DHS warns of Chinese-made drones stealing sensitive data
Drones contain components that can collect sensitive data and share it on a server accessible beyond the company itself.
An industry analysis has revealed that nearly 80% of the drones used in the US and Canada are from DJI, which is headquartered in Shenzhen, China.
The US Department of Homeland Security warns that Chinese-made drones might be sharing sensitive flight data to its manufacturers on a server accessible to the Chinese government.
Contents of the alert
The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has warned that drones are a “potential risk to an organization’s information” and that they contain components that can collect sensitive data and share it on a server accessible beyond the company itself.
“Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities,” the alert read, CNN reported.
Which drone manufacturers are suspect?
The alert did not specify any manufacturer. However, industry analysis has revealed that nearly 80% of the drones used in the US and Canada are from DJI, which is headquartered in Shenzhen, China.
Users are warned to be cautious while purchasing drones from China and to take security measures like turning off the device’s internet connection and removing secure digital cards to avoid data theft.
It is a hybrid of two other pieces of malware, Nymaim and Gozi.
The first of these is what is known as a “dropper”, software that is designed to sneak other malware on to a device and install it. Up until 2015, Nymaim was used primarily to get ransomware on to devices.
Gozi has been around since 2007. Over the years it has resurfaced with new techniques, all aimed at stealing financial information. It was used in concerted attacks on US banks.
Combining the two created what one expert called a “double-headed monster”.
Analysis: Anna Holligan, BBC Hague correspondent
US attorney for the Western District of Pennsylvania, Scott Brady stood alongside prosecutors and cyber-crime fighters from five other nations inside Europol’s high-security headquarters, to announce the takedown of what he described as a “global conspiracy”.
The suspected ringleader used GozNym malware and contracted different cyber-crime services – hard-to-detect bulletproof hosting platforms, money mules and spammers – to control more than 41,000 computers and enable cyber-thieves to steal and launder an estimated $100m from victims’ bank accounts.
Gang members in four countries have been charged – a coup for cyber-crime fighters, who say the discovery of this sophisticated scam demonstrates the borderless nature of cyber-crime and the need for cross-border co-operation to detect and disrupt these networks.
Among them, two are critical and six are of high importance.
A busy month for Cisco router owners got busier yesterday when the networking giant introduced 31 new advisories and alerts. These announcements came on top of 11 high- and medium-impact vulnerabilities announced earlier in the month.
Of the 31 alerts, 23 are of medium impact, six are of high impact, and two are of critical impact to the organization and its security team.
Most of the medium-impact alerts are for cross-site scripting vulnerabilities, denial-of-service vulnerabilities, or vulnerabilities affecting unauthorized users and access. These were found on devices ranging from LAN controllers to wireless network access points to Cisco’s new Umbrella security framework.
The two critical alerts are for two very different vulnerabilities. In one, a vulnerability in Cisco IOS and IOS XE could allow an attacker to reload the system on a device (potentially replacing the legitimate system with one containing malicious code), or to remotely execute code with elevated privileges on the device.
This vulnerability is found in the Cisco Cluster Management Protocol (CMP) and was discovered when the documents in the infamous Vault 7 disclosure were analyzed. That’s bad news because those documents have been available to hackers around the world for more than two years. And the news gets worse: Researchers at Cisco Talos have published a blog post showing this vulnerability has been exploited in the wild as part of a DNS hijacking campaign dubbed “Sea Turtle.”
Cisco already has released a software patch for this critical vulnerability; there is no operational workaround, so applying the patch is the only remediation.
The second critical vulnerability could allow a remote attacker to gain access to applications running on a sysadmin virtual machine (VM) that is operating on Cisco ASR 9000 series Aggregation Services Routers. This vulnerability, Cisco says, was found during internal testing and has not yet been used in the wild. The source of the vulnerability – insufficient isolation of the management interface from internal applications – has been fixed in a pair of Cisco IOS XR software releases and does not, therefore, warrant a separate update, Cisco says.
Between the medium and critical vulnerabilities are six high-importance vulnerabilities that affect systems including telepresence video servers, wireless LAN controllers (three separate vulnerabilities), Aironet wireless access points, and the SNMP service.
Cisco ranks the severity of vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 3. Vulnerabilities with a CVSS score of 9.0 to 10.0 are critical, those in the range of 7.0 to 8.9 are high, and a score of 4.0 to 6.9 warrants a medium label. Anything ranking below medium is given an informational alert only.
Fraudsters are preying on the goodwill of people everywhere by using the tragic fire of Notre Dame to their advantage.
According to research by security company ZeroFOX, cyber-criminals are “spreading misinformation about the disaster,” which includes fake donation pages and launching new phishing campaigns. The company says in a blog post that “preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate.”
The blog goes onto explain that these threat actors use a variety of tactics, such as:
Using bots on Twitter to spread donation links leading to spam or malware sites
Impersonating websites and social media accounts of legitimate charity organizations
Sending fraudulent charity emails with bad links or attachments
Registering domains related to the disaster
Creating fake donation campaigns on crowdfunding sites
Using fraud messaging that includes vague victim stories, pressure to act quickly or promises of high payouts for a company involved in cleanup
Most worryingly, the crowdfunding tactics might work more than anything else. Raising money this way to help people in need is increasingly common, especially around tragic events such as this. Sites such as JustGiving might be copied to set up fake donation sites. “People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need,” says the blog post.
One example the ZeroFOX Alpha Team found was on justgiving.com, where an anonymous user created this crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” “Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort,” the post goes on to say.
Another tactic targets social media users who follow trending hashtags.
“In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy,” explains the post.
“[This example of one such post] is looking to sell ‘services’ using the Notre Dame fire hashtag.” Users need to be careful, it goes on, of any seller using hijacked hashtags, as they are “typically associated with scams and malicious links.”
Example of potential crowdfunding scam – note the warning signs.
When it comes to avoiding scams related to this disaster, ZeroFOX recommends the following:
stepstorecovery.com emailed via their published email address.
March 24, 2019
Hosting provider for ElasticSearch database notified.
March 25, 2019
Hosting provider confirms server owner has taken down the exposed server.
March 28, 2019
A follow-up email was sent to stepstorecovery.com, asking if they intended to notify their impacted users; no reply.
April 15, 2019
A follow-up email was sent; no reply.
Recently I discovered an improperly secured ElasticSearch database that contained personally identifiable information (PII) related to individuals who had received medical treatment at an addiction treatment center. This data appears to cover patient data from mid 2016 – late 2018, and amounts to roughly 4.9 million rows of data. Following notification, the hosting provider of the database took prompt action to notify the owner of the database, but Steps to Recovery has yet to reply to any inquiries. To the best of my knowledge, the treatment center has not notified their patients regarding this leak of their PII.
While searching Shodan I recently discovered yet another ElasticSearch database that was exposed to the Internet without any form of authentication. Based on a quick review of the data it quickly became apparent that the database contained medical information and PII related to patients of some type of rehab center. Based on the name of the database and additional information in the database it appears this was patient data from Steps to Recovery, an addiction treatment center located in Levittown, PA. I initially notified Steps to Recovery regarding the data leak, but also notified the hosting provider given the sensitivity of the data. To date I have not received any reply from Steps to Recovery, but the hosting provider notified their customer, who then promptly took action to disable access to the database. It is unclear if Steps to Recovery took this action, or if someone may have been running this database on their behalf.
The ElasticSearch database contained two indexes, roughly 1.45GB in size, containing 4.91 million documents. These are not large numbers, but given the sensitivity of any PII leak I treated this as an urgent issue.
Index        Size   Documents
infcharges   906Mi  2.74M
infpayments  549Mi  2.17M
Data related to multiple distinct patients was observed, though (luckily) it did appear that the number of unique patients was likely far fewer than the number of documents in the database would suggest. As demonstrated by the screenshot below, a single PatientID could have multiple rows of data for different medical procedures. Based on a random sample of 5,000 rows of data from the “infcharges” index, I observed 267 unique patients, i.e. roughly 5.34% of the rows were unique. Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients. To reiterate, it’s entirely possible this sample of 5,000 rows of data was not representative of the entire index of data.
A leak of PII related to 146,316 unique patients would be bad on any day. It’s particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction, this is almost certainly not information the patients want easily accessible.
What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.
That’s just the tip of the iceberg though.
If you search Google for the patient name together with “Ohio” (where, in the example included above, the addiction recovery center was located), it becomes trivial to locate more information about this patient.
Sidenote: The connection between Steps to Recovery in Levittown, PA and this Ohio addiction recovery center is unclear. My best guess is that the patient lived near Levittown and had visited Ohio, or vice versa. Based on the additional information I was able to easily locate, I can say with confidence the patient almost certainly lives in Ohio.
I’ve heavily redacted the Google search below, but you can still get a sense of the extent of the information that was immediately located.
This is a creepy Google search.
I did not pay for any of these background reports. I had no interest in going that far.
After briefly reviewing just the freely available information though I could still tell you, with reasonably high confidence, the patient’s age, birthdate, address, past addresses, the names of the patient’s family members, their political affiliation, potential phone numbers and email addresses.
Please, please, please secure your data.
I hope that Steps to Recovery will acknowledge this leak of sensitive patient data. I hope they will promptly (it’s not prompt any more – it’s been a month) notify all of the patients they determine were impacted. I found this data leak purely by accident, but a malicious person could have also found this same data, and potentially used it as part of identity theft.
Russian hackers are targeting European embassies, according to new report
Russian hackers recently attacked a number of embassies in Europe by emailing malicious attachments disguised as official State Department documents to officials, according to a new report from Check Point Research.
The hackers targeted European embassies in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon, among others. They typically emailed the officials Microsoft Excel sheets with malicious macros that appeared to have originated from the United States State Department. Once opened, the hackers were able to gain full control of the infected computer by weaponizing installed software called TeamViewer, a popular remote access service.
“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting,” the press release says, “since it was not after a specific region and the victims came from different places in the world.”
Government finance officials were also subject to these attacks, and Check Point notes that these victims were of particular interest to the hackers. “They all appear to be handpicked government officials from several revenue authorities,” the press release says.
The hackers appeared to be highly sophisticated, carefully planning out the attacks, using decoy documents tailored to their victims’ interests, and targeting specific government officials. At the same time, other stages of the attack were carried out with less caution, leaving personal information and browsing history belonging to the perpetrator exposed.
Check Point identified several other similar attack campaigns, including some targeting Russian-speaking victims as well.
While Russian in origin, it’s unlikely that these attacks were state-sponsored. One perpetrator was traced back to a hacking forum and a carding forum, registered under the same username, “EvaPiks,” on both. EvaPiks posted instructions for how to carry out this kind of cyber attack on forums and advised other users as well.
Due to the attackers’ background in the illegal carding community, Check Point suggested that they could have been “financially motivated.”
Updated 4/22/19 at 12:20 p.m. EST: The previous headline suggested that the Russian hackers attacked U.S. embassies, when the attackers targeted European embassies. The article has been updated to clarify this.
Microsoft Office now the most targeted platform, as browser security improves
Microsoft Office has become cybercriminals’ preferred platform when carrying out attacks, and the number of incidents keeps increasing, Kaspersky Lab researchers said during the company’s annual conference, Security Analyst Summit, in Singapore. Boris Larin, Vlad Stolyarov and Alexander Liskin showed that the threat landscape has changed in the past two years and urged users to keep their software up-to-date and to avoid opening files that come from untrusted sources to reduce the risk of infection.
Today, more than 70% of all the attacks Kaspersky Lab catches are targeting Microsoft Office, and only 14% take advantage of browser vulnerabilities. Two years ago, it was the opposite: Web-based vulnerabilities accounted for 45% of the attacks, while Microsoft Office had a 16% share.
Researchers said that this is because hacking browsers has become more expensive, as browser security has improved. “Browser developers put much effort into different kinds of security protections and mitigations,” Liskin said. “Attackers were looking for a new target, and MS Office has become a star.”
Liskin added that there are plenty of reasons why cybercriminals choose to attack the popular suite. “Microsoft Office has a huge number of different file formats,” he said. “It is deeply integrated into the Windows operating system.”
He also argued that when Microsoft created Office, it made several decisions that, in hindsight, aren’t optimal security-wise and are currently difficult to change. Making such alterations would have a significant impact on all the versions of the products, Liskin said.
The researchers pointed out that the most exploited vulnerabilities from the past two years are not in MS Office itself, but rather in related components. Two of those vulnerabilities, CVE-2017-11882 and CVE-2018-0802, exploit bugs found in Equation Editor. Cybercriminals prefer to use them because they can be found in every version of Microsoft Word released in the past 17 years. Moreover, building exploits for them does not require advanced skills, because the Equation Editor binary lacks modern protections and mitigations. These are simple logic vulnerabilities, the researchers said.
Exploit uses Internet Explorer to hack Office
Another interesting vulnerability is CVE-2018-8174. In this unusual case, the vulnerability was actually in Internet Explorer, but the exploit was found in an Office file. “The exploit was delivered as an obfuscated RTF document,” researcher Larin said. “This is the first exploit to use a vulnerability in Internet Explorer to hack Microsoft Office.”
The infection chain has three steps. First, the victim opens the malicious document. As they do this, a second stage of the exploit is downloaded: an HTML page that contains VBScript code. This then triggers the third step, a use-after-free (UAF) vulnerability, and executes shellcode. UAF bugs are a type of memory corruption vulnerability that has been very successful in the past for browser exploitation. The technique works by referencing memory after it has been freed, causing the software to crash or allowing an attacker to execute code.
Cybercriminals act fast on Microsoft exploits
What intrigues Larin, Stolyarov and Liskin the most about the cases they’ve studied is how fast cybercriminals operate. Most incidents start with a Microsoft Office zero-day that’s used in a targeted campaign. Once it becomes public, it’s only a matter of days until exploits appear on the dark web. Sometimes, it can even be faster, as has happened with CVE-2017-11882, the first Office Equation Editor vulnerability Kaspersky Lab researchers uncovered. The publication of the proof of concept was followed by a massive spam campaign that began on the very same day.
Microsoft Office vulnerabilities might become even more common in the near future, as attackers continue to target the suite. Larin advised users to keep their software updated, and to pay attention to the files they receive from dubious email addresses. “Our best recommendation is not to open links and files received from untrusted sources, and have installed security solutions with advanced detection of exploits,” Larin added.
Forcepoint is owned by U.S. defense contractor Raytheon and private equity firm Vista Equity Partners, and Crunchbase estimates its yearly revenue to be $600 million.
The system described in the patent appears to be a complex user behavior monitoring and management system. The system would aim to store data about electronically-observable user interactions and then use this data to identify known good, anomalous and malevolent user actions to enhance the system’s cybersecurity.
Some versions of the system employ blockchain technology, according to the patent:
“In certain embodiments, the association of the additional context may be accomplished via a blockchain block within a user behavior profile blockchain […] implemented with appropriate time stamping to allow for versioning over time. ”
Furthermore, the patent also provides for the possibility of storing user behavior data on the blockchain directly, noting that the advantages of this approach are immutability and tamper-evidence.
Mueller report details how Russians reached millions of US Facebook and Twitter users and brought them out to real-life rallies
Special counsel Robert Mueller’s report released Thursday says Russia’s Internet Research Agency, or IRA, reached millions of U.S. users on Twitter, Facebook and Instagram leading up to the 2016 presidential election. Russian operatives also communicated with the Trump campaign under false identities “without revealing their Russian association” and interacted with prominent pro-Trump activists to arrange political rallies, “confederate” events and even a #KidsforTrump organization, the report says.
“IRA-controlled Twitter accounts separately had tens of thousands of followers, including multiple U.S. political figures, who retweeted IRA-created content,” the report says. Facebook has estimated that IRA-controlled accounts reached up to 126 million people, with Twitter notifying 1.4 million people they may have been in contact with a Russia-controlled account.
The Mueller document gives a fuller picture of how both technical and in-person intelligence operatives worked together to influence sentiment leading up to the 2016 election.
An odyssey that ramped up in 2014
Russian operatives had been dabbling in social media until around 2014, when they consolidated their efforts under a single program known internally as the “translator department,” according to the report. They later began sending operatives to the U.S. to further the election goals of the program.
In June 2014, four members of the department lied to the U.S. State Department, claiming to be “friends who met at a party.” Two of them, Anna Bogacheva and Aleksandra Krylova, received visas to enter the U.S. In 2016, other operatives were seen holding up signs at an event near the White House purportedly celebrating the birthday of Yevgeniy Prigozhin, a Russian tycoon alleged to have funded some of the interference campaigns and their associated social media ad buys.
On Twitter, the IRA program broke its operation into two strategies: creating real Twitter accounts meant to represent “individual U.S. personas,” and a separate, IRA-controlled network of automated Twitter bots “that enabled the IRA to amplify existing content on Twitter.”
One of the IRA accounts, which claimed to be that of a Trump supporter from Texas, had 70,000 followers. Another anti-immigration persona had 24,000 followers. A third, called @march_for_trump, organized a series of rallies in support of Trump across the U.S. The accounts posted 175,993 tweets, though the report says only 8.4% of those were election-related.
“U.S. media outlets also quoted tweets from IRA-controlled accounts and attributed them to the reactions of real U.S. persons,” the report says.
Influential conservatives also interacted with the accounts, including TV commentator Sean Hannity, Roger Stone, former U.S. Ambassador to Russia Michael McFaul and Michael Flynn Jr.
From Twitter to real life
“The Office identified dozens of U.S. rallies organized by the IRA,” the report says. “The earliest evidence … was a ‘confederate rally’ in November 2015. The IRA continued to organize rallies even after the 2016 U.S. presidential election.”
Many of the rallies drew few participants, while others drew hundreds. “The reach and success of these rallies was closely monitored” by the Russian team, the report says.
The report clarifies that in the cases in which a pro-Trump, IRA-organized rally also coordinated with Trump’s campaign, the campaign was not aware of the origins of the organizers. “The IRA’s contacts included requests for signs and other materials to use at rallies, as well as requests to promote the rallies and help coordinate logistics.”
“The investigation has not identified evidence that any Trump campaign official understood the requests were coming from foreign nationals,” the report says.
Another two-part campaign, against Hillary Clinton
As with the IRA’s Twitter strategy, Russia’s GRU intelligence agency broke its campaign of interference against Hillary Clinton’s presidential campaign into two parts. One group developed specialized malware — malicious software used, in this case, to monitor communications. A second group was charged with honing and launching mass spearphishing operations, meant to identify key targets within Clinton’s campaign and craft believable emails persuading them to click and, therefore, install the custom malware.
The GRU officers sent hundreds of these emails to Clinton staffers, including official campaign accounts and Google accounts used by staffers.
Spy on your smart home with this open source research tool
Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.
The open source tool, called IoT Inspector, is available for download here. (Currently it’s Mac OS only, with a wait list for Windows or Linux.)
In a blog about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)
Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.
A Geeni smart bulb was also found to be constantly communicating with the cloud — sending/receiving traffic via a URL (tuyaus.com) that’s operated by a China-based company with a platform which controls IoT devices.
There are other ways to track devices like this, such as setting up a wireless hotspot to sniff IoT traffic using a packet analyzer like Wireshark. But the level of technical expertise required makes them difficult for plenty of consumers.
The researchers say their web app doesn’t require any special hardware or complicated set-up, so it sounds easier than trying to go packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)
One wrinkle: The web app doesn’t work with Safari; it requires Firefox, Google Chrome or another Chromium-based browser.
The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.
The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and PhD student Danny Yuxing Huang at the university’s Computer Science department.
The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)
“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”
They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)
The dataset being harvested by the traffic analyzer tool is anonymized, and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks, such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.
For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.
The tool has been designed not to track computers, tablets and smartphones by default, given the study’s focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked, either by powering them down during setup or by specifying their MAC address.
Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.
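As an added example (not part of the article or of the IoT Inspector project), the following Python models the per-device summary the article describes: MAC addresses are replaced by a salted hash, traffic is aggregated per device, computers can be excluded, and devices that keep contacting the cloud during an idle window are flagged, the pattern behind the Chromecast and Geeni observations. The flow records, MAC addresses, the salt and every hostname except tuyaus.com are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample flow records (made up for this example, not captured
# traffic): (ISO-8601 timestamp, device MAC, destination host, port, bytes).
# Device 01 stands in for the Chromecast, 02 for the Geeni bulb talking to
# tuyaus.com (the only hostname taken from the article), 03 for a laptop.
SAMPLE_FLOWS = [
    ("2019-04-22T02:00:05", "AA:BB:CC:00:00:01", "google-servers.example", 443, 1200),
    ("2019-04-22T02:15:05", "AA:BB:CC:00:00:01", "google-servers.example", 443, 1180),
    ("2019-04-22T02:30:05", "AA:BB:CC:00:00:01", "google-servers.example", 443, 1210),
    ("2019-04-22T02:05:00", "AA:BB:CC:00:00:02", "tuyaus.com", 1883, 300),
    ("2019-04-22T02:20:00", "AA:BB:CC:00:00:02", "tuyaus.com", 1883, 310),
    ("2019-04-22T19:00:00", "AA:BB:CC:00:00:03", "update.laptop-vendor.example", 443, 5000),
]
LAPTOP_MAC = "aa:bb:cc:00:00:03"  # a computer: excluded from tracking by default


def pseudonymize_mac(mac: str, salt: str) -> str:
    """Keyed hash of a MAC address, so a device can be correlated across
    records without storing the raw hardware address. The salt is an assumed
    collector-side secret: the MAC space is small enough to enumerate, so a
    salt shipped alongside the data would undo the anonymization."""
    digest = hashlib.sha256(f"{salt}:{mac.lower()}".encode()).hexdigest()
    return digest[:16]


def summarize(flows, salt: str, excluded_macs=frozenset()):
    """Aggregate flows per pseudonymous device: distinct (host, port)
    destinations, total bytes, flow count, first and last seen. Devices in
    excluded_macs (computers, phones, opted-out gadgets) are dropped."""
    summary = {}
    for ts, mac, host, port, nbytes in flows:
        if mac.lower() in excluded_macs:
            continue
        key = pseudonymize_mac(mac, salt)
        entry = summary.setdefault(key, {
            "destinations": set(), "bytes": 0, "flows": 0,
            "first_seen": ts, "last_seen": ts,
        })
        entry["destinations"].add((host, port))
        entry["bytes"] += nbytes
        entry["flows"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return summary


def third_party_hosts(summary):
    """Map each destination host to the number of devices that contact it,
    so the owner can see which cloud endpoints their gadgets report to."""
    counts = defaultdict(int)
    for entry in summary.values():
        for host, _port in entry["destinations"]:
            counts[host] += 1
    return dict(counts)


def talkative_while_idle(flows, idle_start: str, idle_end: str, min_flows: int = 2):
    """Return (lower-cased) MACs with at least min_flows flows inside a window
    in which nobody was using the devices, e.g. overnight. ISO-8601 strings
    of equal format compare chronologically, so no date parsing is needed."""
    counts = defaultdict(int)
    for ts, mac, _host, _port, _nbytes in flows:
        if idle_start <= ts <= idle_end:
            counts[mac.lower()] += 1
    return sorted(mac for mac, n in counts.items() if n >= min_flows)


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS, salt="demo-salt", excluded_macs={LAPTOP_MAC})
    for key, entry in report.items():
        print(key, entry["flows"], "flows", entry["bytes"], "bytes",
              sorted(entry["destinations"]))
    print("contacted by devices:", third_party_hosts(report))
    print("active overnight:", talkative_while_idle(
        SAMPLE_FLOWS, "2019-04-22T02:00:00", "2019-04-22T03:00:00"))
```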