Cyber Victor – a leading blog on cyber security

American software giant Citrix was notified by the FBI on March 6, 2019 that it has been hacked.

The FBI believes attackers used the “password spraying” technique to access the Citrix network. In this technique, a large number of accounts (usernames) are attempted to be accessed by a low number of commonly used password, such as “Password1” or “Summer2018”.

Once inside, the attackers worked to obtain more privileges. According to one source, 6TB of e-mails, documents and corporate secrets were stolen.

So far, there aren’t any indications that personal information was stolen.

Read more about it here.

Here are some of the highlights from the 2019 Hacker Report:

• $19 million in customer bounties earned in 2018, representing nearly the bounty totals for all preceding years combined.
• By the end of 2018, hackers had earned over $42 million.
• Some hackers earned $100K for one vulnerability.
• A 19-year-old that goes by the handle “@try_to_hack” became the first white hat hacker to surpass $1 million in bounty awards.
• The community has over 300,000 registered hackers.
• Over $100,000 valid vulnerabilities have been submitted.

Read more about it here.

According to a recent report, Finnish researcher Jouko Pynnönen discovered a cross-site scripting (XSS) vulnerability affecting Yahoo! Mail. This was the third time for Pynnönen to report an XSS flaw with Yahoo!. He discovered the flaw in December 2018, which he then reported to Yahoo!. In January, Yahoo! fixed the flaw and acknowledged Pynnönen’s efforts with a bug bounty of $10,000.

Read more about it here.

The Internet Corporation for Assigned Names and Numbers (ICANN) declared “an ongoing and significant risk” key parts of the Domain Name System (DNS) infrastructure. “There have been targeted attacks in the past, but nothing like this”. The attacks go back to 2017. “There isn’t a single tool to address this”, as ICANN called for an overall hardening of web defenses. ICANN urged broader implementation of DNSSEC to prevent traffic hijacking and to prevent internet users from being misdirected from intended websites.

Read more about it here.

Google recently began the rollout of the February 2019 Android security update, that addresses 42 issues. One of the vulnerabilities fixed could enable a remote attacker using a specially crafted PNG file to execute arbitrary code. That means, access to the device it is viewed on.

The vulnerability affects Android 7.0 and above versions. While Google has released a fix, the fix is currently available on for Pixel smartphones, the Pixel C tablet, and the Essential Phone.

What can you do in the meantime ? Don’t open an image, especially a PNG file received from an untrusted source. And apply the security update as soon as it becomes available.

Read more about it here.

According to the European Union Agency for Network and Information Security (ENISA) 2018 Threat Landscape Report, which was published on January 28, 2019, the cyber threat landscape changed significantly. The most important threat agent groups were cyber-criminals and state-sponsored actors. Monetization motives have contributed to the appearance of crypto-miners in the top 15 threats.

The main trends in the 2018’s cyberthreat landscape are:

• Mail and phishing messages have become the primary malware infection vector.
• Exploit Kits have lost their importance in the cyberthreat landscape.
• Cryptominers have become an important monetization vector for cyber-criminals.
• State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
• Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.
• The emergence of IoT environments remains a concern, due to missing protection mechanisms in low-end IoT devices and services. The need for generic IoT protection architectures/good practices remains pressing.

Read more about it here.

Security experts at Check Point Research discovered several cybersecurity flaws in popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could allow a remote attacker to take over gamer accounts, tricking players into clicking a specially crafted link.

Due to three vulnerability flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems at Facebook, Google+, Xbox Live and Sony PlayStationNetwork, to steal the user’s access credentials and take over their account.

Once the token has been obtained, the attacker could access personal information, buy in-game currency at the user’s expense, eavesdrop on and record players’ in-game chatter and background home conversations.

One way to minimize the thread of falling victim to such an attack is to use a two-factor authentication.

Checkpoint published a demo video of the attack:

Read more about it here.

Security experts at Pen Test Partners have discovered thousands of connected hot tubs are vulnerable to remote cyber attacks. Pen Test Partners, the UK security company that carried out the research, wrote: “Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API. The AP is open, no PSK, so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.”

Pen Test Partners e-mailed the manufacturer, Balboa Water Group, already in November 2018. The manufacture promised a fix by the end of February 2019.

Read more about it here.

A vulnerability in the Guardzilla All-in-One home video surveillance system could be exploited by users to watch Guardzilla footage of other users.

The GZ501W camera model contains a shared, hard-coded credential for Amazon Web Services Simple Storage Service (S3), which stores video footage. This means that any user of the Guardzilla All-in-One video surveillance system could access other users’ saved home videos.

While waiting for a patch, users should disable the cloud based storage function, or disconnect the device.

Read more about it here.

A new report published by non-profit Amnesty International details how threat actors are able to bypass 2FA (Two-Factor Authentication) that leverages a text (SMS) message as the second authentication factor.

The process is automated and the 2FA can be cracked within seconds.

Typically in a 2FA, when you open an account, you give the service – Google, Twitter, etc. – your mobile phone number. When you later login with your password, the service sends you a text (SMS) message, which you are prompted to enter. This serves as the second form of authentication.

Amnesty International reported widespread phishing of Google and Yahoo! mail accounts in the Middle East and North Africa throughout 2017 and 2018.

The attackers sent to the victims fake alarms, informing them that their account has been compromised, and asking them to urgently change their password. The phishing e-mail included a link that redirected victims to a well-crafted Google or Yahoo! Mail phishing web site. After the users entered their password, they were prompted to enter the code that was sent to them via SMS.

Read more about it here.