2020 has come in like a wrecking ball, creating havoc with the most unrealistic events. One of such strange news surfaced for Android Phone users recently.

Well, the culprit is a peaceful image of a sunset on a lake, surrounded by mountains and clouds. What harm could be done by such a beautiful perfect picture, right? Well, the answer is hidden in the image’s color codes.

This scandalous image has become a viral sensation over the past week or so. Android enthusiasts and geeks are sharing the image with a disclaimer to not set it up as wallpaper. But some over excited users are daring enough to try it, leading their mobile OS to fail and crash.

This isn’t the first incident of its kind. It’s a common episode with iPhones and iOS devices, through specially crafted files or message strings. Not long ago, a Sindhi-language text and Italian flag text bomb was doing rounds, freezing everyone’s iPhones. But in comparison, it’s a rare incident with Android devices.

Android Phone Wallpaper Bug: How It Works?

First identified by Ice Breaker, a Samsung phones aficionado and researcher, tweeted about this image with a warning label (shared above). This image, only when set as the Android phone wallpaper, soft-bricks most Android phones.

What is Soft Brick in Android?

A device is soft bricked when it becomes unresponsive to one or multiple functions. For example, application crashes, phone freeze-out. These are mainly low-intensity software related bugs and can be fixed using resetting/ rebooting the device or deleting the guilty files.

How this Wallpaper Bricks the Android Phones?

Initially this mystery was only backed by guess-work, blaming the image’s metadata. But after further investigation, it was discovered that the real problem was with the image color codes.

Android OS uses SRGB mode to display graphics, while the image under spotlight has RGB color space. This was identified by Dylan Roussel from 9to5Google while he was testing it on multiple Android devices. He found that the image did not trigger the bug in Android 11, which can be attributed to the fact that the latest Android version “converts the color space (if it’s not already supported)”.

So as a closing argument, it isn’t really the image’s fault. Any other image, with similar color space could have the same effect.

What Happens When You Set it as an Android Phone Wallpaper?

This image is harmless as long as it is popping up in any app, or even saved in your phone gallery. Only using it as a wallpaper may lead to a number of irrational activities on your smartphone, such as:

• Applications crash
• Device crash and landing on lock screen
• Phone turning on and off repeatedly on a loop
• Phone gets completely unresponsive to any touch or action
• Even a simple restart does not fix the issue here

You can see a demonstration of this Android Wallpaper Bug in the video below:

Devices/ OS Unaffected by the Android Wallpaper Bug?

The confirmed and tested list of devices that are not affected by this bug are:

1. Android 11
2. Pixel 4 XL
3. Huawei Mate 20 Pro
4. OnePlus phones

How to Fix the Android Phone Wallpaper Bug?

While the Wallpaper issue isn’t a malicious virus or malware, it can still be pretty annoying. And if you’re one of the “smart” guys who has already or is gonna try this “stupid” idea, then here’s a list of quick solutions you can opt for:

1. To start with, if you’re quick enough while your phone is still responsive, you can change back your wallpaper to something normal and avoid the brick altogether
2. As a next step, if your phone has a custom recovery ROM, then you can simply go in and delete the wallpaper. This will erase the image source from the OS. For this, you can find the file named ‘Wallpaper’ at following paths:
   - Upto Android OS 4.0: Go to /data/data/com.android.settings/files/
   - From Android OS 4.1 to above: Go to /data/system/users/0/
3. If nothing else works, then the last and ultimate option is to ‘Factory Reset’ (using the bootloader).

Fortunately, Google and Samsung have also taken note of this problem and are currently working on a solution for probably all the older versions of Android.

Note: If you really like the image and want to use it as a Wallpaper on Android Phones, then you can edit the image using filters, or gradients. This makes the image completely harmless.

On June 1, 2020, a highly critical VMware Cloud Director vulnerability was disclosed to the world, that basically hands over an enterprise server’s keys to the hacker.

VMware is a popular cloud services corporation, with an abundant range of products and services such as Private Hybrid Cloud Solutions, Hyperconverged Infrastructure, Virtual Cloud Networking, App Virtualization, Storage Technology among others. VMware Cloud Director is one of their most popular services. Originally known as vCloud Director, it is widely used by enterprise level companies and cloud service providers for data center expansion and management, automation, cloud development and migration, multi-site management and more.

But the trusted VMware Cloud Director came under heat when Citadelo, a cybersecurity firm, released a security update detailing how the vCloud Director can be abused to gain privilege access.

VMware Cloud Director Vulnerability Explained

The newly-found VMware Cloud Director exploit was first discovered in April, when the Citadelo team was performing a security audit for an unnamed Fortune 500 client. This enterprise, as clear by now, used VMware Cloud Director and wanted to investigate their cloud infrastructure.

This vulnerability has been rated 8.8 CVSSv3 Score, and classified as CVE-2020-3956.

The root cause of this flaw can be determined as improper handling of the input, resulting in a code injection vulnerability. However, this exploit can only take effect when the input is sent from an authenticated attacker. He can send “malicious traffic” to the VMware Cloud Director, which can subsequently cause arbitrary RCE (Remote Code Execution).

This code injection flaw can be exploited by means of:

• HTML5- and Flex-based UIs
• API Explorer interface
• API access

Researcher leads Tomáš Melicher and Lukáš Václavík further explain the technicality that led them to this finding,

“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49]. It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server-side.”

After a few failed attempts, the team was finally able to access arbitrary java classes and call them with malicious payloads.

CVE-2020-3956 Vulnerability Impact

This vCloud Director vulnerability has been regarded as ‘highly important’ because it can allow a skilled hacker to gain full control of the target corporation’s entire infrastructure. The extent of this bug’s devastating effects reach upto the ability of attacker to gain access of:

• All customers within the infrastructure
• Available private clouds,
• Sensitive company and customer information, such as:
  - Full names
  - Emails
  - Password hashes
  - IP addresses
• Internal system databases for:
  - Foreign Virtual machines’ tampering
  - Privilege escalation of administrators
  - Stealing login credentials

Citadelo ethical hackers behind this discovery have released a POC (Proof of Concept) to exhibit how severe this flaw really is. Click here to check it out.

VMware Cloud Director Patch

Like with most genuine researches, the Citadelo team also privately notified the VMware offices about the said vulnerability and its exploits. VMware development team has released it’s Cloud Director fixes in recent updates.

Vulnerable VMware Cloud Director Versions:
(On Linux and PhotonOS machines)

• <= 10.0.1
• <= 9.7.0.4
• <= 9.5.0.5
• <= 9.1.0.3

Patched Versions:

• 9.1.0.4
• 9.5.0.6
• 9.7.0.5
• 10.0.0.2

Additionally, VMware has also published a Mitigation Workaround on this issue, in their Knowledge base. Click here to go through it.

While the world is collectively whining about 2020, Zoom is one of the few lucky who is triumphing the ‘social-distance’ ship. But since its global rise, Zoom has not only garnered abundant users but also tech experts and researchers. And starting March, 2020 everyone seems to stumble upon one bug here, another vulnerability there.

Zoom Security issues are rising by the day, and have majorly affected school classes, business meetings, social hangouts, etc. The first big Zoom threat came to light in April 2020, when many meetings started experiencing random uninvited attackers who would scribble or shout profanity, racial slurs, or share inappropriate images. These incidents famously came to be known as Zoombombing.

