We admit that here at hackercombat.com we are one of the cybersecurity news organizations that somewhat hyped Artificial Intelligence (AI) when it comes to cybersecurity. We wrote numerous articles heralding the “hero” that would save us from the seemingly endless cat-and-mouse race between the discovery of a vulnerability that is already being exploited and the moment the vendor issues the patch addressing it. We are no different from other tech sites that presented AI as a possible replacement for the labor-intensive human process of quashing software bugs, let alone the security flaws those bugs enable.
IBM Security has exposed the world’s dependence on that “hero”: AI, mistakenly identified by many cybersecurity organizations as the silver bullet for our current cybersecurity problems. Big Blue considers such a premise a bias, and IBM is correct. The industry seems so used to the labor-intensive procedure of fixing a discovered security flaw: it takes humans to discover a bug and report it to the vendor, and then an unknown period passes until the vendor issues the patch that quashes it. That, of course, is the ideal situation; many flaws are discovered and weaponized by cybercriminals without the vendor knowing of their existence for weeks, months or even years. It takes a “good samaritan” to finally report the bug, with enough detail, to the developers, who are the only ones who can issue a fix.
“One is the algorithm itself. Is it biased in the way it’s approached, and the outcome it’s trying to solve? If you’re trying to solve the wrong outcome, and the outcome is biased, then your algorithm is biased. It’s not like the bad guys are waiting for us to learn how to do this. So, the faster we get there, the better off (we are),” hinted Aarti Borkar, IBM Security’s Vice President.
Antivirus products and endpoint services have for decades employed heuristic scanning, which is in itself a crude form of artificial intelligence. Heuristic scanning claims to detect threats that signature-based scanning cannot, as the latter requires the actual virus signature to be present in its scanning engine to detect a particular malware. Instead of causing the number of malware to plummet, cybercriminals took up the challenge, employing a combination of virus development and social engineering in their campaigns.
Heuristic scanning technology predates all of the current crop of malware we are encountering, such as ransomware, cryptocurrency-mining malware and stealthy banking trojans. From a practical standpoint, current heuristics have been unable to prevent infection by those threats. We continue to hear news of local government operations disabled by ransomware infections, and all of them paid the steep ransom demanded by cybercriminals.
Artificial Intelligence technologies will nonetheless continue to improve, and maybe a year or two from now we will post a follow-up article expressing our happiness as AI becomes truly effective against the campaigns launched by malware authors. Till then, we will continue reporting stories about malware infections, even if that means we indirectly implicate the ineffectiveness of today’s antimalware software products.
U.S. telecom giant Sprint has recently revealed that a number of Sprint customer accounts were taken over by unauthorized users using a loophole in Samsung.com’s “add a line” feature. The company disclosed the incident in its June 22 internal report, and the following information about affected users is now in the hands of unknown parties:
Account creation date
Monthly recurring charges
Even with a huge laundry list of stolen information, Sprint remains calm, as the telecom giant claims that the information lost in the Samsung.com breach was not substantial enough for identity theft to thrive. Sprint, for its part, issued a forced reset of its customers’ PINs in order to lessen the chance of further security breaches. The forced PIN change was initiated on June 25, three full days after the discovery of the incident.
“Sprint has taken appropriate action to secure your account from unauthorized access and has not identified any fraudulent activity associated with your account at this time. Sprint re-secured your account on June 25, 2019. We apologize for the inconvenience that this may cause you. Please be assured that the privacy of your personal information is important to us. Please contact Sprint at 1-888-211-4727 if you have any questions or concerns regarding this matter,” explained Sprint in its official press release.
The company urges all its affected customers to visit www.indentitytheft.gov, a website operated by the U.S. Federal Trade Commission. Sprint claims that the preventive and security measures provided by the FTC will be very helpful for customers that continue to worry about the data breach incident. As of this writing, Sprint has not disclosed the details on what actually happened to Samsung.com’s “add a line” feature, and how it caused Sprint customers to get hacked through the use of the website.
On their part, Samsung claims that they keep their systems and website secure, and no Samsung customer info from their systems was leaked to the outside world. “We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung. We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” said a Samsung spokesperson.
The need for cybersecurity measures is widely recognized as an issue; however, many companies have problems implementing countermeasures, as proven by our many years of cybersecurity news coverage here at hackercombat.com. Insufficient security investment and a shortage of security personnel add to the risks of conducting business in today’s technology-driven economy. We at hackercombat.com define cybersecurity as the act of protecting information and data from cyber attacks such as computer intrusion, virus infection, information leakage, data alteration and destruction. The most common threats against firms include targeted attacks, malware infiltration and a lack of security personnel.
A targeted attack is one of the cyber attack methods. It is conducted against the information held by a specific organization, such as a company, and aims to steal that information regardless of the method. As an example, after collecting information on your employees, attackers may impersonate employees of affiliated companies.
Three Foundations of a secure enterprise:
Enforce security measures not only within the company but also among supply partners such as business partners and system management providers.
Communicate appropriately with related parties, including disclosure of information on cybersecurity risks and the measures taken to combat them.
Recognize cybersecurity risks and take appropriate leadership in allocating resources, etc.
Companies also need to take appropriate measures in line with the strengthening of domestic and foreign laws, regulations and security requirements, regardless of whether they have bases overseas. Take the European Union’s GDPR (General Data Protection Regulation), for example: it applies to all global companies that provide Web services to domestic and foreign users and handle IP addresses and cookies (data sent from the browser to the server according to past user behavior). Even if you do not have branch offices overseas, if you do not respond in accordance with the GDPR you may be subject to sanctions and compensation claims.
It is essential to work on strengthening cybersecurity measures throughout the entire organization, and for implementation, securing security personnel is one of the important items. The lack of security personnel and of human resource development have become major issues in cybersecurity. In addition to hiring outside personnel, developing human resources in-house is the first step. When it comes to cybersecurity measures, there is a tendency for security enhancement of systems and electronic devices to take precedence.
On the other hand, much security damage is triggered by human factors, and we must be aware that poor employee literacy may lead to security vulnerabilities. Conversely, if you raise security awareness and enable all employees to respond appropriately, you can effectively strengthen corporate cybersecurity. In order to improve employee security literacy, it is necessary to improve IT literacy and to hold regular training sessions on the latest cyber-attack methods and countermeasures. The important thing is that each and every employee takes an active role in security measures. Along with the progress of digitization, cybersecurity measures have come to be taken for granted. In addition to proactive measures, when an incident such as an information leak occurs, the employees involved must immediately make sound decisions, and the company must have a system in place that does not aggravate the damage.
The IT and security fields are very diverse, so it is difficult to decide how much literacy should be acquired, and a training system is needed to learn appropriately. In such cases, it is recommended to outsource cybersecurity training to a specialized school. By commissioning a specialized training period, you can efficiently improve security skills using a structured IT and security curriculum. Outsourcing training also has the merit that education and training can be carried out without consuming the working hours of senior employees.
Singapore continues to be a role model when it comes to cybersecurity readiness in Southeast Asia. The city-state has learned a lot from last year’s SingHealth data breach, which pushed Singapore into a period of cybersecurity renewal. Singapore established bug bounty programs, now in their 3rd edition in 2019, and its leaders are also establishing new policies for “interim” technical measures that will hopefully lessen the country’s attractiveness as a target of future cyber attacks.
Singapore’s public sector is now in full swing with the core implementation of its automated email filtering project. When it comes to determining whether an email is legitimately safe to open, the use of automated anti-spam and anti-phishing tools is more time-efficient. Of course, the humans operating the computers will always be the front liners in any cybersecurity initiative; hence, massive user-retraining campaigns are now being implemented across the city-state’s public sector and government agencies.
The initiative is under the supervision of Teo Chee Hean, a Senior Minister and concurrently Coordinating Minister for National Security. His agency released initial findings confirming threats not only against the island nation’s public sector but also against private enterprises. Minister Hean established a committee that will evaluate the progress of various government agencies toward full compliance with the IT security policy set in the wake of the 2018 SingHealth incident.
For Singapore, everything starts from the awareness, readiness and eagerness of public servants in the area of safe computing habits. Regular IT audits are also in full swing, which will hopefully address weaknesses in the public sector’s networks and computers. From the perspective of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), the move to cloud computing goes beyond “cost reduction measures” and gives control over IT-related assets.
Singapore is no different from the rest of the world, which cannot stop the march of cloud computing. This is where each organization engaging with cloud-computing platforms re-evaluates the trade-off between security and privacy on one hand and convenient access to data on the other. Cloud adoption assumes that the security department will have veto power; it may or may not actually have it. However, if the security department is not given enough veto power, mistakes will be made. For example, even for “compliance” data (that is, important confidential information that cannot be placed in a cloud environment), IT vendors immediately start selling “certified solutions” (in fact, such solutions already exist).
In cloud computing, data (that is, confidential information) is treated as a liquid: we can control the flow of this liquid and direct it into the desired river. But user data behaves more like a gas, and that is a new concept. The data spreads to fill whatever area is processing it, which is true but really troublesome for any IT professional trying to secure the devices in an organization. Convenience of information processing may be lost in the name of confidentiality; it is not clear whether this lesson has been learned from the information security of the past 20 years. If only one method can provide the necessary convenience, users will adopt that method, even if it means using a USB memory stick. Data (information) resembles a gas precisely because users do their own risk assessments about policy violations: if putting important data into the cloud environment enables work that improves the convenience of the company, users who are employees (good or bad) will take the risk of putting data into the cloud environment.
The United Kingdom’s National Cyber Security Centre (NCSC) has issued an advisory warning UK citizens using computers and other Internet-connected mobile devices that large-scale DNS hijackings are ongoing on the Internet, and the agency provides simple mitigation advice for IT professionals to implement in their respective areas of coverage. NCSC defines DNS hijacking as an incident where the DNS entries of an authoritative DNS server are edited by a third party without permission. Such an attack creates an unsafe environment for users, as their traffic gets redirected to a false website instead of the genuine website they wish to visit. NCSC highlighted that hackers are concentrating on establishing transparent proxies, domain hijacking, obtaining TLS certificates without authority and creating malicious DNS records, all without the knowledge of the target victims.
Unfortunately, the majority of what NCSC describes as “Account Take Over” (ATO) cases involve the domain registrar itself, and end-users have nothing to do with it. The agency did issue short advice for domain registrars in order to minimize the chance of their DNS systems being taken over by unknown parties. “Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed. A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner,” explained the NCSC report.
The focus of the heightened alert is for service providers and domain registrars to prioritize offering domain locks to their customers, which comprise the following functionalities, as directly quoted from NCSC:
Prevents the nameservers from being changed;
Prevents domain registrant and / or contact details being changed;
Prevents the domain from being transferred to another registrar.
DNS server hosting is a regular part of the domain registry and Internet Service Provider business; however, it is not considered a money-making endeavor. Hence, ISPs and domain registrars do not place a lot of investment in securing their DNS infrastructure.
NCSC provided the following security suggestions in order for DNS-hosting organizations to be confident of their DNS server security:
1. Implement DNSSEC
DNSSEC is a security extension that proves the authenticity of the hostname-to-IP-address mapping sent by a DNS server. It is designed to prevent DNS response spoofing attacks such as DNS cache poisoning. In DNSSEC, the DNS server that sends the response signs it using its private key, and the recipient verifies the signature with the corresponding public key. Because a response cannot be signed correctly without the private key, forged responses can be detected by verifying the signature. A normal DNS server has no means of authenticating the other party, so by supporting DNSSEC it gains that function.
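As an added illustration of the sign-then-verify idea DNSSEC is built on (example code written for this page, not from NCSC or any DNS software): the authoritative side signs a canonical form of the record set with the zone's private key, and the resolver side rejects any answer whose signature does not check out against the public key, so a poisoned record is caught while a legitimate answer listed in a different order still passes. The zone, records and addresses are constructed placeholders, and the canonical form is a simplified stand-in for RFC 4034 wire-format ordering.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL and rdata.
type RR struct {
	Name string
	Type string
	TTL  uint32
	Data string
}

// canonicalRRset renders an RRset in a form that signer and verifier agree
// on: owner names lower-cased and records sorted, so a legitimate answer
// verifies no matter which order a server happens to list it in.
// (Real DNSSEC uses RFC 4034 wire-format canonical ordering; this textual
// form is a simplified stand-in, not the RFC encoding.)
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\tIN\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the authoritative server's side: an RRSIG-like signature over
// the canonical RRset with the zone's private key. Ed25519 is a real DNSSEC
// algorithm (number 15, RFC 8080), used here via Go's standard library.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// VerifyRRset is the validating resolver's side: the signature must check
// out against the zone's public DNSKEY, otherwise the answer is rejected.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo signs a constructed A RRset for a placeholder zone and checks three
// answers a resolver might receive: the genuine one, the same records in a
// different order and letter case (must still verify), and a poisoned one in
// which an attacker substituted their own address (must fail).
func Demo() (genuineOK, reorderedOK, poisonedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample data; example.com is a placeholder zone.
	genuine := []RR{
		{"www.example.com.", "A", 300, "192.0.2.10"},
		{"www.example.com.", "A", 300, "192.0.2.11"},
	}
	sig := SignRRset(priv, genuine)

	reordered := []RR{
		{"WWW.example.com.", "A", 300, "192.0.2.11"},
		{"www.example.com.", "A", 300, "192.0.2.10"},
	}
	// A cache-poisoning attempt: same owner name, attacker-chosen rdata,
	// replayed together with the original signature.
	poisoned := []RR{
		{"www.example.com.", "A", 300, "198.51.100.66"},
		{"www.example.com.", "A", 300, "192.0.2.11"},
	}
	return VerifyRRset(pub, genuine, sig),
		VerifyRRset(pub, reordered, sig),
		VerifyRRset(pub, poisoned, sig), nil
}

func main() {
	g, r, p, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v reordered=%v poisoned=%v\n", g, r, p)
}
```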
2. Monitor TLS
TLS certificate creation needs to be done correctly; the “web of trust” truly depends on the level of trust people place in the certificate authority. Loss of trust in a certificate authority means loss of business, just as happened to the dissolved certificate authority businesses of DigiNotar and Symantec.
3. Auditing and Monitoring
4. Access Control
5. Change Control
“Keep evidence – in case your entire domain is hijacked, you’ll need to appeal to your registry for help. Keep extensive records which can be used to prove ownership,” concluded the NCSC report.
More and more people are conducting their everyday financial transactions through the use of smartcards; that is the reality on the ground. People use less cash, and the demand for debit/credit cards is growing, yet globally speaking the release of EMV cards to replace magnetic stripe cards is not yet fully implemented. Hence the PCI DSS goals and requirements were established in order to guide the financial sector.
The six goals with their corresponding requirements are enumerated below:
1. Build and maintain secure networks and systems:
Install and maintain a firewall to protect cardholder data
This is the responsibility of system administrators and their team of IT staff. The smartcard itself is just a frontend; the “magic” of using a piece of plastic card is in its backend, the servers that support the electronic transactions. Both the merchant and the bank are connected by this network, which is expected to run 24/7, as ecommerce does not stop when office hours do.
Do not use vendor-supplied defaults for system passwords and other security parameters
Trouble comes with the “default”. There is a term in the IT support industry called the “tyranny of the default”, where end-users are totally dependent on the default values. Default passwords are documented on the web; never use them on a production system.
2. Protect cardholder data
Protect stored cardholder data
Physical security is still one of the strongest security measures to implement. Immediately following it is the stored data itself, which gets read and written through machines like ATMs and POS terminals. It is the full responsibility of banks and merchants to ensure their terminals fully comply with current security standards.
Encrypt when transmitting cardholder data over an open public network
This is common practice across the industry: no one will trust a merchant with a non-encrypted POS, and no one will ever transact with a bank that has no reasonable implementation of the encryption standards practiced all around the world for securing customer data.
3. Maintenance of vulnerability management program
Protect all systems against malware and update anti-virus software regularly
Vulnerability to malware infection is the very reason why POS and ATM machines usually run a variant of the Unix or Linux operating systems. Due to the number of malware available on the Windows platform, it is not recommended for merchandising and banking purposes.
Develop and maintain highly secure systems and applications
Many banks maintain their old but still dependable Unix systems; some banks even use decades-old mainframe systems for the same reason: security.
4. Introducing powerful access control methods
Restrict access to cardholder data to the extent necessary for business
Also known as user account control, this means only those bank employees and merchant staff tasked with handling customer data should have access to customer information.
Identify and authenticate access to system components
Aside from time-tested vaults, banks using their Unix/Linux systems have elaborate components that work together in a secure fashion.
Restrict physical access to cardholder data
Same as number 7; however, securing the data on the card itself is the full responsibility of the card owner. Misuse of the card does not make the bank responsible for fraudulent transactions.
5. Regular monitoring and testing of the network
Track and monitor all access to network resources and cardholder data
Test security systems and processes regularly
6. Development of information security policy
Develop a policy to support information security for all personnel
Last Valentine’s Day, we made a fearless declaration here at Hackercombat.com that Trickbot is shaping up to become the “malware of the year”, due to its massive campaigns infecting computers worldwide. That remains our forecast; Trickbot was recently named by DeepInstinct security researchers as responsible for the compromise of at least 250 million email accounts. It rode on massive spam emails coming from computers that were already infected, in a campaign to cast a wider net for the banking trojan.
Trickbot used to rely on the flawed SMB protocol in unpatched versions of Windows to spread itself, navigate network shared files and install itself deep into the operating system. With the update known as “TrickBooster”, TrickBot received the biggest facelift in its history: the banking trojan can now tap the address book installed on the infected computer, sending phishing emails to all of the user’s contacts. As per DeepInstinct’s research on the new version of TrickBot, the use of the user’s contacts further increases the trojan’s chances of infecting more machines than it used to.
The new spam emails are unique, able to bypass the tried and tested antispam formulas established by Outlook.com, Yahoo Mail and Gmail. In fact, the most heavily targeted email domain turned out to be @gmail.com, with 25 million unique instances of spam emails containing TrickBot. Yahoo Mail comes second, with 21 million of its customers receiving the spam email at least once, and lastly Outlook.com users with 11 million instances.
“We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot. We discovered more samples of the malware, both signed and not, additional infrastructure used in the campaign – both to distribute (infection points) and control the malware (C2 Servers),” explained Shaul Vilkomir-Preisman, security researcher at DeepInstinct in their official website blog.
The new strain has the capability to hook into Outlook.exe, create a parallel thread and then execute a COM-based command. It obtains a Microsoft.Office.Interop.Outlook instance via CoCreateInstance and hooks into OUTLOOK.exe via the OleRun function. TrickBot 2.0 also incorporates advanced features that aid its proliferation, such as cookie theft capability and the use of legitimate-looking digital certificates for the Microsoft Office attachments on which it piggybacks.
Rumors have been circulating online that TrickBot’s new version was able to reach the mailboxes of United States federal agencies such as the Department of Transportation; NASA; Federal Aviation Administration; Internal Revenue Service; Social Security Administration; Department of Justice; Department of Homeland Security; Bureau of Prisons; and Bureau of Alcohol, Tobacco and Firearms.
Compared to the espionage accusations against China’s Huawei Technologies, TrickBot’s authors have succeeded in stealing not only personally identifiable information but also the banking data of Americans and other nationalities. “We continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2 Servers, which were going on and off line, and employing various Geo-IP restrictions and other mechanisms to hamper analysis. It was at one of these servers that we found something that made us realize how successful this campaign is – an Email dump containing approximately 250 million Email addresses,” concluded Vilkomir-Preisman.
A newly discovered ransomware family targets QNAP network attached storage (NAS) devices. This malicious program, named eCh0raix by security researchers at Anomali (and identified by Trend Micro as Ransom.Linux.ECHORAIX.A), was developed for targeted ransomware attacks similar to those of Ryuk or LockerGoga.
A NAS device is connected to a network and acts as a file storage and backup system, located in a central place where users can easily access the data. NAS devices are a scalable and cost-effective solution for many businesses.
How eCh0raix works
eCh0raix is written in Go (Golang), a programming language increasingly used to develop malware. The ransomware determines the location of the NAS device by performing language checks and bails out if the device is located in certain Commonwealth of Independent States countries such as Ukraine, Belarus and Russia. eCh0raix encrypts documents, text files, PDF files and databases as well as multimedia files.
The ransomware demands 0.05 to 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted on Tor, in exchange for the decryption key. Bleeping Computer has reported that decryptors seem to be available for Windows and macOS. Affected QNAP NAS devices include the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II and QNAP TS-253B.
Experts have not been able to determine the exact infection vector, but messages on the Bleeping Computer forum indicate that the infected NAS devices did not have the latest patches and used weak passwords. It is believed that the people behind eCh0raix used brute force and exploited the vulnerabilities of the specific NAS devices. The researchers also found that eCh0raix, unlike ordinary ransomware, is designed for targeted attacks. For example, in the offline version of eCh0raix, a hard-coded encryption key for a particular target is embedded, and a decryption key is uniquely assigned to each such key.
Targeted ransomware attack
eCh0raix is not the first ransomware family to target NAS devices, but it is a file-encrypting threat designed specifically for that purpose. Although overall ransomware activity decreased in 2019, targeted ransomware attacks were very much in the news. For example, Norsk Hydro lost about $40 million to LockerGoga, while Ryuk was used to block press operations in the United States. Ransomware also suspended some government services in Baltimore following an attack that allegedly cost the city $18.2 million.
Many threats exploit insecure systems; in the case of eCh0raix, these are weak passwords or unpatched vulnerabilities. For example, Anomali researchers found through Internet scanning that more than 19,000 QNAP NAS devices in the United States are directly reachable from the Internet. NAS devices are generally not protected by anti-malware solutions, making them highly vulnerable.
Backup NAS devices
QNAP Systems, the NAS device manufacturer targeted by eCh0raix, has issued recommendations for preventing ransomware, such as enabling the QNAP snapshot feature, which can back up and restore files. To further reduce the number of attacks on NAS devices, users and businesses must apply best practices, including:
Update the NAS device firmware to fix exploitable vulnerabilities, change the default credentials, and add authentication and authorization mechanisms for access to the NAS device.
Make sure other systems or devices, including routers connected to or integrated with NAS devices, are also updated.
Follow the principle of least privilege: enable features or components only when necessary, and use a VPN to access NAS devices over the Internet.
Enable the built-in security features of NAS devices. For example, QNAP’s network access protection helps to prevent brute force attacks and similar abuse.
A report by Belgium-based broadcaster VRT NWS revealed that Google employees routinely listened to audio files recorded by Google Home smart speakers and by Google Assistant on smartphones.
As per ZDNet, the report elucidates how employees listen to snippets of the recordings captured when the user activates the device with the usual “OK Google” command.
After receiving copies of several recordings, VRT NWS approached the users in them, asking them to identify their own voices, or those of their children, talking to the digital assistant.
Google responded to the report by posting a blog titled “More information about our processes to safeguard speech data”.
Google acknowledged that it uses language experts from around the world who “understood the nuances and accents of a particular language”, and who had reviewed and transcribed a small set of queries to better understand these languages. The terms and conditions indicate that users’ conversations are recorded.
Google’s blog mentions that capturing interactions is an important part of building speech technology for products like Google Assistant. According to the company, various security measures are implemented to protect the privacy of users during the review process.
David Monsees, Google’s product manager for Search, wrote in the blog, “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”
According to Google, it applies a wide range of safeguards to protect user privacy throughout the entire review process. The blog further adds, “Language experts only review around 0.2% of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.”
The company states that Google Assistant sends audio data to Google only after device activation. It also said that devices, including Google Assistant, can sometimes experience a “false accept”, which means that background noise or words are misinterpreted by their software as the activation keyword.
Although Google stated that audio is recorded only after the command is heard, VRT NWS stated that out of over a thousand samples it listened to, 153 should never have been recorded, as the “OK Google” command was not clearly given.
In February, Google detailed that its Nest Guard, the centerpiece of the Nest Secure home alarm system, would soon receive Google Assistant functionality — meaning the device needed to have both a speaker and microphone.
Users were not made aware that the Nest Guard had a microphone at all, however.
Google responded that it was nothing more than a mistake not to tell users about the Nest Guard microphone.
Earlier this year, Amazon was found to employ a team of people to review questions asked of its Alexa-powered speakers, similar to Google, in order to improve the accuracy of its voice assistant.
The recordings sent to the human team do not carry the user’s full name, but are linked to the account name, the device serial number and a user name.
Some team members are tasked with transcribing commands and analyzing whether Alexa answered correctly. Others were asked to transcribe background noises and conversations that the device picked up by mistake.
Bluetooth makes it easy to transfer files, photos, and documents over short distances between devices such as mobile phones, PDAs, and laptops. The wireless communication protocol was developed in 1998, and its simplicity and ubiquity have revolutionized wireless communication between devices. Unfortunately, Bluetooth has also created security risks for the people who use it. Attackers continue to exploit Bluetooth vulnerabilities for activities such as stealing personal data and installing malware. Newly discovered vulnerabilities affect not only mobile phones, but also cars and other systems.
BlueBorne is a security hole in several Bluetooth implementations. It was identified in April 2017 by security researchers at Armis. The vulnerabilities exist in mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and can allow attackers to take control of affected devices and steal information from their users.
The researchers described the scope of the attack vector as follows: “For the attack, the target device does not need to be paired to the attacker's device or set to discoverable mode.” So far, Armis Labs has identified eight zero-day vulnerabilities that demonstrate the existence and potential of this attack vector. Armis expects more vulnerabilities to be found across the various platforms that use Bluetooth, and notes that the vulnerabilities found so far are fully functional and can be exploited successfully.
BlueBorne is a dangerous threat because of the medium it spreads through. Unlike most Internet-based attacks, BlueBorne attacks spread through the air. This means that attackers can silently connect to smartphones and computers and take control of them without any user interaction.
Btlejacking, another Bluetooth attack vector, was presented in August 2018 at the DEF CON conference in Las Vegas by Damien Cauquil, Head of Research and Development at Digital Security. With this technique, attackers can disrupt and take over Bluetooth Low Energy (BLE) connections. It relies on a jamming vulnerability tracked as CVE-2018-7252, which affects BLE versions 4.0, 4.1, 4.2, and 5. To exploit the weakness, the attacker must be within 5 meters of the target.
Hundreds of millions of Bluetooth devices are potentially exposed to this attack vector, which allows attackers to discover BLE connections, jam BLE devices, and take control of vulnerable Bluetooth devices. Attacks on Bluetooth-enabled devices can be carried out with a BBC Micro:Bit microcomputer that costs only $15 and a few lines of open-source code.
Security researchers at Armis have discovered two new “BleedingBit” bugs in Bluetooth chips that affect enterprises around the world. The first bug, tracked as CVE-2018-16986, is a remote code execution flaw involving four chip models embedded in seven Cisco access points and five Meraki access points. To exploit it, remote attackers send malicious BLE broadcast messages, called advertising packets, which are stored in the vulnerable chip's memory. When BLE is enabled, these malicious messages can trigger a critical memory overflow, allowing attackers to corrupt memory, gain access to the operating system, create a backdoor, and remotely execute malicious code.
The second chip vulnerability, tracked as CVE-2018-7080, affects multiple Aruba access points, including the entire 300 series, and allows attackers to push and install a completely different firmware version.
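The BleedingBit description above comes down to a classic bug class: a length field inside an attacker-controlled BLE advertising packet that the firmware parser trusts. As an added illustration (not code from Armis, Cisco, Aruba or any chip vendor, and not the actual BleedingBit defect), the following C parser for the standard [length][type][data] advertising-data layout shows the bounds checks a parser needs so that a lying length byte is rejected instead of reaching past the buffer. The sample packets are constructed; the AD type values are the standard ones from the Bluetooth assigned numbers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Maximum payload of a legacy BLE advertising PDU (Bluetooth Core spec). */
#define BLE_ADV_MAX_LEN 31
#define AD_TYPE_FLAGS         0x01
#define AD_TYPE_COMPLETE_NAME 0x09

/* One parsed AD structure: type byte plus a view of its data bytes. */
typedef struct {
    uint8_t type;
    const uint8_t *data;
    size_t len;
} ad_struct_t;

/* Parse advertising data laid out as repeated [length][type][data...] structures.
 * Returns the number of structures, or -1 if the payload is malformed:
 * oversized payload, a length byte that reaches past the buffer, or more
 * structures than out[] can hold. The length byte is attacker-controlled,
 * so it is checked against the real buffer size before any data is touched. */
int ble_parse_adv(const uint8_t *payload, size_t payload_len,
                  ad_struct_t *out, size_t max_out)
{
    if (payload == NULL || payload_len > BLE_ADV_MAX_LEN) return -1;
    size_t pos = 0;
    size_t count = 0;
    while (pos < payload_len) {
        uint8_t len = payload[pos];
        if (len == 0) break;                        /* zero length: rest is padding */
        if (pos + 1 + len > payload_len) return -1; /* claims bytes we do not have */
        if (count >= max_out) return -1;            /* more structures than we can store */
        out[count].type = payload[pos + 1];
        out[count].data = &payload[pos + 2];
        out[count].len  = (size_t)len - 1;          /* length covers type byte + data */
        count++;
        pos += 1 + (size_t)len;
    }
    return (int)count;
}

/* Copy the Complete Local Name into name[] (always NUL-terminated, never more
 * than name_size bytes written, however long the packet claims the name is).
 * Returns 1 if found, 0 if absent, -1 if the packet is malformed. */
int ble_adv_local_name(const uint8_t *payload, size_t payload_len,
                       char *name, size_t name_size)
{
    ad_struct_t ads[16];
    int n = ble_parse_adv(payload, payload_len, ads, 16);
    if (n < 0 || name_size == 0) return -1;
    for (int i = 0; i < n; i++) {
        if (ads[i].type != AD_TYPE_COMPLETE_NAME) continue;
        size_t copy = ads[i].len < name_size - 1 ? ads[i].len : name_size - 1;
        memcpy(name, ads[i].data, copy);
        name[copy] = '\0';
        return 1;
    }
    name[0] = '\0';
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_adv[] = {
    0x02, AD_TYPE_FLAGS, 0x06,                       /* Flags: LE General Discoverable, BR/EDR not supported */
    0x05, AD_TYPE_COMPLETE_NAME, 'T', 'e', 's', 't'  /* Complete Local Name "Test" */
};
static const uint8_t bad_adv[] = {
    0x02, AD_TYPE_FLAGS, 0x06,
    0x10, AD_TYPE_COMPLETE_NAME, 'T', 'e', 's'       /* length says 16, only 3 bytes follow */
};

int demo_good_count(void) {      /* well-formed packet: two AD structures */
    ad_struct_t ads[8];
    return ble_parse_adv(good_adv, sizeof good_adv, ads, 8);
}
int demo_bad_rejected(void) {    /* lying length byte: parser returns -1 */
    ad_struct_t ads[8];
    return ble_parse_adv(bad_adv, sizeof bad_adv, ads, 8);
}
int demo_name_truncated(void) {  /* 4-byte buffer: name is safely cut to "Tes" */
    char name[4];
    int r = ble_adv_local_name(good_adv, sizeof good_adv, name, sizeof name);
    return (r == 1 && strcmp(name, "Tes") == 0) ? 1 : 0;
}

int main(void) {
    char name[32];
    int found = ble_adv_local_name(good_adv, sizeof good_adv, name, sizeof name);
    printf("good packet: %d structures, name found=%d -> \"%s\"\n", demo_good_count(), found, name);
    printf("bad packet: parse result %d (rejected)\n", demo_bad_rejected());
    return 0;
}
```

The two checks that matter are `pos + 1 + len > payload_len`, which refuses to follow a length byte beyond the end of the received packet, and the `name_size - 1` clamp when copying into a fixed buffer; a parser that skips either is the kind of code an over-the-air advertising packet can drive into a memory overflow.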
BleedingBit is cited as a wake-up call to enterprise security for two reasons.
“First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can destroy network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device,” said Yevgeny Dibrov, Armis CEO, in a blog post.
Privacy4Cars researchers have discovered a new major vulnerability, CarsBlues, in the infotainment systems of various vehicle models. The attack can be carried out in minutes with cheap, readily available hardware and software, and it allows attackers to extract personally identifiable information (PII) belonging to users who have synchronized their mobile phone with their car via Bluetooth. It is estimated that tens of millions of vehicles worldwide are exposed to this attack.