With so much smart technology to protect us, are we taking the basic precautions of securing it? Recent and ongoing mishaps with the Amazon Ring lead to more scrutiny in the area of smart home devices, with findings being dismal at best. As we look to require multi-factor and certificate-based clearance in our homes, hackers are exploiting our pocketbooks with legitimate TLS-certified domains from abroad. Credit fraud, especially from spoofed sites with real certificates, is at an all-time high in the Ukraine, and one hacking group finally paid the price.
And, Trend Micro sighted the first active attack on a Use-After-Free vulnerability, but the breadcrumbs might track back to Israeli spy agencies. How the black hats may be leading in the fight to encrypt, and how our IoT breaches and credit card scams are telling us - it might be time to take a page from their book.
The irony of IoT security cams
You buy a smart camera to properly secure your home. Too bad nobody took the time to properly secure your camera.
There have been over 300 incidents of breach with the Amazon Ring indoor cam—most notably, a hacker spewing racial epithets through the mounted device of an 8-year-old, communicating with her in her bedroom and insulting her mother.
This is not why we bring smart things into our homes.
You’d assume that with such privileged access to our most valuable assets (presumably in the home, presumably why we’d want a camera in the first place), security would be a key selling feature, or at least a key priority. It seems that it is not.
You can access your Ring account with about as much ease as logging into your Gmail account from a friend’s laptop. No multi-factor authentication. No certificate-based authentication. Just a username and password combo that has been systemically abused. By their own admission, Amazon has left its users open to “credential stuffing” attacks (breaching another system, stealing a user’s credentials and using them across platforms). Use of static credentials creates a petri dish for these kinds of attacks. Also in play were leaked WIFI credentials and a puzzling vulnerability that allowed a user to stay logged in to the Ring after the password was changed.
Now that IoT is no longer “new technology,” excuses dwindle for its negligence in security. Commendably, regulatory agencies like the FDA are implementing IoT safety standards across some verticals, but it seems the technology has far outstripped its security. When the companies producing these smart appliances are leaders in technology and innovation, the case becomes even more curious.
Until then, Amazon suggests enabling two-factor authentication.
- How PKI Certificates Could Help Secure the Internet of Things [IoT]
- Why the Rise of Enterprise IoT Puts Machine Identities to the Test
- IoT and Machine Identity Management: Getting Smarter about Securing Smart Technologies
How long has this been going on? Ukrainian hacking group and long tail damage
How do you tell a real online retail store from a fake? The fake will almost always have a real TLS certificate.
The problem is so ubiquitous that in the Ukraine alone there were nearly 80,000 cases of payment card fraud in 2018, not in small part owing to the number of typosquatted domains. Primary targets? The twenty top US retailers. Macy's was a hot target last year, although the method of attack was on their own website, surprisingly.
A little less than a month ago, Ukrainian police finally cracked down on a hacker group out of the Kharkiv region that was responsible for its fair share of extortion. On its rap sheet was the notoriety of hacking 20,000 private servers worldwide. And then came all the rest.
The compromised servers were part of an international business, being hawked to foreign buyers or used to create botnet mercenaries, used for DDoS attacks, data mining or weaponizing fraudulently installed software command centers. It was all bad.
Unfortunately, this group worked both sides of the counter and moonlighted as a sort of investment agency as well, circa 2014—setting up fake call centers and throwing clients’ stock market “investments” (made through their bogus website) into their own private accounts. With their scale of enterprise, it’s worth wondering if they might not have been more successful at the real thing. In any event, this side hustle earned them a cool 100K per month, and they were one of many to capitalize off what can only be termed a Ukrainian card fraud epidemic.
So, are consumers getting more gullible or are fraudsters just getting better? Probably the second one, although it helps to keep savvy. A primary reason for the believability of these spoofed domains is the prevalence of legitimate TLS certificates on the Dark Web. With data surpassing oil in value, and machine identities now worth more than human ones, it’s no wonder the internet has a thriving economy for SSL/TLS certs. Just make sure they aren’t yours.
And think twice before answering any Ukrainian investment calls.
- Domain Spoofing Is Still a Serious Threat for Online Retailers
- Venafi Retail Research: Will Holiday Shoppers be Duped By Look-alike Domains?
- The London Protocol Aims to Expose the Misuse of Machine Identities in Phishing Attacks
First use-after-free vulnerability caught In the wild
Late summer of last year, Google was hunting the Sidewinder bug. Early this year, researchers at Trend Micro finally caught it being actively exploited. The find is the first of its type. And researchers were able to trace the length of malicious activity—from last March up until their recent discovery—based on the date their digital certificates were created. Cybercriminals are getting more and more wily about misusing machine identities in their attacks. It’s reassuring that threat researchers are keeping pace.
Here’s what we know. There was a set of three malicious apps on the Google App Store that, when working together, were designed to exploit the Linux kernel and siphon user data. If you were browsing, you would have seen what looked like inauspicious “photography and file manager tools.” The attack, among other things, takes advantage of Binder flaw CVE-2019-2215, which can be used to gain root privileges in Android. Binder is Android’s primary Inter Process Communication System.
The attack stands out for two reasons.
The first is just strong suspicion, but interesting. One of the three apps in question, a photography app called Camero, uses command and control servers suspicioned to belong to Sidewinder, a hacking group with a history of profiling Palestinian targets. In November, Google floated Israel’s NSO group as being linked to the vulnerability.
Secondly, with Trend Micro’s find, this is the first known active attack in the wild that uses the use-after-free vulnerability, an exploitation of memory after it has been freed, in some cases allowing for remote code execution.
The good news is that it was only downloaded 10 times. We’ll be grateful that the adversary’s marketing skills were less sophisticated than its attack attempts.