Since then, there have been multiple Zoom security issues news. Let’s quickly brush up on the highlights:

• Saved Zoom meeting recordings were publicly available online on Zoom’s cloud servers
• Fake Zoom client software enabled Information Scraping to get the details of an organization’s employees.
• Zoom phishing scam, posing as employee’s HR department
• A corrupted fake Zoom installer file emerged that attacked your system’s camera
• 500,000 Zoom Accounts leaked and sold on Dark Web
• Several Zoom zero-day exploits still open

Now coming back to the latest Zoom Vulnerabilities – On June 3, 2020, Cisco Talos reported 2 critical vulnerabilities in Zoom Application that provided code execution privileges on your machine.

Latest Zoom Vulnerability 2020 Under Spotlight

The 2 new-found Zoom Vulnerabilities are highly severe as they allow a threat actor to “execute arbitrary code on the victim's machine”. Both these flaws can be exploited for  path-transversal attacks to write or install arbitrary code files on any machine running the Zoom Video conferencing tool.

The under-discussion Zoom Vulnerability CVEs have been classified as:

1. CVE-2020-6109 (TALOS-2020-1055)
2. CVE-2020-6110 (TALOS-2020-1056)

Apparently, these vulnerabilities allow hackers to attack Zoom group chat and individual participants, without the need of any interaction. They work as simply as sending a malicious message via chat feature in Zoom to the targeted group or individual.

CVE-2020-6109 – CVE Giphy Arbitrary File Write

CVSSv3 Score: 8.5
Zoom Vulnerability Version (tested on): 4.6.10

The first Zoom vulnerability was present in the process that manages GIF messages from Giphy, which in an ‘ideal environment’ is the only server used by Zoom for GIFs. But researchers found that there was a validation error that didn't check if the sent GIF is loading from Giphy or any other service.

This gave the threat actor a chance to send malicious GIFs from their controlled server. Now, as per Zoom’s architecture, these GIFs would then be stored onto the recipient’s system, in the application’s folder.

But the vulnerability takes full effect in the fact that Zoom doesn't sanitize filenames, thus allowing directory transversal. This essentially means that the attacker can intentionally redirect the path to store the file outside Zoom’s install folder, and into any writable directory.

Additionally, the file contents need not be a GIF or image, but can be an executable script or code, which can be exploited further for another vulnerability.

CVE-2020-6110 – CVE Chat Code Snippet RCE

CVSSv3 Score: 8.0
Zoom Vulnerability Version (tested on): 4.6.10 and 4.6.11

The second Zoom vulnerability resides in the chat functionality, that is

“built on top of XMPP standard with additional extensions to support the rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires the installation of an additional plugin but receiving them does not. This feature is implemented as an extension of file sharing support.”

The above functionality zips the code snippet before sharing, which then unzips when it is received on the victim’s end. This is where the vulnerability comes into action. Researchers explain that Zoom does not verify the contents of such zip files in it’s zip file extraction feature, thus allowing any cyber attacker to install arbitrary binaries on the victim's system.

Additionally, like the first vulnerability, this one also takes advantage of path transversal flaw, allowing malicious zip archives to write files outside the Zoom’s assigned directory on the targeted computer, finally leading to remote code execution.

Zoom Vulnerability Fix & Patch

Fortunately, the Talos team reported both issues to the Zoom organization in April 2020. Following which the Zoom development team fixed both vulnerabilities and released the patched version on June 3, 2020.

Zoom Patched Version: 4.6.12

Make sure that you’ve updated the Zoom application and are running it’s latest version on your Windows, Linux and Mac machines.

Data Breaches have become as frequent as an influencer’s Instagram posts. This week’s most alarming data breach news comes to us from the Indian E-Payments and UPI mobile application - BHIM (Bharat Interface for Money).

BHIM is a government sponsored payments application, developed by CSC (Common Service Centres Scheme) E-governance Services Ltd. Launched in 2016 by NCPI (National Payments Corporation of India), the app boasts of over 136 Million downloads. In Addition, the app works on the UPI technology, that stands for Unified Payments Interface that enables financial transactions by assigning unique IDs to users. Interestingly UPI project is also developed by NCPI.

An authorized app, like BHIM, is highly trusted by users when jumping onto a new technology, especially in the financial zone. BHIM was heavily marketed by the Indian government during the 2016 demonetisation phase for easy and instant money transfers. That’s why the BHIM hacking news comes as such a shock, (looking into the app’s background and it’s direct support from the government).

The news was first reported on May 30th, 2020 by VPNMentor, a cybersecurity firm, who discovered the breach back on April 23rd, 2020 and notified the BHIM team and CERT-In (Computer Emergency Response Team) in time. Let’s take a deep look at the report to understand what got leaked and how it could affect the registered BHIM users.

BHIM Data Leak Details

The BHIM data dump exposed during this breach amounted to 409 GB with approximately 7.26 Million Indian user records. The individuals ranged from all backgrounds, age groups (including minors), religions and status. The leaked files are highly confidential, with sensitive details like Personal Identifiable Information (PII) and financial information. This further consisted of complete user profiles and corresponding banking records, with specifics like:

• Name
• Age
• Gender
• Date of Birth
• Address
• Profile and ID Pictures
• Religion and Caste Status
• Fingerprint scans
• Scanned Copies of
  - Aadhaar Card (National ID of India)
  - PAN (Permanent Account Number) Card (by Indian Income Tax Department)
  - Caste Certificates
  - Proof of Residence
  - Educational and Professional Certificates
• ID numbers for
  - Government Programs
  - Social Security Services
• Screencaps of financial transactions within banking apps, stored as proof
• Business Names and respective UPI IDs
• And more

How the BHIM Data Breach Happened?

The source of the breach was CSC BHIM website - http://cscbhim.in/, that was “used in a campaign to sign large numbers of users and business merchants to the app” across all states of India. The data from this campaign was stored on the widely-used Amazon Web Services S3 bucket, which was ‘not secure’ due to a developer’s carelessness. This would be technically referred to as AWS S3 bucket misconfiguration.

S3 buckets is a cloud storage facility that is one of the most used and preferred choices throughout the globe. But while integration, the developer needs to follow security best practices and set up certain protocols, suitable for their environment.

The exposed BHIM data was available in the S3 bucket, labeled as ‘csc-bhim’. It held the PII and financial data for a huge number of individuals and businesses who signed up for the said campaign, like:

• Farmers
• Mechanics
• Service Providers
• Store Owners
• And more

BHIM Hacking Devastating Impacts

This massive breach has left millions of Indian citizens in shock and worried for their privacy, and rightly so. With the amount of public data at stake, it has become a deeply concerning issue, which will lead up to various fraudulent activities and damaging long-term impact.

One of the major leaks in the BHIM hacking is the UPI IDs. UPI payment system is an alternate approach for financial transactions. You can consider it equivalent to a bank account. This makes the BHIM UPI data like a goldmine for hackers and cybercriminals, who can utilize these, in combination with PII, for various illegal transactions like:

• Identity Theft
• Tax Fraud
• E-Payment Theft
• Phishing Attacks

Moreover, the exposed S3 bucket also contained an APK (Android Application Package), which is a private file used by Android OS while app installation. Noam Rotem and Ran Locar, the lead researchers from VPNMentor explain,

“AWS Key pairs are the equivalent of admin user/password in Amazon’s infrastructure, potentially giving the holder of the key access to all data, the ability to start and stop servers, access the S3 bucket’s controls, and more. We did not test the credentials, but even their presence is an alarming sign of bad security design practices.”

India being a development company, most of its population is either uneducated or unaware of how scams work. They can be the perfect audience for a cyber attacker, trying to leverage this opportunity. This extensive exposure of private data will also create a difference and trust shift between the “Indian public, government bodies, and technology companies”.

