At a glance.
- Welcome Chat is spyware.
- SAP patches serious RECON bug.
- Phorpiex botnet distributes Avaddon ransomware.
- Data Viper's breach.
- LiveAuctioneers suffers third-party loss of PII.
Welcome Chat should not be welcomed.
Bratislava-based security firm ESET says the Molerats, also known as the Gaza Hackers, have resurfaced with Welcome Chat, an app that represents itself as offering secure messaging. It does indeed deliver messaging, but security not so much: it’s a spyware carrier by design.
The app targets Arabic speakers in the Middle East. As ESET describes it, “Not only is Welcome Chat an espionage tool; on top of that, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”
Welcome Chat requests that users grant an extensive list of permissions upon installation: send and view SMS messages, access files, record audio, access contacts, and access device location. Chat apps do tend to request more permissions than most other classes of applications, and so even this list might pass a user’s scrutiny without raising an alarm. But in this case the permissions do more than facilitate chat.
Designed to call back to its command-and-control server every five minutes, Welcome Chat has been observed exfiltrating sent and received SMS messages, call log history, contact list, user photos, recorded phone calls, the GPS location of the device, and device information.
Many if not most spyware apps of this sort are Trojanized versions of legitimate applications. But ESET thinks Welcome Chat is different, that it was designed ab initio as spyware: no clean, innocent version of Welcome Chat has yet turned up.
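The five-minute callback described above is the kind of regularity a defender can hunt for in proxy or firewall logs without knowing the implant's C2 address in advance. The following is an added example, not ESET's code and not part of the original report: it assumes a constructed log format of "ISO-timestamp src_ip dst_host", and all hosts, addresses and timestamps in the sample are constructed. It flags (source, destination) pairs whose outbound connections recur at a nearly fixed interval.

```python
"""Beacon detection over constructed network log lines.

Added example (not ESET's code and not from the original article). It assumes
a constructed log format "ISO-timestamp src_ip dst_host" and flags pairs whose
outbound connections recur at a nearly fixed interval, the trace a spyware
implant that calls home every five minutes would leave in proxy logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one device contacting a fixed host every ~300 s,
# plus ordinary browsing with irregular timing. All names are made up.
SAMPLE_LOG = """\
2020-07-15T09:00:02Z 10.0.0.23 cdn.example.net
2020-07-15T09:00:05Z 10.0.0.23 c2.example.org
2020-07-15T09:01:40Z 10.0.0.23 news.example.com
2020-07-15T09:05:04Z 10.0.0.23 c2.example.org
2020-07-15T09:07:12Z 10.0.0.23 cdn.example.net
2020-07-15T09:10:06Z 10.0.0.23 c2.example.org
2020-07-15T09:14:59Z 10.0.0.23 c2.example.org
2020-07-15T09:20:05Z 10.0.0.23 c2.example.org
2020-07-15T09:21:30Z 10.0.0.23 news.example.com
2020-07-15T09:25:03Z 10.0.0.23 c2.example.org
2020-07-15T09:30:07Z 10.0.0.23 c2.example.org
2020-07-15T09:33:48Z 10.0.0.23 cdn.example.net
2020-07-15T09:35:05Z 10.0.0.23 c2.example.org
2020-07-15T09:40:04Z 10.0.0.23 c2.example.org
2020-07-15T09:41:00Z 10.0.0.23 cdn.example.net
2020-07-15T09:52:31Z 10.0.0.23 cdn.example.net
2020-07-15T10:10:09Z 10.0.0.23 cdn.example.net
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def find_beacons(text, min_connections=6, max_jitter=0.10):
    """Return {(src, dst): mean_interval_seconds} for pairs that look like beacons.

    A pair qualifies when it has at least min_connections hits and the
    inter-connection intervals have a coefficient of variation
    (stdev / mean) no larger than max_jitter. Real implants often add random
    jitter, so both thresholds are tuning knobs rather than constants.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval}s cadence, possible beacon")
```

On the sample, only the c2.example.org pair is reported (cadence about 300 seconds); the CDN host has enough hits but its intervals vary too much. In practice the same statistic is computed per device over a day of logs, and the jitter threshold is loosened when the implant randomizes its sleep.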
SAP patches RECON bug.
SAP has patched a significant vulnerability. The issue, CVE-2020-6287, arises in the LM Configuration Wizard of the NetWeaver Application Server. Researchers at Onapsis discovered the vulnerability, which is reckoned a serious one. There’s no evidence of exploitation in the wild so far, but CISA strongly recommends applying the patch as soon as possible.
Onapsis calls the bug “RECON” (that is, “Remotely Exploitable Code On NetWeaver”). It opens affected SAP systems to an unauthenticated attacker who could gain full access to them. “This includes,” Onapsis writes, “the ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.” Thus RECON represents a serious threat to data integrity, security, and privacy.
We heard from Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, who commented on the seriousness of the vulnerability:
"Java-based web applications are among the most common on the internet today, and remain the most vulnerable to high risk vulnerabilities like remote code execution, SQL injection, cross site scripting and other vulnerabilities in the OWASP Top 10.
The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organizations’ applications guarding their most precious data assets. This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technologies), for Runtime Application Self-Protection (RASP) – also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, also offered observations:
"ERP systems are the ‘keys to the kingdom’ for organizations. They can control orders, billing, inventory, and many other core business processes. Critical security issues in these systems expose organizations to devastating consequences should they be exploited by cyber criminals. Attackers could leverage this SAP vulnerability to bypass security controls to create themselves an SAP user account with the highest privileges in the system. Such a malicious user could disable checks and balances to place fraudulent orders or bills that could significantly disrupt business operations. First and foremost, affected SAP customers should immediately patch any vulnerable systems to ensure they are protected from this attack. Further, organizations should also ensure that their critical ERP systems are closely monitored and audited for any suspicious activities. It seems crazy, but many organizations are not actively monitoring their ERP systems with the same diligence as other systems and applications for fear of potential disruption in the ERP system operation which creates a glaring blind spot for their security teams to spot internal fraud or external compromise."
Avaddon ransomware distributed by Phorpiex botnet.
Security firm Check Point warns that the Phorpiex botnet is delivering Avaddon ransomware. Phorpiex had hitherto been best known as a distributor of sextortion emails, but it’s now carrying more than an implausible threat to email your friends discreditable screenshots of you during moments of private leisure. It had also been used to distribute GandCrab ransomware, ZDNet notes. Its distribution of Avaddon is accomplished with a phishing email that uses a wink emoji as its subject and carries its payload in an attached zip file.
Data Viper's data breach.
KrebsOnSecurity confirms that security start-up Data Viper, which describes itself as a “threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market,” has itself been breached. The founder of Data Viper, Vinny Troia, says that the data that’s been posted for sale on the dark web didn’t come from his firm, but rather from the original hackers, who are simply interested in discrediting him. Mr. Troia does acknowledge that there was a compromise at Data Viper, but says it occurred when one of his developers accidentally left his credentials exposed. He blames the hacking groups “Gnostic Players” or “Shiny Hunters” for the whole operation, and he describes their motive as personal revenge. Some of the data being offered are indeed old, but others may not be.
One bit of alleged fallout from the Data Viper affair, ZDNet reports, is what appears to be a very large trove of personal data lost in the 2019 MGM Resorts breach. The tally of affected guests had earlier been put at 10.6 million. But, if those who claim to have hacked Data Viper are to be believed, that number is an order of magnitude too low. They’re advertising data on more than 142 million MGM hotel guests, and they’re asking just a shade over $2900 for the whole set.
James McQuiggan, security awareness advocate at KnowBe4, emailed the following comments on the Data Viper incident: “Within organizations, there needs to be the same vigilant and secure protocols in place for the production servers and the development servers. The cyber criminals are interested in Personally Identifiable Information that is marketable for them where they can sell it and make an easy profit. Whether it's the production or development systems, if they aren't hardened and have similar restrictive access controls, the cyber criminals will be more than happy to take it off your hands. It's a damage to the brand's reputation if breached, primarily when they work in cybersecurity already.”
Data breach at LiveAuctioneers.
The online auction house LiveAuctioneers disclosed that it suffered a data breach that exposed names, email addresses, mailing addresses, phone numbers, and encrypted passwords of users. No paycard data were, the company says, compromised in the incident. CloudSEK discovered the breach and reported it to LiveAuctioneers; the firm said some 3.4 million users were affected. The source of the breach was a third-party data processing partner.
We also heard from KnowBe4's James McQuiggan on this incident:
"For this data breach, like many before it, it's recommended that people make sure they have unique passwords for all of their different accounts. With this collection of usernames, passwords, email addresses, mailing addresses and social media profiles, the users involved in live auctions are people who are most likely going to have a significant amount of liquid in their bank accounts.
"While the current response for the people impacted by this data breach is to change their password, they will need to change their other accounts' passwords where they used the same password. It's understandable people like to use passwords they can easily remember, but it's essential to use a password management program to track those unique and strong passwords, and in the event of a data breach, it's easy to only change the one account's password.
"This event is an excellent example that encryption is only as good as its capabilities, and using an easily decrypted method, is not secure encryption. Organizations want to make sure they are protecting the databases that contain the sensitive information of their users with secure encryption, limited access with multi-factor authentication for interactive access, and proper security monitoring of the system to prevent data exfiltration.
"Cyber criminals see this as a whale of a find. With access to the usernames and passwords and other sensitive information, they will target these people with specific email scams. The aim will be to collect more personal data and possibly access to other financial accounts. Cyber criminals can use the information to actively convince the users they have access to accounts and strike fear to get them to click on links or open attachments."
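The disclosure above says only that the exposed passwords were "encrypted," and the comment that follows it turns on how much that protects users once the table is stolen. The following added example, which is not LiveAuctioneers' code and not from the original article, makes that point concrete: it assumes a hypothetical leaked table stored as unsalted MD5 (the article does not say what scheme was used) and runs the same small dictionary attack against it and against the same passwords stored with a per-user salt and a deliberately slow key-derivation function. All accounts, passwords and wordlist entries are constructed.

```python
"""Password storage: fast unsalted hash versus salted, slow KDF.

Added example, not LiveAuctioneers' code and not from the original article.
The breached service's real scheme is not described beyond "encrypted"; the
unsalted-MD5 table, accounts, passwords and wordlist below are constructed.
"""
import hashlib
import hmac
import os

# Constructed wordlist; real crackers use billions of candidates.
WORDLIST = ["password", "letmein", "auction2019", "Summer2020!", "bidder123"]

# Constructed "leaked" records stored as unsalted MD5: cheap to compute and
# shared across users, so one hash per candidate tests the whole table.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"auction2019").hexdigest(),
    "bob@example.com": hashlib.md5(b"Summer2020!").hexdigest(),
    "carol@example.com": hashlib.md5(b"7xQ#kLm!pR2v").hexdigest(),  # not in wordlist
}


def crack_unsalted_md5(leaked, wordlist):
    """Recover passwords by hashing each candidate once and matching every user."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# --- Hardened form: random per-user salt plus a deliberately slow KDF ---
PBKDF2_ITERATIONS = 200_000  # raise over time as hardware gets faster


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(records, wordlist, iterations=PBKDF2_ITERATIONS):
    """Same dictionary attack against salted PBKDF2 records.

    The salt defeats the shared lookup table, so every (user, candidate) pair
    costs a full KDF run: work scales with users x candidates x iterations.
    Weak passwords still fall; the scheme buys time, not immunity.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            if verify_password(w, salt, digest, iterations):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {"alice@example.com": hash_password("auction2019")}
    print("salted PBKDF2 cracked:", crack_pbkdf2(salted, WORDLIST))
```

Against the MD5 table the attacker recovers alice's and bob's passwords with five hash computations in total; carol survives only because her password is not in the wordlist. Against the PBKDF2 records the same five candidates cost five full KDF runs per user, and a weak password such as "auction2019" is still found, which is why the storage scheme and the advice on unique passwords above are complementary rather than alternatives.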