns into easy money. The database will probably soon be on sale on the darknet.
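As an added illustration (not part of the original article), the shell snippet below reproduces the misconfiguration behind this incident and its fix: an `Options` line that enables `Indexes`, so that as soon as the index file is renamed Apache serves a listing of the whole directory, next to the hardened `-Indexes` form, plus a small audit function that flags any `Options` directive enabling listings (a bare or `+`-prefixed `Indexes`, or `All`, which implies it). The config fragments are constructed samples, not the affected server's configuration.

```shell
#!/bin/sh
# Added example: auditing Apache configs for directory listing (not from the article).

# Constructed sample 1: the weak configuration. With "Indexes" enabled, Apache
# lists every file in the directory as soon as no index file (index.html) is
# found, which is exactly what renaming it to index.html_bkp causes.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF

# Constructed sample 2: "Options All" enables every option except MultiViews,
# so it silently enables Indexes as well.
ALL_CONF=$(mktemp)
cat > "$ALL_CONF" <<'EOF'
<Directory "/var/www/html">
    Options All
</Directory>
EOF

# Constructed sample 3: the hardened configuration. "-Indexes" turns listings
# off, so a missing index file yields 403 Forbidden instead of a file list.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
trap 'rm -f "$WEAK_CONF" "$ALL_CONF" "$HARD_CONF"' EXIT

# apache_indexes_enabled FILE
# Returns 0 when any uncommented Options directive in FILE enables directory
# listings (a bare or "+"-prefixed Indexes, or All), 1 otherwise.
# Directive and option names are case-insensitive in Apache, hence -i.
apache_indexes_enabled() {
    grep -qiE \
        '^[[:space:]]*Options([[:space:]]+[^[:space:]#]+)*[[:space:]]+[+]?(Indexes|All)([[:space:]]|$)' \
        "$1"
}

# report_listing FILE: one-line verdict for a human reader (always returns 0).
report_listing() {
    if apache_indexes_enabled "$1"; then
        echo "$1: directory listing ENABLED (set 'Options -Indexes')"
    else
        echo "$1: directory listing disabled"
    fi
    return 0
}

report_listing "$WEAK_CONF"
report_listing "$ALL_CONF"
report_listing "$HARD_CONF"
```

Run it against `/etc/apache2/apache2.conf` and the files under `sites-enabled/` or `conf.d/` to find every block that still allows listings; the durable fix is `Options -Indexes` in the server-wide `<Directory />` block, since per-directory `+Indexes` then has to be enabled explicitly rather than inherited by accident.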

Sennheiser Certificates


What happened. The developers of Sennheiser HeadSetup and HeadSetup Pro, software for making calls over the network, made the same mistake as Dell and Lenovo several years ago: they shipped insecure root certificates.

What is the reason. Along with HeadSetup, a pair of root certificates was installed on the computer. Their private keys are stored in the SennComCCKey.pem file, from which they are easy to extract, so attackers could use them to forge certificates for legitimate sites and so on.

What consequences. Sennheiser has released updates to its programs, but every system on which HeadSetup versions 7.3, 7.4 or 8.0 were ever installed remains vulnerable to man-in-the-middle attacks. The programs can be upgraded or deleted, but getting rid of the certificates themselves, valid until 2027 and 2037, is not so easy: they remain in the operating system's trust store and must be removed manually.

Alexa tells all about you


What happened. Amazon, in response to a GDPR data access request, sent 1,700 audio recordings from a smart speaker to the wrong person. By listening to them, it was possible to identify the owner and his household and to learn his address and many other details, such as musical preferences.

What is the reason. A company representative, speaking to Business Insider journalists, described it as an isolated case and put it down to human error.

But similar situations are not uncommon. Under the Freedom of Information Act in force in the United States, designed to make the work of officials more transparent, anyone can request specific data from government agencies. In response to such a request from internet activist Matt Chapman, the Seattle City Council sent, along with metadata for 32 million e-mails, the first 256 characters of each message. Among them were user names and passwords, credit card numbers, social security card and driver's license details, police reports, FBI investigation data and other confidential information. And the Swedish government accidentally revealed the personal data of participants in a witness protection program and of a number of law enforcement officers.

What consequences. Compared to the cases described above, the Amazon incident is relatively harmless. Still, it makes you wonder whether smart devices belong in the home at all, especially ones that can listen, and how useful GDPR can be to an attacker who has already gained access to your account.

A couple of vulnerabilities that (almost) killed services


Microsoft's Achilles' heel


What happened. A SafetyDetective researcher discovered a chain of critical vulnerabilities in Microsoft web services which, in seven steps, allowed taking over success.office.com and sending e-mails with phishing links on behalf of the company.

What is the reason. The entry point was a defunct Azure web application. After taking control of the success.office.com domain through it, the researcher used flaws in OAuth validation to bypass the authorization mechanism and obtain other users' tokens via phishing. A victim of such an attack would hardly have suspected anything, since the malicious link carried an official-looking URL such as login.live.com.

What consequences. After finding the vulnerability, SafetyDetective contacted Microsoft in June 2018. The company responded and fixed the problem in November 2018. Security experts believe the vulnerability affected about 400 million users and allowed access to all Microsoft accounts, from Microsoft Outlook to the Microsoft Store.

The agony of Google+


What happened. Over the year, Google's experts found two vulnerabilities in the dying social network. One of them, which allowed finding out a user's login, age, gender, e-mail address and place of work, had existed since 2015 and affected about 500 thousand accounts; the second appeared in the code relatively recently, in November 2018, but exposed far more confidential data: 52.5 million accounts were affected.

What is the reason. A security audit showed that both vulnerabilities were caused by errors in the Google+ API that gave connected applications unauthorized access to user data.

What consequences. Google cannot say with confidence whether the first vulnerability was exploited, since API logs are kept for no more than two weeks. The second vulnerability was noticed and fixed 6 days after it appeared, but the company still decided to speed up the shutdown of Google+. The APIs will be disabled on March 7, 2019, and the social network will stop working completely in April of this year.

A record DDoS


What happened. On February 28, 2018, attackers launched a record 1.35 Tbps attack on GitHub's servers, but already on March 5, 2018, analysts reported that the record had been broken: in the new attack, the network of an American provider was hit with a load that peaked at 1.7 Tbps.

What is the reason. The cause is a vulnerability, known since 2014, in Memcached, software for caching data in a server's RAM. In the fall of 2017, a way was found to use it for DRDoS attacks, amplifying traffic through vulnerable reflector servers.

What consequences. The record is likely to be broken again, as there are still plenty of hosts on the internet running Memcached with the vulnerable settings. To protect against such attacks, Cloudflare recommends rate-limiting or blocking UDP on port 11211 altogether.
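As an added example (not from the article or from Cloudflare), the shell function below audits a memcached command line for the two settings that turn a cache server into a reflector: UDP left enabled (`-U` not set to `0`) on an interface reachable from outside (`-l` not loopback). It assumes the standard memcached flags `-U <udp port>` and `-l <listen address>`; memcached 1.5.6 and later disable UDP by default, but older packages ship with UDP on 11211, so an absent `-U` is treated as exposed. The command lines are constructed samples.

```shell
#!/bin/sh
# Added example: checking a memcached command line for the settings that
# make it usable as a DRDoS reflector (UDP enabled on a public interface).

# memcached_udp_exposed ARGS...
# Returns 0 when the command line leaves UDP reachable from the network,
# 1 when UDP is disabled (-U 0) or bound only to loopback (-l 127.0.0.1 / ::1 / localhost).
# Assumptions: standard memcached flags -U <udp port> and -l <listen address>;
# an absent -U counts as exposed because pre-1.5.6 builds enable UDP by default.
# Comma-separated -l lists are not handled.
memcached_udp_exposed() {
    udp_port="default"   # no -U given: assume the old default of UDP on 11211
    listen=""
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -U) udp_port=$arg ;;
            -l) listen=$arg ;;
        esac
        case "$arg" in
            -U?*) udp_port=${arg#-U} ;;   # joined form, e.g. -U0
            -l?*) listen=${arg#-l} ;;     # joined form, e.g. -l127.0.0.1
        esac
        prev=$arg
    done
    # UDP explicitly disabled: cannot reflect, regardless of where it listens.
    [ "$udp_port" != "0" ] || return 1
    # UDP on, but bound to loopback only: unreachable from the internet.
    case "$listen" in
        127.0.0.1|::1|localhost) return 1 ;;
    esac
    return 0
}

# hardened_memcached_cmdline: the recommended startup options in one place:
# UDP disabled and TCP bound to loopback. Block UDP/11211 at the network edge too.
hardened_memcached_cmdline() {
    echo "memcached -U 0 -l 127.0.0.1 -p 11211 -m 64"
}

# Constructed sample command lines, as they might appear in ps output.
EXPOSED_CMDLINE="memcached -m 64 -p 11211 -U 11211 -u memcache"
DEFAULT_CMDLINE="memcached -m 64 -u memcache"
SAFE_CMDLINE="memcached -m 64 -U 0 -l 127.0.0.1 -u memcache"

# audit_cmdline "full command line": splits it into arguments, drops the
# program name and prints a verdict (always returns 0; it is a report).
audit_cmdline() {
    set -- $1                 # word-split the command line into arguments
    shift                     # drop the "memcached" program name
    if memcached_udp_exposed "$@"; then
        echo "EXPOSED: UDP reachable -> restart with: $(hardened_memcached_cmdline)"
    else
        echo "ok: UDP disabled or loopback-only"
    fi
    return 0
}

audit_cmdline "$EXPOSED_CMDLINE"
audit_cmdline "$DEFAULT_CMDLINE"
audit_cmdline "$SAFE_CMDLINE"
```

On a real host, feed it the live process arguments (for example the output of `ps -o args= -C memcached`) or the `OPTIONS` line from the distribution's memcached config; an "EXPOSED" verdict means the instance answers UDP queries from the network and, since a small request can trigger a response thousands of times larger, can be abused as an amplifier against third parties.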

The number of information security incidents keeps growing. In this brief overview we have covered only part of the spectrum of possible threats, many of which are yet to be discovered. If you want to protect your service or become a white-hat Sherlock Holmes, experts from the BI.ZONE Cybersecurity Academy, together with Binary District, will run intensive courses for you on web application security and cyber attack investigation for business. The courses will be held on February 16-17 at the Digital October site.

Source: https://habr.com/ru/post/438100/