Official Statement on ‘BHIM Hacked’

Interestingly, BHIM and NCPI have both denied any possibility of this data breach, stating that,

“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem”

Next Steps on BHIM Data Breach

As per VPNMentor report, the BHIM data breach was patched on May 22nd, 2020. Even if the case is closed, the data might still be out there, as a threat actor could have accessed it during the one year (allegedly) that it was open for.

But this is definitely not the last of data breach or ransomware infiltration. Users should be educated and aware about how to protect their data. Let’s quickly go through some efficient tips:

1. Change your password often, specially after a data breach news, to a strong alpha-numeric key
2. Never share your OTP with any stranger, even anyone posing from the bank or government sector
3. Don’t share your bank/ card details with anyone over the phone, messages or emails
4. Don’t click on any suspicious link in an email, or fill out your personal information
5. Never install untrusted applications
6. Lastly, if you’re highly concerned, you can directly get in touch with CSC e-Governance Services and enquire about the issue and their next steps

Stay Updated, Stay Safe!

REvil group is a notorious cyberattacker gang, that is infamous for many ransomware hackings in the recent past. They rose to fame in early May 2020, after the influential Grubman Shire Hack News, but have been active since 2019. Their main gameplay is to hack high profile corporations, and breach their data with ransomware.

In the latest REvil hacking news, 2 organizations namely Vierra Magen Marcus and Elexon have been their most recent data breach targets. Let’s get in depth of both reports,

REvil – Vierra Magen Marcus Data Breach

Vierra Magen Marcus LLP is an intellectual property law firm with clients ranging up from Fortune 500 to emerging SMEs. Like in the case of Grubman Shire data breach, Vierra Magen is also a legal firm and has been providing legal counsel since 2001.

REvil ransomware operators, just last week, posted highly confidential information from VMM, worth 1.2 TB. The data leak consisted of:

• Non Disclosure Agreements
• Company Patents
• Sensitive Files and Data
• Multiple Sources
• And more

Below are few screenshots from the Vierra Magen Marcus data leak, sorted by client/ company names:

REvil – Elexon Data Breach

Elexon is associated with British electricity wholesale market and administers BSC – Balancing and Settlement Code. They play a crucial role in managing the supply-demand chain of generators and suppliers in the UK electricity industry.

According to Cyble, a cybersecurity firm, Elexon’s digital data was breached on May 14, 2020, but was leaked by the ransomware group just a couple days back. The leaked Elexon data dump has been analysed and verified as legitimate. It includes high value information like:

• Elexon confidential Files
• Passport Copies
• Enterprise Renewal Applications
• Enterprise Analysis Data
• And more

Few snapshots of the Elexon data leak:

REvil – Sri Lanka Telecom Hacked

In another recent REvil cybercrime news, Sri Lanka Telecom has been allegedly infiltrated by the ransomware gang. SLT is the nation’s largest fixed line operator, who recently underwent a cyberattack.

In an official statement, Sri Lanka Telecom stated that their internal servers were compromised with the ransomware, but they have overcome the situation now and are dealing with it. Their quick workaround was to isolate the threatened systems and implement corrective measures. Luckily, none of their machines with customer information or services were impacted during the cyberattack.

REvil Data Leak – Motive and Impact

Clear from the incidents above, REvil is notoriously spreading its evil wings over any significant IT systems throughout the globe. According to their prevailing pattern, REvil’s agenda is quite simple:

• They target an influential or data-rich firm
• Inject the ransomware (most likely their weapon of choice ‘sodinokibi’)
• This blocks, corrupts or infiltrates the organizations’ sensitive information
• Next, REvil sends threat notes demanding a huge sum of money
• If the company fails to payoff in time, REvil operators either:
• Leak the data publicly, or
• Auction off valuable data to the highest bidder

Staying true to their reputation, REvil has recently auctioned off Donald Trump’s sensitive information obtained from Grubman Shire data breach, and have next placed an ad to sell Madonna’s business data for 1 Million Dollars in cryptocurrency.  

If you’re a business with high-stakes data information, you should definitely think about investing in a state-of-the-art cybersecurity system, avoid careless mistakes and pay special attention to:

• Keeping alpha-numeric, strong and non-obvious passwords (including all your staff and systems)
• Never click on unauthenticated links
• Always check the url before giving any login or sensitive credentials
• Use firewall and keep your antivirus up to date
  
  
  

WordPress is a user-friendly CMS, preferred and used by millions of businesses, bloggers and individuals around the world. It currently powers 35% of all websites on the internet. Even with such a wide reach, this mega-platform has been under cyber experts' radar for various security concerns. One of the most common attacks include hackers exploiting WordPress’ popular plugins.

PageLayer is a popular WordPress plugin that enables non-technical users to build their website by simple drag-and-drop features. It’s fairly easy to use and works with most WordPress themes available in the market. According to latest statistics, it is currently installed and actively used in over 200,000 websites.

On May 28, 2020, Wordfence, a WordPress security firm, disclosed 2 critical vulnerabilities that can let threat actors take over your PageLayer-installed WordPress website.

WordPress PageLayer Vulnerability: How it Works?

Wordfence explained that a cyberattacker can take advantage of the 2 new-found security flaws in PageLayer WordPress plugin to launch wipe and takeover attacks.  

The first vulnerability allows a subscriber (or high-level) user to manipulate website posts’ content. While the second flaw took things to the next level by allowing a threat actor to fake an administrator-level request to alter plugin settings. This would further enable the attacker to inject malicious javascript into the site’s code. These PageLayer vulnerabilities occurred as a result of:

1. PageLayer’s exposed AJAX actions, which failed to validate permission checks. This indirectly gave access to any authenticated user to perform admin-level activities.

2. Another issue with PageLayer was nonce disclosure in the header’s page source . For those unaware, Nonce is simply a key in WordPress used to protect forms/ urls from hackers. By gaining this nonce, any site visitor can pose as a legitimate user to misguide AJAX actions, along with other security issues.

3. As Nonces can be easily compromised, they further impact CSRF (Cross Site Request Forgery) protection in WordPress.

The combination of above compromised functions gave birth to the 2 mentioned high-severity PageLayer vulnerabilities with CVE IDs yet to be identified.

The real-world impact of these vulnerabilities could be devastating to the site-owner as well as normal visitors. Some of the major repercussions might include:

• Creation of rogue user and administrator accounts
• Modify the website’s posts and pages
• Erasing or wiping out entire website and its contents
• Misleading the users and redirecting them to 3rd party malicious links
• Even the site visitor’s PC can be at risk as the hacker can compromise his security through the browser

PageLayer Patch

On April 30, 2020, the threat intelligence team at Wordfence disclosed the vulnerabilities to PageLayer’s development team, who soon released a patch in their latest version on May 6, 2020.

Previously Vulnerable Version: 1.1.2
Patched Version: 1.1.4

As of May 27, around 120,000 websites were still using PageLayer v1.1.2. If you’re working on a PageLayer WordPress website, please update your plugin immediately to forego any such risks and attacks. To read the full report from Wordfence, click here.

We’ve said this before, and we’ll say it again, hackers have got too much time on their hands since the worldwide coronavirus pandemic and lockdown situation. We’ve been receiving multiple data breach news every day, including high profile data leaks involving celebrities and even Donald Trump.

Our recent story covers the well-known caller-identifying and spam blocking application – Truecaller Data Breach. The popular app has become a necessity for some since the rise of smartphones, and its active users cross the 150 million mark. Truecaller is owned and operated by a Stockholm, Sweden corporation namely, True Software Scandinavia AB.

