Last Week In Blockchain and CyberSecurity News - September 17, 2019
Personal Data of Entire 16.6 Million Population of Ecuador Leaks Online
Security researchers at vpnMentor, Noam Rotem and Ran Locar, have discovered a data leak that holds information belonging to the entire population of Ecuador. The leak consists of 18GB of data containing 20.8 million records.
The exposed data was retained on an unsecured server located in Miami, Florida but owned by an Ecuadorian company.
According to Forbes and the vpnMentor report, the personal leaked information includes:
full name (first, middle, last)
date of birth
place of birth
home, work, and cell phone numbers
date of marriage (if applicable)
date of death (if applicable)
level of education
employer tax identification number
job start date
job end date
If a resident held a bank account with the Ecuadorian national bank, the records also contained additional information such as:
current balance in the account
Fortunately, the Ecuador Computer Emergency Response Team (CERT) closed the database once they were notified by the vpnMentor researchers.
Read more here
France and Germany to Block Facebook’s Libra Cryptocurrency
French Finance Minister Bruno Le Maire has announced that both France and Germany have agreed to block Facebook’s upcoming cryptocurrency, Libra. A joint statement issued by the two governments declares,
Le Maire further asserted the government’s stance against Libra stating,
Libra is designed to allow individuals the opportunity to make payments across Facebook’s various apps, like WhatsApp and Facebook Messenger. Companies such as Visa, MasterCard, and PayPal have all been backers of the project. Libra’s head of policy recently commented on the announcements from France and Germany, stating that this chain of events further underscores the importance of working with regulatory bodies.
Read more here
SIM-Based Attack Has Been Spying on People for Two Years
Researchers at AdaptiveMobile have discovered a new SIM-based vulnerability, dubbed Simjacker, and the exploit has reportedly been used by an unnamed surveillance company to monitor people’s devices.
To exploit this vulnerability, an attacker sends an imperceptible SMS message containing instructions for an older version of the S@T Browser app, which is still supported on various cellular carriers’ SIM cards. These instructions make the SIM retrieve location info and IMEI numbers, which are then sent (via SMS) back to an attacker-controlled device that records the information.
According to Security Affairs, the attacker can perform the following actions:
Retrieve targeted device’s location and IMEI information,
Spread misinformation by sending fake messages on behalf of victims,
Perform premium-rate scams by dialing premium-rate numbers,
Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
Spread malware by forcing a victim’s phone browser to open a malicious web page,
Perform denial of service attacks by disabling the SIM card, and
Retrieve other information like language, radio type, battery level, etc.
To make matters worse, the attacker obtains this information without the victim noticing, and the attack works against any brand of phone (iPhones, various brands of Android phones). According to the researchers, the mystery company has been using this vulnerability in 30+ countries for over two years. SIMalliance has provided a new set of security guidelines for cellular carriers, including the following recommendations:
Implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and
Making changes to the security settings of SIM cards issued to subscribers.
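An added example (not from the original post, AdaptiveMobile or SIMalliance) of what the first recommendation, filtering binary SMS at the network level, can look like: a carrier-side check that parses the header of an inbound SMS-DELIVER TPDU (3GPP TS 23.040 layout) and blocks messages addressed to the (U)SIM (TP-PID 0x7F or a class-2 DCS) unless the originator is allow-listed. The sample TPDUs, the allow-list and the field names are constructed for the example; alphanumeric senders are not decoded.

```python
# Added example: carrier-side filter for SIM-directed binary SMS (not project code).
SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID value "(U)SIM data download" (TS 23.040)

def _bcd_digits(raw: bytes, ndigits: int) -> str:
    """Decode swapped-nibble BCD address digits; 0xF pads an odd-length number."""
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits[:ndigits])

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Parse the header fields of an SMS-DELIVER TPDU (TS 23.040 9.2.2.1)."""
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len = tpdu[1]                   # originating address length in digits
    oa_bytes = (oa_len + 1) // 2       # tpdu[2] is the type-of-address octet
    originator = _bcd_digits(tpdu[3:3 + oa_bytes], oa_len)
    i = 3 + oa_bytes                   # TP-PID, TP-DCS, 7-byte TP-SCTS, TP-UDL
    return {"originator": originator, "pid": tpdu[i], "dcs": tpdu[i + 1],
            "udl": tpdu[i + 9], "udhi": bool(tpdu[0] & 0x40)}

def is_sim_directed_binary(msg: dict) -> bool:
    """True if the SMS targets the (U)SIM: data-download PID or class-2 DCS.
    Class 2 = message-class bits 0b10 in DCS groups 00xx (bit 4 set) or 1111."""
    dcs = msg["dcs"]
    general_class2 = (dcs >> 6) == 0 and bool(dcs & 0x10) and (dcs & 0x03) == 2
    data_class2 = (dcs >> 4) == 0xF and (dcs & 0x03) == 2
    return msg["pid"] == SIM_DATA_DOWNLOAD_PID or general_class2 or data_class2

def filter_decision(tpdu: bytes, allowed_senders: set) -> str:
    """Return 'allow' or 'block' for one inbound TPDU."""
    msg = parse_sms_deliver(tpdu)
    if is_sim_directed_binary(msg) and msg["originator"] not in allowed_senders:
        return "block"
    return "allow"

# Constructed samples: same sender +44770090012, same timestamp; the first is a
# binary SMS to the SIM (PID 0x7F, DCS 0xF6), the second a plain text SMS.
SAMPLE_SIM_TPDU = bytes.fromhex("040B914477000910F27FF6" "99907112000000" "03D04102")
SAMPLE_TEXT_TPDU = bytes.fromhex("040B914477000910F20000" "99907112000000" "02C834")

if __name__ == "__main__":
    print(filter_decision(SAMPLE_SIM_TPDU, set()))          # block
    print(filter_decision(SAMPLE_SIM_TPDU, {"44770090012"}))  # allow
```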
Get more information here
Asus, Lenovo, and Other Routers Riddled with Remotely Exploitable Bugs
Researchers have discovered more than a hundred vulnerabilities in small office/home office routers and network-attached storage devices (NAS) from vendors like Asus, Zyxel, Lenovo, Netgear, and others. The researchers pen tested 13 different models and discovered at least one web application vulnerability per device, including cross-site scripting (XSS), operating system command injection, or SQL injection flaws. Many of the vulnerabilities could allow an attacker to gain remote access to the device’s shell or administrator panel.
According to the pen test paper, the researchers discovered 125 different CVEs and were able to remotely exploit six devices without authentication.
The affected devices include:
Buffalo TeraStation TS5600D1206,
Netgear Nighthawk R9000,
Many of the companies have taken mitigation steps; however, some organizations such as Drobo and Buffalo Americas have been unresponsive.
Read more here
InnfiRAT Malware Steals Litecoin and Bitcoin Wallet Information
Hackers have updated a remote access Trojan (RAT), InnfiRAT, with extensive capabilities to steal sensitive data, including cryptocurrency wallet information.
Researchers at ThreatLabZ have analyzed the malware and discovered some interesting abilities. InnfiRAT is based on .NET and includes 11 commands, along with anti-VM, process-check, and enumeration capabilities.
After infecting a victim's computer, the malware copies itself to %AppData%/NvidiaDriver.exe and drops a Base64-encoded PE file, which is then decoded into a .NET binary. After executing, InnfiRAT first checks whether it is running in a sandbox and looks for monitoring tools such as process monitors.
If it determines that any of those are present, the malware automatically terminates itself. If its initial scans don’t show any red flags, it proceeds to collect the machine’s HWID and country.
After the initial recon, InnfiRAT grabs browser cookies to steal stored usernames and passwords, and searches for wallet.dat files in the %AppData%\Litecoin\ and %AppData%\Bitcoin\ folders. If the malware finds any such information, it quickly delivers the data back to its C2 server.
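An added detection example (not from the original post or the ThreatLabZ write-up) that turns the two host artifacts described above into checks run over endpoint telemetry: a process starting from %AppData%/NvidiaDriver.exe, and wallet.dat under %AppData%\Litecoin\ or %AppData%\Bitcoin\ being read by something other than a wallet client. The key=value event format, the sample events, the expansion of %AppData% to C:\Users\<user>\AppData\Roaming, and the list of legitimate wallet client names are assumptions made for the example.

```python
# Added example: InnfiRAT host-artifact detection over constructed telemetry.
import re
from pathlib import PureWindowsPath

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs, values may hold spaces
DROPPER_NAME = "nvidiadriver.exe"                   # %AppData%/NvidiaDriver.exe from the write-up
WALLET_DIRS = {"litecoin", "bitcoin"}               # %AppData%\Litecoin\ and %AppData%\Bitcoin\
# Assumption: processes expected to open wallet.dat; anything else is suspicious.
LEGIT_WALLET_CLIENTS = {"bitcoin-qt.exe", "litecoin-qt.exe", "bitcoind.exe", "litecoind.exe"}

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def in_roaming_appdata(path: PureWindowsPath) -> bool:
    """True when the path lives under <profile>\\AppData\\Roaming (the %AppData% expansion)."""
    parts = [p.lower() for p in path.parts]
    return "appdata" in parts and "roaming" in parts

def check_event(ev: dict):
    """Return an alert name for one event, or None."""
    image = PureWindowsPath(ev.get("image", ""))
    if ev.get("event") == "ProcessCreate":
        if image.name.lower() == DROPPER_NAME and in_roaming_appdata(image):
            return "innfirat_dropper_path"
    elif ev.get("event") == "FileRead":
        target = PureWindowsPath(ev.get("target", ""))
        if (target.name.lower() == "wallet.dat"
                and target.parent.name.lower() in WALLET_DIRS
                and in_roaming_appdata(target)
                and image.name.lower() not in LEGIT_WALLET_CLIENTS):
            return "wallet_dat_access_by_unknown_process"
    return None

def scan(lines):
    """Run check_event over each log line; return (alert, image) pairs."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = check_event(ev)
        if hit:
            alerts.append((hit, ev["image"]))
    return alerts

# Constructed sample events (not real telemetry); the first two should alert.
EVENTS = [
    r"event=ProcessCreate image=C:\Users\alice\AppData\Roaming\NvidiaDriver.exe parent=C:\Users\alice\Downloads\invoice.exe",
    r"event=FileRead image=C:\Users\alice\AppData\Roaming\NvidiaDriver.exe target=C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat",
    r"event=FileRead image=C:\Program Files\Bitcoin\bitcoin-qt.exe target=C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat",
    r"event=ProcessCreate image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for alert, image in scan(EVENTS):
        print(alert, image)
```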
Other commands InnfiRAT can execute on a victim's computer include:
SendUrlAndExecute(string URL) - download a file from a specified URL and execute it
ProfileInfo() - collect and exfiltrate network, location, and hardware info
LoadLogs() - write files into specific folders
LoadProcesses() - get a list of running processes and send it to the C2 server
Kill (int process) - kill a specific process on the victim’s machine
RunCommand(string command) - execute a command on the victim’s machine
ClearCooks() - clear browser cookies for specific browsers
You can find indicators of compromise (IOCs) such as malware sample hashes and domains in the ThreatLabZ team's InnfiRAT write-up.
Read more here