Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation

By: Eduard Kovacs

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.

The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.

According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.

An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.

Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.

The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.


The source code of the Exobot Android banking trojan has been leaked online

By: Pierluigi Paganini

The source code of the Exobot Android banking trojan has been leaked online, and researchers have already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online, and experts believe that we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors advertised it as usable for phishing attacks, and it implements the features common to most banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware that is able to infect even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and offered its source code for sale.

Now researchers from Bleeping Computer have confirmed that they received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last versions before its original author gave up on its development,” reads a blog post published by Bleeping Computer.


According to experts from ThreatFabric, the version provided to Bleeping Computer was leaked online in May. It seems that one of the users who purchased the malicious code decided to leak it online.


Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

By: Mohit Kumar

Singapore’s largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.

SingHealth is the largest healthcare group in Singapore, with two tertiary hospitals, five national specialty centres, and eight polyclinics.

According to an advisory released by Singapore’s Ministry of Health (MOH), along with the personal data, hackers also managed to steal ‘information on the outpatient dispensed medicines’ of about 160,000 patients, including Singapore’s Prime Minister Lee Hsien Loong and a few ministers.

“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,” MOH said.

The stolen data includes the patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

The Ministry of Health said the hackers “specifically and repeatedly” targeted the PM’s “personal particulars and information on his outpatient dispensed medicine.”

So far there is no evidence of who was behind the attack, but the MOH stated that the cyber attack was “not the work of casual hackers or criminal gangs.” The local media is also speculating that the hack could be the work of state-sponsored hackers.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that “this was a deliberate, targeted, and well-planned cyberattack.”


The SIM Hijackers

By: Lorenzo Franceschi-Bicchierai

Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims’ weakness? Phone numbers.

It seemed like any other warm September night in the suburbs of Salt Lake City. Rachel Ostlund had just put her kids to bed and was getting ready to go to sleep herself. She was texting with her sister when, unexpectedly, her cell phone lost service. The last message Rachel received was from T-Mobile, her carrier. The SIM card for her phone number, the message read, had been “updated.”

Rachel did what most people would have done in that situation: she turned the phone off and on again. It didn’t help.

She walked upstairs and told her husband Adam that her phone wasn’t working. Adam tried to call Rachel’s number using his cell phone. It rang, but the phone in Rachel’s hands didn’t light up. Nobody answered. Rachel, meanwhile, logged into her email and noticed someone was resetting the passwords on many of her accounts. An hour later, Adam got a call.

“Put Rachel on the phone,” demanded a voice on the other end of the line. “Right now.”

Adam said no, and asked what was going on.

“We’re fucking you, we’re raping you, and we’re in the process of destroying your life,” the caller said. “If you know what’s good for you, put your wife on the phone.”

Adam refused.

“We’re going to destroy your credit,” the person continued, naming some of Rachel and Adam’s relatives and their addresses, which the couple thinks the caller obtained from Rachel’s Amazon account. “What would happen if we hurt them? What would happen if we destroyed their credit and then we left them a message saying it was because of you?”

The couple didn’t know it yet, but they had just become the latest victims of hackers who hijack phone numbers in order to steal valuable Instagram usernames and sell them for Bitcoin. That late summer night in 2017, the Ostlunds were talking to a pair of these hackers who’d commandeered Rachel’s Instagram, which had the handle @Rainbow. They were now asking Rachel and Adam to give up her @Rainbow Twitter account.


How the Russians broke into the Democrats’ email, and how it could have been avoided

By: Kate Fazzini

The 12 Russian operatives indicted by the Justice Department waged a campaign of well-executed espionage and novel technical engineering, coupled with rudimentary computer attacks.

That last part is key. Their tools may have been top-notch and their manipulation may have been slick, but the mode of entry was old-school and beatable, according to experts.

According to the Justice Department, the Russians used spear-phishing as one of their primary attack techniques. Spear-phishing refers to an email targeted at an important person — or a “big fish” — who can provide entry to a cache of the most important data. It starts with basic reconnaissance (like looking at Facebook and LinkedIn profiles) to create a portrait of a prominent individual, then uses that portrait to craft an email that he or she is sure to click on. In the Democratic National Committee hack in 2016, those emails were simply spoofed to look like security updates from Google, according to the indictment.

To prevent this type of attack, the DNC could have done much more in terms of “basic cyber hygiene,” according to Amit Yoran, a founding member of the U.S. Computer Emergency Response Team, the arm of Homeland Security that reacts to major cyberattacks in the U.S. Patching systems and using two-factor authentication, which involves verifying a person’s identity using more than simply a password, would have greatly mitigated the damage the Russian agents could do, he said.