Truecaller Data Breach

Just a couple of days ago, Cyble, a cybersecurity & research agency, found a ‘For Sale’ ad from a seller on a Dark Web site. The post ensured a delivery of Truecaller data dump of 47.5 Million users’ personal details for $1000. Or in Indian numbers, a 4.75 Crore Users’ Database for around INR 75,000.

The post came from an undisclosed but trustworthy seller who, in the past and currently, has sold billions of authentic records. But what was surprising in this deal was the low price he demanded for this. This was unlike his previous deals and that’s what led Cyble team to go in depth and verify the acquired records. More on their findings below, but first let’s take a look at the specifics of the Truecaller data leak.

Truecaller Data Dump Details

Though Truecaller is installed on smartphones worldwide, the data dump included details of only its Indian users. That is also neatly organized and sorted by cities, states and carriers.

Like stated above, the dump included details of 47.5 Million Truecaller users including sensitive information like,

• Name
• Phone Number
• Email
• Gender
• Network Carrier
• Location - City, State
• Facebook ID
• And more

Truecaller Hacked? Truth Behind the News

Since the news of this potential cyberattack has surfaced, Truecaller has consistently denied the possibility of any breach, saying:

“Thank you for bringing this to our attention. There has been no breach of our database and all our user information is secure. We take the privacy of our users and the integrity of our services extremely seriously and we are continuously monitoring for suspicious activities. We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It's easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell. We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money.”

In their original report, Cyble had confirmed that the Truecaller 2020 database was part of the Truecaller 2019 data leak. They have also manually verified the entries, and found them to be genuine users. Interestingly, Truecaller hasn’t even made an effort to obtain the dump to check it themselves before broadcasting the above statement.

But whether Truecaller was hacked or not, still remains a question, as a data leak can be attributed to a number of instances like misconfiguration, etc. However, according to an investigation conducted a few years back by Factwire, few Truecaller security issues were reported to the public, including the database publicly available on their website search.

Truecaller Hacking News: Impact & Next Steps

If you’ve an account with Truecaller, don’t panic. Instead go to an authorized ‘Data Breach Monitoring’ platform like Cyble’s Am I Breached and check for any exposure.

Next step would be to stay alert against any future spams, scams or identity thefts. Such individually targeted sophisticated attacks are a common routine for threat actors when they come across a fresh data dump.

That said, we’ll urge you to stay hopeful, as Truecaller is continuously assuring it’s users that their data is safe in their ‘bank-grade security’.

Just a few months back in December 2019, the world was introduced to StrandHogg Android Vulnerability that lets a malicious app hijack your phone through Android’s multitasking feature. It worked quite simply:

• The malicious app (that exploits StrandHogg vulnerability) needs to be installed on the victim’s Android phone
• The victim clicks on any trusted app (including system apps)
• Instead the malicious app opens up, masqueraded with similar UI as the ‘clicked’ application

This interception allows the malware (or cyberattacker operating it) to acquire privilege credentials, banking details, etc. by showing fake login screens. Another threat that comes from this flaw is getting the user to grant important device permissions. To understand StranHogg 1.0 more clearly, take a look at the demonstration below:

StrandHogg 2.0 Malware

The Norwegein team of researchers from Promon, who discovered StrandHogg 1.0 vulnerability, have just revealed StrandHogg 2.0 - The Evil Twin. The name comes from a Norse term that means ‘hostile takeover’. They have debuted this bug with a scary introduction, stating that StrandHogg 2.0 is ‘more dangerous, more difficult to detect’ than its older brother.

StrandHogg 2.0 is a critically severe vulnerability, as identified by Google, and has been classified CVE-2020-0096. This flaw affects all Android-based phones, except the most latest version ‘Android Q’ (or Android 10). According to Google’s April 2020 statistics, less than 15-20% of the global market is using Android 10; which evidently confirms that over 1 billion Android mobile devices are currently exposed to the StrangHogg 2.0 exploit.

What is StrandHogg Bug? How is it Affecting 1 Billion Android Devices?

StrandHogg 2.0 is a privilege escalation bug that doesn’t require the root access or related permissions to be executed, and can also be executed without user interaction.

StrandHogg 2.0 adopts the reflection technique, and simply adapts the identity of other legitimate apps installed in the victim device. As soon as the StrandHogg malware application gets installed, the cyberattacker at backend will instantly be able to mimic all applications on the said device, without the need to pre-configure each target app.

After installation, all the user has to do is click on the app icon of any mobile application, and StrandHogg will immediately take its place and show a malicious screen (with the same interface). The victim, unknowingly, will provide device access or login details to the attacker, who can misuse these permissions and data to his like.

To summarize, exploiting Strandhogg 2.0 vulnerability will enable the attacker to access:

• Photos
• SMS Messages
• Login credentials of the target application
• Record phone calls and conversations
• Spy using the mobile’s microphone and camera
• Track user location via GPS
• And more

StrandHogg 2.0 vs StrandHogg 1.0

The latest StrandHogg vulnerability is similar yet different from the original. We can say that in some ways, it is an improvement (from a Cyberattacker POV). For example, unlike the first version, StrangHogg 2.0 doesn’t work around Android's ‘Task Affinity’ function.

In other words, StrandHogg 1.0 could only attack one app at a time, while StrandHogg 2.0 can perform dynamic attacks simultaneously on multiple or all apps on the infected device. This significantly augments the latter’s power and attack capabilities.

But the biggest threat posed by StrandHogg 2.0 is its sophisticated attack method that leaves no trace behind, and can easily trick security experts, scanners and anti-virus. This is achieved because of StrandHogg 2.0’s ‘code-based execution’ with no external configuration.

StrandHogg 2.0 Fix & Patch

Much to every Android user’s relief, Promon has stated that they haven’t found StrandHogg 2.0 to be the bad guy in any of the major hacking campaigns. The bug got discovered in December 2019, and the security researchers team immediately notified Google.

In April 2020, Google released the StrandHogg 2.0 Patch and started distributing it. The smartphone manufacturing companies will soon start delivering the relevant software updates for this flaw.

All we can do now is wait for our device’s next software release. Nevertheless, we should always follow cybersecurity best practices, and watch out for dubious activities like:

• Beware of any StrandHogg app download, by avoiding unheard of or suspicious applications
• Your frequently used apps don’t unexpectedly ask:
  - You to Login
  - Device Permissions
• When the legitimate app’s buttons and links don’t work as expected

To read the full report from Promon, please click here.

Apple follows a ‘walled garden’ strategy for its wide range of products – With strictly closed environment and regulations for not only its hardware/ software, but also associated 3rd party applications. Clearly, no other brand puts as much scrutiny on its smartphones, and that is probably what excites researchers, hackers and ‘reverse engineers’ to dedicate their time on releasing iPhone Jailbreak tools.

What is Jailbreak (iOS)? Is Jailbreaking Safe?

Jailbreaking is gaining privileged root access in iOS/ iPhone to manage Apple restrictions, mainly for software and app installations. Jailbreaking, typically gives a user full control of the device’s OS, granting otherwise restricted permissions like customizations and app installations. This is mostly done through pushing modified code into the Kernel, to bypass the iOS signature checks or disable them.

With earlier versions of iOS 3, 4, etc. Jailbreaking was much easier and more common, but gradually Apple has become more rigorous with its guidelines and security policies. The mega giant’s main selling point is iPhone/ iPad’s simple and controlled user experience, so naturally they would oppose Jailbreaking, as the compromised custom solutions might not feel ideal for their audience.

But revisiting our above question, it is completely safe and ‘legal’ to try jailbreaking, but because Apple doesn’t encourage this, that’s why jailbreaking your new iPhone will affect your warranty.

