MENTIS

Week of April 29, 2019

MENTIS
news

Week of April 29, 2019

Georgia Tech Suffered Data Breach, Leaving 1.3 Million Exposed*:

  • Georgia Tech confirmed that it has suffered from data breach when web app of a Georgia Institute of Technology exposed information of 1.3 million former and current students, staff members, as well as student applicants.
  • "A central Georgia Tech database was accessed by an unknown outside entity" revealed by the school in one of their press release.
  • The press release further revealed that cybersecurity team of Georgia Tech is conducting a detailed forensic investigation so as to determine exactly what type of information has been extracted from system, which could include names, birth dates, addresses, and Social Security numbers.
  • Information security officials of the university are working so as to determine extent of this breach, along with identifying those who might get affected by the breach.
  • The IT team found this web app vulnerability in late Mar. 2019 after noticing a substantial performance impact, and then traced that first unauthorized access to its system was on December 14, 2018.
  • However, still it is unknown for how much time the hacker(s) have access to the Georgia Tech database.
  • Now, the vulnerability was patched.
  • Also, the school said that "the U.S. Department of Education and University System of Georgia have been notified, and those whose data was exposed will be contacted as soon as possible regarding available credit monitoring services".

*Source: SPAMfighter News, April 22, 2019

https://www.spamfighter.com/News-22152-Georgia-Tech-suffered-Data-Breach-leaving-13-Million- Exposed.htm

Trojanized TeamViewer Used In Targeted Attacks Against Multiple Embassies*:

  • A recent cyberattack campaign employed a weaponized version of TeamViewer and malware disguised as a top secret US government document to target officials in several embassies in Europe.
  • The malware, phishing documents, and other artifacts used in the attacks appear to all be the work of a single individual using the handle EvaPiks, who's been active in an illegal Russian-carding forum for some time.
  • However, what's still not entirely clear is if the same individual is also solely carrying out the attacks as well, or if others are involved, according to researchers at Check Point Software Technologies who spotted the attacks.
  • But the type of victims being targeted, and the multiple-stage nature of the attacks, are more indicative of nation-sponsored actors or sophisticated cyber groups
  • Embassy officials from at least seven countries have been targeted so far — Italy, Kenya, Bermuda, Nepal, Guyana, Lebanon, and Liberia.
  • In each instance, the targeted individuals appeared to have been carefully selected and were tied to government revenue related roles and the financial sector, suggesting a possible financial motive for the attack.
  • In each attack, the threat actors have sent targeted individuals an XLSM document containing malicious macros via email with the subject "Military Financing Program."
  • The document itself is reasonably well-crafted, with a logo of the US Department of State on it and marked as top secret.
  • The macros - when enabled - extract two files from encoded cells within the XLSM document.
  • One of them is a legitimate AutoHotkey (AHK) program.
  • The other is a malicious version of AHK that connects to a command-and-control server and downloads and executes a malicious version of TeamViewer that allows the attacker to take remote control of the infected system.
  • The malicious TeamViewer can also download and execute other commands, including one for hiding the TeamViewer interface so the victim doesn't know it's running, and another for saving session credentials to a text file.
  • Check Point says its research shows that EvaPiks has been involved in previous campaigns where a weaponized version of TeamViewer was used to try and gain remote control of targeted systems.
  • Over the course of these campaigns, the hacker has kept changing the functionality of the malicious TeamViewer DLL.
  • The first variant that Check Point analyzed had the ability to send some basic system information back to the attacker and to self-delete.
  • A second version that surfaced in 2018 featured a new command system and a long list of banks, crypto markets, and ecommerce sites of interest to the attacker.
  • The third and current variant has added a DLL execution feature and uses external AutoHotKey scripts to gather information and session credentials, Check Point said.
  • Overall, the infection chain is not all that sophisticated.

*Source: Dark Reading, April 22, 2019

https://www.darkreading.com/endpoint/trojanized-teamviewer-used-in-targeted-attacks-against-multiple- embassies/d/d-id/1334497

Docker Hub Hack Exposed Data Of 190,000 Users*:

  • Docker Hub, the official repository for Docker container images, has announced a security breach on late Friday night.
  • The breach came to light after the company started emailing customers about a security incident that took place a day earlier on April 25.
  • Docker says the hacker had access to this database only for a short moment, but data for approximately 190,000 users had been exposed.
  • The company said this number is only five percent of Docker Hub's entire userbase.
  • It is unclear if the hacker downloaded any user data from this Docker Hub server, but if he did, he may have gained access to Docker Hub user names, hashed passwords, and Github and Bitbucket tokens used for auto-building Docker container images.
  • Docker is now notifying users and prompting a password reset.
  • The company is also asking users to review GitHub and Bitbucket account login logs for any unauthorized access from unknown IP addresses.
  • While only 190,000 seems a small breach, it is not. 
  • A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments.
  • A user who fails to change his account password and may have their accounts autobuilds modified to include malware.
  • Docker said it is still investigating the incident and will share details when available.
  • The security incident was not disclosed on the company's website, but only via email.

