A vulnerability lets anyone with the Guardzilla home video surveillance system watch footage of other users

A vulnerability in the Guardzilla All-in-One home video surveillance system could be exploited by users to watch Guardzilla footage of other users.

The GZ501W camera model contains a shared, hard-coded credential for Amazon Web Services Simple Storage Service (S3), which stores video footage. This means that any user of the Guardzilla All-in-One video surveillance system could access other users’ saved home videos.

While waiting for a patch, users should disable the cloud-based storage function or disconnect the device.

Read more about it here.

Hackers bypass Gmail and Yahoo! Mail 2FA at scale

A new report published by non-profit Amnesty International details how threat actors are able to bypass 2FA (Two-Factor Authentication) that leverages a text (SMS) message as the second authentication factor.

The process is automated and the 2FA can be cracked within seconds.

Typically, with 2FA, when you open an account, you give the service (Google, Twitter, etc.) your mobile phone number. When you later log in with your password, the service sends you a text (SMS) message containing a code, which you are prompted to enter. This serves as the second form of authentication.

Amnesty International reported widespread phishing of Google and Yahoo! mail accounts in the Middle East and North Africa throughout 2017 and 2018.

The attackers sent victims fake alerts informing them that their account had been compromised and asking them to urgently change their password. The phishing e-mail included a link that redirected victims to a well-crafted Google or Yahoo! Mail phishing web site. After the users entered their password, they were prompted to enter the code that was sent to them via SMS.

Read more about it here.

Marriott has been hacked

Marriott International Inc. announced it suffered a massive data breach, involving the theft of personal information from 500 million hotel guests. The breach lasted 4 years, possibly longer. Stolen information included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some of the guests, payment information may have also been breached. The Marriott brand includes hotel chains such as Starwood, Westin, Sheraton, W Hotels and more.

Marriott is still investigating the root cause of the breach.

In the meantime, investigators suspect China is behind the data breach.

Marriott offered to pay for new passports for guests experiencing fraud following the data breach.

Read more about it here.

Lazarus Group used FastCash Trojan to withdraw millions from ATMs

Security experts from Symantec discovered malware, named FastCash Trojan, that was used by the Lazarus APT Group in a string of attacks against ATMs across Asia and Africa. The hackers exploited an outdated, unsupported version of IBM AIX, a flavor of the popular Unix operating system.

Lazarus is considered responsible for the massive 2017 WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the 2014 Sony Pictures hack.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”

FASTCash Infographic

Read more about it here.

Cathay Pacific has been hacked

In what appears to be the world’s biggest airline data breach, Cathay Pacific announced on Twitter on October 24, 2018 that it had been hacked. Hackers accessed personal information of 9.4 million customers, including:

  • Names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity cards and frequent-flier programs, and historical travel information.
  • 403 expired credit card numbers
  • 27 non-expired credit card numbers with no CVV (Card Verification Value printed on the card)
  • About 860,000 passport numbers
  • About 245,000 Hong Kong IDs.

The breach took place in March 2018 and was confirmed by investigators in May; however, it was disclosed only in October. Some local lawmakers criticized Cathay for taking so long to reveal the breach. Cathay responded, saying it wanted to have an accurate grasp of the situation, and that it took immediate steps once the breach was discovered.

Read more about it here.

Millions of Xiongmai video surveillance devices can be easily hacked

Over 9 million security cameras, digital video recorders (DVRs), and network video recorders (NVRs) manufactured by Hangzhou Xiongmai Technology Co., Ltd. contain vulnerabilities that can allow a remote attacker to easily take over devices, security researchers at EU-based SEC Consult revealed on October 10, 2018. But end users won’t be able to tell whether they are using a hackable device, because the company doesn’t sell any product with its name on it. Rather, it ships all equipment as white label for other companies to put their name on it. Over 100 companies using Xiongmai devices have been identified so far.

The vulnerability stems from the way the devices create a secure tunnel with a cloud account. These cloud accounts haven’t been sufficiently protected: the accounts and their passwords can be easily guessed.

Read more about it here.

DHS issued an alert on attacks against Managed Service Providers

The United States Department of Homeland Security (DHS) has issued an alert of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

Managed services is the practice of proactively outsourcing certain processes and functions in order to improve operations and cut expenses. It is an alternative to the outsourcing model.

The alert says: “The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” The alert provides some mitigation steps.

Read more about it here.

China planted a tiny chip on US computers for cyber espionage

According to a report published by Bloomberg News, China implanted a tiny chip, the size of a grain of rice, on computer equipment manufactured for US companies and government agencies. The attack reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain. The microchip was inserted on equipment manufactured in China for US-based Super Micro Computer Inc., one of the world’s biggest suppliers of server motherboards.

Amazon discovered the tiny chips in 2015, when it was about to acquire software firm Elemental and conducted a security assessment of equipment made for Elemental by Supermicro. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.

Read more about it here.

Facebook has been hacked – 50 million users’ data exposed

Facebook notified users on Sep. 28, 2018 that it discovered a security issue affecting almost 50 million accounts. A vulnerability in the “View As” feature, a feature allowing Facebook users to see how their profile looks to someone else, allowed cyber thieves to steal access tokens.

The affected users have been logged out of their accounts by Facebook, forcing them to generate a new access token upon subsequent login. Users who use Facebook to log in to other accounts and services may also be impacted. Facebook has temporarily disabled the “View As” function while it completes a thorough security investigation.

Read more about it here.

Akamai report: Credential stuffing attacks are rising

According to Akamai’s latest State of the Internet report on credential stuffing, credential stuffing continues to be a growing threat, with financial services companies being the major target.

Credential stuffing attacks occur when botnets try login credentials, usually obtained through phishing attacks and data breaches. The bots then attempt the same credentials on banks’ and retailers’ web sites. This kind of attack is efficient because users habitually reuse the same username and password across multiple services and accounts.

8.3 billion malicious login attempts were detected from bots in May and June 2018, up from 6.3 billion in March and April 2018.

Read more about it here.