Not only does it show how preventable the incidents surrounding the attacks on the DNC could have been, but also the increasingly integral role private-sector companies play on the front lines of national defense, he said.

Spotlight shifts to companies

The Russians allegedly took a multi-pronged approach to the Democrats’ congressional and presidential campaigns, as well as the elections systems in several U.S. states. According to the indictment, a software vendor was the conduit to one attack against the voting registration system in Florida.

When the DNC realized they’d been hacked, they called in an American consulting firm to help. That company, which was not named in the indictment, removed many instances of malware left on DNC machines by the Russians.

However, that firm didn’t rid the committee’s servers of all instances of the malware, according to the Justice Department. Some malware remained, according to the indictment, and the Russians continued operating. Also, in the process of working on DNC computers, the consulting firm made their presence known to the attackers. Typically, that is not something a cybersecurity response firm wants to do.

The Russians were then able to find “countermeasures” to get around those defenses, prosecutors said.

For corporations watching and wondering what this might mean for the private sector: “At the most basic level, you’ve got to be able to defend yourself,” said Yoran, who now serves as chief executive of cyber-risk management company Tenable. “The rule of law isn’t well established in cyberspace. You’ve got to put in place reasonable protections and reasonable measures.”


How scammers “clone” politicians’ WhatsApp accounts to make money

By: Bruna Souza Cruz and Helton Simões Gomes

Someone you trust asks to borrow money over WhatsApp. Feeling helpful, you make the deposit. Only later do you discover that the person who asked was a scammer who managed to “clone” the profile in the app to impersonate someone you know.

Targeted by a Federal Police operation carried out together with the Civil Police this Tuesday (17) in the states of Maranhão and Mato Grosso do Sul, the criminals behind the scam count ministers, state and federal deputies and even a governor among their victims. Some of those hit deposited as much as R$ 70,000.

Recently, other politicians and figures close to power were also targeted in the same way. But how is this possible?

In March, the PF opened an inquiry to investigate a complaint from federal deputies and ministers who had been noticing strange behaviour on their WhatsApp accounts. People close to them had received messages from them asking for money.

Among those hit by the scam are the ministers Carlos Marun (Secretariat of Government) and Eliseu Padilha (Civil House), and the former ministers Osmar Terra (Social Development) and Gastão Vieira. In addition, the governor of Paraná, Cida Borghetti (PP), and at least five state deputies, such as Adriano Sarney (PV-MA), were targeted.

One of the people approached by Sarney’s “cloned” account deposited as much as R$ 70,000. The amounts requested were not always that high. Other victims sent R$ 8,000.

The scammers asked for the money to be deposited into Banco do Brasil accounts in São Luís, Maranhão. Most of them had been opened in the names of front men.

In the course of the investigation, the police discovered that not only was the scam not new, but one of its perpetrators had already escaped the police before.


Hackers have stolen more than $1 billion from cryptocurrency exchanges in 2018

By: Sam Jacobs

The popularity of cryptocurrency has also given rise to a proliferation in the number of crypto exchanges.

The website lists 205 crypto exchanges, with Japan-based Binance topping the rankings for 24-hour transaction volume.

Clearly, there’s an opportunity in the space to make a profit by clipping the ticket on crypto trades.

At the same time, more transaction providers in the nascent, largely unregulated market for cryptocurrencies means more targets for hackers. So far in 2018, the hackers have been busy.

A report in the Wall Street Journal shows more than $US800 million ($AU1.08 bn) worth of cryptocurrency has been stolen by hackers this year.

The figures are based on an investigation by Autonomous Research, an independent research provider for the finance industry.

The biggest hack this year took place at Coincheck, a Japan-based exchange which had more than $US500 million worth of crypto stolen in late January.

Last month, South Korean exchange Bithumb was targeted, as hackers made off with around $US30 million while the company suspended operations and moved its crypto holdings to cold storage.

While companies such as Binance, Coincheck and Bithumb are usually referred to as exchanges, their functions differ from traditional stock exchanges such as the ASX.

Earlier this year, the chair of the Australian Digital Commerce Association (ADCA), Loretta Joseph, told Business Insider that exchanges should be referred to as “digital marketplaces”, given that they aren’t regulated and merely provide a forum for buyers and sellers to exchange crypto independently.

