Information Security Report | October 2018

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, that highlights the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches, and shares recommendations to help you protect your data and stay a step ahead.

This month features a new strain of malware designed to extract credit card information from an eCommerce platform, Internet-scanning malware targeting public SSH servers through default account names with elevated system access, more hardcoded root passwords in Cisco products and a new acoustic attack method that can narrow down the authentication pattern used to unlock Android devices. Notable breaches include card-skimming malware targeting the computer and electrical sales site Newegg, malicious banking apps impersonating the ANZ and CBA apps on the Google Play store and customer data stored in plaintext on auctioned NCIX hardware.

Current Threats and Exploits

  • Magento eCommerce Malware:
    A security researcher has discovered a new strain of malware designed to extract the credit card details that users enter on sites running the eCommerce platform Magento. The malware has been found on more than 7000 Magento sites currently in operation. To infect a site, the attacker first brute-forces the site’s login to gain authenticated access and then embeds a line of JavaScript in its pages. The JavaScript captures the characters the user types and sends them to the host magentocore[dot]net in Russia.
    If you are running Magento, it is recommended that the server be investigated to ensure that it has not been infected. (1)
  • Acoustic Echo Location Attacks for Smartphones:
    Security researchers have uncovered a new acoustic attack method that can be used to narrow down the authentication pattern used to unlock Android devices. The attack uses the phone’s speakers to emit inaudible sounds, which echo off the user’s finger and are then picked up by the phone’s microphones. From the echoes, the approximate movements of the user’s finger can be determined. The researchers used this information to track a user’s finger as they entered their unlock pattern on a Samsung Android phone, and were able to reliably reduce the number of candidate patterns by 70%, allowing them to gain access to the device in a much shorter time.
    While the attack is only theoretical at the moment, users are advised to authenticate to their device with a more robust method, such as a PIN, instead of an unlock pattern. (2)
  • Malware targeting public SSH servers:
    Researchers have discovered GoScanSSH, malware that scans the Internet for public SSH servers and attacks them through default accounts. The malware is not known to exploit any vulnerabilities; instead it targets default account names that are likely to have elevated system access, such as ‘root’ and ‘admin’. After it authenticates successfully on a system, a copy of the malware is uploaded and used to carry out the same attack against other systems. It then checks in with its command-and-control (C&C) server through the Tor2web proxy service, which keeps the C&C server hidden from defensive measures. Notably, when the malware scans for systems to infect, it excludes IP ranges that belong to certain military and government networks.
    As a security best practice, and to reduce the risk of infection, network administrators should ensure that default account names (especially those with elevated system access) are either not used or are protected by very complex passwords. Anomalous traffic to Tor web proxies should also be investigated as a possible indicator of compromise. (3)
  • More Cisco Hard Coded Passwords:
    Cisco has released patches for its Video Surveillance Manager (VSM) software that remove a hardcoded root password. The hardcoded password allows an attacker who knows it to authenticate to any affected VSM device as root. The vulnerability only affects VSM releases 7.10, 7.11 and 7.11.1.
    Users of these systems are advised to install the patches as soon as possible. (4)
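For the Magento item above, one check a site owner can run is to parse the storefront’s checkout HTML and flag any script that loads from, or references, a host outside the shop’s own allow-list, which is exactly where an injected skimmer line would show up. This is an added example, not code from the report or from the Magento project; the sample page, `shop.example` and the allow-list are constructed, and `magentocore.net` is the exfiltration host the report names.

```python
"""Added example (not from the report or Magento): flag storefront scripts on unexpected hosts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_SKIMMER_HOSTS = {"magentocore.net"}   # exfiltration host named in the report
_HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)

class _Scripts(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
def _label(host):
    return "known-skimmer-host" if host in KNOWN_SKIMMER_HOSTS else "unexpected-host"
def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, label, detail) for scripts that load from, or reference, a host
    outside allowed_hosts (the shop's own domain plus CDNs it deliberately uses)."""
    p = _Scripts()
    p.feed(html)
    findings = []
    for src in p.external:
        host = (urlparse(src, scheme="https").hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append(("external", _label(host), src))
    for body in p.inline:
        for host in sorted({h.lower() for h in _HOST_RE.findall(body)}):
            if host not in allowed_hosts:
                findings.append(("inline", _label(host), host))
    return findings

# Constructed checkout page: one first-party script plus one injected line pointing at the skimmer host.
SAMPLE_HTML = ('<form id="checkout"><input name="cc_number"></form>'
               '<script src="https://shop.example/static/checkout.js"></script>'
               '<script>var ex="https://magentocore.net/";/* injected */</script>')
```

Run it against a saved copy of each payment page (for example from a scheduled fetch) and diff the findings over time; a new unexpected host on a checkout page is worth an immediate look even when it is not the domain named here.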
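For the GoScanSSH item above, the defender-side check is to look for password guessing against the default account names the report mentions and, more importantly, for a successful login from a source that was guessing moments earlier. This is an added example, not code from the report or from any GoScanSSH analysis; the sshd log lines, hostnames and IP addresses (RFC 5737 test ranges) are constructed, and the log format assumed is the standard OpenSSH syslog wording.

```python
"""Added example (not from the report): flag SSH password guessing against default accounts
in sshd log lines, and any successful login from the same source that follows it."""
import re
from collections import defaultdict

DEFAULT_ACCOUNTS = {"root", "admin"}   # account names the report says the malware targets
_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
_OK = re.compile(r"Accepted password for (\S+) from (\S+) port")

def analyse_sshd_log(lines, threshold=5):
    """Return {source_ip: {"failed": n, "accounts": set, "accepted": [users]}} for sources
    with at least `threshold` failed password attempts on default accounts.
    A non-empty "accepted" list means the guessing was followed by a successful login."""
    stats = defaultdict(lambda: {"failed": 0, "accounts": set(), "accepted": []})
    for line in lines:
        m = _FAIL.search(line)
        if m and m.group(1) in DEFAULT_ACCOUNTS:
            s = stats[m.group(2)]
            s["failed"] += 1
            s["accounts"].add(m.group(1))
            continue
        m = _OK.search(line)
        # Only a success from a source that was already guessing is recorded as escalation.
        if m and m.group(1) in DEFAULT_ACCOUNTS and m.group(2) in stats:
            stats[m.group(2)]["accepted"].append(m.group(1))
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample: one scanner guesses root five times and then gets in; a second source
# tries 'admin' twice; a third fails against a non-default user and is ignored.
SAMPLE_LOG = [
    f"Oct  3 10:12:0{i} web1 sshd[2231]: Failed password for root from 203.0.113.7 port 5112{i} ssh2"
    for i in range(5)
] + [
    "Oct  3 10:12:09 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 51130 ssh2",
    "Oct  3 10:13:00 web1 sshd[2250]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2",
    "Oct  3 10:13:05 web1 sshd[2251]: Failed password for invalid user admin from 198.51.100.4 port 40002 ssh2",
    "Oct  3 10:14:00 web1 sshd[2260]: Failed password for invalid user alice from 192.0.2.9 port 30001 ssh2",
]

if __name__ == "__main__":
    for ip, s in analyse_sshd_log(SAMPLE_LOG).items():
        print(ip, s["failed"], "failures on", sorted(s["accounts"]), "accepted:", s["accepted"])
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` output; any source that appears with a non-empty `accepted` list should be treated as a likely compromise, and its outbound connections to Tor2web proxies checked next.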

Magecart credit card skimming malware has struck again, this month targeting computer and electrical sales site Newegg.

Recent Breaches

  • Newegg customers affected by Magecart Malware:
    The computer and electrical sales site Newegg has been infected with card-skimming malware known as Magecart. Magecart, which has also hit both British Airways and Ticketmaster, was detected on Newegg’s website skimming credit card details during payment processing from the 14th of August to the 18th of September. Newegg released a statement informing customers that it is performing an extensive investigation into how its site was infected, and warning those who purchased goods from it during the breach.
    The statement recommends that affected users freeze their credit cards and monitor and report any suspicious activity on their bank accounts. (5)
  • NCIX Customer Data Breach:
    Servers seized by the landlord of the now-closed Canadian hardware retailer NCIX were auctioned to private buyers without confidential customer information first being removed. It is claimed that the hardware contained credit card numbers for over 260,000 customers, for purchases made as far back as 2007, all stored in plaintext. The servers also contained other customer data, including purchase histories, contact information and password hashes.
    The breach has sparked debate around responsibility. (6)

Other News

  • Fake banking apps scam on Google Play store:
    More than a thousand bank customers have downloaded malicious banking apps that impersonate the legitimate ANZ and CBA apps from the Google Play store, between June, when the apps were first reported as fraudulent, and early September, when the international security firm ESET alerted Google. ESET noted that, besides ANZ and CBA, banks in the UK, Switzerland and Poland and an Australian cryptocurrency exchange were also targeted. Because the apps were available on the official Android app store, they gained bank customers’ trust and stole their credentials, including login details, passwords and credit card details. Neither ANZ nor CBA was obliged to inform the public or notify authorities, as the banks themselves were not compromised. The incident has exposed serious issues in Google Play’s automated verification process for new apps.
    Customers who believe they may have downloaded a fake app, or who have noticed unusual transactions, should contact their bank immediately. (7) (8)