Millions of Xiongmai video surveillance devices can be easily hacked

Over 9 million security cameras, digital video recorders (DVRs), and network video recorders (NVRs) manufactured by Hangzhou Xiongmai Technology Co., Ltd. contain vulnerabilities that can allow a remote attacker to easily take over devices, security researchers at EU-based SEC Consult revealed on October 10, 2018. But end users won’t be able to tell whether they are using a hackable device, because the company doesn’t sell any product with its name on it. Rather, it ships all equipment as white-label products for other companies to put their names on. Over 100 companies using Xiongmai devices have been identified so far.

The vulnerability is caused by the devices creating a secure tunnel with a cloud account. These cloud accounts haven’t been sufficiently protected: the accounts and their passwords can be easily guessed.

Read more about it here.

DHS issued an alert on attacks against Managed Service Providers

The United States Department of Homeland Security (DHS) has issued an alert about ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

Managed services is the practice of proactively outsourcing certain processes and functions in order to improve operations and cut expenses. It is an alternative to the outsourcing model.

The alert says: “The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” The alert provides some mitigation steps.

Read more about it here.

China planted a tiny chip on US computers for cyber espionage

According to a report published by Bloomberg News, China implanted a tiny chip, the size of a grain of rice, on computer equipment manufactured for US companies and government agencies. The attack reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain. The microchip was inserted on equipment manufactured in China for US-based Super Micro Computer Inc., one of the world’s biggest suppliers of server motherboards.

Amazon discovered the tiny chips when it was about to acquire software firm Elemental and, in 2015, conducted a security assessment of equipment made for Elemental by Supermicro. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.

Read more about it here.

Facebook has been hacked – 50 million users’ data exposed

Facebook notified users on Sep. 28, 2018 that it discovered a security issue affecting almost 50 million accounts. A vulnerability in the “View As” feature, a feature allowing Facebook users to see how their profile looks to someone else, allowed cyber thieves to steal access tokens.

The affected users have been logged out of their accounts by Facebook, forcing them to generate a new access token upon subsequent login. Users who use Facebook to log in to other accounts and services may also be impacted. Facebook has temporarily disabled the “View As” function while it completes a thorough security investigation.

Read more about it here.

Akamai report: Credential stuffing attacks are rising

According to Akamai’s latest State of the Internet report on credential stuffing, credential stuffing continues to be a growing threat, with financial services companies being the major target.

Credential stuffing attacks occur when botnets try login credentials usually obtained through phishing attacks and data breaches. The bots then attempt the same credentials on bank and retailer web sites. This kind of attack is efficient because users habitually reuse the same username and password across multiple services and accounts.

8.3 billion malicious login attempts were detected from bots in May and June 2018, up from 6.3 billion in March and April 2018.

Read more about it here.

Newegg has been hacked

Electronic retailer Newegg has been hacked by Magecart, the same cybercrime group that hacked into British Airways.

Security companies Volexity and RiskIQ have conducted a joint investigation on the hack.

The Magecart group managed to hack into the Newegg web site and steal credit card information of all customers who made purchases between August 14 and September 18, 2018.

The hackers were able to inject 15 lines of malicious JavaScript code into the checkout process at Newegg. The code collected data and sent it back to the hackers. They used a domain called neweggstats.com, which they registered just the day before the attack started.
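A site owner can check for this kind of change by auditing which hosts the scripts on the checkout page refer to. The following is an added example, not code from the Volexity or RiskIQ investigation; the page markup, the allowlist and the shop.example hosts are constructed, and the inline script is an inert stand-in that only names the domain mentioned above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop expects its checkout scripts to use (constructed allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed checkout page; the inline script is inert and only names a host.
SAMPLE_PAGE = """
<html><body>
<form action="https://shop.example/pay" method="post"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="/static/cart.js"></script>
<script>var statsEndpoint = "https://neweggstats.com/";</script>
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

class ScriptAudit(HTMLParser):
    """Collect hosts named in <script src> attributes and inline script text."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:  # relative paths have no hostname and are skipped below
                self.hosts.add(urlparse(src).hostname)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for url in URL_RE.findall(data):
                self.hosts.add(urlparse(url).hostname)

def unexpected_script_hosts(html, allowed=ALLOWED_HOSTS):
    """Return the script-referenced hosts that are not on the allowlist."""
    audit = ScriptAudit()
    audit.feed(html)
    return sorted(h for h in audit.hosts if h and h not in allowed)
```

A static scan like this only sees URLs written out in plain text, so it complements rather than replaces browser-enforced controls such as a Content-Security-Policy that restricts where page scripts may send data.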

Read more about it here.

British Airways has been hacked

According to an announcement made on their web site, personal and payment card information of 380,000 British Airways customers was stolen from users making bookings on its website and app from 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018.

The stolen information included name, address, email address and credit card information; it did not include travel or passport details.

The airline confirmed that the breach has been resolved, and its services are now operating normally.

In March 2015, British Airways Executive Club member accounts were hacked; however, that wasn’t considered a data breach, because hackers used information available in the underground.

Read more about it here.

Google discloses a Man-in-the-Disk attack on the Fortnite Android app

A Man-in-the-Disk attack can occur when an Android app stores files on the mobile device’s external storage, which is shared by all apps. A malicious app could tamper with files stored on the external storage.

In this case, the Fortnite app installer stored the install file on external storage and then ran that file. Another app already installed can observe that, replace the file with its own, and cause any code to run.

Epic Games has released a fix.

Read more about it here.

T-Mobile data breach exposed personal information of 2 million customers

T-Mobile announced on August 24 that on August 20, 2018, hackers gained unauthorized access to certain information on its servers. The information included customers’ names, billing zip codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid). The incident affected more than 2 million customers, or 3 percent of its 77 million customers.

The hackers were able to exploit an internal API (application programming interface) on its servers that handled personal information. Luckily, the API doesn’t provide financial data or sensitive information.

Affected customers have been contacted by T-Mobile.

Read more about it here and here.

WhatsApp vulnerabilities allow attackers to spread fake news via group chats

Check Point Research discovered multiple vulnerabilities in the most popular messaging app in the world, WhatsApp, allowing attackers to alter the content of messages sent in both private as well as group chats.

The flaws allow attackers to abuse the “quote” feature in a WhatsApp group conversation, to alter the identity of the sender, to alter the content of a member’s reply to a group chat, or to send private messages to one of the group members disguised as a group message.

Check Point was able to discover these flaws by decrypting the communications between the mobile and desktop version of WhatsApp.

The security experts pointed out that the flaws could not be exploited to access the content of end-to-end encrypted messages, because in order to exploit them, the attackers must already be part of group chats.

Read more about it here.