Unc0ver v5.0.1 Jailbreak

The UnC0ver jailbreaking tool has been a trusted solution for many throughout the years. Much to everyone’s delight, the developers team behind this program, released their newest version over the weekend as Unc0ver 5.0.1, and quickly followed by the updated version Unc0ver 5.0.1.

This updated new tool unlocks all recent iOS, iPadOS versions starting with:

• iOS 11.0 -11.4.1
• iOS 12.0 - iOS 12.2
• iOS 12.4
• iOS 13.0 - iOS 13.5
• iPadOS 13.0 - iPadOS 13.5

*Note: This jailbreak software does not work on iOS 12.3 - 12.3.2 and 12.4.2 - 12.4.5

Below is the complete list of devices supported by UnCover v5.0.1:

• iPhone: 6/6 Plus, 6s/6s Plus, SE, 7/7 Plus, 8/8 Plus, X, XR, XS, XS Max, 11, 11 Pro, 11 Pro Max
• iPad: Air 1/2/3, Pro 1/2/3 generation, Mini 2/3/4/5, 5/6
• iPod Touch: 6, 7

As stated above, Uncover 5.0.1 works on the current iOS 13.5 operating system as well, which is a huge deal as the last time it happened was in 2014. Unc0ver lead developer ‘Pwn20wnd’ explained that they were able to achieve such success because of an iOS zero-day vulnerability, currently unknown to Apple.

Unc0ver 5.0.1 zero-day vulnerability was discovered by Pwn20wnd, and is a milestone in itself as every other jailbreak since iOS 8 uses 1-day exploits. Due to this very reason, those older jailbreaks were quickly patched in the next software update or hardware (wherever needed). iPhone owners interested in jailbreaking their device would generally wait for it to get outdated. That’s why Unc0ver v5 is such a breakthrough!

Unc0ver iPhone Jailbreak Benefits

Unlike most jailbreaks, Unc0ver 5.0.1 provides abundant features and advantages, by working to enhance your device, rather than restrict its permissions/ privileges. Let’s a take a look at some of the highlights:

• Compatibility with all latest devices iOS 11.0 through to iOS 13.5 (Refer to the list above)
• iOS in-built services will still work, for example, Facetime, iMessage, iCloud and others
• Doesn’t drain battery life
• Unregulated storage access
• Stable release utilizing sandbox exceptions
• Doesn’t disable future software updates (But beware of installing any update that contains patch for Unc0ver v5.0.1 zero day vulnerability)
• Easy installations with Cydia and Tweak injectors
• Limiting hacking risk by providing a highly secure environment after jailbreaking. This is done by keeping security layers for user apps and system intact
• Unc0ver installation is supported by with or without computer on - iOS, macOS, Windows and Linux systems.

Out of all Apple devices, the iPhone has been most criticized for its security solutions. Recently Siguza, an iOS security researcher and one of the key developers in Unc0ver 5.0.1 has rolled out a Psychic Paper Exploit that allows 100% access to your private data. One news reports, that a single email can hack your iPhone, while another suggests that a simple text bomb causes your iPhone to crash immediately. While all such rumors are engulfing Apple’s iOS, the release of Unc0ver 5.0.1 might prove to be a hit with current users.

Unc0ver Download (v5.0.1)

You can download Unc0ver 5.0.1 here.

For how to jailbreak iPhone with Unc0ver, please read the detailed installation guide for iOS, macOS, Windows and Linux, by clicking here.

For installation of Unc0ver without computer, please click here.

Dark Web is a mysterious hub, something like a treasure trove of valuable information. Apart from many illegal activities like drug marketplace, dangerous hirings, phishing attacks, financial frauds, it is a cyber attackers playground, as most data dumps are sold or auctioned over here publicly. Just a couple days back, Wishbone database was first sold and then distributed for free here.

But the new meat of data breachers is the extremely popular academic application for Math enthusiasts – Mathway. The app model works as simply as sending an equation or math problem and receiving back its solved answer, completely free. It is one of the top-rated educational apps with #4 rank on Apple’s App Store, 10+ Million downloads on Google Play Store and #2,065 website rank on Alexa.

With such wide audience reach, the Mathway data breach news has become an alarming issue. Let’s take a look at the details:

Mathway Hacked – Data Leak News and Hacker Details

Since the past month, there have been many reports of Mathway databases being privately sold on various platforms like Telegram channels, hacker forums, and more marketplaces on the Dark Web.  

But recently one such ad surfaced publicly on a popular dark web hacking forum, confirming the Mathway data breach. The post exhibited a sale of 25M User records of Mathway data dump for a price of $4,000 in crypto currency - Bitcoin or Monero.

Quite interestingly, Mathway data breach is the exceptional work of Shiny Hunters, who has been associated with lots of data breaches lately, like Microsoft Github Hacking, Wishbone Data Breach and more. He has also shared few details about the latest Mathway cyber attack with ZDNet, saying that the Mathway data dump was acquired in January, 2020 by accessing the app’s backend and then later scrubbing off any trace of this intrusion.

Mathway Data Breach – What Got Leaked?

Mathway’s major audience consisted of kids, teens and young students, which is a crucial concern, especially with parents.

Regarding Mathway data dump details, and what exactly got leaked, it is mainly Email Addresses and Hashed Passwords with other system data. But there’s always the possibility that the hacker has more details stored for future dealings.

We’re also receiving new updates by the minute, that now the Mathway data dump is allegedly being leaked fully for free. And multiple sources have confirmed it as authentic.

Mathway Hacked – Next Steps

Since this news has rolled out, many students and parents are panicked regarding their cyber safety. As one of the very first steps, you should immediately change your Mathway account password, and for any other account using the same/ similar password.

Additionally, we always suggest our readers (and practice ourselves) to use a password manager and create random alpha-numeric keys, different for each account.

Update:

A Mathway representative has admitted and confirmed about the data breach and promised to take necessary steps,

“At Mathway, we take our customer's trust seriously, especially when it comes to their data, and we are committed to doing what is right for our customers. We recently discovered that certain Mathway customer account data, emails and hashed and salted passwords, was acquired by an unauthorized party. Upon learning of this, we retained a leading data security firm to investigate, address any vulnerabilities and remediate the incident. We are notifying all potentially impacted customers and are requiring password resets for all accounts. We regret any inconvenience this may cause our customers.”

While the entire world is worried about the current pandemic and evaluating their life choices, the cyberattacker community doesn’t seem affected by it at all. Their most recent data-breach target is ‘Wishbone’ – the popular teen social networking app where users interact via comparison quizzes, held across a vast number of categories.

Wishbone User Database For Sale

On May 20, 2020, an undisclosed hacker put public ‘For Sale’ ads on various well-known hacking forums over the dark web. It agrees on a delivery of 40 Million Wishbone user account details for a whopping price of 0.85 bitcoin cryptocurrency (equivalent to $8,000).

In recent times, more and more cyber attackers are switching to cryptocurrency for ransom because of easy transfer and untraceable benefits. Just last week, in the scandalous data leak of Donald Trump, Lady Gaga, Madonna and more A-listers, the attacker ‘REvil’ has sold high-profile data for a massive price in ‘Monero’ cryptocurrency.

Coming back to Wishbone hacking ordeal, companies like Cyble have hinted that this database has been circulating for sometime in private dealings, but has surfaced for public sale just now.

The seller in this case might just be a ‘data broker’ instead of the actual hacker. Moreover, there’s a huge possibility that the corresponding Wishbone data breach actually took place earlier this year with identified time-stamps dating back to January, 2020.

Additionally, this cyber criminal is currently dealing in selling tons of valuable databases from influential companies, amounting to approx 1.5 billion records.