Another way in which crypto exchange companies differ from stock exchanges is that they often provide a vehicle to store users’ cryptocurrency, which is also what makes them a target for hackers.

Going back to 2011, there have been a total of 56 cyber attacks across currency exchanges and initial coin offerings.

Autonomous Research said there have been seven crypto exchange hacks so far this year, four of them in Asia.


How the US Government Secretly Sold ‘Spy Phones’ to Suspects

By: Brian Barrett

In 2010, a suspected cocaine smuggler named John Krokos bought encrypted BlackBerry devices from an undercover Drug Enforcement Administration agent. That sort of federal subterfuge is par for the course. But in this case, the DEA held onto the encryption keys—meaning that when the government moved on Krokos and his alleged collaborators a few years later, they could read the emails and messages that passed to and from the phone.

That revelation is detailed in a new report from Human Rights Watch, along with a 2015 email that shows that the DEA had expressed interest in using smartphone malware from Italian company Hacking Team to spy on multiple suspects’ locations. Together, they illustrate a potentially chilling practice on the part of the US government to preemptively plant spy devices on suspects. They also shed light on actions by federal law enforcement that aren’t necessarily illegal, but do test the boundaries of surveillance, and potentially subject non-targets to federal snooping.

“If the government is distributing, effectively, bugging devices, without sufficient court oversight and authorization, I think that could really have a chilling effect on free expression, if people feel like they have to assume the risk that any phone they’re handed could have been bugged in a way that would violate their rights,” says Human Rights Watch researcher Sarah St. Vincent.

BlackBerry has denied any involvement in the proceedings, and the DEA declined to comment because some litigation related to the Krokos investigation remains ongoing. Krokos himself eventually pleaded guilty, and received a 138-month prison sentence.


Hackers spread macOS virus in Slack and Discord chat groups about cryptocurrencies

By: Altieres Rohr

Security specialists at DutchSec and Malwarebytes analysed malicious code distributed in chat channels that deal with cryptocurrency topics such as Bitcoin, and which therefore reaches users interested in the subject. The malware was written for Apple macOS computers (such as the MacBook, iMac and Mac mini) and gives the hacker full control of the infected computer.

To convince victims to install the virus, the criminals pose as moderators or staff members of the channels and suggest running a special command that, according to them, would fix technical problems the users are experiencing. The command, however, downloads the malicious program and runs it with full (“root”) permission.

The specialists named the virus OSX.Dummy because of the lack of sophistication of both the malicious code and the attack. Nevertheless, the attack stands out for targeting users of Apple computers, who are rarely hit by malware.

Once installed on the computer, the virus hands full control of the system to those behind it. The malware also steals the victim’s “root” password.


Russia’s national vulnerability database is incomplete, and a cover for software snooping

By: Bradley Barth

Russia’s national vulnerability database (NVD), run by a government organization, is far less comprehensive than its American counterpart, omitting many critical bugs while focusing heavily on flaws that appear to be specifically relevant to Russian state information systems, according to new research from Recorded Future.

The Russian database, known as the BDU, is administered by the Federal Service for Technical and Export Control of Russia (FSTEC), a national military counterintelligence agency. According to Recorded Future, since 2014 FSTEC has published only about 10 percent of the 107,901 total bugs announced by the American NVD, which is operated by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).

In a blog post issued today, Recorded Future concludes that the Russian database exists not so much to provide a public service, but rather to establish a minimum set of security guidelines for Russian officials tasked with securing government information systems.

At the same time, having an official vulnerability database also gives Russia a seemingly legitimate cover for demanding that foreign software and security companies submit their products to FSTEC and related agencies for inspection of their source code, Recorded Future continues. But in reality, this is just a thin veneer through which Russia disguises its efforts to gather intel on foreign software, the researchers assert.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” write report authors and researchers Priscilla Moriuchi, director of strategic threat development, and Dr. Bill Ladd, chief data scientist.

In an interview with SC Media, Moriuchi added that the BDU database is “virtually useless,” with “almost nothing in this that you can’t find in another database that is… more comprehensive.” And yet, it is “just enough legitimate content” to provide plausible deniability regarding “the real mission of the organizations.”

Recorded Future notes that a disproportionate number of BDU’s published bugs are flaws known to be commonly exploited by Russian APT groups. Indeed, the report says that FSTEC has listed about 60 percent of all vulnerabilities used by the Russian military. The researchers believe that this could mean Russian military officials are taking measures to ensure that the same exploits aren’t similarly employed against their own government’s information systems.