Cyber Security News of the week — 27.03.2022|01.04.2022
CISA Warns of Ongoing Cyber Attacks Targeting Internet-Connected UPS Devices
The U.S. Cybersecurity and Infrastructure Security Agency and the Department of Energy are jointly warning of attacks against internet-connected uninterruptible power supply devices by means of default usernames and passwords.
UPS devices, in addition to offering power backups in mission-critical environments, are also equipped with an internet of things capability, enabling the administrators to carry out power monitoring and routine maintenance. But as is often the case, such features can also open the door to malicious attacks.
The agencies have also urged concerned entities to update the UPS usernames and passwords to ensure that they don’t match the factory default settings. “This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS,” the advisory read.
Experts Uncover Campaign Stealing Cryptocurrency from Android and iPhone Users
Researchers have blown the lid off a sophisticated malicious scheme primarily targeting Chinese users via copycat apps on Android and iOS that mimic legitimate digital wallet services to siphon cryptocurrency funds.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” said Lukáš Štefanko, senior malware researcher at ESET in a report shared with The Hacker News.
The wallet services are said to have been distributed through a network of over 40 counterfeit wallet websites that are promoted with the help of misleading articles posted on legitimate Chinese websites, as well as by means of recruiting intermediaries through Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps.
“This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network”.
The Slovak cybersecurity company said it found dozens of groups promoting malicious copies of these wallet apps on the Telegram messaging app that were in turn shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent scheme.
“Based on the information acquired from these groups, a person distributing this malware is offered a 50 percent commission on the stolen contents of the wallet,” ESET noted.
Rather they can only be downloaded by visiting one of the malicious websites using configuration profiles that make it possible to install applications that are not verified by Apple and from sources outside the App Store.
The investigation also unearthed 13 rogue apps that masqueraded as the Jaxx Liberty Wallet on the Google Play Store, all of which since been removed from the Android app marketplace as of January 2022. They were collectively installed more than 1,100 times.
Honda’s Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles
A duo of researchers has released a proof-of-concept demonstrating the ability for a malicious actor to remote lock, unlock, and even start Honda and Acura vehicles by means of what’s called a replay attack.
The attack is made possible, thanks to a vulnerability in its remote keyless system that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry .
This is not the first time a flaw of this kind has been uncovered in Honda vehicles. A related issue discovered in 2017 Honda HR-V models is said to have been “seemingly ignored” by the Japanese company, Berry alleged.
“Manufacturers must implement Rolling Codes, otherwise known as hopping code,” Rajesh said. “Legacy technology utilized by multiple automakers to remotely lock and unlock doors may be vulnerable to determined and very technologically sophisticated thieves,” Honda spokesperson Chris Martin told The Hacker News.
“At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby”.
Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds
Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that grant malicious actors to execute arbitrary code and access camera feeds as well as unauthorizedly read the SD cards, the latter of which remained unresolved for nearly three years after the initial discovery.
Romanian cybersecurity firm Bitdefender, which discovered the shortcomings, said it reached out to the vendor way back in May 2019, following which Wyze released patches to fix CVE-2019–9564 and CVE-2019–12266 in September 2019 and November 2020, respectively.
But it wasn’t until January 29, 2022, that firmware updates were released to remediate the issue related to unauthenticated access to the contents of the SD card, around the same time when the Seattle-based wireless camera maker stopped selling version 1.
This also means that only Wyze Cam versions 2 and 3 have been patched against the aforementioned vulnerabilities while leaving version 1 permanently exposed to potential risks.
“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” the researchers cautioned.
Stay Focused. Stay Vigilant.
Cyber Security News Team — Cyber Security Community of SLIIT