Wishbone User Data Leak for FREE

But the incident took an interesting turn when the infamous hacker ‘Shiny Hunters’ came in to play. He was last credited with the notorious Microsoft Github hacking and has been a major threat actor in several data-breach cases.

On the very next day of the original ad posting, Shiny Hunters came in as a competitor and released the entire Wishbone data dump for free, that too on one of the same ad forums.

Now, was this just an overlooked mistake, or an intentional revenge plan, we can surely predict tension between the 2 seller parties. We only hope this doesn’t spiral into a free data leak loop affecting many organizations, as both cyberattackers are known for their legitimate databases.

Wishbone Data Leak Details

Certain cybersecurity researchers have obtained and confirmed the Wishbone registered members database that got leaked in this clout battle. The data has also been verified through various friends and acquaintances who had accounts with Wishbone.

This treasure trove of information will be quite dangerous in the wrong hands with high-risk possibilities of credential-stuffing attacks, account takeovers, phishing campaigns and more. It’s all the more worrisome, as a huge portion of the database includes minors (Wishbone’s biggest audience group).

Now, let’s take a look at exactly what all sensitive information got leaked:

• Username
• Email Address
• Encrypted Passwords (MD5 hash)
• Phone Numbers
• Profile Images
• Personal Details - Gender, Date of Birth, Location,
• Social Media Access Tokens (Facebook, Twitter)
• Device Details
• Account Status
• And more

Wishbone Account Hacked – What Should You Do?

If reports are to be believed, most of the data is confirmed as legitimate and thus deems a huge risk, especially if you’re registered with Wishbone. So under the disturbing circumstances, here’s what you can do:

• If you’re logged in with your email, change your Wishbone account PASSWORD immediately
• If you’re using your Wishbone password on any other websites/ apps, change that as well
• If you’re signed up through Facebook or Twitter, disconnect your account from these social platforms. Here’s how you can do it for Facebook and Twitter
• Furthermore, you can check if your account has been hacked here at Cyble’s official data-leak verification software
  
  
  

May 19, 2020 brought another colossal vulnerability in the public eye. An Isreali team of academic researchers, from Tel Aviv University and Interdisciplinary Center of Herzliya, released an interesting discovery. The details include a DDoS amplification attack that has organizations like Google working actively to prevent it.

The flaw is broadcasted as NXNSAttack, which impacts the DNS protocol that can be abused to launch a large magnitude distributed denial of service (DDoS) attack, and subsequently can take down targeted websites.

This new research comes from a cyber-security enthusiast group of researchers, namely:

• Researcher: Lior Shafir, PHD Student, Tel Aviv University
• Supervisor: Yehuda Afek, Professor, Tel Aviv University
• Supervisor: Anat Bremler-Barr, Professor, The interdisciplinary Center, Herzliya

What is a DDoS Attack?

Before we move on, let’s clear our basics. A Distributed Denial of Service attack is a powerful weapon against websites and servers. This is done by exhausting them with higher traffic than they can handle, thus ultimately knocking them down. A typical DDoS attack can be achieved by flooding the targeted system with connection requests, messages or fake packets, incoming from multiple sources. This can also be attempted from a small number of computers to create a large scale impact.

What is NXNSAttack?

A NXNSAttack  is a flaw in the DNS delegation process that exploits recursive DNS servers. The vulnerability really comes from how DNS servers manage the recursive queries.

To simplify, when you type in a domain name in the address bar, it is the DNS who is responsible for translating this text into IP addresses. But a recursive DNS lookup is when one DNS server communicates with multiple DNS servers to locate an IP address.

Furthermore, these conversions occur on authoritative ‘upstream’ DNS servers that hold a list of DNS records and are the main centers to carry out these requests. These authoritative servers can also choose and delegate similar operations to a ‘downstream’ alternate server like your ISP (Internet Service provider). This delegation of powers became the root cause that hackers misused to magnify the DDoS attacks.

Now coming back to our topic and connecting all the dots, a NXNS attack occurs when a hacker sends a single malicious request to trick an innocent DNS server into running thousands of requests all at once.

This amplified mechanism allows the attacker to bring down a big chunk of the internet with a handful of devices. The official research paper details how a threat actor can manipulate a recursive DNS using a hacked DNS to create a massive surge on a target server and finally crash it indefinitely.

How NXNSAttack Works

For a better understanding, we’ll take the same instance that the researchers have used to beautifully explain the NXNSAttack. But before that, refer the figure below to comprehend the conventional DNS hierarchy structure:

Now, let’s go through the steps below to understand the major flow of how NXNS Attack works

Step 1: The threat actor deploys his own DNS Authoritative Server, and hosts the DNS record for is own domain, i.e. www.attacker.com

Step 2: Now he sends a query for attacker.com to the recursive (or resolving) DNS server.

Step 3: Because the resolving server doesn’t have a matching record to resolve this domain name, it further sends the request upstream and eventually lands on the attacker’s Authoritative DNS server.

Step 4: Now, this malicious DNS responds back saying it doesn’t have the requested domain, and instead gives a list of name servers who might have the said records. The said list consists of a huge number of fake subdomains for the target website, let’s say www.victim.com.

Step 5: The recursive DNS server, upon receiving the reply, transmits DNS query for all listed subdomains, thus flooding the victim authoritative name server.

The final Step 5 above is a well-thought and successfully-executed attempt at DDoS attack.

NXNSAttack Amplification – Real-world Impact

The brains behind this research have proved that creating a high scale surge in any target website, will naturally lead to the associated server crash. Such explosive ‘NXNSAttack’ DDoS attack can blow out of proportion from 2 to 1620 times the original size.

Though a guarded server would most likely be able to detect and block a single malicious DNS behind any DDoS attack, the NXNSAttack provides the hacker the opportunity to misguide with multiple domains and elongate the timeline.

Moreover, as Shafir explains,

"When you try to attack a root server, the attack becomes much more destructive. We cannot prove that they can be knocked down because they're very strong servers, but the amplification is very high and these are the most important assets. Parts of the internet would not work at all in this worst case."

How to Fix Massive DDoS Attack? – NXNSAttack Patch

It’s scary to think how easily any wanna-be hacker can take advantage of this situation, with a couple of devices, a few dollars to set up the server and automated DNS queries.

Luckily, the responsible research team behind the discovery of NXNSAttack started notifying relevant corporations as early as in the beginning of 2020. The checklist included major DNS providers like Google, Amazon, Microsoft, Cloudflare, IBM, other DNS software and CDN providers for mitigation purposes.

Affected softwares include:

• ISC BIND (CVE-2020-8616),
• NLnet labs Unbound (CVE-2020-12662),
• PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667)
• Other commercial DNS providers such as Google, Microsoft, Amazon, Cloudflare, Oracle, IBM Quad9, Verisign, ICANN

The good news is that numerous patches have been released by concerned organizations in the past month, while some are still continuing to address the issue. The world soon realized and accepted NXNSAttack as a real challenge and are working through to address its issues.

If you’re a server administrator, we recommend you must go through the detailed documentation of the Israeli researchers and fix DNS resolvers as soon as possible.

Cyber Attacking is a notorious activity and hackers do it for different motives. Few want to bring awareness, see a positive change, some have a vengeful spirit, while others are simply creating nuisance, or looking to make personal profit. And the latest high profile cybercrime is giving us narcissistic vibes with their agenda, because of their offbeat narratives and demands.

