Alleged SIM swapping crypto-crooks cuffed, iOS app snooping, ad-fraud botnets, and more
All your extra bits and bytes of this week's infosec news in less than 5 minutes
Roundup Here's a summary of more infosec news beyond what we've already reported this week – enjoy.
Beware of pretend Italian plumbers bearing gifts: Mario, the beloved video game plumber with a porn-star mustache, should be treated with caution, according to security shop Bromium. Well, at least images of him.
Engineer Matthew Rowen was investigating a Windows Trojan that has an unusual pattern of behavior. The malware's PowerShell commands are hidden in a picture of Nintendo's Mario, which is odd. What's more interesting is that the code is programmed to only run when the infected machine is in Italy. Who’s writing this software nasty – Wario?
Panda pops… How China’s hacker spies apparently ransacked US, Euro biz: Chinese government hackers, dubbed APT10 aka Stone Panda, broke into at least three businesses in the US and Europe to steal valuable confidential information, infosec outfits Recorded Future and Rapid7 claimed this week.
We’re told these compromised organizations include IT and business cloud provider Visma; a billion-dollar Norwegian company with more than 850,000 clients worldwide; an international clothing firm; and US intellectual property lawyers with high-tech clients in sectors from pharmaceutical and biomedical to electronics and automotive.
The miscreants, according to researchers, were able to break in using stolen login details for Citrix and LogMeIn remote-desktop software, and then exploited elevation-of-privilege vulnerabilities to compromise Windows networks as administrators. Against Visma, the alleged Beijing spies used the Trochilus malware to infect computers and remote-control them from command servers. Technical details, and advice on how to stay safe, over here.
Crypto-hungry SIM swap suspects cuffed: Two men have been collared by the Feds on allegations they tricked mobile network staff into transfering strangers’ phone numbers to their SIM cards so they could hijack and drain the victims’ online crypto-coin wallets.
Ahmad Wagaafe Hared, 21, of Tucson, Arizona, and Matthew Gene Ditman, 23, of Las Vegas, Nevada, were charged in the US with conspiracy to commit computer fraud and abuse, conspiracy to commit access device fraud, extortion, and aggravated identity theft. According to prosecutors:
The conspirators allegedly convinced the representatives of cellphone service providers to transfer or port cellphone numbers from SIM cards in the devices possessed by victims to SIM cards in devices possessed by the conspirators, a practice known as SIM swapping. The indictment further alleges that after Hared, Ditman, and others gained control of victims’ cellphone numbers, they used additional deceptive techniques to gain access to email, electronic storage, and other accounts of victims and ultimately to cryptocurrency accounts of victims. Hared, Ditman, and their co-conspirators also extorted victims of the SIM swapping scheme.
The pair are among of a number of alleged, or convicted, SIM swappers that have been popping up in the news lately.
Chinese bank IT admin jailed for $1m theft: An IT administrator at China’s Huaxia Bank is facing more than ten years in the clink after admitting stealing a hefty amount of cash.
Qin Qisheng, 43, found a number of flaws in the bank's core operating system that could be exploited to withdraw cash from ATMs for free. He siphoned off amounts ranging from $740 to $2,965 with each withdrawal, and put the dosh in his own account, investing some of it in the stock exchange.
When his bosses uncovered the caper, he agreed to give all the money back, claiming it had just been "resting" in his account. The authorities were less forgiving, however, and he'll now be spending the next 10 and a half years behind bars.
Google, New York City cops clash over Waze police checkpoint alerts: Cops in the Big Apple sent a cease-and-desist letter to Google, demanding it remove alerts from its Waze app that warn drivers of nearby drink-driving checks. These so-called driving-while-intoxicated (DWI) checkpoints are set up by the plod to test motorists aren’t over the booze limit, though Waze tips off citizens. Google has refused to comply, arguing that alerting folks to checkpoints preemptively makes them drive safer.
Cisco emits wad of security fixes: There are a bunch of product updates from Cisco this week that address security vulnerabilities in its gear. Some are updates to much earlier advisories. Of the new ones, we’ve got cross-site scripting holes in Cisco Identity Services Engine (CVE-2018-15440, CVE-2018-15463), a bug that can anyone can use to crash a Cisco Meeting Server (CVE-2019-1676), a content injection vulnerability in Cisco WebEx Business Suite (CVE-2019-1680), and various other issues that need patching, where support contracts allow, to keep the bad people out.
In space, er, Apple, no one can hear, er, see you scream, er, your screen: Apple has reminded iOS app developers not to use code that monitors exactly how people use their software without informing them. It turns out a number of high-profile applications are using an analytics package called Glassbox that beams back telemetry, from app to developer, so coders can observe how folks interact with the user interfaces, which is a no-no as it may leak sensitive information like credit card numbers.
Following a TechCrunch probe, Apple this week said: “Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”
Wi-Fi me to TheMoon, let me fraudulently view ads on YouTube: A botnet of compromised home broadband routers, dubbed TheMoon, has been caught fetching YouTube video pages seemingly to inflate vid ad impressions, according to US ISP CenturyLink. The malware infects Linksys, ASUS, MikroTik, GPON, and D-Link routers by scanning for known vulnerabilities in the devices and in web applications running on Internet-of-Things gadgets. The botnet is also used for brute-forcing credentials to log into websites and causing other mischief.
Phishing attack mimics Google using Translate: Phishing attacks are nothing special these days, however, researchers at Akamai have found one cunning criminal using Google Translate to steal credentials.
The superbly-named Larry Cashdollar at Akamai was sent an email that looked as though it came from Google telling him a new Windows machine had logged into his Facebook account. His suspicions were aroused when he noticed the email was sent from Hotmail, and decided to dig deeper. After clicking on a link in the message that claimed to offer more details, he clocked the URL had taken him to Google Translate: what he was seeing was a translated page that was trying to trick him into typing in his Gmail email address and password. The Google logo in the top left corner, and google.com in the URL, may have convinced a few victims at least to hand over their credentials.
Plus, some anti-phishing tools do not check Google Translated URLs. As ever, with suspicious emails check, check, and check again.
Swiss cheesed off with crap election security: Switzerland’s national postal system is inviting folks to hack its e-voting technology in a simulated federal vote so as to test the security of its networks and software. There’s up to roughly $50,000 (40,000 quid) up for grabs if you’re able to change votes without being detected. Source code, here.
Hacked remote-desktop login souk shut down: xDedic, a marketplace for buying and selling stolen RDP login details as well as people’s private personal information, has been torn offline by the FBI and officials in Belgium, Ukraine and Europol. We’re told the operation’s website has been seized, and three suspects cuffed in connection with the cyber-souk, ending what has been years of criminality. At its height, xDedic touted logins for 85,000 systems at a few bucks a pop, allowing fraudsters to bank as much as $70m from their victims. ®