Cyber Victor – a leading blog on cyber security

According to the European Union Agency for Network and Information Security (ENISA) 2018 Threat Landscape Report, which was published on January 28, 2019, the cyber threat landscape changed significantly. The most important threat agent groups were cyber-criminals and state-sponsored actors. Monetization motives have contributed to the appearance of crypto-miners in the top 15 threats.

The main trends in the 2018’s cyberthreat landscape are:

• Mail and phishing messages have become the primary malware infection vector.
• Exploit Kits have lost their importance in the cyberthreat landscape.
• Cryptominers have become an important monetization vector for cyber-criminals.
• State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
• Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.
• The emergence of IoT environments remains a concern, due to missing protection mechanisms in low-end IoT devices and services. The need for generic IoT protection architectures/good practices remains pressing.

Read more about it here.

Security experts at Check Point Research discovered several cybersecurity flaws in popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could allow a remote attacker to take over gamer accounts, tricking players into clicking a specially crafted link.

Due to three vulnerability flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems at Facebook, Google+, Xbox Live and Sony PlayStationNetwork, to steal the user’s access credentials and take over their account.

Once the token has been obtained, the attacker could access personal information, buy in-game currency at the user’s expense, eavesdrop on and record players’ in-game chatter and background home conversations.

One way to minimize the thread of falling victim to such an attack is to use a two-factor authentication.

Checkpoint published a demo video of the attack:

Read more about it here.

Security experts at Pen Test Partners have discovered thousands of connected hot tubs are vulnerable to remote cyber attacks. Pen Test Partners, the UK security company that carried out the research, wrote: “Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API. The AP is open, no PSK, so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.”

Pen Test Partners e-mailed the manufacturer, Balboa Water Group, already in November 2018. The manufacture promised a fix by the end of February 2019.

Read more about it here.

A vulnerability in the Guardzilla All-in-One home video surveillance system could be exploited by users to watch Guardzilla footage of other users.

The GZ501W camera model contains a shared, hard-coded credential for Amazon Web Services Simple Storage Service (S3), which stores video footage. This means that any user of the Guardzilla All-in-One video surveillance system could access other users’ saved home videos.

While waiting for a patch, users should disable the cloud based storage function, or disconnect the device.

Read more about it here.

A new report published by non-profit Amnesty International details how threat actors are able to bypass 2FA (Two-Factor Authentication) that leverages a text (SMS) message as the second authentication factor.

The process is automated and the 2FA can be cracked within seconds.

Typically in a 2FA, when you open an account, you give the service – Google, Twitter, etc. – your mobile phone number. When you later login with your password, the service sends you a text (SMS) message, which you are prompted to enter. This serves as the second form of authentication.

Amnesty International reported widespread phishing of Google and Yahoo! mail accounts in the Middle East and North Africa throughout 2017 and 2018.

The attackers sent to the victims fake alarms, informing them that their account has been compromised, and asking them to urgently change their password. The phishing e-mail included a link that redirected victims to a well-crafted Google or Yahoo! Mail phishing web site. After the users entered their password, they were prompted to enter the code that was sent to them via SMS.

Read more about it here.

Marriott International Inc. announced it suffered a massive data breach, involving the theft of personal information from 500 million hotel guests. The breach lasted 4 years, possibly longer. Stolen information included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some of the guests, payment information may have also been breached. The Marriott brand includes hotel chains such as Starwood, Westin, Sheraton, W Hotels and more.

Marriott is still investigating the root cause of the breach.

In the meantime, investigators suspect China is behind the data breach.

Marriott offered to pay for new passports for guests experiencing fraud following the data breach.

Read more about it here.

Security experts from Symantec discovered a malware, named FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs across Asia and Africa. The hackers exploited an outdated, unsupported, version of IBM AIX, a flavor of the popular Unix operating system.

Lazarus is considered responsible for the massive 2017 WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the 2014 Sony Pictures hack.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”

Read more about it here.

In what appears to be the world’s biggest airline data breach, Cathay Pacific announced on October 24, 2018 on Twitter that it has been hacked. Hackers accessed personal information of 9.4 million customers, including:

• Names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity cards and frequent-flier programs, and historical travel information.
• 403 expired credit card numbers
• 27 non-expired credit numbers with no CVV (Card Verification Value printed on the card)
• About 860,000 passport numbers
• About 245,000 Hong Kong IDs.

The breach took place in March 2018 and was confirmed by investigators in May, however it was disclosed only in October. Some local lawmakers criticized Cathay for taking so long to reveal the breach. Cathay responded, saying it wanted to have an accurate grasp on the situation, and it took immediate steps once the breach was discovered.

Read more about it here.

Over 9 million security cameras, digital video recorders (DVRs), and network video recorders (NVRs) manufactured by Hangzhou Xiongmai Technology Co., Ltd. contain vulnerabilities that can allow a remote attacker to easily take over devices, security researchers at EU-based SEC Consult revealed on October 10, 2018. But end users won’t be able to tell whether they are using a hackable device, because the company doesn’t sell any product with its name on it. Rather, it ships all equipment as white label for other companies to put their name on it. Over 100 companies using Xiongmai devices have been identified so far.

The vulnerability is caused by the devices, creating a secure tunnel with a cloud account. These cloud accounts haven’t been sufficiently protected. The accounts and their passwords can be easily guessed.

Read more about it here.

The United States Department of Homeland Security (DHS) has issued an alert of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

Managed services is the practice of outsourcing on a proactive basis certain processes and functions intended to improve operations and cut expenses. It is an alternative the outsourcing model.

The alert says: “The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” The alert provides some mitigation steps.

Read more about it here.