In May of 2020, USA’s leading law firm Grubman Shire Meiselas & Sacks got some ‘special love’ from the infamous hackers “REvil”. The group, also known by their ransomware name “Sodinokibi”, earlier garnered publicity in January, 2020, when they attacked Travelex, a foreign exchange company. The intrusion was in the form of a malware that encrypted their data, and demanded untraceable cryptocurrency as ransom. The company actually went through and settled the matter for $2.3 Million in bitcoins, as reported by Wall Street Journal.

Their earlier success could be the reason for the next high profile GSMS Law data breach. Allen Grubman, the famous entertainment lawyer, along with his firm manages many A-list music artists, record labels, Fortune 500 companies and top executives. So naturally they host valuable information on these clients, like,

1. Prominent Contract Deals,
2. Non-Disclosure Agreements,
3. Sensitive Documents,
4. Personal Correspondence,
5. Contact Details
6. Other Personal Data

Scroll down towards the end of the article to see Grubman Shire’s long-list of clientele who are potentially at risk with this ransomware infection.

REvil Ransomware Attack Timeline: The ‘What, When, How’ of it all

There has been a lot of buzz around New York’s Grubman hack since last week, and the threat actors are wasting no time in providing bait, making obnoxious demands and then leaking sensitive data after deadlines are not met. Let’s take a look at how everything conspired since day 1.

May 7, 2020: REvil Ransomware Announcement

The matter came to light when REvil members posted a message on their blog site “Happy Blog”, available on the Dark Web.  It was meant for the GSMS Law team and threatened to leak sensitive files on their clients. By then, the REvil gang had infiltrated the firm’s computer network and encrypted their data.

The below screenshots were published on the site, that affirm they have data amounting to 756 GB on the likes of: Facebook, Lady Gaga, Madonna, Bruce Springsteen, Nicki Minaj, Christina Aguilera, Mariah Carey, Mary J. Blige, Jessica Simpson, Bette Midler, Priyanka Chopra, Idina Menzel and more.

By this point, REvil didn't publicly disclose their demands. Along with above information, the group also shared a Proof of existence as an excerpt of Christina Aguilera 2013 and Madonna's 2019 “Madam X” tour contracts,

May 9, 2020:

Even after many requests, the media didn’t receive any comments on the attack from Grubman Shire Law Firm authorities or team. But suddenly on Saturday, the official GSMS website went offline, leaving its only remnants in the form of their logo.

May 11, 2020:

On Monday, Grubman Shire confirmed the ransomware attack and extortion demands to Variety, and informed that their staff and roster of clients have been duly notified of the data breach. Their statement established that the alleged files have definitely been stolen.

The entertainment and media law firm assured that they are working around the clock with industry experts to solve the cybercrime at hand.

May 12, 2020:

On the very next day, Page Six, New York Post reported that the cybercriminal ring has demanded a ransom of $21 Million. REvil also threatened to gradually roll out small batches of eminent data if they don’t receive the money in time.

The Grubman Law firm didn’t seem to phase out from this warning and said they will not be negotiating with the attackers at any cost. By now, the FBI has completely taken over the case and is conducting a criminal investigation.

May 13, 2020:

As a next move, Grubman hackers uploaded around 1GB data to MEGA cloud storage, but as soon the company got wind of it, they disabled the download link and terminated the actor’s account.

REvil further tried to taunt GSMS Law by referring Coveware, a ransomware recovery firm, and attributing the ‘data leak’ to them. They also mocked the latter by stating that it’s “a mistake to hire a recovery company in the negotiations”.

May 14-15, 2020:

By Thursday, the Grubman ransomware hackers got a lot more serious and published a blog post on the dark web, where they doubled up on the blackmail money and straight away asked for $42 Million within one week's deadline. They detailed that since they are not happy with an insufficient payment of $365,000 made till now, they will be increasing the ransom value. But a GSMS representative denied these claims altogether, repeating that they will never negotiate with these cyber-terrorists.

Along with the latest warning, the threat group also shared 2.4 GB worth of documents on Lady Gaga, containing NDAs and important contracts.

To add fuel to the fire, REvil further claimed that their next target will be the current US President Donald Trump. To quote them directly,

“There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week.”

It’s interesting to note that Grubman Shire Firm has never represented Trump or his organization. But still they released a statement in response to the ransomware attacks and public interest,

May 16, 2020

After their exaggerated claims about “Dirty Laundry” on Donald Trump, REvil released a collection of 169 emails on him. But as Shakespeare said, it was ‘much ado about nothing’. Contradicting their earlier statement about incriminating information against the President, the hackers released a bunch of emails, but the data dump only seems to have the word “trump” in common.

In most of the emails, the english word ‘trump’ has been used in conversation, while in other few ‘Donald Trump’ has been mentioned but not in any meaningful ‘dirt’ kind of way.

Some discussions involve mocking references to him from his past TV and ad appearances, while others are plain fundraising letters. In screenshot below, take a look at an email from the REvil Donald Trump data dump,

But, the REvil group themselves admitted that this was the most “harmless” information on the President from their stolen database. They only wanted to show the evidence of the actual material they have, and the concerned parties should be scared of what’s to come.

May 18, 2020:

REvil operators claimed that they have sold off all data related to Donald Trump to an interested party, and that they are very pleased with the deal.

The gang has next claimed an auction of files, documents and sensitive data on Madonna. Full post reads:

REvil Donald Trump Data Leak – More to the Story

With so much happening, it is difficult to predict REvil’s next move. Reportedly they were greatly affected by the word “terrorism” used by Grubman Shire firm in one of their recent statements, and allegedly that’s how the Trump data leak events transpired.

But after complete analysis and tracking their daily activities, these damaging threats against Donald Trump seem to have some substance. Especially, if some 3rd party has already bought the entire data dump and might use it for nefarious purposes. Nevertheless, the activities in the next few weeks, we’ll soon know the truth to the REvil’s claims.  

Grubman Shire Meiselas & Sacks Clientele

Grubman Shire Law firm manages distinguished celebrities and powerful organizations associated with the entertainment and media industry.

Some of the big names that can potentially be at risk are:

For anyone not familiar, ‘Remote Desktop Protocol’ (or commonly referred as RDP) is one of Microsoft’s popular software, that helps connect your computer to another via a network connection. The communication is established through RDP client and server softwares on both systems respectively. Except for Microsoft Windows, it is also available for MacOS, Linux, Unix, iOS and Android.

RDP has been under the cybersecurity experts radar for the past couple of years, mainly because of CheckPoint’s famous revelation on Reverse RDP exploit. It’s research wing has been actively investigating RDP’s weaknesses where hackers could access remote machines and accounts to get their hands on valuable information. But the shocking twist of Reverse RDP changed the game completely.

To understand Reverse RDP attack by ‘Checkpoint’, let’s take an example of a company staff member who’s trying to access a remote (server) machine within the office premises, which has been infected by a RDP malware. So when the said employee will establish connection, the infected PC will attack back on the client PC. This is a traditional Reverse RDP attack, as instead of the client, the remote machine is controlling the process. Let’s take a look at the original Reverse RDP demo by CheckPoint below:

Check Point first brought these issues to light as Part 1, in February, 2019 and Part 2, in August, 2019. This study revolved around numerous critical vulnerabilities in Microsoft, rdesktop and FreeRDP and were reported as

• 26 vulnerabilities (as seen in the screencap below)
• Path Transversal: Guest-host Virtual Machine escape in Hyper-V environment

Microsoft Reverse RDP Patch(es)

Soon after CheckPoint informed Microsoft, and submitted their research in the Black Hat Security conference, Summer 2019, the corporate giant released the patch for issue CVE-2019-0887. But after further analysis, the CheckPoint team found that they could bypass the fix, as the updated version still contained loopholes for the attacker to recreate the earlier exploit. This prompted Microsoft to roll out an updated patch CVE 2020-0655 in February, 2020. Upon initial review, this patch was much more effective to resolve Reverse RDP Windows attack and the issue was closed for then. But the brains behind these vulnerabilities didn’t stop poking around to ensure RDP’s complete security.

