Cyber Round-up

Cyber Round-up for 22nd July

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Attack Causes Albanian Government to Shut Down Website

The Albanian government was forced to shut down their website following a recent cyber attack. The attack has been described as “synchronized and sophisticated”, and reportedly began impacting government services on Saturday night. It appears the website is still offline and we are unsure when it will be back in operation. The government is working with several cyber security companies, including Microsoft, to contain and mitigate the attack.


More Malicious Apps in Google Play Store

The official Google Play Store has once again been found distributing malicious apps containing spyware. Reports suggest that three million Android users may have already been infected and potentially lost money as a result of these apps; the malware in use has been named Autolycos, which shares similarities with the Joker spyware. Multiple apps are currently being used to spread Autolycos, such as Funny Camera by KellyTech and Razer Keyboard & Theme by rxcheldiolola. We strongly recommend avoiding these apps entirely. We also advise Android users to only install apps they have fully reviewed and to use an anti-malware product to protect their devices and data.


Cleartext Passwords Exposed by Okta

Identity services provider Okta has recently had a big focus on understanding their security and improving it to prevent attacks similar to the Lapsus$ incident last year. Despite this, they appear to be facing some serious flaws that could allow attackers to extract plaintext passwords. This was found by security researchers at Authomize, but after raising the issue with Okta, it was made clear that these “are features, not bugs”. This raises the concern that the company is intentionally exposing plain text credentials within their applications.

This statement from Okta appears to avoid addressing the issues raised, which is a big concern considering their recent history of attacks.


FBI Issues Warning About Apps Stealing Cryptocurrency

The FBI has issued a warning regarding cryptocurrency-themed applications designed to steal from investors. They have observed the activity of these criminals, who have been seen in contact with U.S. investors attempting to gain their trust. Their goal is to convince the victims to download a malicious mobile app; the scheme has reportedly caused losses of around $42.7 million since October 2021. The FBI are working to protect U.S. investors from these kinds of attacks and have made a number of recommendations to help financial institutions stay protected.


Russian Hacking Group APT29 Using Online Storage Services To Compromise Devices

APT29 has been observed using the online storage services Google Drive and Dropbox to collect user information and to download Cobalt Strike malware to compromise a device. Recent victims of APT29 have received spear phishing emails containing an HTML or PDF file that includes a link which downloads an ISO file; the ISO contains the steps used to exfiltrate user information to an online storage service. Cobalt Strike is then downloaded from an online storage service for device takeover and establishes a connection to a command and control server controlled by APT29. The use of online storage services helps to mask the attack, as many organisations deem these services legitimate and integrate them into their operations.


PLC And HMI Password Cracking Tools Hiding Malware

Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs) are terms usually associated with industrial processes. Password cracking tools are legal and are used to help recover lost or unknown passwords. Some password cracking tools for PLCs and HMIs have been found to be harbouring trojan malware. The malware reported is Sality, which is capable of terminating security software running on the device and integrating the device into the Sality botnet for crypto mining and distributed password cracking. The malware also monitors the device’s clipboard for cryptocurrency wallet addresses and swaps them for the attacker’s wallet address, which could cause an unsuspecting user to transfer cryptocurrency to the wrong address.


Chinese Hackers Attack Belgium’s Ministry Of Defence

Belgium’s Ministry of Foreign Affairs has publicly stated that Chinese state-backed hackers have conducted an attack on the FPS Interior and the Belgian Defence. The groups named by the Belgian government as responsible for the attack are APT27, APT30, APT31 and Gallium/Softcell/UNSC 2814. China has countered the claims, saying that the Belgian government refuses to deliver evidence that can back them up.


Vulnerabilities & Updates

CISA Warns Of Critical MV720 GPS Tracker Vulnerabilities

The MV720 is a model of GPS tracker for cars and other vehicles that has been reported to have severe vulnerabilities which are easily exploitable by hackers. The Cybersecurity and Infrastructure Security Agency (CISA) has put out an ICS Advisory to alert all users to the potential of being hacked through the device. The cellular-enabled MV720 uses a SIM card to transmit status and location updates as well as to receive SMS messages issuing commands. The key vulnerabilities identified are:

CVE-2022-2107: a hard-coded password vulnerability in the MiCODUS API server that allows a remote attacker to log into the web server and send SMS commands to a target’s GPS tracker. This allows an attacker to gain control of any tracker, access and track vehicle location in real-time, cut off fuel, and disarm alarms or other features provided by the gadget.

CVE-2022-2141: broken authentication mechanisms could allow an attacker to send SMS commands to the tracking device without authentication.

A default password vulnerability was also present on the device but wasn’t assigned a CVE. All devices are shipped with the default password “123456” and users aren’t required to change it. This could allow an attacker easy access to the device if the default password hasn’t been changed.

CISA advisories for these flaws can be found here.
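To make the two SMS-side weaknesses concrete, here is an added example (constructed for this round-up, not the vendor’s firmware or any real MV720 protocol) that models a tracker’s SMS command handler. The first handler accepts commands from anyone, the pattern behind CVE-2022-2141; the hardened handler requires a trusted sender number and a per-device password, and refuses to act at all while the factory default “123456” is still set. Command names, the message format and the phone numbers are all assumptions.

```python
import hmac
import re
from dataclasses import dataclass, field

FACTORY_DEFAULT = "123456"  # default password the advisory says every unit ships with


@dataclass
class Tracker:
    """Constructed model of a tracker's SMS-facing state (not real device firmware)."""
    password: str = FACTORY_DEFAULT
    trusted_numbers: set = field(default_factory=set)  # owner numbers allowed to command it
    fuel_cut: bool = False


def _apply(dev: Tracker, cmd: str) -> str:
    """Dispatch a (hypothetical) command once it has been accepted."""
    if cmd == "CUTFUEL":
        dev.fuel_cut = True
        return "OK"
    return "UNKNOWN"


def vulnerable_handle(dev: Tracker, sender: str, text: str) -> str:
    """Broken authentication: any SMS from any number is executed as a command."""
    return _apply(dev, text.strip().upper())


def set_password(dev: Tracker, new_password: str) -> bool:
    """Owner-side password change; rejects the factory default and short values."""
    if len(new_password) < 8 or hmac.compare_digest(new_password.encode(), FACTORY_DEFAULT.encode()):
        return False
    dev.password = new_password
    return True


# Assumed message format: "<password> <COMMAND>"; password is matched case-sensitively.
_CMD_RE = re.compile(r"^(?P<pw>\S+)\s+(?P<cmd>[A-Za-z]+)$")


def hardened_handle(dev: Tracker, sender: str, text: str) -> str:
    """Hardened form: trusted sender, no action on the default password, constant-time check."""
    if sender not in dev.trusted_numbers:
        return "REJECT:sender"
    m = _CMD_RE.match(text.strip())
    if not m:
        return "REJECT:format"
    if hmac.compare_digest(dev.password.encode(), FACTORY_DEFAULT.encode()):
        return "REJECT:default-password"  # refuse to operate until the owner sets a password
    if not hmac.compare_digest(m["pw"].encode(), dev.password.encode()):
        return "REJECT:auth"
    return _apply(dev, m["cmd"].upper())
```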


And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #198 – 22nd July 2022

Why not follow us on social media:

Ironshare – Security Simplified