Privacy and Security related news for the week ending 2020 07 28

We have a very entertaining and full agenda for you this week: from Trump on social media, to makeup for that social media, to the drone you use to get those dramatic overhead shots. If you are a YouTube star in your off hours, you are going to want to read this week's Security Matters Update.

We also have a very clever new compromise for Docker, reverse engineering for tax reporting software for companies operating in China that revealed far more than your numbers, and why your Garmin stopped reporting your runs over the weekend.

We think you will enjoy this week’s selection of stories!


Trump’s Plans For More Social Media Regulation Move Forward

Emma Woollacott: the US National Telecommunications and Information Administration (NTIA) has filed a formal petition to the Federal Communications Commission (FCC), asking it to issue rules on when internet platforms are liable for user content posted on their sites.

The move stems from an executive order signed by Trump in May, after Twitter attached fact-check warnings to his statements claiming mass fraud in mail-in voting. It centers on Section 230 of the Communications Decency Act, which protects social media companies from liability for content posted by their users, and allows them to remove offensive or inaccurate posts.

The petition asks the FCC to require platforms to demonstrate that content moderation is carried out 'in good faith' and that they are politically neutral. It calls on the FCC to rule on how Section 230 covers content moderation decisions, and to clarify when platforms are entitled to its protection.

“The petition is a monumental waste of the FCC’s time: it garbles both statutory interpretation and constitutional law,” says TechFreedom general counsel James Dunstan.

“There’s no way for the FCC, the FTC, or any court to decide what constitutes ‘good faith’ content moderation, because it would require the government to examine the content of internet speech, which the First Amendment clearly forbids.”


UK: Over Half of Universities Suffered Data Breach in Past Year

Over half (54%) of UK universities reported a data breach to the regulator in the past 12 months, with an average of two reports each, according to new Freedom of Information (FOI) data collected by Redscan. The security firm received answers from 86 of the 134 higher education institutions it contacted to compile the new report, The state of cyber security across UK universities.


Bank of Ireland fined €1.66 million after being tricked by fraudster

Bank of Ireland has been fined almost €1.7 million after regulators discovered it had failed to inform the financial regulator and the police after a fraudster tricked it into transferring funds from a client’s account.

In September 2014, a fraudster impersonated a client of Bank of Ireland’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), and tricked the bank into transferring a total of €106,430 (approximately US $125,000) from the client’s personal current account and the bank’s own funds into a UK bank account.

The fraudster had hacked into the victim’s email account to request the money transfers from the bank.

Astonishingly, the bank released confidential details related to the account to the fraudster without requiring them to answer any security questions. Furthermore, the bank did not call the client using the contact telephone number on its database to confirm the request for the money transfer.

Indeed, it was over a year later that the Central Bank discovered a reference to the incident in Bank of Ireland’s logs, demanded more details, and insisted that the fraud be reported to the police.


New Linux malware uses Dogecoin API to find Command and control (C&C) server addresses

Intezer Labs researchers say that in recent attacks carried out by the Ngrok group this year, the hackers have targeted Docker installations where the management API has been left exposed online.

The hackers abused the Docker API to deploy new servers inside a company’s cloud infrastructure. The servers, running a version of Alpine Linux, were then infected with crypto-mining malware dubbed ‘Doki.’

The new multi-threaded malware leverages “an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal.”

The process, as reverse-engineered by researchers, is detailed below:

Query dogechain.info API, a Dogecoin cryptocurrency block explorer, for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}

Perform SHA256 on the value returned under “sent”

Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.

Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net

What all the steps above mean is that the Doki creators, the Ngrok gang, can change the server where Doki gets its commands by making one single transaction from within a Dogecoin wallet they control.
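The four steps above are easy to reproduce offline, and doing so shows both how cheap the operator's side is and what the scheme leaves behind in DNS logs. The following is an added example written for this newsletter; it is not Intezer's code or a Doki sample. The API response and the DNS log lines are constructed for the example (the real dogechain.info API is never contacted), and it assumes the "sent" value is hashed exactly as the API returns it as a string, a detail the write-up does not spell out.

```python
import hashlib
import json
import re

# Constructed stand-in for the body returned by
# https://dogechain.info/api/v1/address/sent/{address}. The real API is not
# called and the amount is made up; only the "sent" field is used.
SAMPLE_API_RESPONSE = json.dumps({"sent": "1234.56789000", "success": 1})

C2_PARENT_DOMAIN = "ddns.net"
SUBDOMAIN_HEX_LEN = 12


def doki_c2_domain(api_body: str) -> str:
    """Apply the four described steps to one API response body.

    Assumption (not stated in the write-up): the 'sent' value is hashed as
    the exact string the API returned, with no numeric re-formatting.
    """
    sent = str(json.loads(api_body)["sent"])
    digest = hashlib.sha256(sent.encode("ascii")).hexdigest()
    return f"{digest[:SUBDOMAIN_HEX_LEN]}.{C2_PARENT_DOMAIN}"


# Defender side: a 12-hex-character label directly under ddns.net is the
# fingerprint this scheme leaves in DNS logs. ddns.net also hosts plenty of
# legitimate names, so treat a match as a triage lead, not a verdict.
CANDIDATE_C2 = re.compile(r"^[0-9a-f]{12}\.ddns\.net$")

# Constructed DNS query log, one "<client_ip> <queried_name>" per line.
SAMPLE_DNS_LOG = """\
10.0.3.15 dl-cdn.alpinelinux.org
10.0.3.15 6d77335c4f23.ddns.net
10.0.3.22 myhomecam.ddns.net
10.0.3.15 6d77335c4f23.ddns.net
10.0.3.40 api.example.com
"""


def flag_candidate_c2_queries(dns_log: str) -> dict:
    """Return {queried_name: sorted list of client IPs} for matching names."""
    hits = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        qname = qname.lower().rstrip(".")
        if CANDIDATE_C2.match(qname):
            hits.setdefault(qname, set()).add(client)
    return {name: sorted(ips) for name, ips in hits.items()}


if __name__ == "__main__":
    print("C2 for sample response:", doki_c2_domain(SAMPLE_API_RESPONSE))
    print("Flagged queries:", flag_candidate_c2_queries(SAMPLE_DNS_LOG))
```

Run stand-alone it prints the derived C2 name and the one flagged host (10.0.3.15, the same client that fetched Alpine packages, which is the kind of correlation that makes the lead worth chasing on a Docker host). Because every step is deterministic and the wallet is public, a defender can run the same derivation against the attacker's address and pre-register or block the next name before the operator uses it.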

If DynDNS (ddns.net) receives an abuse report about the current Doki C&C URL and takes it down, the Ngrok gang only has to make a new transaction, determine the subdomain value, and set up a new DynDNS account and grab the subdomain.

This mechanism, clever as it is, is also an effective way of preventing law enforcement from taking down the Doki backend infrastructure, as they’d need to take control of the Ngrok gang’s Dogecoin wallet, something that is not possible without the wallet’s private key.

All in all, the conclusion here is that companies running Docker in the cloud need to make sure the Docker daemon’s remote API is not exposed to the internet. When the daemon listens on TCP (conventionally port 2375) without TLS client-certificate verification, it performs no authentication at all, so a single misconfiguration hands control of the Docker host to anyone who can reach the port.
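The misconfiguration is small enough to check for mechanically. Below is an added example for this newsletter (not Intezer's or Docker's code) that compares a weak daemon.json with a hardened one and audits the "hosts" entries. It assumes the listener is configured in daemon.json rather than via -H flags in the systemd unit, which is the other common place; the certificate paths are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments for the example; paths are placeholders.
# Weak: the API is bound on all interfaces over plain TCP. Docker performs no
# authentication on such a listener, so anyone who can reach the port can
# create containers (and, via bind mounts, own the host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Corrected: TLS with mandatory client certificates (tlsverify) on the
# conventional TLS port. Firewalling the port is still advisable.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_docker_hosts(daemon_json: str):
    """Return findings (strings) for TCP listeners lacking client-cert auth."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are governed by file permissions
        if cfg.get("tlsverify"):
            continue  # clients must present a cert signed by tlscacert
        hostname = urlsplit(host).hostname
        if cfg.get("tls"):
            # "tls": true without "tlsverify" encrypts the channel but still
            # accepts any client; this is a frequent half-fix.
            findings.append(f"{host}: TLS enabled but client certificates not required")
        elif hostname in LOOPBACK:
            findings.append(f"{host}: unauthenticated API on loopback (any local user can control Docker)")
        else:
            findings.append(f"{host}: unauthenticated API reachable from the network")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_docker_hosts(cfg) or ["no findings"])
```

The audit is deliberately conservative about the hardened case: a tlsverify listener on 0.0.0.0 passes, but it is still an internet-facing management port and belongs behind a firewall or VPN regardless of what the certificate check buys you.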

In its report, Intezer specifically mentions this issue, warning that the Ngrok gang was so aggressive and persistent in their scanning and attacks that it usually deployed its malware within hours after a Docker server became exposed online.


FBI warns US companies about backdoors in Chinese tax software

Catalin Cimpanu: The US Federal Bureau of Investigation sent an alert on Thursday warning US companies about backdoor malware that is being silently installed on the networks of foreign companies operating in China via government-mandated tax software.

The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China.

Making matters worse, the FBI says that all foreign companies are required by local Chinese laws to install this particular piece of software in order to handle value-added tax (VAT) payments to the Chinese tax authority.

“In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company’s network,” the FBI said, describing what security firm Trustwave later identified as the GoldenHelper malware.

“In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software from Aisino Corporation that is required by a Chinese bank under the same VAT system, likely contained malware that installed a hidden backdoor to the networks of organizations using the tax software,” the FBI also said – describing what Trustwave identified as the GoldenSpy backdoor, believed to be a second and improved iteration of the original GoldenHelper malware.

The FBI warns US companies that the backdoor malware installed on their systems has dangerous capabilities that may allow “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”

FBI officials said they believed US companies in the healthcare, chemical, and finance sectors operating in China are in particular danger, based on China’s historical interest in these sectors.

While the FBI alert didn’t point the finger at the Chinese government directly, it said that both Baiwang and Aisino operate their VAT software under the management and oversight of NISEC (National Information Security Engineering Center), a state-owned enterprise with “foundational links” to China’s People’s Liberation Army, suggesting a well-orchestrated nation-state intelligence-gathering operation.


Four years on from launch, the No More Ransom initiative has helped over 4 million victims of ransomware attacks retrieve their files for free.

Over four million victims of ransomware attacks have now avoided paying over $600 million in extortion demands to cyber criminals in the first four years of Europol’s No More Ransom initiative.

First launched in 2016 with four founding members, No More Ransom provides free decryption tools for ransomware and has been growing ever since, now consisting of 163 partners across cybersecurity, law enforcement bodies, financial services and more.

Together, they’ve released free decryption tools for over 140 families of ransomware which have been downloaded a combined total of over 4.2 million times – something which Europol estimates has prevented $632 million from being paid out to cyber criminals.

Among the top contributors to the project are Emsisoft, which has provided 54 decryption tools for 45 ransomware families, founding member Kaspersky, which has provided five tools for 32 ransomware families, and Trend Micro, which has provided two decryption tools for 27 ransomware families.

Preventative steps recommended by Europol include backing up important files offline, so that in the event of an attack files can be restored immediately whether or not a decryption tool is available. Europol also recommends that users don’t download programs from suspicious sources or open attachments from unknown senders, so as to avoid falling victim to email-based attacks.


Smartwatch Maker Garmin Shuts Down Services After Ransomware Attack

By Larry Dignan: As of Monday morning, Garmin said that Garmin Connect has returned with limited functionality. Simply put, Garmin has had a rough week. Here’s the timeline:

July 24: Garmin services and production go down after ransomware attack

Garmin’s outage, ransomware attack response lacking as earnings loom

Garmin Fenix smartwatches hit with GPS, run and activity saving glitch amid outage

Specifically, as of July 27th Garmin Connect can display activity details and uploads, register devices, show the dashboard, and produce reports and segments. The company noted on its status page:

July 27th: We are happy to report that Garmin Connect recovery is underway. We’d like to thank you for your understanding and patience as we restore normal operations.

Limited functionality remains for daily summary, courses, Garmin Coach, third party sync and Strava. On Strava, Strava Beacon integration is working, but segments, routes and uploaded activities are being queued to sync.


Researchers Reveal New Security Flaw Affecting China’s DJI Drones

Ravie Lakshmanan: Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI). The app contains an auto-update mechanism that bypasses the Google Play Store and could be used to install malicious applications, and it transmits sensitive personal information to DJI’s servers.

The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM, found that DJI’s Go 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it also makes use of anti-debug and encryption techniques to thwart security analysis.

“This mechanism is very similar to command and control servers encountered with malware,” Synacktiv said.

“Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user’s phone.”

Reverse engineering the app, Synacktiv said it uncovered the existence of a URL (“hxxps://service-adhoc.dji.com/app/upgrade/public/check”) that it uses to download an application update and prompt the user to grant permission to “Install Unknown Apps.”

“We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed,” the researchers said.

Even more concerning, the app continues to run in the background even after it’s closed and leverages a Weibo SDK (“com.sina.weibo.sdk”) to install an arbitrarily downloaded app, triggering the feature for users who have opted to live stream the drone video feed via Weibo. GRIMM said it didn’t find any evidence that it was exploited to target individuals with malicious application installations.

Besides this, the researchers found that the app takes advantage of the MobTech SDK to hoover up metadata about the phone, including screen size, brightness, WLAN address, MAC address, BSSIDs, Bluetooth addresses, IMEI and IMSI numbers, carrier name, SIM serial number, SD card information, OS language and kernel version, and location information.

Last May, the US Department of Homeland Security had warned companies that their data may be at risk if they use commercial drones manufactured in China and that they “contain components that can compromise your data and share your information on a server accessed beyond the company itself.” This is proof.


Dave data breach affects 7.5 million users, leaked on hacker forum

Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums.

Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.

A threat actor released a database containing 7,516,691 user records for free on a hacker forum on Friday.

After BleepingComputer reached out to Dave regarding the leaked database, Dave disclosed the incident as a data breach a day later.

In a statement sent to BleepingComputer on Saturday, Dave says its database was breached after Waydev, a former third-party service provider used by the company, was itself breached.

"The stolen information included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers."

Be sure to change your password at any other sites where you used the same password as in the Dave app.


Selfie star? Change your makeup brand. Cosmetics Giant Avon Leaks 19 Million Records.

Yet another improperly secured (or entirely unsecured) Elasticsearch database, this one belonging to Avon and hosted on Azure, has been found wide open with no password protection or encryption.

The London-headquartered firm, which boasts over $5.5bn in annual worldwide sales, was apparently exposing the 7GB database for nine days before it was discovered on June 12.

It contained personally identifiable information (PII) on customers and potentially employees, including full names, phone numbers, dates of birth, email and home addresses, and GPS coordinates. Also included in the haul were 40,000+ security tokens, OAuth tokens, internal logs, account settings and technical server information.

While the PII could have been leveraged to commit a wide range of identity fraud and follow-on phishing scams, the exposed technical details also posed a risk to Avon, according to SafetyDetectives.

“Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand; namely, ransomware attacks and paralyzing the company’s payments infrastructure,” it argued.

Interestingly, a June 9 filing with the Securities and Exchange Commission revealed the firm had suffered a “cyber-incident in its information technology environment which has interrupted some systems and partially affected operations.”

A second filing on June 12 claimed that the firm was planning a restart of its systems.

“Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data.”