On May 14, 2020 CheckPoint disclosed additional vulnerability that the February, 2020 patch was not able to fix. The latest RDP exploit is related to a Windows’ API function ‘PathCchCanonicalize’, which was introduced by Microsoft in the 1st Reverse RDP patch. This action is supposed to provide validation and security to applications against Path Transversal attacks.

Microsoft Reverse RDP Client Canonicalization Flaw

In the events leading up till now, CheckPoint eventually identified that the problem lies in the cannocalization function that is ideally meant to sanitize file paths. Technically, this new issue allows attackers to access the client and server clipboard synchronization and drop arbitrary files on the client’s device.

To put it in simple words, RDP offers a clipboard feature which can be compromised during a connection between a client and bad server, and used for copying malicious files on Client machine – to achieve RCE (Remote Code Execution.

Additionally, the Reverse RDP patch can be exploited by altering the path. Best coding practices encourage you to validate paths with a unique address. But here the path was simply bypassed by switching backslashes (\) with forward slashes (/). This failure by Microsoft has now allowed threat actors to carry out path-traversal attacks.  

Omri Herscovici, Research Team Leader from CheckPoint explained,

"In CVE-2019-0887, Microsoft tried to solve the path traversal with PathCchCanonicalize without realizing it can be bypassed. In CVE-2020-0655, Microsoft addressed the '\' issue independently in the RDP handling code, without fixing the PathCchCanonicalize function."

In such attacks, the hacker tricks a computer application into leaking sensitive contents. Without the above mentioned canonicalization security, the cyberattackers will be able to access valuable information, and further modify crucial files.

Is RDP Secure? – Latest Update on Reverse RDP Vulnerability / Exploit

If you’re using a 3rd Party RDP Client, then you’re most likely exposed to the “Path Transversal” flaw.

Summarizing the above findings, the latest Microsoft patch only focused on fixing their official client flaws, but conveniently left the 3rd Party RDP Clients exposed. During any remote connection, your critical files are at risk, as the attacker can easily access, read and modify them.

Though the Microsoft team has been informed of this latest vulnerability, they haven’t released any patch yet, and neither are they offering any explanations for this.

Meanwhile, CheckPoint urges the affected users to “manually apply a patch against it” in the relevant programs.

Google owned and operated Firebase is undoubtedly the most trusted production platform, especially by Mobile App developers. Launched in 2011, it quickly made its place in the tech world because of its comprehensive list of services, all under one roof. Some of its popularly sought after features include,

• Serverless App Development
• Cross-platform collaboration
• Real-time Database Management
• Cloud Storage
• App Hosting
• Crashlytics
• User Authentication
• Remote Configuration
• Push Notifications and much more

As one of the most reliable Android App Databases and focused on user-security, Firebase is currently associated with more than 30% of the Google Play Store Apps. But like every other development software, configuration is the key here as well. This statement has now been validated by Comparitech, a tech research firm, when they introduced the latest Firebase database exploit involving misconfiguration.

On May 11, 2020, Comparitech, disclosed their investigative research on Android apps security, stating that some common Google Firebase Misconfigurations allow unauthorized access to user-personal data. Approximately 24,000 Android apps have been exposed, with abundant data dump available for anyone who knows where to look.

Firebase Database Android Apps Exposed - Behind the Research

The team responsible for this breakthrough research was led by Bob Diachenko. In the time available, they were able to examine a small pool of applications, from the vast Google Play Store ocean. For a clearer insight, we’re breaking down their research specifics and findings below:

• The team studied 515,735 applications, which comprises only 18% of the total available apps on the Google Play Store channel
• Out of them, 155,066 apps were using Firebase services
• Next, around 11,730 were publicly exposing their Firebase database
• Particularly 9,014 apps contained the ‘write’ authorization, where hackers can add, edit, delete, download the information
• More in-depth analysis revealed, that 4,282 Android applications were leaking sensitive data
• Comparitech further extrapolated these numbers to give us an idea of vulnerability’s vastness:
• Going by 4,282 out of 515,735 apps ratio, we get 0.8-0.9% of all Google Play Store Apps.
• That somewhere amounts to 24,000 Android Apps that are potentially exposed to Firebase misconfiguration error

As per Firebase’s official records, it is estimated that currently over 1.5 million apps across iOS and Android are using this database and related utilities. Comparitech revealed that the confirmed vulnerable applications have 4.22 billion downloads. Given such high stakes, the Firebase hack must be taken seriously.

Firebase Misconfiguration Error - Analysis & Discoveries

Comparitech revealed the process that led them to this valuable piece of discovery. Their initial approach included sorting the Apps using Firebase by searching the text strings in the app resources. Another troubling matter here is that Firebase database urls are normally indexed on SEs like Bing. Next came the simplest and most important step – Append .json at the end of Firebase URL. Ideally the result on this hit should be ‘Access Denied’, but as established above, the researchers got many positive results. From there on, they manually examined the databases for any sensitive information.

The investigating team has assured of their White Hat techniques, confirming that they destroyed all data that was discovered and accessed for research purposes. The exposed data unveiled the following statistics:

1. 7,000,000+ Email IDs
2. 4,400,000+ Usernames
3. 1,000,000+ Passwords
4. 5,300,000+ Contact Numbers
5. 18,300,000+ Names
6. 6,800,000+ Messages
7. 6,200,000+ GPS Location
8. 156,000+ IP Addresses
9. 560,000+ Physical Addresses
10. Credit Cards information
11. Official Identity Proof’s information and much more

How to Fix Firebase Misconfiguration Issues?

Following the discovery, Google Firebase ‘security’ is surrounded by many questions and speculations. Is Firebase secure? Can you bypass Firebase?

But lo and behold, it isn’t quite Google Firebase’s flaw, but rather a development-side fault. That being said, such misconfiguration issues are quite common within databases, and have a complex history of how that came to be. Earlier in 2020, reports suggested that around 82% of cybersecurity related vulnerabilities were credited to some sort of misconfiguration errors.  

Coming back to the Firebase Misconfiguration issue, you should be aware of the next-level threats that this error may cause. If an attacker gets access to your database, then exploiting insecure firebase for malicious data and malware would be easy as pie.

Rather than making it a blame-game, if you’re an App owner/ developer, you should look forward to the below mentioned preventive and resolving measures:

1. First and foremost, Comparitech has strongly recommended all Firebase equipped app developers to check up on their configuration settings instantly.
2. Implement conventional database rules, and pay keen attention to restrict unauthorized access to databases.
3. All app developers must create a checklist and follow Google Firebase’s official Security guidelines documentation.
4. Since this is a misconfiguration issue, and a lot of developers might come under scrutiny because of it, we want to raise a point in their favor. During development and project delivery, ‘Time Pressure’ is a huge issue, because of which certain instructions might be neglected. Proper timeline must be given for adequate and smooth evolution of the project.
5. This research was only carried out for Android applications, but it applies to anyone using Firebase database. If you do, it’s high time to check your Firebase security and permission levels.
6. For all app users, as a general practice you must only provide sensitive and personal information to trusted applications.

The Comparitech team informed Google their report findings on April 22, 2020, prior to publishing it publicly. Google gave the following response:

"Firebase provides a number of features that help our developers configure their deployments securely. We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. We are reaching out to affected developers to help them address these issues."

Interested in reading the full report by Comparitech? Click here.