*Source: ZDNet, April 27, 2019

https://www.zdnet.com/article/docker-hub-hack-exposed-data-of-190000-users/

Facebook Expects To Be Fined Up To $5 Billion By FTC Over Privacy Issues*:

  • Facebook said on Wednesday that it expected to be fined up to $5 billion by the Federal Trade Commission for privacy violations.
  • The penalty would be a record by the agency against a technology company and a sign that the United States was willing to punish big tech companies.
  • The social network disclosed the amount in its quarterly financial results, saying it estimated a one-time charge of $3 billion to $5 billion in connection with an “ongoing inquiry” by the F.T.C.
  • Facebook added that “the matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”
  • Facebook has been in negotiations with the regulator for months over a financial penalty for claims that the company violated a 2011 privacy consent decree.
  • That year, the social network promised a series of measures to protect its users’ privacy after an investigation found that its handling of data had harmed consumers.
  • The F.T.C. opened a new investigation last year after Facebook came under fire again.
  • This time, the company was accused of not protecting its users’ data from being harvested without their consent by Cambridge Analytica, a British political consulting firm that was building voter profiles for the Trump campaign.
  • Facebook also suffered a data breach that exposed the personal information of nearly 50 million users.
  • Levying a sizable fine on Facebook would go against the reputation of the United States of not restraining the power of big tech companies. 
  • For years, American regulators have faced criticism that they allowed Silicon Valley firms to grow unchecked, even as their European counterparts aggressively brought actions against tech companies — including fining Google a record $5.1 billion last year for abusing its power in the mobile phone market.
  • For the Trump administration, penalizing Facebook would be a defining action.
  • Although President Trump has rolled back scores of business regulations, he and others in Washington — including Democrats — have coalesced around calling for greater scrutiny and enforcement of tech companies.
  • Senator Elizabeth Warren, Democrat of Massachusetts and presidential candidate, has called for the breakup of Amazon, Google and Facebook.
  • And Mr. Trump has sounded alarms over the dominance of the firms and their control over speech and the distribution of information.
  • It would also be a milestone for the F.T.C., whose biggest fine for a tech company was $22 million against Google in 2012 for misrepresenting how it used some online tracking tools.
  • The agency, which is charged with overseeing deceptive and unfair business practices, is riding a wave of anti-tech sentiment as questions about how tech companies have contributed to misinformation, election meddling and data privacy problems have stacked up.
  • But some lawmakers said a fine would not suffice in punishing Facebook.
  • “Facebook must be held accountable — not just by fines — but also far reaching reforms in management, privacy practices and culture,” Senator Richard Blumenthal, Democrat of Connecticut, added in a tweet.
  • The F.T.C. declined to comment.
  • Officials at the agency have not reached a final decision on Facebook, said two people with knowledge of the situation, who were not authorized to speak publicly.
  • In recent weeks, the agency’s chairman, Joseph Simons, sent strict orders to all commission offices and staff in the consumer protection, enforcement and privacy bureaus to not discuss the Facebook case, two people said.

*Source: New York Times, April 24, 2019

https://www.nytimes.com/2019/04/24/technology/facebook-ftc-fine-privacy.html

How A Nigerian ISP Accidently Hijacked The Internet*:

