Last Week In Blockchain and CyberSecurity News - September 17, 2019

Personal Data of Entire 16.6 Million Population of Ecuador Leaks Online

Security researchers at vpnMentor, Noam Rotem and Ran Locar, have discovered a data leak holding information on the entire population of Ecuador. The exposed data set is roughly 18 GB and contains about 20.8 million records, more than the country's population because it includes duplicate entries and records of people who have died.

The data sat on an unsecured, internet-exposed server located in Miami, Florida, but owned by an Ecuadorian company.

According to Forbes and the vpnMentor report, the personal leaked information includes: 

  • full name (first, middle, last)

  • gender

  • date of birth

  • place of birth

  • home address

  • email address

  • home, work, and cell phone numbers

  • marital status

  • date of marriage (if applicable)

  • date of death (if applicable)

  • level of education

  • employer name

  • employer location

  • employer tax identification number

  • job title

  • salary information

  • job start date

  • job end date

For residents holding an account with the Ecuadorian national bank, the records also included:

  • account status 

  • current balance in the account 

  • amount financed 

  • credit type 

Fortunately, the Ecuador Computer Emergency Response Team (CERT) closed off access to the database once the vpnMentor researchers notified it.


France and Germany to Block Facebook’s Libra Cryptocurrency

French Finance Minister Bruno Le Maire has announced that both France and Germany have agreed to block Facebook’s upcoming cryptocurrency, Libra. A joint statement issued by the two governments declares,

[They] believe that no private entity can claim monetary power, which is inherent to the sovereignty of nations.

Le Maire further asserted the government’s stance against Libra stating,

I want to be absolutely clear: in these conditions, we cannot authorise the development of Libra on European soil.

Libra is designed to let users make payments across Facebook's various apps, such as WhatsApp and Facebook Messenger. Companies such as Visa, Mastercard, and PayPal have been backers of the project. Libra's head of policy commented on the announcements from France and Germany, saying that this chain of events further underscores the importance of working with regulatory bodies.


SIM-Based Attack Has Been Spying on People for Two Years

Researchers at AdaptiveMobile Security have disclosed a SIM-based vulnerability, dubbed Simjacker, which they report has been exploited by an unnamed private surveillance company to track people's devices.

To exploit it, an attacker sends a specially crafted binary SMS that the victim never sees. The message carries commands for the S@T Browser, a legacy SIM Toolkit application that many carriers still ship on their SIM cards. The SIM executes those commands and can instruct the handset to collect location information (the serving cell ID) and the IMEI and send them by SMS to an attacker-controlled device that records the information.

According to Security Affairs, the attacker can perform the following actions: 

  • Retrieve targeted device’s location and IMEI information, 

  • Spread misinformation by sending fake messages on behalf of victims, 

  • Perform premium-rate scams by dialing premium-rate numbers, 

  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number, 

  • Spread malware by forcing a victim’s phone browser to open a malicious web page, 

  • Perform denial of service attacks by disabling the SIM card, and 

  • Retrieve other information like language, radio type, battery level, etc. 
     

Because the commands run on the SIM rather than in the handset's operating system, the attack is silent and works regardless of the phone's make or model (iPhones and Android devices from many vendors alike). According to the researchers, the unnamed company has been exploiting the vulnerability in more than 30 countries for at least two years. SIMalliance has issued updated security guidelines for cellular carriers, recommending among other things:

  • Implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and 

  • Making changes to the security settings of SIM cards issued to subscribers. 
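As an added example (not code from AdaptiveMobile, SIMalliance, or the original article), the following Python filter implements the first recommendation at the network edge. It parses SMS-DELIVER PDUs and drops SMS-PP data-download messages, the binary SMS class that S@T Browser commands travel in, unless they come from an allow-listed OTA sender. The trigger condition (TP-PID 0x7F plus a class-2 TP-DCS) is the one under which a handset hands a message straight to the SIM per 3GPP TS 23.040 and TS 31.111; the trusted sender list and the sample PDUs are constructed for the example.

```python
"""Drop SMS-PP data-download messages from untrusted senders (Simjacker filter).

Added example; not code from AdaptiveMobile, SIMalliance or any carrier.
Assumes hex SMS-DELIVER TPDUs with a leading SMSC field (3GPP TS 23.040).
The allow-list and sample PDUs below are constructed.
"""
from typing import Dict, Optional, Set, Tuple

PID_SIM_DATA_DOWNLOAD = 0x7F  # TP-PID value meaning "(U)SIM data download"


def _semi_octets_to_digits(raw: bytes) -> str:
    """Decode BCD digits stored low nibble first; 0xF pads an odd count."""
    digits = []
    for octet in raw:
        digits.append("%X" % (octet & 0x0F))
        if octet >> 4 != 0xF:
            digits.append("%X" % (octet >> 4))
    return "".join(digits)


def dcs_message_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) carried in TP-DCS, or None if absent."""
    group = dcs >> 4
    if group == 0xF:                      # "data coding / message class" group
        return dcs & 0x03
    if group <= 0x3 and dcs & 0x10:       # general group with class indication
        return dcs & 0x03
    return None


def parse_sms_deliver(pdu_hex: str) -> Dict[str, object]:
    """Parse the header fields of an SMS-DELIVER TPDU needed for filtering."""
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                     # skip SMSC address (length-prefixed)
    first = data[pos]; pos += 1
    if first & 0x03 != 0x00:              # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits, toa = data[pos], data[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2         # digits are packed two per octet
    sender = _semi_octets_to_digits(data[pos:pos + oa_len]); pos += oa_len
    if (toa & 0x70) == 0x10:              # international numbering plan
        sender = "+" + sender
    # Alphanumeric originators (TOA 0xD0) are not decoded here; they never
    # match the numeric allow-list, so such data-download messages are dropped.
    pid, dcs = data[pos], data[pos + 1]; pos += 2
    pos += 7                              # TP-SCTS timestamp
    udl = data[pos]; pos += 1
    return {
        "sender": sender,
        "udhi": bool(first & 0x40),
        "pid": pid,
        "dcs": dcs,
        "message_class": dcs_message_class(dcs),
        "udl": udl,
        "user_data": data[pos:],
    }


def is_sim_data_download(msg: Dict[str, object]) -> bool:
    """True when the handset would pass this message to the SIM, not the user."""
    return msg["pid"] == PID_SIM_DATA_DOWNLOAD and msg["message_class"] == 2


def classify(pdu_hex: str, trusted_senders: Set[str]) -> Tuple[str, str]:
    """Return ("deliver" | "drop", reason) for one mobile-terminated PDU."""
    msg = parse_sms_deliver(pdu_hex)
    if not is_sim_data_download(msg):
        return "deliver", "handset message"
    if msg["sender"] in trusted_senders:
        return "deliver", "SIM data download from trusted OTA sender"
    return "drop", "SIM data download from untrusted sender %s" % msg["sender"]


# Constructed samples. Originator digits are BCD-swapped: 447700091032 = +447700900123.
BENIGN_TEXT = (
    "00"                # SMSC length 0
    "04"                # first octet: SMS-DELIVER, no UDH
    "0C91447700091032"  # originator: 12 digits, international, +447700900123
    "00"                # TP-PID normal
    "00"                # TP-DCS GSM 7-bit, no class
    "00000000000000"    # TP-SCTS (zeroed)
    "05E8329BFD06"      # TP-UDL 5, "hello" packed 7-bit
)
UNTRUSTED_DOWNLOAD = (
    "00" "04" "0C91447700099099"  # +447700900999, not an OTA platform
    "7F" "F6"                     # SIM data download, 8-bit data, class 2
    "00000000000000"
    "050102030405"                # opaque binary payload (constructed)
)
TRUSTED_DOWNLOAD = (
    "00" "04" "0C91447700091011"  # +447700900111, the operator's OTA sender
    "7F" "F6"
    "00000000000000"
    "050102030405"
)
TRUSTED_OTA_SENDERS = {"+447700900111"}  # constructed allow-list

if __name__ == "__main__":
    for name, pdu in [("text", BENIGN_TEXT), ("untrusted", UNTRUSTED_DOWNLOAD),
                      ("trusted", TRUSTED_DOWNLOAD)]:
        print(name, classify(pdu, TRUSTED_OTA_SENDERS))
```

The filter belongs at the SMSC or SMS firewall on mobile-terminated traffic. It only looks at the header that selects the SIM as the recipient; inspecting the S@T command TLVs inside the user data is the natural next check, and a stricter policy may also flag PID 0x7F messages that are not class 2.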


Asus, Lenovo, and Other Routers Riddled with Remotely Exploitable Bugs

Researchers have discovered more than a hundred vulnerabilities in small office/home office (SOHO) routers and network-attached storage (NAS) devices from vendors including Asus, Zyxel, Lenovo, and Netgear. They pen tested 13 models and found at least one web application vulnerability in every device, such as cross-site scripting (XSS), operating system command injection, or SQL injection. Many of the flaws could give an attacker remote access to the device's shell or administrator panel.

According to the researchers' paper, the testing yielded 125 CVEs, and six of the devices could be exploited remotely without any authentication.

The six devices that could be exploited remotely without authentication are:

  • Asustor AS-602T,  

  • Buffalo TeraStation TS5600D1206,  

  • TerraMaster F2-420,  

  • Drobo 5N2,  

  • Netgear Nighthawk R9000,  

  • TOTOLINK A3002RU. 

Many of the vendors have taken mitigation steps; however, some, such as Drobo and Buffalo Americas, had not responded at the time of the report.
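To make the most common of the vulnerability classes above concrete, here is an added example, not code from any of the listed devices or from the researchers: a hypothetical "ping" diagnostics handler of the kind found in router admin panels, in its vulnerable form and beside a hardened one. Router firmware usually implements this in C CGI; the mistake and the fix are the same in Python, which is used here so the example runs anywhere.

```python
"""OS command injection in a router diagnostics handler, vulnerable vs hardened.

Added example (not code from Asus, Netgear, or the other vendors named in
the article). The "ping" endpoint, its parameter and the payloads are
hypothetical.
"""
import ipaddress
import re
import subprocess
from typing import List

# Hostname: labels of letters, digits, dots and hyphens; no leading or
# trailing hyphen, so a value can never be parsed as a ping option.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}(?<!-)$")


def build_ping_command_vulnerable(host: str) -> str:
    """The classic bug: the request parameter is spliced into a shell command
    line that the firmware then runs via system()/popen() (shell=True here).
    '8.8.8.8; cat /etc/passwd' becomes a second command run as root."""
    return "ping -c 4 %s" % host


def validate_target(host: str) -> str:
    """Accept only an IP address literal or a plain hostname; reject the rest."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError("invalid ping target: %r" % host)


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened: validate the input, then build an argv list so that no shell
    ever parses it. Metacharacters cannot survive validate_target, and even
    if they could, they would reach ping as a literal argument."""
    return ["ping", "-c", "4", validate_target(host)]


def run_ping(host: str, timeout: float = 15.0) -> str:
    """Run the hardened command without a shell and return its output."""
    result = subprocess.run(build_ping_command_safe(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


def injection_payload_is_neutralised(payload: str) -> bool:
    """True when the hardened builder refuses a value that the vulnerable
    builder would have handed to the shell verbatim."""
    try:
        build_ping_command_safe(payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ["8.8.8.8", "8.8.8.8; cat /etc/passwd", "$(reboot)", "-f"]:
        print(repr(payload), "->", build_ping_command_vulnerable(payload),
              "| neutralised:", injection_payload_is_neutralised(payload))
```

The fix has two independent parts, and a reviewer should insist on both: strict validation of what the parameter may contain, and never building a shell string from it in the first place. Validation alone fails the first time the regex is loosened to "fix" a customer complaint; argv-only execution alone still lets `-f` or similar reach the binary as an option.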


InnfiRAT Malware Steals Litecoin and Bitcoin Wallet Information

A remote access Trojan (RAT) called InnfiRAT has been found with extensive capabilities for stealing sensitive data, including cryptocurrency wallet information.

Researchers at Zscaler's ThreatLabZ analyzed the malware and found some notable abilities. InnfiRAT is written in .NET, implements 11 commands, and includes anti-VM and sandbox checks, process-monitor checks, and system enumeration capabilities.

After infecting a victim's computer, the malware copies itself to %AppData%\NvidiaDriver.exe and drops a Base64-encoded PE file that it decodes into a .NET binary. On execution, InnfiRAT first checks whether it is running in a sandbox and looks for running process-monitoring tools.

If any of these checks trip, the malware terminates itself. If the initial scans show no red flags, it proceeds to collect the machine's hardware ID (HWID) and country.

After this initial reconnaissance, InnfiRAT grabs browser cookies to steal stored usernames and passwords and searches for wallet.dat files in the %AppData%\Litecoin\ and %AppData%\Bitcoin\ folders. Whatever it finds is sent to its command-and-control (C2) server.

Other commands InnfiRAT can execute on a victim's computer include: 

  • SendUrlAndExecute(string URL) - download a file from a specified URL and execute it 

  • ProfileInfo() - collect and exfiltrate network, location, and hardware info 

  • LoadLogs() - write files into specific folders 

  • LoadProcesses() - get a list of running processes and send it to the C2 server 

  • Kill (int process) - kill a specific process on the victim’s machine 

  • RunCommand(string command) - execute a command on the victim’s machine 

  • ClearCooks() - clear browser cookies for specific browsers 

Indicators of compromise (IOCs), including sample hashes and C2 domains, are listed in the ThreatLabZ team's InnfiRAT write-up.
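The host behaviours described above (a copy of the malware at %AppData%\NvidiaDriver.exe, wallet.dat reads under %AppData%\Litecoin and %AppData%\Bitcoin, and browser cookie theft) translate directly into hunting logic. The following is an added example, not code from ThreatLabZ: it triages file and process events from an EDR export for those three behaviours. The pipe-delimited event format, the process allow-lists and the sample events are constructed; the Chrome cookie database path is the default profile location and is assumed for the example.

```python
"""Hunt for InnfiRAT behaviours in endpoint file/process events.

Added example, not code from ThreatLabZ. Event format (constructed):
timestamp|pid|image_path|operation|target_path. Rules:
  persistence_path  a process started from %AppData%\\NvidiaDriver.exe
                    (NVIDIA installs nothing into the roaming profile)
  wallet_access     wallet.dat under %AppData%\\Litecoin or \\Bitcoin read by
                    anything other than the wallet client
  cookie_access     a Chromium "User Data\\...\\Cookies" database read by a
                    non-browser process (path is an assumption)
"""
from typing import Callable, Dict, List, Tuple

WALLET_CLIENTS = {"litecoin-qt.exe", "litecoind.exe", "bitcoin-qt.exe", "bitcoind.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
WALLET_DIRS = ("litecoin", "bitcoin")


def _norm(path: str) -> str:
    """Case-fold and use backslashes so matching is independent of log source."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def parse_event(line: str) -> Dict[str, object]:
    ts, pid, image, op, target = line.split("|", 4)
    return {"ts": ts, "pid": int(pid), "image": image, "op": op, "target": target}


def rule_persistence_path(ev: Dict[str, object]) -> bool:
    return (ev["op"] == "ProcessCreate"
            and _norm(ev["image"]).endswith("\\appdata\\roaming\\nvidiadriver.exe"))


def rule_wallet_access(ev: Dict[str, object]) -> bool:
    t = _norm(ev["target"])
    in_wallet_dir = any("\\appdata\\roaming\\%s\\" % d in t for d in WALLET_DIRS)
    return (ev["op"] == "FileRead" and in_wallet_dir and t.endswith("\\wallet.dat")
            and _basename(ev["image"]) not in WALLET_CLIENTS)


def rule_cookie_access(ev: Dict[str, object]) -> bool:
    t = _norm(ev["target"])
    return (ev["op"] == "FileRead" and "\\user data\\" in t and t.endswith("\\cookies")
            and _basename(ev["image"]) not in BROWSERS)


RULES: List[Tuple[str, Callable[[Dict[str, object]], bool]]] = [
    ("persistence_path", rule_persistence_path),
    ("wallet_access", rule_wallet_access),
    ("cookie_access", rule_cookie_access),
]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append({"rule": name, "pid": ev["pid"],
                                 "image": ev["image"], "target": ev["target"]})
    return findings


# Constructed sample export: one infected session (pid 4120) plus benign noise.
SAMPLE_EVENTS = r"""
2019-09-12T10:01:03Z|4120|C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|ProcessCreate|C:\Users\alice\AppData\Roaming\NvidiaDriver.exe
2019-09-12T10:01:07Z|4120|C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|FileRead|C:\Users\alice\AppData\Roaming\Litecoin\wallet.dat
2019-09-12T10:01:09Z|2210|C:\Program Files\Litecoin\litecoin-qt.exe|FileRead|C:\Users\alice\AppData\Roaming\Litecoin\wallet.dat
2019-09-12T10:01:12Z|4120|C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|FileRead|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2019-09-12T10:01:15Z|1880|C:\Program Files\Google\Chrome\Application\chrome.exe|FileRead|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2019-09-12T10:01:20Z|3030|C:\Windows\System32\notepad.exe|FileRead|C:\Users\alice\Documents\notes.txt
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.strip().splitlines()):
        print(f["rule"], f["pid"], f["image"], "->", f["target"])
```

The wallet and cookie rules are deliberately written as "anything except the legitimate reader", so a renamed or future sample is still caught; the persistence rule is the narrow, IOC-like one and should be paired with the hashes from the write-up.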
