UNM4SK3D: Facebook, Huawei, and Nissan
#cryptocurrency
Sure, everyone loves a funny cat video, but if you receive a video file (packed in a zip archive) sent by someone through Facebook Messenger, think twice before opening it. That video may just be a cryptocurrency mining bot. Discovered by researchers from security firm Trend Micro, this new bot is spreading through Facebook Messenger and targeting Google Chrome desktop users to "take advantage of the recent surge in cryptocurrency prices." The so-called 'Digmine' bot is used for mining the Monero cryptocurrency. It disguises itself as a non-embedded video file, under the name 'video_xxxx.zip,' but actually contains an AutoIt executable script. 'Digmine' works by infecting the victim's computer, then downloading its components and related configuration files from a remote command-and-control (C&C) server. The malware then installs a cryptocurrency miner, which secretly mines Monero in the background using the CPU power of the infected computers. What's worse, 'Digmine' also "installs an autostart mechanism and launch Chrome with a malicious extension that allows attackers to access the victims' Facebook profile and spread the same malware file to their friends' list via Messenger." Interestingly enough, those who open the malicious video file through the Messenger mobile app are not affected. 'Digmine' originally infected users in South Korea and later spread to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. The concern is that, with Facebook's global reach, this bot will continue to spread. Facebook, however, has said it has taken down most of the malware files. As always, use caution when opening videos and files shared via social media.
The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware's components. - Trend Micro researchers
Facebook isn't the only place an unwanted cryptocurrency mining bot has been found. Just ask Starbucks. Read this past edition of 'UNM4SK3D' for details.
#botnet
Mirai, Mirai, on the wall... Looks like there's a variant after all. This time, the variant is 'Satori' (also known as Okiku), which has been targeting Huawei's router model HG532. You may recall that the original creators of the IoT malware Mirai have already been sent to jail, but unfortunately, variants of the notorious botnet are still floating around cyberspace thanks to the availability of its source code on the Internet. Recently found by Check Point security researchers, who said they tracked hundreds of thousands of attempts to exploit a vulnerability in the Huawei router model in the wild, 'Satori' infected more than 200,000 IP addresses in just 12 hours. "Researchers suspected an unskilled hacker that goes by the name 'Nexus Zeta' is exploiting a zero-day remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 devices, according to a new report published Thursday by Check Point." This vulnerability stems from the implementation of TR-064 (a technical report standard), an application layer protocol for remote management. Specifically, on the Huawei devices, TR-064 was exposed to the Internet through the Universal Plug and Play (UPnP) protocol on port 37215. CVE-2017-17215 allowed remote attackers to execute arbitrary commands on the devices, meaning they were able to exploit this flaw to download and execute the malicious payload on the Huawei routers and enlist them in the botnet. Of the global attacks found, the most targeted countries include the United States, Italy, Germany, and Egypt. Since the discovery, Check Point has disclosed the vulnerability to Huawei, who confirmed the issue and released a security notice to customers. To protect against this flaw, users can "deploy Huawei NGFWs (Next Generation Firewall) and upgrade their IPS signature database to the latest IPS_H20011000_2017120100 version released on December 1st."
The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server. Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits. - Check Point researchers
Go in-depth on botnet attacks. Read 'Reaper- Calm Before the IoT Botnet Attack.'
#hacked
Another day, another breach. The latest news comes from Nissan Canada Finance, which recently notified 1.13 million customers of a data breach. Customers were notified on December 21st. The breach affected an unspecified number of past and present customers and occurred when an unidentified third party gained access to customer names, addresses, vehicle makes and models, vehicle identification numbers, credit scores, loan amounts, and monthly payments. It appears no card information was accessed, and the breach only affected Canadian customers. "While the precise number of customers affected by the data breach is not yet known, NCF is contacting all of our current and past customers – approximately 1.13 million customers – who have financed their vehicles through Nissan Canada Finance and Infiniti Financial Services Canada," the company said. As compensation, Nissan Canada Finance is offering free credit-monitoring services through TransUnion for a year. Currently, they are working with cyber security experts to determine how the breach happened, exactly how many customers were affected, and what specific personal information was exposed. In reaction to breaches such as this one, Travis Greene of SecurityWeek writes, "With breach after breach exposing the full picture of our digital identity, we have to face the reality that securing identity attributes is an impossible task. Our consumer digital identities will never be reclaimed...The best approach to ensuring no more of our digital identity falls into the wrong hands is to implement stronger, two-factor authentication (2FA) for the use of digital identities, in a way that is consumer-friendly. All companies and governments that maintain identity and attribute data should be required by regulation to implement 2FA, a solution that significantly enhances authentication security." Hopefully, NCF will discover the root cause of this breach and act accordingly to respond and prevent further breaches. Until then, we as consumers must act with caution when sharing our precious information.
We apologize for any frustration and anxiety this may cause our customers, and we thank you for your patience and support as we work through this issue. We are focused on supporting our customers and ensuring the security of our systems. - Alain Ballu, president, Nissan Canada Finance
'How Much More Needs to be Compromised?' See one take on the current state of cyber security.