CYBER PRESS REVIEW - STEVALYS
CYBER PRESS REVIEW
From 25 NOVEMBER to 1 DECEMBER 2019
VULNERABILITIES and ATTACKS

« Integrity is an essential component of security. And not only in computing. » D. Hallépée

STEVALYS contact@stevalys.com
TABLE OF CONTENTS

TABLE OF CONTENTS 1
VULNERABILITIES AND ATTACKS
OVER ONE BILLION CONSUMERS EXPOSED IN DATA LEAK 3
WEB SKIMMERS USE PHISHING TACTICS TO STEAL DATA 4
NEW TECHNIQUE ALLOWS RANSOMWARE TO OPERATE UNDETECTED 6
HACKER GETS 4 YEARS IN JAIL FOR NEVERQUEST BANKING MALWARE 7
ONECOIN CRYPTO-SCAM LAWYER FOUND GUILTY OF WORLDWIDE $400M FRAUD 10
DATA ON 1.2 BILLION USERS FOUND IN EXPOSED ELASTICSEARCH SERVER 12
AN EMPLOYEE EMBEZZLES $22 MILLION TO BUY BITCOIN AND PLAY POKER 15
$4.2 MILLION IN CRYPTOCURRENCY SEIZED BY NEW ZEALAND POLICE 17
PESTS FORCE ESTONIAN GOVERNMENT OFFLINE 18
NURSING HOME PATIENTS AT RISK AFTER RANSOMWARE ATTACK 20
MALICIOUS ANDROID SDKS CAUGHT ACCESSING FACEBOOK AND TWITTER USERS DATA 21
NEW 'GINP' ANDROID TROJAN TARGETS CREDENTIALS, PAYMENT CARD DATA 24
APPLE: 142 MALICIOUS APPS DETECTED IN THE APP STORE 26
VISTAPRINT ACCIDENTALLY LEAVES A CUSTOMER FILE FREELY ACCESSIBLE ON THE INTERNET 27
HEALTHCARE EXECS CHARGED IN $1BN FRAUD SCHEME 30
MINOR ARRESTED FOR JACK DORSEY TWITTER HACK 31
OVER 12,000 GOOGLE USERS HIT BY GOVERNMENT HACKERS IN 3RD QUARTER OF 2019 32
TWITTER, FACEBOOK USER DATA IMPROPERLY ACCESSED VIA MALICIOUS SDKS 35
HACKERS STEAL $49 MILLION IN ETHEREUM FROM CRYPTOCURRENCY EXCHANGE UPBIT 36
GOOGLE SHARES DATA ON STATE-SPONSORED HACKING ATTEMPTS 38
DEXPHOT MALWARE USES RANDOMIZATION, ENCRYPTION, AND POLYMORPHISM TO EVADE DETECTION 40
FIREFOX GETS TOUGH ON TRACKING TRICKS THAT SNEAKILY SAP YOUR PRIVACY 42
CYBERATTACK: ROUEN UNIVERSITY HOSPITAL'S INFORMATION SYSTEM "ALMOST BACK TO NORMAL" 47
MALWARE: HACKERS USE YOUTUBE TO MINE MONERO (XMR) 50
HACKERS DEMAND BEER 52
CRYPTOCURRENCY EXCHANGE UPBIT LOSES $52M IN ATTACK 53
GOOGLERS FIRED FOR BREAKING SECURITY POLICY 55
HACKERS ACCESSED MAGENTO MARKETPLACE USER DATA 56
KIDS’ SMARTWATCH SECURITY TRACKER CAN BE HACKED BY ANYONE 57
RANSOMWARE ATTACK FREEZES HEALTH RECORDS ACCESS AT 110 NURSING HOMES 60
LINKEDIN: 3 CASES OF QUESTIONABLE PERSONAL DATA HANDLING IN ONE WEEK 63
MAGENTO MARKETPLACE BREACH EXPOSES USER DETAILS 66
THIRD-PARTY VENDOR EXPOSES DATA OF PALO ALTO EMPLOYEES 67
UNITED STATES POST OFFICE FACES CYBERSECURITY CHALLENGES 68
SECURITY GIANT PROSEGUR STRUCK BY RANSOMWARE 70
AMAZON WANTED TO CREATE WATCH LISTS VIA RING DOORBELL CAMERAS 71
THE ROLLOUT OF RCS COULD EXPOSE USERS TO CYBERATTACKS 73

Stevalys 2019 ©
Over One Billion Consumers Exposed in Data Leak
Infosecurity Magazine, 25 November 2019

Personal information on over one billion individuals harvested by two data enrichment firms has been exposed online, according to security researchers.

Data enrichment or aggregation providers effectively sell access to large stores of data merged from multiple third-party sources, primarily for companies to gain deeper insights into current and prospective customers. However, there are inevitable privacy risks attached to such practices, despite the efforts of the aggregator firms themselves to keep their own data stores secure.

In mid-October, Bob Diachenko and Vinny Troia discovered a wide open Elasticsearch server containing four billion user accounts across more than 4TB of data.

“A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information,” explained Vinny Troia, chief of threat intelligence at Data Viper.

“The discovered Elasticsearch server containing all of the information was unprotected and accessible via web browser at http://35.199.58.125:9200. No password or authentication of any kind was needed to access or download all of the data.”

The privacy snafu exposed around 622 million unique email addresses, mainly those associated with a data enrichment firm known as People Data Labs [PDL]. The second was identified by Troia as OxyData and is an almost complete scrape of LinkedIn data. However, it’s unclear who left the data exposed on the Elasticsearch server.

Troy Hunt, who runs the HaveIBeenPwned? breach notification site, said the case highlights a real challenge at the heart of the data enrichment industry.
“Regardless of how well these data enrichment companies secure their own system, once they pass the data downstream to customers it's completely out of their control. My data — almost certainly your data too — is replicated, mishandled and exposed and there's absolutely nothing we can do about it. Well, almost nothing,” he said.

“[PDL’s] privacy policy states that people may ‘access any information we have on them’ and that they will ‘reply to a person’s request within five business days’ or delete it outright. It'll be interesting to see how that scales if even a very small slice of the 622M impacted individuals takes them up on that offer.”

Web Skimmers Use Phishing Tactics to Steal Data
Infosecurity Magazine, 25 November 2019

Security researchers have discovered a new digital skimming attack which borrows phishing techniques to steal card data from a fake payments page.

E-commerce sites often use secure payment pages hosted by third-party payment service providers (PSPs). However, attackers have used this system to insert digital skimming code loaded as a fake Google Analytics library called ga.js, according to Malwarebytes.

Director of threat intelligence, Jérôme Segura, discovered a fake payment-mastercard[.]com domain that was “hosting a completely different kind of skimmer that at first resembled a phishing site.

“This skimmer is interesting because it looks like a phishing page copied from an official template for CommWeb, a payments acceptance service offered by Australia’s Commonwealth Bank,” he explained. “The attackers have crafted it specifically for an Australian store running the PrestaShop Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.”

The fake payments page even alerts users if any fields they fill in are invalid. After the victim’s details are exfiltrated, they are redirected to the real payment processor. The real Australian Commonwealth Bank site is displayed along with the correct total amount due for purchase. This is done by creating a unique session ID and reading browser cookies, Segura explained.

“Externalizing payments shifts the burden and risk to the payment company such that even if a merchant site were hacked, online shoppers would be redirected to a different site (i.e. Paypal, MasterCard, Visa gateways) where they could enter their payment details securely,” he concluded.

“Unfortunately, fraudsters are becoming incredibly creative in order to defeat those security defenses. By combining phishing-like techniques and inserting themselves in the middle, they can fool everyone.”
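Two traits of the skimmer described above are visible in a checkout page's static HTML: a script named after a well-known library (ga.js) but served from somewhere other than Google, and a form or script host that borrows a payment brand's name without being the real payment service provider. The following Python check is an added example, not code from Malwarebytes or from the press review; the allow-lists of legitimate library hosts and expected payment hosts, the brand look-alike rule and the sample HTML are all constructed assumptions, and a merchant or analyst would substitute the hosts their own checkout actually uses.

```python
"""Checkout-page audit: flag scripts and form targets that do not belong.

Added example (not from the Malwarebytes write-up or the press review).
Allow-lists, the look-alike rule and the sample HTML are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-lists: where legitimate copies of well-known libraries live,
# and which hosts the merchant expects its payment forms to post to.
KNOWN_LIBRARY_HOSTS = {
    "ga.js": {"www.google-analytics.com", "ssl.google-analytics.com"},
}
EXPECTED_PAYMENT_HOSTS = {"www.paypal.com", "checkout.mastercard.com"}  # assumed
PAYMENT_BRANDS = ("mastercard", "visa", "paypal", "commbank")


class _Collector(HTMLParser):
    """Collect external script sources and form actions from the page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])


def _host(url):
    return (urlparse(url).hostname or "").lower()


def looks_like_brand_impersonation(host):
    """True when a host contains a payment brand name but is not an expected host."""
    if host in EXPECTED_PAYMENT_HOSTS:
        return False
    return any(brand in host for brand in PAYMENT_BRANDS)


def audit_checkout_page(html):
    """Return a list of (category, url) findings for suspicious page elements."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for src in collector.scripts:
        host = _host(src)
        name = urlparse(src).path.rsplit("/", 1)[-1]
        allowed = KNOWN_LIBRARY_HOSTS.get(name)
        # A known library name served from an unexpected host is the ga.js trick.
        if allowed is not None and host not in allowed:
            findings.append(("library-name-mismatch", src))
        if looks_like_brand_impersonation(host):
            findings.append(("script-from-lookalike-host", src))
    for action in collector.forms:
        host = _host(action)
        if host and looks_like_brand_impersonation(host):
            findings.append(("form-posts-to-lookalike-host", action))
    return findings


# Constructed sample: a checkout page with a genuine analytics include, a
# legitimate PayPal form, and one injected "ga.js" plus a form pointing at a
# look-alike payment domain.
SAMPLE_HTML = """
<html><body>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="https://payment-mastercard.com/ga.js"></script>
<form action="https://www.paypal.com/checkout" method="post"></form>
<form action="https://payment-mastercard.com/pay" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for category, url in audit_checkout_page(SAMPLE_HTML):
        print(f"{category}: {url}")
```

Run against the sample, the check reports the look-alike ga.js twice (wrong host for a known library, and a brand look-alike host) and the form that posts to the look-alike domain, while the genuine analytics script and the PayPal form pass. A static check like this complements, rather than replaces, a Content Security Policy and Subresource Integrity on the merchant's own pages.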
New Technique Allows Ransomware to Operate Undetected
SecurityWeek, 25 November 2019

A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.

Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system "rename" operation, and the security researchers say it is effective even against systems that are timely patched and run modern antivirus solutions. RIPlace, the researchers say, can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s operating system.

In a detailed report covering the findings (PDF), the researchers note that most ransomware operates by opening and reading the original file, encrypting content in memory, and then destroying the original file by writing encrypted content to it, by saving the encrypted file and then erasing the original, or by saving the encrypted file and then leveraging Rename to replace it.

When a Rename request is called (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback. What the researchers discovered was that, if DefineDosDevice (a legacy function that creates a symlink) is called before Rename, one could pass an arbitrary name as the device name, along with the original file path as the target to point to.

The issue, they explain, is that the filter driver’s callback function “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when passing a DosDevice path, the Rename call succeeds.

“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.

The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted.

Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV) and also released a free tool that allows anyone to test their system and security products against the RIPlace evasion technique.

Hacker gets 4 years in jail for NeverQuest banking malware
Sophos Naked Security, 25 November 2019

A Russian hacker has been sentenced to four years in US prison for using the NeverQuest banking Trojan to infect the computers of unwitting victims, steal their login information for online banking accounts, and use it to wipe out their accounts.

The US Attorney’s Office for the Southern District of New York announced the sentencing of Stanislav Vitaliyevich Lisov on Thursday. According to the Justice Department (DOJ), NeverQuest has been used by cybermuggers to try to weasel millions of dollars out of victims’ bank accounts.
Nasty and complex

It’s a nasty piece of work. Researchers have determined that NeverQuest’s origins lie in an evolving threat family called Vawtrak, also known as Snifula, Catch or Grabnew.

Once NeverQuest slips onto a victim’s computer, it wakes up when the system logs onto an online banking website. Then, it transfers the victim’s login credentials, including their username and password, back to a command and control server. That lets the malware’s administrators remotely control a victim’s computer and log into their financial accounts, transfer money to accounts that the crooks control, change the login credentials, write online checks, and purchase goodies from online vendors at their victims’ expense.

According to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the Trojan installs what’s called a Virtual Network Computing (VNC) server that disguises malicious activity, escaping detection by making it look like that activity is coming from the victim’s own computer.

NeverQuest can replicate and spread with the help of FTP servers, the Neutrino Exploit Kit, and social networking sites. It uses web-injection to evade detection by antivirus software and can slip by two-factor authentication (2FA). The malware can also launch man-in-the-middle and man-in-the-browser attacks; harvest email, FTP, and stored browser credentials; and can capture video and screenshots.

Lisov: NeverQuest’s daddy

The DOJ says that between June 2012 and January 2015, Lisov worked on “key aspects” of creating and administering a botnet based on computers infected by this malicious NeverQuest beast. Lisov’s duties included maintaining infrastructure for the criminal enterprise, including by renting and paying for the servers used to manage the botnet. Those servers were stuffed with stolen login credentials – approximately 1.7 million of them, including usernames, passwords, and security questions and answers to get into their bank and other financial accounts.

Lisov was arrested in Spain in January 2017. He was extradited to the US a year later, and in February 2019, he pleaded guilty to one count of conspiracy to commit computer hacking.

At the time of Lisov’s guilty plea, US Attorney Geoffrey S. Berman called Lisov’s crimes “audacious”:

As he admitted today, Stanislav Vitaliyevich Lisov used malware to infect victims’ computers, obtain their login credentials for online banking accounts, and steal money out of their accounts. This type of cybercrime extends across borders, poses a malicious threat to personal privacy, and causes widespread financial harm. For his audacious crime, this Russian hacker now faces justice in an American court.

It’s good news that one of these bank robbers is off the streets. But this is an ongoing battle, fought against professionally run criminal syndicates, so don’t expect the FBI, Europol or any other crime-fighting organization to be able to rest anytime soon.
OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud
Sophos Naked Security, 25 November 2019

A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that started in Bulgaria but spread like a money-sucking fungus around the world.

Mark Scott, 51, a former equity partner at the law firm Locke Lord LLP, was convicted in Manhattan Federal Court on Thursday for laundering about $400 million from the massive international OneCoin fraud.

It’s not just an alleged mega-fraud; it’s also led to mega-busts, and its founder – The Missing Cryptoqueen, who talked millions of people into her scheme – has blinked out of sight. Bulgarian Ruja Ignatova was last spotted around October 2017: around the time that the US filed a secret warrant for her arrest. Her brother, Konstantin Ignatov, took over the reins, was arrested at Los Angeles International Airport in March 2019, signed a plea deal, and is facing up to 90 years in jail (though maximum sentences are rarely handed out).

Pop some corn and pull up a chair: you can tune in to the true crime saga from the BBC here as reporter Jamie Bartlett presents “a story of greed, deceit and herd madness.”

As far as the other OneCoin shysters go, most of them have been arrested or, like Ignatova, disappeared. A slew of OneCoin reps were pitching their scam – what they called “the next Bitcoin” – in a Mumbai exurb in April 2017 when financial cops busted in, raided the meeting, and jailed 18 of them, ultimately seizing more than $2 million in investor funds. As The Atlantic tells it, they’d already moved at least $350m in allegedly scammed funds through a German payment processor.

Not that OneCoin has shuttered its “Bitcoin Killer” shop, mind you.
It’s humming along as what the US Attorney’s Office in the Southern District of New York calls a “multi-level marketing network” that pays its members commissions for recruiting others to buy cryptocurrency packages, not from actual proceeds from its coins’ supposed value. In other words, it’s a pyramid scheme, and it sounds just like all the other cryptocoin pyramid schemes we’ve seen blossom and then implode. For more about how these scams work and how to avoid them, check out our deep dive on the subject.

OneCoin Ltd has claimed to have over 3 million members worldwide. An investigation has shown that, between the fourth quarter of 2014 and the third quarter of 2016 alone, the outfit generated €3.353 billion (USD$3.70 billion, £2.88 billion) in sales revenue and earned “profits” of €2.232 billion (USD$2.46 billion, £1.2 billion).

Mined from pure imagination

OneCoin leaders have claimed that their cryptocurrency is mined on the company’s own servers, and that the value is based on supply and demand. As the NY AG tells it, in reality, there are no servers chugging away. Rather, the coin’s “value” – which has grown from €0.50 to about €29.95 as of January 2019 – is actually mined out of the company’s vivid imagination. In fact, the whole thing was set up to defraud investors from the get-go, according to the Department of Justice (DOJ).

The DOJ says that Scott first met Ignatova in late 2015, then began laundering OneCoin proceeds in 2016. He did it by setting up a series of bogus private equity investment funds – the “Fenero Funds” – in the British Virgin Islands and lied about $400m in OneCoin fraud money as being investments of “wealthy European families.” He funneled the money through Fenero Fund bank accounts in the Cayman Islands and Ireland. He subsequently transferred the funds back to Ignatova and other OneCoin entities, further disguising the transfers as outbound investments from the Fenero Funds. He lied about the real source of the laundered money to banks and other financial institutions around the world.
With the $50m he made, Scott got spendy: he picked up a collection of luxury watches worth hundreds of thousands of dollars, a Ferrari and several Porsches, a 57-foot Sunseeker yacht, and three multimillion-dollar seaside homes in Cape Cod, Massachusetts. He was arrested near one of his Cape Cod homes in September 2018.

Scott was convicted of one count of conspiracy to commit money laundering, which carries a maximum potential sentence of 20 years in prison, and one count of conspiracy to commit bank fraud, which carries a maximum potential sentence of 30 years in prison. But again, maximum sentences are rarely handed down.

Throughout all of this, OneCoin has denied that it’s a scam sandwich. It recently sent this statement to the BBC for its The Missing Cryptoqueen podcast:

OneCoin verifiably [fulfills] all criteria of the definition of a cryptocurrency. Our partners, our customers and our lawyers are fighting successfully proceedings against OneCoin. We are sure that the vision of a new system on the basis of a financial revolution will be established.

Data on 1.2 Billion Users Found in Exposed Elasticsearch Server
SecurityWeek, 25 November 2019

An exposed Elasticsearch server was found to contain data on more than 1.2 billion people, Data Viper security researchers report.

The server was accessible without authentication and it contained 4 billion user accounts, spanning more than 4 terabytes of data, security researchers Bob Diachenko and Vinny Troia discovered last month.
Analysis of the data revealed that it pertained to over 1.2 billion unique individuals and that it included names, email addresses, phone numbers, and LinkedIn and Facebook profile information.

Further investigation led the researchers to the conclusion that the data came from two different data enrichment companies. Thus, the leak in fact represents data aggregated from various sources and kept up to date.

Most of the data was stored in 4 separate data indexes, labeled “PDL” and “OXY”, and the researchers discovered that the labels refer to two data aggregator and enrichment companies, namely People Data Labs and OxyData.

Analysis of the nearly 3 billion PDL user records found on the server revealed the presence of data on roughly 1.2 billion unique people, as well as 650 million unique email addresses. Not only do these numbers fall in line with the statistics the company posted on their website, but the researchers were able to verify that the data on the server was nearly identical to the information returned by the People Data Labs API.

“The only difference being the data returned by the PDL also contained education histories. There was no education information in any of the data downloaded from the server. Everything else was exactly the same, including accounts with multiple email addresses and multiple phone numbers,” the researchers explain.

Vinny Troia also found in the leak information related to a landline phone number he was given roughly 10 years back as part of an AT&T TV bundle. Although the landline was never used, the information was present on the researcher’s profile, and was included in the data set PeopleDataLabs.com had on him.

The company told the researchers that the exposed server, which resided on Google Cloud, did not belong to it. The data, however, was clearly coming from People Data Labs.
Some of the information on the exposed Elasticsearch, the researchers revealed, came from OxyData, although this company too denied being the owner of that server. After receiving a copy of his own user record with the company, Troia confirmed that the leaked information came from there.
The researchers couldn’t establish who was responsible for leaving the server wide open to the Internet, but suggest that this is a customer of both People Data Labs and OxyData and that the data might have been misused rather than stolen.

“Due to the sheer amount of personal information included, combined with the complexities of identifying the data owner, this has the potential to raise questions on the effectiveness of our current privacy and breach notification laws,” the researchers conclude.

“From the perspective of the people whose information was part of this dump, this doesn’t qualify as a cut-and-dry data breach. The information ‘exposed,’ is already available on LinkedIn, Facebook, GitHub, etc. begging a larger discussion about how we feel about data aggregators who compile this information and sell it, because it’s a standard practice,” Dave Farrow, senior director of information security at Barracuda Networks, told SecurityWeek in an emailed comment.

Jason Kent, hacker at Cequence Security, also commented via email, saying, “Here we see a new and potentially dangerous correlation of data like never before. […] if an attacker has a rich set of data, they can formulate very targeted attacks. The sorts of attacks that can result in knowing password recovery information, financial data, communication patterns, social structures, this is how people in power can be targeted and eventually the attack can work.”
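Both Elasticsearch stories in this issue (the one above and the earlier "Over One Billion Consumers Exposed" item) come down to the same misconfiguration: a node bound to a reachable interface with no authentication in front of its HTTP API. The following Python check is an added example, not code from the researchers, from Elastic or from the press review. It reads the flat "dotted.key: value" lines used in elasticsearch.yml and reports the exposed pattern, with a constructed weak configuration beside a constructed hardened one; treating a missing xpack.security.enabled as "false" is an assumption that matched the default on a basic licence at the time.

```python
"""Audit a flat elasticsearch.yml for the "open to the world, no auth" pattern.

Added example, not part of the press review or of Elasticsearch itself.
The two configuration texts are constructed; reading a missing
xpack.security.enabled as "false" is an assumption.
"""
import ipaddress

# Values of network.host / http.host that stay on the loopback interface.
LOOPBACK_NAMES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines (the flat elasticsearch.yml form, no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def binds_outside_loopback(host_value):
    """True when the bind address list reaches interfaces other than loopback."""
    for host in (h.strip() for h in host_value.split(",")):
        if host in LOOPBACK_NAMES:
            continue
        if host.startswith("_") and host.endswith("_"):
            return True          # _site_, _global_, _eth0_ ... are non-loopback
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass                 # a hostname: assume it resolves to a reachable address
        return True
    return False


def audit(settings):
    """Return a list of finding strings; an empty list means nothing was detected."""
    findings = []
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    exposed = binds_outside_loopback(host)
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if exposed and not security_on:
        findings.append(
            f"HTTP API bound to {host} with security disabled: anyone who can reach "
            "the port can list and dump every index")
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if security_on and not tls_on:
        findings.append("security enabled but HTTP TLS is off: credentials travel in clear text")
    return findings


# Constructed weak configuration: reachable on every interface, no authentication.
WEAK_CONFIG = """
cluster.name: enrichment-data
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed hardened configuration: private bind address, auth and TLS on.
HARDENED_CONFIG = """
cluster.name: enrichment-data
network.host: 10.0.5.12          # private address behind a firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

The weak text yields one finding and the hardened text none. Binding to a private address is not by itself a control, which is why the check only stays quiet when authentication is also on; network filtering in front of port 9200 and an inventory of which customers hold copies of the data remain separate concerns that no node-level setting addresses.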
An employee embezzles $22 million to buy bitcoin and play poker
Journal du Coin, 25 November 2019

Gambling addiction can lead far, very far. Here, an employee did not hesitate to embezzle $22 million from his company to play on poker sites and other online gambling sites, all after converting the stolen sums into cryptocurrency.

The story of an accountant who helped himself generously from the till

This new scandalous case is reported by the Department of Justice (DoJ) for the Central District of California: Dennis Blieden, a 30-year-old American, has pleaded guilty to charges of wire fraud and aggravated identity theft. He is a former executive of StyleHaul Inc, a digital marketing company that works with “influencers” on Instagram and YouTube.

According to his statement, between October 2015 and March 2019, the accused admitted to having taken advantage of his senior position in the company's accounting and finance department to embezzle more than $22 million. He is said to have wired the money taken from the company to his personal bank account, and covered his misdeeds by entering fraudulent data in StyleHaul Inc's accounting records. Dennis Blieden is also said to have created fictitious wire transfer receipts, which he claimed came from Western Union, and to have forged the signature of another company executive.
The accused is a poker and crypto-gambling enthusiast

But Dennis Blieden is not just an accountant; he is also the winner of several professional poker tournaments, including the World Poker Tour Los Angeles of March 2018, where he won the first prize of one million dollars! It was thus, quite naturally, that he is said to have taken up online gambling with cryptocurrencies, which he allegedly bought with part of the embezzled money. In all, our gambling addict is said to have deposited more than $8.4 million in converted funds into his crypto-asset accounts. He is also said to have used the stolen money to pay $1.2 million in cheques to settle debts to other poker players, and a further $1.1 million to pay off his credit card balances. Suffice it to say that gambling had become a real drug for him.

Arrested last July, Dennis Blieden remains in pre-trial detention awaiting his sentencing, which should take place on 20 March 2020, according to the judge in charge of the case. Our poker- and crypto-loving accountant faces a prison term that could keep him behind bars for up to 22 years, far from any gaming table.
$4.2 million in cryptocurrency seized by New Zealand police
Journal du Coin, 25 November 2019

Internet Magic Money – When looking at the various cybercriminals who decide to use cryptocurrencies for their dark designs, the cases follow one another... and are not necessarily alike. Today we tell you about this New Zealand programmer accused of having become rich thanks to an illegal streaming site, and who is said to have also discovered a passion for crypto-trading. For now, however, not everything is entirely clear.

A lucrative streaming site

New Zealand police have seized $4.2 million in cryptocurrency as well as $800,000 in a bank account belonging to Jaron David McIvor, a 31-year-old developer. According to the police, McIvor is alleged to be involved in money laundering and to have received millions of dollars through an illegal video streaming site he helped to create. New Zealand law is clear on this point, as Sergeant Keith Kay explains: “Introducing illegally obtained funds into New Zealand constitutes money laundering and police will thoroughly investigate the assets of those who engage in such activities, regardless of where in the world the crime is committed.”
The tip from PayPal and the IRS

Police quickly froze the funds concerned under their laws on the proceeds of crime. Law enforcement is said to have been put on McIvor's trail thanks to a tip from the US IRS, which had received reports of suspicious PayPal activity. Described as having a simple lifestyle, far from the usual ostentation of the most clichéd cybercriminals, McIvor is said to have discovered crypto-trading some time after starting his shady activities, according to New Zealand police. He would then have been able to grow some of his profits. Note that New Zealand law allows the precautionary freezing of assets on the basis of reasonable suspicion in this cybercriminal context.

So far, McIvor denies the money laundering allegations. We will have to wait a little longer to find out whether real charges will be brought against him... and if so, which ones.

Pests Force Estonian Government Offline
Infosecurity Magazine, 26 November 2019

The government of Estonia lost internet access after hungry rats chewed through fiber-optic cable located underground near the country's capital, Tallinn.

Estonian State Portal www.eesti.ee—a secure internet environment through which the country's residents can easily access state e-services and information—was forced offline for 5 hours as a result of the incident, which occurred last Wednesday.

Speaking on Estonian radio on Thursday, head of the State Network Department Kaido Plovits said: "It was a fiber-optic data cable that is widely used in telecommunications. Rodents had damaged it in several places, and we had to replace tens of meters of cable to fix the problem.
The entire state network had not collapsed, just a small part of it, whose security has not yet been automated."

While the culprits made off with full bellies, Estonians were left digitally stranded as access to several important digital services managed by the State Information Systems Authority (RIA) was interrupted.

The furry creatures' unconventional meal choice temporarily brought down a handful of health services managed by the Estonia Health Insurance Fund (EHIF), including a digital prescriptions service. Estonians were advised to contact their physician to request an old-fashioned paper prescription or approach the Emergency Medicine Department to fill urgent requests for medicine.

The Eesti Loto website, which sells lottery tickets for the €10,000,000 prize Eurojackpot, was also kicked offline by the peckish pests. The operation of ID cards and mobile ID cards was not interrupted.

The RIA became aware that a crucial cable laid in Harju County had malfunctioned at around 4:30 p.m. on November 20. Emergency repair work was immediately instigated, and many RIA and EHIF services resumed by about 7:30 p.m. Final repair work to the cable was completed at around 9:30 p.m.

Plovits told the daily Postimees newspaper that under normal circumstances the RIA would announce emergency maintenance work well in advance, but that the rats' activities had called for swifter action. Plovits said: "Since the cable was badly damaged, we had to repair it immediately otherwise the damage would be much greater."

Estonia is currently installing a parallel network of data connections to bolster the country's defenses against cyber-attacks and also, it seems, hungry rats. The small European country suffered a major cyber-attack in 2007 when Russian threat actors reacted to the removal of a Red Army soldier statue from the center of Tallinn to a military cemetery.
Nursing Home Patients at Risk After Ransomware Attack
Infosecurity Magazine, 26 November 2019

An IT services company has been hit with a $14 million ransom demand after suffering a major infection which could impact crucial patient care at many of its US nursing home clients, according to reports.

Milwaukee-based Virtual Care Provider Inc. (VCPI) provides cloud hosting, IT managed services, cybersecurity and more to clients across the country, including 110 nursing homes and acute care facilities, according to researcher Brian Krebs. However, it apparently suffered a Ryuk infection on November 17 affecting all of its clients’ data. The firm is said to manage 80,000 endpoints and servers for its care home customers.

As well as VCPI’s own billing and payroll systems the attack crucially impacted the firm’s IT services to clients including access to patient records. In some cases, this could be a life-threatening outage, according to CEO Karen Christianson.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she told Krebs. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done.”

The incident follows a ransomware attack on a large French hospital last week which resulted in “very long delays in care.”

Healthcare organizations and the third-party companies that serve them are seen as potentially lucrative targets for ransomware authors as they may have less to spend on cybersecurity but are running mission critical services that they simply can’t afford to lapse.
A recent report from Emsisoft revealed that there had been 491 ransomware attacks on healthcare providers between Q1 and Q3 this year.

An academic study published earlier this month claimed that data breach remediation efforts by targeted hospitals effectively led to a spike in mortality rates from heart attacks. The same researchers argued that ransomware “might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”

Malicious Android SDKs Caught Accessing Facebook and Twitter Users Data
The Hacker News, 26 November 2019

Two third-party software development kits integrated into hundreds of thousands of Android apps have been caught gaining unauthorized access to users' data associated with their connected social media accounts.

In a blog post published yesterday, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users' personal data to the OneAudience servers.

Following Twitter's disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn, is also under investigation for similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms.

Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into their apps; the SDKs then collect users' behavioral data, which is used with advertisers for targeted marketing.
In general, third-party software development kits used for advertisement purposes are not supposed to have access to your personally identifiable information, account password, or the secret access tokens generated during the 'Login with Facebook' or 'Login with Twitter' process.

However, reportedly, both malicious SDKs have the ability to stealthily harvest, without authorization, personal data that you had only authorized the app developers to access from your Twitter or Facebook accounts.

"This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application," Twitter clarified while disclosing the data collection incident.

So, the range of exposed data depends on the level of access affected users had granted when connecting their social media accounts to the vulnerable apps. This data usually includes users' email addresses, usernames, photos and tweets, as well as secret access tokens that could have been misused to take control of the connected social media accounts.

"While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so," Twitter said. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android; however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS."

Twitter has also informed Google and Apple about the malicious SDKs and advised users to avoid downloading apps from third-party app stores and to periodically review the apps authorized on their accounts.
Meanwhile, in a statement provided to CNBC, Facebook confirmed that it had already removed the apps from its platform for violating its policies and issued cease and desist letters against both One Audience and Mobiburn.

"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," Facebook said.

In response, OneAudience announced it was shutting down its SDK and also provided a statement saying, "this data was never intended to be collected, never added to our database and never used."

"We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version," OneAudience said.

Both social media companies now plan to inform users who may have been impacted by this issue shortly.
New 'Ginp' Android Trojan Targets Credentials, Payment Card Data
Security Week, 26 November 2019

A recently discovered Android banking Trojan that features a narrow target list and two-step overlays is capable of stealing both login credentials and credit card data, ThreatFabric reports.

Dubbed Ginp and identified in October, the malware has been around since June and has seen five major updates since, with the latest bringing pieces of code copied from the Anubis banking Trojan.

Initially, Ginp was masquerading as a "Google Play Verificator" app and was focused on stealing the victim’s SMS messages. In August, it was updated with banking-specific features and started posing as fake “Adobe Flash Player” apps. By abusing the Accessibility Service, the malware could perform overlay attacks and set itself as the default SMS app. Its generic credit card grabber targeted programs such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter.

A third version added payload obfuscation and Snapchat and Viber to the target list. The next version introduced code taken from Anubis — the malware’s source code was leaked earlier this year — and switched to a new overlay target list, focused on banks. It now targets 24 apps belonging to seven different Spanish banks: CaixaBank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.

Detected this month, the most recent version of the malware brings only small modifications, including a new endpoint apparently related to downloading a module, likely with new features or configurations.

Once executed on the victim device, the malware removes its icon from the app drawer, then asks for the Accessibility Service privilege. As soon as it receives these privileges, the malware grants itself additional permissions to be able to send messages and make calls.
Based on received commands, Ginp can send or harvest SMS messages, update the command and control (C&C) URL, update the target list, request admin privileges, set itself as the default SMS app, prevent the user from disabling Accessibility Services, enable overlay attacks, get installed apps or contacts, enable call forwarding, and hide itself and prevent removal, among others.

In addition to requesting the victim’s login credentials, the malware’s overlays demand credit card details, claiming they are necessary to validate the user’s identity. Once this second step has been completed, the successfully targeted application will be ignored in future attacks.

Simple but effective, Ginp is expected to evolve, likely adding some more capabilities taken from Anubis. Within 5 months, its authors have proven they can build a Trojan from scratch and pack it with powerful capabilities.

“Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,” ThreatFabric points out.

Given that the path used in the inject requests contains the country code of the targeted institution, ThreatFabric believes that the malware author is already planning an expansion to additional countries or regions.
Apple: 142 malicious applications detected in the App Store
Le Siècle Digital, 26 November 2019

Using a new screening technique, researchers have detected 142 malicious applications in Apple's App Store. Once installed, they can, among other things, distribute unauthorized content, spread fake news or harvest users' personal data.

We recently learned that most Android phones are sold with significant security flaws in their pre-installed applications. Today it is Apple that is in the spotlight. Although the App Store is a highly secured space, some malicious applications manage to get promoted on the platform. They hide a second interface that cannot be detected by Apple's screening, as IEEE Spectrum reports. In fact, these apps only become truly malicious once installed on a device, in particular after an unintended action by the user.

Using a new tool called CHAMALEON-HUNTER, a team of researchers was able to identify 142 of them; the tool relies on two techniques to do so. The first analyzes the code hierarchy to detect a possible second interface, while the second focuses on semantics to find suspicious elements, such as words that have no connection with the application itself. How the tool works is detailed in IEEE Transactions on Dependable and Secure Computing, and its precision is 92.6%.

28,000 applications analyzed

The tool was used on no fewer than 28,000 applications over a six-month period. 58 of them distributed prohibited content, 38 served as platforms for malicious crowdsourcing, 14 harvested sensitive data and 11 spread false information. Others engaged in, among other things, advertising fraud.
Some of these applications reached the Top 100 of their category, but have since been removed by Apple. The researchers estimate that around 0.8 of the applications on the App Store are likely to host a similar Trojan.

Unfortunately, CHAMALEON-HUNTER has its limits, as Xueqiang Wang of Indiana University explains: "Our approach is only useful when the hidden interfaces are already built into the application. However, hackers can use other methods to introduce hidden interfaces." That is why the researchers want to develop even more advanced techniques for detecting malicious apps. For example, they are looking for a way to spot applications that target specific activities, such as collecting data on users' health.

Vistaprint accidentally leaves a customer file freely accessible on the internet
Le Siècle Digital, 26 November 2019

On 21 November, a computer security researcher, Oliver Hough, called out the online printing giant Vistaprint via Twitter. The researcher had discovered an entire unencrypted customer database, available online, without any password to protect it.

Hey @Vistaprint do you have a bug bounty program? or a security contact I can talk to. Got something here that your security team will want to look at ASAP my DM’s are open — Oliver Hough (@olihough86) November 21, 2019
Oliver Hough detected the flaw using the Shodan search engine, which makes it possible to track down vulnerable databases. The detection dates from 5 November; the file, which was neither receiving nor sending data, had last been updated in mid-September. At this stage it is impossible to know how long the database had been freely accessible, or whether it was exploited by malicious individuals.

The online printing company is owned by the Dutch group Cimpress. Originally behind Vistaprint, the group now invests in several companies specializing in the same sector and offers its customers a whole range of customizable print products.

A file containing 51,000 interactions between Vistaprint and its customers

The consumers directly affected by the breach are based in the United States, the United Kingdom and Ireland. The file, now no longer accessible online, took the form of five tables listing 51,000 interactions between consumers and the company's customer service. A wide range of data was accessible, from emails exchanged with the platform, to the names and contact details of some customers, to recordings of phone calls between the company's agents and consumers.

First table, "cases". In this table it was possible to find customers' requests, their names, email addresses, phone numbers and the date and time of the exchange with Vistaprint. The table also contained confidential company data, such as the nature of the request from the person contacting customer service, whether the request was "neutral" or "negative", and the request's priority.

Second table, "chat".
Here, online interactions were recorded. Vistaprint displayed information on the customer's browser, network connection, operating system and internet provider, as well as the location from which they communicated with Vistaprint.

Third table, "mail". As its name suggests, this section recorded the email threads exchanged between the company's departments and its customers, with potentially a great deal of personal information ending up in these exchanges.

Fourth table, "telephone". Following the same logic, this section of the database records the date and time of the call, the time spent on hold, a transcript of the call and a link to the call recording.

TechCrunch, which publicly disclosed the flaw, gives no details on the fifth and final table, simply explaining that email addresses and phone numbers of Vistaprint's customer service were also visible in the document.

Vistaprint admits an "unacceptable" flaw

Contacted by TechCrunch, the company admitted that such a flaw was "unacceptable" and "should not have happened under any circumstances". The company also said it was conducting an internal investigation into the incident, and added that customers potentially affected by the flaw would be notified.

The reasons why the database was put online with open access remain unclear. The document was named "migration", which could suggest that it was used to hold data pending its transfer between two servers. An internal failure, lax security, as was the case with Gearbest, for example, or closer to France, at Bouygues. This kind of incident is often caused by simple human carelessness; it is typically the kind of flaw that we should expect to see appear regularly in the future.
Healthcare Execs Charged in $1Bn Fraud Scheme
Infosecurity Magazine, 27 November 2019

Six former executives and employees of a US healthcare start-up have been charged with running a fraud scheme that’s said to have made them $1bn.

The men — who include the co-founder, president, COO/CFO and EVP of business operations — worked for a tech firm called Outcome Health which provides digital medical information and advertising in doctors’ offices.

It’s alleged they sold tens of millions of dollars of advertising inventory that did not exist, inflating the company’s financials so that they were able to raise nearly $1 billion in financing in 2016 and 2017.

Co-founder and CEO Rishi Shah, 33, of Chicago, Illinois; co-founder and president, Shradha Agarwal, 34, of Chicago; and COO Brad Purdy, 30, of San Francisco, are charged with various counts of mail fraud, wire fraud and bank fraud. Senior analyst Kathryn Choi, 29, of New York, and analyst Oliver Han, 29, of Chicago, are each charged with one count of conspiracy to commit wire fraud.

According to the Department of Justice, the group sold pharmaceutical clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

It’s also alleged that several of those indicted falsified data shared with auditors, which led to the latter approving over-inflated revenue figures for 2015 and 2016. This enabled them to raise $110m in debt financing in April 2016, $375m in December 2016 and nearly $488m in early 2017, with Shah and Agarwal allegedly splitting dividends of nearly $263m between them.

“Outcome’s former executives and employees allegedly deceived lenders, investors, and their own auditors by falsely representing revenue for additional profit,” said principal deputy assistant attorney general John Cronan of the Justice Department’s Criminal Division.
“The charges announced today demonstrate that lies and deception cannot serve as the basis for any company, including start-up companies, to falsely grow revenue for additional capital and private gain.”

Minor Arrested for Jack Dorsey Twitter Hack
Infosecurity Magazine, 27 November 2019

A former member of the Chuckling Squad is presumably not laughing now after being arrested for hacking the Twitter account of Twitter CEO Jack Dorsey.

The alleged hacker, who is a minor, is said to be part of a group that used a SIM-swapping technique to hack into Dorsey's account in August of this year and send out multiple tweets containing racial slurs. They also tweeted bomb threats and retweeted anti-Semitic material.

The group, known as the Chuckling Squad, has claimed responsibility for a number of high-profile social media hacks, including one perpetrated against actress Chloe Grace Moretz.

The threat group was able to carry out the hack after gaining access to Dorsey's phone number and transferring that number to a new SIM card. Following the hack, Twitter updated its two-factor authentication so that users no longer have to give their phone number.

"We applaud the efforts of all the law enforcement agencies involved in this arrest," said the Santa Clara County District Attorney's Office, which manages the Regional Enforcement Allied Computer Team (REACT). "REACT continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested, and prosecuted."
Hacker Debug, a leader of the Chuckling Squad, told Motherboard that the minor was arrested about two weeks ago after being kicked out of the threat group in October.

"He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them," Debug said.

After the minor furnished the group with Dorsey's number, other squad leaders known as Aqua and NuBLoM tricked a wireless provider into giving them control of the phone number. They were then able to receive two-factor authentication SMS codes.

Guidelines issued by the Federal Trade Commission on how to protect yourself from a SIM-swap attack include recommendations to limit the personal information you share online and to set up a PIN or password on your phone account. Phone users are also advised never to reply to calls, emails, or text messages that request personal information, as they may be phishing attempts.

Over 12,000 Google Users Hit by Government Hackers in 3rd Quarter of 2019
The Hacker News, 27 November 2019

As part of its active efforts to protect billions of online users, Google identified and warned over 12,000 of its users who were targeted by a government-backed hacking attempt in the third quarter of this year.

According to a report published by Google's Threat Analysis Group (TAG), more than 90 percent of the targeted users were hit with "credential phishing emails" that tried to trick victims into handing over access to their Google account.