New Supply Chain Attack 📱, Chrome Cuts Camerafirma 🌐, Hacked Account Sellers Targeted By Social Media 💰

CyberLite Feb 9, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!


🌐 Chrome Cuts Camerafirma

Camerafirma is a certificate authority (CA) based in Madrid. They provide TLS (Transport Layer Security) server authentication certificates. Let’s unpack everything there quickly…

Certificate Authorities 101

  • Transport Layer Security is a technology for keeping an internet connection secure, safeguarding any sensitive information sent between two systems using encryption. Unhelpfully, you’ll often see TLS referred to as SSL (Secure Sockets Layer); TLS is essentially the evolution of SSL and has almost completely replaced it.
  • A TLS certificate does two main things. It verifies the ownership of a website/domain, preventing fake versions from posing as the legitimate site. It also enables encryption by carrying the public key needed to set up the encrypted TLS connection. If a site has a valid certificate you’ll see a small lock icon when you access it in your web browser.
  • Certificate authorities are responsible for issuing these certificates and checking that whoever is applying for a certificate does actually own the domain they claim to.
  • What could go wrong? The dangers are most easily explained by looking back at a cyber attack from 2011, when a CA known as DigiNotar was hacked. This allowed a solo hacker to issue hundreds of fake certificates for domains like google.com and microsoft.com. These were then applied to fake sites impersonating Google and Microsoft products. When users accessed them they appeared to be secure and controlled by Google or Microsoft.
  • It’s very important that CAs use the best security practices and carefully evaluate every domain they issue a certificate for. Otherwise, they might unknowingly issue a certificate to a fake website.

This week Mozilla published a list of 26 incidents in which Camerafirma didn’t do the proper due diligence when issuing certificates. The full list of sins can be found here and includes issuing certificates for domains that didn’t even exist. As a result, Google announced that from Chrome 90 all certificates issued by Camerafirma will be treated as invalid: any sites that use them will be flagged as insecure and users will get a full-screen warning when accessing them. Other browsers are expected to follow in Chrome’s footsteps.
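To make the “distrust” point concrete, here is an added Go example (mine, not code from Chrome, Mozilla or Camerafirma) that mints a throwaway CA and a server certificate for the made-up host example.test entirely in memory, then verifies that certificate the way a browser would: once with the CA in the root store, once for a hostname the certificate was never issued for, and once after the CA has been removed from the root store. The CA name, the hostnames and the key type are all assumptions chosen for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildChain mints a throwaway CA ("Example Test CA", a made-up name) and a server
// certificate for the made-up host example.test that the CA signs. Everything is
// generated in memory; no real CA or domain is involved.
func buildChain() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // the only hostname this cert vouches for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// verify does what a browser does on connect: chain the server certificate back to
// a root in the trust store and check it is valid for the hostname the user typed.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcomes records whether the same certificate was accepted in three situations:
// CA trusted and hostname matches; CA trusted but presented for another hostname;
// CA pulled from the root store (what Chrome 90 does to Camerafirma).
type Outcomes struct {
	Trusted, WrongHost, Distrusted bool
}

func RunChecks() (Outcomes, error) {
	ca, leaf, err := buildChain()
	if err != nil {
		return Outcomes{}, err
	}
	store := x509.NewCertPool()
	store.AddCert(ca)
	emptyStore := x509.NewCertPool() // same browser after the CA is removed from its root list

	return Outcomes{
		Trusted:    verify(leaf, store, "example.test") == nil,
		WrongHost:  verify(leaf, store, "bank.test") == nil,
		Distrusted: verify(leaf, emptyStore, "example.test") == nil,
	}, nil
}

func main() {
	o, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA trusted, right host: accepted=%v\n", o.Trusted)
	fmt.Printf("CA trusted, wrong host: accepted=%v\n", o.WrongHost)
	fmt.Printf("CA distrusted:          accepted=%v\n", o.Distrusted)
}
```

The middle case is the DigiNotar lesson in miniature: a certificate is only good for the names inside it, so a mis-issued certificate for a domain the applicant doesn’t own is exactly what the CA’s vetting is supposed to prevent. The last case is what a root-store removal does: nothing about the certificate changes, but every site using it stops verifying.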


💰 Social Media Targets Hacked Account Sellers

Facebook, Instagram, TikTok, and Twitter all took steps to crack down on users involved in selling hijacked user accounts. Hundreds of accounts involved in facilitating the trading have been seized. A user’s accounts across multiple platforms are often hijacked and sold together, hence the co-ordinated action from all four platforms.

A database from the site OGUsers was also leaked. OGUsers is a prominent forum used for selling hijacked accounts. The database contained private messages showing users advertising accounts for sale for as much as $6000. A user by the name of beam claims to have brokered north of 10,000 transactions on the forum.

Securing Your Accounts: Make sure you use multi-factor authentication (MFA) wherever possible. MFA is where, in addition to your password, you receive a code from a mobile app or text message that allows you to log in. If you run any high-profile accounts, opt to receive the code from a mobile app rather than by text. A particularly determined criminal can convince a mobile service provider to transfer a target’s phone number to a device they control (an action known as SIM swapping), at which point any text-message codes go to the criminal instead of you.


📱 New Supply Chain Attack

In January, a small number of users of NoxPlayer, an Android emulator (software that lets you play Android games on a PC), received a notification to update the app. When they installed the update, they were actually installing malware on their computers.

The attackers were able to compromise NoxPlayer’s update mechanism and add their own code to an update. Despite the app having over 150 million users, only 5 specific users within the Asian gaming community were targeted.

The concept of the attack here is very reminiscent of the SolarWinds attack where the update mechanism for the SolarWinds Orion software was compromised. In a world where every security professional is pushing users and organizations to update their software as frequently as possible, compromising the update mechanism is an increasingly appealing avenue for attackers to take. This is a trend that’s only going to become more common.
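The standard defence on the client side of an update mechanism is to install nothing that isn’t signed by a key the software already trusts. Here is an added Go example (mine, not NoxPlayer’s or SolarWinds’ code) of such a check: the vendor signs the version number and a hash of the build with an Ed25519 key, and the client accepts an update only if that signature verifies under the pinned vendor public key and the version is newer than what’s installed. The struct fields, the sample build bytes and the four delivery scenarios are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the client downloads: the build, its version number and the
// vendor's signature over both. The field names are made up for this example.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signingInput binds version and payload together, so an attacker can neither
// swap the payload under a genuine signature nor re-use an old signed build's
// signature under a new version number.
func signingInput(version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, sum[:]...)
}

// signUpdate is the vendor-side step, run wherever the private key lives.
func signUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signingInput(version, payload))}
}

// VerifyUpdate is the client-side gate: install only if the update was signed by
// the pinned vendor key and is newer than the installed version (blocks rollback).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, signingInput(u.Version, u.Payload), u.Sig) {
		return errors.New("rejected: signature does not verify under the pinned vendor key")
	}
	if u.Version <= installed {
		return errors.New("rejected: not newer than the installed version (possible rollback)")
	}
	return nil
}

// Results records whether each constructed delivery was accepted: a genuine update,
// the genuine update with extra code appended (signature left as-is), the modified
// payload re-signed with the attacker's own key, and an older genuine build re-served.
type Results struct {
	Genuine, Tampered, AttackerSigned, Rollback bool
}

func Scenario() (Results, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	const installed = 3
	build := []byte("constructed sample build v4") // stands in for real installer bytes

	genuine := signUpdate(vendorPriv, 4, build)

	tampered := genuine
	tampered.Payload = append(append([]byte{}, build...), []byte("+implant")...)

	attackerSigned := signUpdate(attackerPriv, 4, tampered.Payload)

	rollback := signUpdate(vendorPriv, 2, []byte("constructed sample build v2"))

	return Results{
		Genuine:        VerifyUpdate(vendorPub, installed, genuine) == nil,
		Tampered:       VerifyUpdate(vendorPub, installed, tampered) == nil,
		AttackerSigned: VerifyUpdate(vendorPub, installed, attackerSigned) == nil,
		Rollback:       VerifyUpdate(vendorPub, installed, rollback) == nil,
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v attackerSigned=%v rollback=%v\n",
		r.Genuine, r.Tampered, r.AttackerSigned, r.Rollback)
}
```

Only the first delivery gets through. The caveat is that this check protects the hop between vendor and user: if the attacker reaches the build pipeline or the signing key itself, the malicious update arrives with a perfectly valid signature, which is why keeping the signing key off the build servers and watching for unexpected builds matters as much as the client-side check.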


☀ SolarWinds Orion Hacked… Again

If SolarWinds’ PR department thought they might finally get a week off, they were sadly mistaken. While the Russians were installing their backdoor into Orion (read my previous coverage here), a different attacker, potentially of Chinese origin, was exploiting another Orion vulnerability. This vulnerability was used by the attackers to spread across networks they’d already compromised.

This second attack really highlights just how much SolarWinds’ security practices leave to be desired.

“SolarWinds increased its profits by increasing its cybersecurity risk, and then transferred that risk to its customers without their knowledge or consent.” Bruce Schneier

🔥 Rapid Fire

Some shorter stories…

Apple has started offering an iCloud password extension for Chrome. The increasing competition to manage your passwords is only a good thing; we’re seeing the friction needed to up your password security getting lower and lower. Link.

CrowdStrike has published details about an emerging ransomware actor it has named Sprite Spider. Their ransomware is particularly dangerous and evades detection by hiding inside open-source projects such as Notepad++. Link.

Some light relief: a road sign between Burton and Swadlincote in England was recently hacked to instruct drivers to “go back to Swadlincote, you idiots. We are supposed to be in lockdown!”. A resident, Karen Banks, complained to the council and the sign was promptly updated, as you can see below! Link.

Microsoft Defender has been updated to detect macOS vulnerabilities. It now allows admins to discover vulnerabilities affecting macOS devices on their network. Link.

The Babyk ransomware gang has published a list of organizations that they won’t target, namely hospitals, non-profits and schools. Although they said that they would still target any foundations “who help LGBT and BLM”. I somehow doubt this list of “ethics” will make anyone see ransomware operators in a more favorable light. Link.


🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

Google released a blog post disclosing a zero-day in its Chromium engine, which powers browsers such as Chrome and Microsoft Edge. Google has deliberately not released many details, but it is described as a “heap buffer overflow” in the V8 JavaScript engine. Everyone is urged to update their browsers ASAP. Link.

Researchers have verified that macOS is also vulnerable to the 10-year-old vulnerability found in the sudo program last week. The vulnerability could be exploited by an attacker with access to a low-privileged account to gain admin (root) access. Link.

SonicWall (a networking device maker) disclosed a critical zero-day vulnerability in its Secure Mobile Access 100 series. A report from NCC Group found it was being actively exploited by “highly sophisticated threat actors”. Link.

Cisco has addressed a number of critical vulnerabilities in its small business and VPN routers. These vulnerabilities could be exploited to execute malicious code as an administrator (the root user). They arose because HTTP requests were not properly validated, allowing an attacker to exploit them by sending a specially crafted HTTP request. Link.


💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

Clubhouse had its moment this week when Elon Musk interviewed the Robinhood CEO. This issue of Platformer contains the best take on Clubhouse I've read. Link.

Google puts forward its vision of what will replace cookies. Trying to figure out how we deliver relevant ads to users without tracking them individually is an incredibly difficult task. Without a solution, only large platforms with the reach of Google and Facebook will be able to make money selling ads. Link.

The Security in Colour Newsletter is a weekly guide on events, resources and courses in the cyber community. It complements the excellent Security in Colour podcast. Link.

How I Would Get My First Cybersecurity Job If I Had Zero Experience Or Education. A video guide from Cybersecurity Meg. There's a lot of useful information and resources here! Link.


❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!


🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!

Oli

Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
