Squeeze Volume 10 - AWS Leaks Keys, FedEx Scam, IoT, Mac Trojan, & More
Welcome to Squeeze, a curated selection of interesting infosec articles from the past week that you may have missed.
Welcome to the tenth edition of the Secjuice Squeeze, where we present a selection of last weeks interesting infosec articles curated for your reading enjoyment in case you missed them! This week's volume was created by Bhumish Gajjar, Guise Bule and Mike Peterson.
FedEx Text scam
FedEx has been warning people of a fake FedEx delivery text going around. The way this scam works is it sends you a text message about some false package status, and then in that text includes a "free product." If you take a survey, it asks you for your credit/debit card information. People have been falling for this scam, and then the police in multiple cities conform that these scams are taking people's money. FedEx has said in a statement sent to USA TODAY, "FedEx does not send unsolicited text messages or emails to customers requesting money or package or personal information. Any suspicious text messages or emails should be deleted without being opened, and reported to [email protected]."
Link: https://www.usatoday.com/story/money/2020/01/22/fedex-delivery-notifications-scam-texts/4548088002/
Ransomware Now Steals Credentials Stored in Your Browser
FTCODE, a PowerShell-based ransomware, has added new capabilities, including the ability to swipe saved web browser and email client credentials from victims. Recently, the bad actor has been sending victims links to VBScripts, which then download FTCODE. Once a user executes the VBScript, it, in turn, executes a PowerShell script, which then downloads and opens up a decoy image (saved into the %temp%folder).
Once downloaded, FTCODE takes history details from Internet Explorer and decrypts the stored credentials from information in the registry. For Mozilla Firefox and Thunderbird, the script checks four paths and steals any credentials in them.
Link: https://threatpost.com/ftcode-ransomware-steals-chrome-firefox-credentials/152022/
500K Telnet Credentials for IoT Devices Leaked
A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices on a popular hacking forum, in what’s being touted as the biggest leak of Telnet passwords to date.
The hacker compiled the list–which includes each device’s IP address, as well as a username and password for Telnet–by scanning the entire internet for devices that were exposing their Telnet port, according to the report. The bad actor then used factory-set default usernames and passwords and/or easy-to-guess password combinations to gain credentials.
Link: https://threatpost.com/hacker-leaks-more-than-500k-telnet-credentials-for-iot-devices/152015/
Mitsubishi Electric Warns of Data Leak After Security Breach
The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs. "On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside," a detailed company statement says.
"This is an advanced method of monitoring and detection, and it took time to investigate because the log (operation record) for identifying the transmitted file was deleted by an attacker on some terminals."
250 Million Microsoft Customer Support Records Exposed
The wide-open records were discovered by the Comparitech Security team. What’s more, they found that there were five identical sets of those 250million customer records, all wide open, on five different ElasticSearch servers.
The exposed Microsoft customer records, spanning 14 years (from 2005 until the very end of 2019), include both personal information and recordings of conversations between Microsoft customer support representatives and customers from around the world. The exposed personal information includes customer email addresses, IP addresses, and locations, of which some, but not all, were redacted. The records also include logs of the interactions between Microsoft support agents and customers, as well as descriptions of and information about those support interactions, and internal confidential notes.
Link: https://www.theinternetpatrol.com/250-million-microsoft-customer-support-records-exposed/
AWS Engineer Leaks Private Keys, External Analysts discover them in Minutes
An Amazon Web Services (AWS) engineer last week inadvertently made public almost a gigabyte’s worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments. It is noteworthy here is how quickly the employee’s credentials were recovered by a third party, who—to the employee’s good fortune, perhaps—immediately warned the company.
On the morning of January 13, an AWS employee, identified as a DevOps Cloud Engineer on LinkedIn, committed nearly a gigabyte’s worth of data to a personal GitHub repository bearing their own name. Roughly 30 minutes later, Greg Pollock, vice president of product at UpGuard, a California-based security firm, received a notification about a potential leak from a detection engine pointing to the repo.
Link: https://gizmodo.com/amazon-engineer-leaked-private-encryption-keys-outside-1841160934
U.S. Lawmakers Introduce Bipartisan Effort to Cut NSA Surveillance
A bipartisan pair of U.S. Senators have introduced the "Safeguarding Americans' Private Records Act" in an effort to cut down on the vague language of Section 215 of the Patriot Act that once justified mass surveillance of American citizens. After being renewed by President Barack Obama back in 2015, Section 215's five-year renewal is fast approaching in March. That represents a golden opportunity for lawmakers to reform the arguably invasive bill.
Link: https://threatpost.com/new-bill-proposes-nsa-surveillance-reforms/152183/
Oil & Gas Infrastructure in the U.S. May Be in Trouble
Dragon, Inc. has published a new report indicating a rise in hacking activity targeting electric and gas utility companies in the U.S. The attacks, which mostly take advantage of password-spraying techniques, have been attributed to APT33, an advanced persistent threat sponsored by Iran. While a truly damaging attack would require significant time and effort, Dragos notes, the risk of a disruptive attack occurring is nonetheless worrying.
Adware-Injecting Shlayer Trojan has Infected One in 10 Macs, Kaspersky Says
While many Mac-owning consumers believe their devices to be relatively safe from malware, Kaspersky has penned a new report showing that they are far from immune. The Russian cybersecurity firm has tracked the rise in the Shlayer malware since it first surfaced back in February 2018. Since then, Shlayer has been distributed by about 1,000 "partner" websites. While generally considered more annoying than harmful, Shlayer's focus on adware is generally thought to help its authors save money and generate more revenue than something more destructive.