  • On November 12, 2018, a small ISP in Nigeria made a mistake while updating its network infrastructure that highlights a critical flaw in the fabric of the Internet.
  • The mistake effectively brought down Google — one of the largest tech companies in the world — for 74 minutes.
  • To understand what happened, we need to cover the basics of how Internet routing works.
  • When I type, for example, HypotheticalDomain.com into my browser and hit enter, my computer creates a web request and sends it to Hypothtetical.Domain.com servers.
  • These servers likely reside in a different state or country than I do.
  • Therefore, my Internet service provider (ISP) must determine how to route my web browser's request to the server across the Internet.
  • To maintain their routing tables, ISPs and Internet backbone companies use a protocol called Border Gateway Protocol (BGP).
  • BGP is a dynamic routing protocol, meaning it automatically updates routing tables as changes occur.
  • The Internet isn't a single straight line from one point to another.
  • There are generally a few different paths a connection can take from point A to point B. BGP's job is to decide which path is the "best" path (shortest) to reach any given destination network, and update routers accordingly.
  • This path can change as routers are taken down and brought back up online. BGP handles all of these route changes automatically.
  • The Internet is broken up into a number of autonomous systems (ASs).
  • Each AS is assigned an autonomous system number (ASN) by the Internet Assigned Numbers Authority (IANA). 
  • Your ISP has at least one ASN, likely even more. Big companies like Google also maintain their own border routing infrastructure and have their own ASN.
  • Autonomous systems form connections with their neighbors, called peers. 
  • Through these peer connections, ASs advertise the routes — or "network prefixes," as they are called — that they know how to reach.
  • Neighbors forward on these advertisements to their other neighbors to propagate them across the Internet backbone.
  • Eventually, because of these route advertisements, an ISP in Seattle can learn a route all the way to a web server hosted in Sydney.
  • So, what exactly happened on November 12?
  • It all starts with an organization called the Internet Exchange Point of Nigeria (IXPN).
  • Internet exchange points (IXPs) are common, especially in developing countries.
  • They provide a central location for regional ISPs to peer with each other and share data at reduced bandwidth costs.
  • Without IXPs, regional ISPs might not have a direct connection with each other. This means traffic between them may travel an overly long distance, possibly even leaving the country before coming back in.
  • IXPs also act as a single point of connection for larger remote companies and services.
  • In the case of IXPN, Google maintains a peering connection with participating Nigerian ISPs, allowing direct connections from their networks to Google's services.
  • To facilitate this, Google announces its network prefixes (routes) to its ISP peers in Nigeria. Think of it like building a highway straight to Google instead of having to take a winding country road up through Europe.
  • These peering agreements and route advertisements are generally for the benefit of the ISPs and their customers alone, so they use route filters to prevent accidently advertising the prefixes beyond their own networks. 
  • Without these route filters, the ISP routers, using BGP, would continue to propagate the routes to their other neighbors across the Internet and risk changing how global Internet traffic routes to Google.
  • On November 12, 2018, at around 21:13 UTC, MainOne Cable Company in Nigeria was performing routine maintenance on its routing infrastructure. 
  • During this maintenance, it accidently misconfigured its route filters, causing it to announce 212 Google prefixes (and several Cloudflare prefixes) to its other BGP neighbors.
  • China Telecom, one of MainOne's BGP peers, accepted the route advertisement and relayed it to its neighbors.
  • Transtelecom, based in Russia, accepted this advertisement and relayed it to its peers.
  • At this point, the advertisement had made it far enough into the Internet that many ASs began accepting it.
  • For around 74 minutes, most traffic destined for Google and Cloudflare services from around the world was routed through Russia, into China, and on to MainOne in Nigeria.
  • Cloudflare was quick to spot the issue and update its routing topography to mitigate the problem.
  • Many users attempting to access Google services, however, had their connections crash right into the largest system of censorship in the world, China's Great Firewall.
  • Everyone else suffered extreme latency as their connections were routed across the world to Nigeria before reaching Google.
  • Why is this a big deal? This accident highlights a critical vulnerability in the fabric of the Internet.
  • BGP relies on the trust system. Peers trust that their neighbors are advertising accurate routes.
  • If a neighbor starts advertising routes to prefixes it doesn't own, it could start intercepting and man-in-the-middling connections to any connection it wants.
  • A single small ISP from Nigeria managed to disrupt traffic to the largest company on the Internet because of a simple mistake.
  • The good news is that there is a fix out there. Resource Public Key Infrastructure (RPKI) uses cryptographic signatures to authenticate BGP route advertisements, similar to how websites use certificates.
  • Route origin validation (ROV) confirms that prefix advertisements come from the actual owner. Unfortunately, only 13% of advertised prefixes use RPKI, and less than 1% of ASs validate route advertisements.
  • If our Internet service providers and other participants on the Internet backbone don't start adopting these standards soon, the next BGP hijack might not be an accident — and will likely be much worse.

*Source: Dark Reading, April 25, 2019

https://www.darkreading.com/cloud/how-a-nigerian-isp-accidentally-hijacked-the-internet/a/d-id/1334482

Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

Image CAPTCHA
scroll top