06 September
Your Weekly Cybersecurity Update (6 September 2024)
- Singapore’s Consumer Watchdog Fined for Data Breaches, Failed to Secure Consumer Information
- Research Study: What’s The Worst Place to Leave Your Secrets
- Critical Infrastructure Under Threat: Zero-Day Vulnerability Exploited to Spread Mirai Botnet
- Banks Under Fire for Inadequate Scam Protection as Victims Suffer
- FIDO Security Token YubiKey 5 Vulnerable to Cloning Attacks
- Critical Vulnerability Found in Airport Security System
The Consumers Association of Singapore (Case) has been fined S$20,000 for breaches of the Personal Data Protection Act (PDPA) following two separate data security incidents.
The Personal Data Protection Commission (PDPC) found Case failed to implement proper security measures to safeguard consumer data and neglected to develop and enforce data protection policies. These lapses resulted in the compromise of personal information for thousands of consumers.
Two Incidents Exposed Consumer Data
The first incident occurred in October 2022 when hackers accessed Case email accounts and sent phishing emails to consumers. These emails appeared legitimate, claiming to be from Case and requesting consumers to click on a link to receive compensation for complaints. Three consumers fell victim to the scam, losing a total of S$217,900.
A second incident came to light in June 2023 when consumers reported receiving targeted phishing emails replicating complaints they had submitted to Case. The PDPC investigation determined this data breach likely occurred during a vendor data migration process in December 2019. This incident exposed the personal information, including names, email addresses, contact details, and complaint details, of 12,218 individuals.
Case’s Security Shortcomings
The PDPC investigation revealed several security lapses by Case:
- Weak password management: Passwords for compromised accounts did not meet minimum complexity requirements and hadn’t been changed for years.
- Negligent vendor management: Contracts with vendors lacked clear data security clauses, putting consumer data at risk.
- Lack of staff training: Case hadn’t conducted data protection training for its staff in five years.
- Insufficient IT security measures: Case lacked proper email security, logging, monitoring, and internal security controls.
Case’s Response and Moving Forward
Case has taken steps to address these security shortcomings, including:
- Implementing multi-factor authentication for applications.
- Installing security software to protect against malware, spam, and phishing attacks.
- Tightening access controls to systems.
- Decommissioning outdated devices and implementing patch management.
- Increasing password complexity requirements and enforcing regular password changes.
- Including data protection clauses in vendor contracts.
- Providing data protection training to new and existing staff.
- Working towards obtaining Cyber Essentials Mark and Data Protection Trust Mark certifications.
The PDPC has directed Case to review and update its data protection policies and rectify all security gaps identified. This incident serves as a stark reminder for organizations handling personal data to prioritize robust cybersecurity measures and staff training to safeguard consumer information.
Researchers deployed digital tripwires disguised as AWS credentials in various public locations online to see how quickly threat actors would take advantage of them. The findings highlight the importance of strong password hygiene and data protection measures.
Canary Tokens: Secret Spies
Canary tokens are essentially fake credentials placed within systems to lure attackers. When a threat actor attempts to use these seemingly valid tokens, an alert is triggered, notifying the owner of a potential security breach.
The Experiment
The researchers strategically placed AWS credentials as canary tokens across various publicly accessible platforms, including code repositories (GitHub, GitLab, Bitbucket, DockerHub), self-managed public services (FTP server, web server, blog), SaaS services (Pastebin, JSFiddle), package managers (NPMJS, PyPi), and cloud storage buckets (AWS S3, GCP).
Swift Response from Threat Actors
The findings revealed surprisingly swift responses from malicious actors. Notably, tokens placed on GitHub and DockerHub were accessed within seconds and minutes, respectively. Pastebin proved to be a goldmine for exposed credentials, with unprotected tokens being snatched immediately. Interestingly, there were no attempts on Bitbucket or GitLab.
Scraping Bots on the Hunt
The analysis suggests the use of automated tools by threat actors to scrape public platforms for exposed credentials. This highlights the need for stricter access controls and proper token management practices.
Key Takeaways
- Public platforms like GitHub and Pastebin are prime targets for scraping sensitive information.
- Threat actors can move very quickly to exploit exposed credentials.
- Canary tokens offer a valuable tool for early detection of unauthorized access attempts.
Recommendations
- Implement strong password policies and enforce regular rotation of credentials.
- Grant least privilege access and restrict access to sensitive data.
- Utilize environment-specific tokens to minimize the impact of a potential breach.
- Encrypt sensitive data at rest and in transit.
- Conduct regular security audits and educate staff on best practices for handling sensitive information.
- Consider deploying canary tokens as an additional layer of security.
While limitations exist in pinpointing the exact malicious intent behind every access attempt, the research clearly demonstrates the ever-present threat landscape. By adopting a multi-layered approach that combines strong security practices with proactive measures like canary tokens, organizations can significantly improve their security posture.
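How a canary AWS key becomes an alert, and how time-to-first-use figures like those in the study can be derived, as an added example that is not the researchers' code: it scans CloudTrail-style records for canary access key IDs. The key IDs, locations, timestamps and log lines are constructed; only the field names (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`) follow CloudTrail's record format.

```python
import json
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format (UTC)
# Constructed inventory: canary access key ID -> (where planted, when planted).
CANARIES = {
    "AKIAEXAMPLECANARY001": ("github", "2024-09-01T10:00:00Z"),
    "AKIAEXAMPLECANARY002": ("pastebin", "2024-09-01T10:00:00Z"),
    "AKIAEXAMPLECANARY003": ("gitlab", "2024-09-01T10:00:00Z"),
}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = "\n".join([
    '{"eventTime":"2024-09-01T10:00:41Z","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLECANARY001"}}',
    '{"eventTime":"2024-09-01T10:01:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.5","userIdentity":{"accessKeyId":"AKIAEXAMPLEPRODKEY01"}}',
    '{"eventTime":"2024-09-01T10:00:05Z","eventName":"GetCallerIdentity","sourceIPAddress":"192.0.2.44","userIdentity":{"accessKeyId":"AKIAEXAMPLECANARY002"}}',
    '{"eventTime":"2024-09-01T10:05:00Z","eventName":"ListUsers","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLECANARY001"}}',
    'truncated-record{',
    '{"eventTime":"2024-09-01T10:06:00Z","eventName":"AssumeRole","userIdentity":{"type":"AWSService"}}',
])

def detect(log_text, canaries=CANARIES):
    """Return one alert per record that was signed with a canary key."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        key = (rec.get("userIdentity") or {}).get("accessKeyId")
        if key not in canaries:
            continue  # production keys and service events are ignored here
        location, planted = canaries[key]
        delay = datetime.strptime(rec["eventTime"], FMT) - datetime.strptime(planted, FMT)
        alerts.append({"location": location, "api": rec.get("eventName"),
                       "source_ip": rec.get("sourceIPAddress"),
                       "seconds_after_planting": int(delay.total_seconds())})
    return alerts

def first_use(alerts, canaries=CANARIES):
    """Seconds from planting to first use per location; None means untouched."""
    result = {loc: None for loc, _ in canaries.values()}
    for a in alerts:
        seen = result[a["location"]]
        if seen is None or a["seconds_after_planting"] < seen:
            result[a["location"]] = a["seconds_after_planting"]
    return result

if __name__ == "__main__":
    print(detect(SAMPLE_LOG), first_use(detect(SAMPLE_LOG)), sep="\n")
```

Because a canary key has no legitimate user, any hit is a high-confidence alert, and a location that stays at `None` is the analogue of the platforms where the study saw no attempts.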
A critical zero-day vulnerability in AVTECH IP cameras is being weaponized to spread the notorious Mirai botnet, posing a serious threat to industrial control systems and critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in early August about the remote code execution (RCE) vulnerability, which has now been exploited to infect vulnerable devices with Mirai cryptominer malware.
Researchers at Akamai discovered that the Mirai botnet campaign was leveraging a variety of known vulnerabilities but was primarily focusing on the zero-day command injection flaw in AVTECH CCTV cameras (CVE-2024-7029). Despite the affected camera models being discontinued, they remain widely deployed in critical infrastructure sectors.
Due to the lack of a patch, operators are urged to physically remove and replace the vulnerable devices with more secure alternatives. “If there is no way to remediate a threat, decommissioning the hardware and software is the recommended way to mitigate security risks,” Akamai researchers advised.
The CISA advisory highlighted the widespread use of AVTECH IP cameras across critical infrastructure, including commercial facilities, financial services, healthcare, and public health.
Akamai’s researchers emphasized the growing trend of threat actors exploiting vulnerabilities before they are publicly disclosed. “A vulnerability without a formal CVE assignment may still pose a significant threat to your organization,” they stated. “Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware.”
Scams continue to plague Australians, with victims often left devastated and facing challenges in recovering their lost funds. Despite the increasing prevalence of scams, many banks are failing to provide adequate support and protection for their customers.
A Case of Misplaced Trust
Carol Scaramuzzi, a 78-year-old NSW pensioner, fell victim to a sophisticated scam that emptied her bank account of her life savings. She was tricked into believing she was speaking with Apple technical support, who convinced her to provide her bank details to prevent a fraudulent transaction.
Banks’ Lack of Support
After discovering the scam, Scaramuzzi contacted her bank, ING, and reported the matter to the police. Despite her efforts, ING closed the case and refused to reimburse the stolen funds. Scaramuzzi believes the bank had a moral obligation to help, as she had a daily withdrawal limit in place.
Public Pressure Forces Action
It wasn’t until Scaramuzzi’s niece contacted the media that ING finally took action. Within hours of the media inquiry, the bank returned Scaramuzzi’s funds in full. This incident highlights the power of public pressure in forcing banks to address customer concerns.
ASIC Report Criticizes Banks
The Australian Securities and Investments Commission (ASIC) recently released a report criticizing the scam prevention strategies of 15 banks, including ING. The report found poor customer service, slow response times, and mishandling of scam reports at these banks.
Thousands Affected by Scams
In 2023, Australians lost a collective $2.74 billion to scams. While the total losses decreased slightly, the number of scams reported increased significantly, indicating the growing sophistication of scammers.
ASIC Calls for Improvements
ASIC is urging banks to improve their scam prevention strategies and provide better support to victims. The regulator expects all banks, regardless of size, to take action against scams.
The Need for Change
The case of Carol Scaramuzzi demonstrates the devastating impact scams can have on individuals. It’s crucial for banks to prioritize customer protection and take proactive measures to prevent and address scams. The threat of public embarrassment and regulatory action may be the only motivator for some banks to improve their practices.
A new side-channel vulnerability has been discovered in the YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard. This vulnerability allows attackers to clone the device when they have temporary physical access.
The cryptographic flaw resides in a small microcontroller used in many authentication devices, including smartcards and banking systems. Researchers have confirmed that all YubiKey 5 series models are susceptible to cloning. Unfortunately, there is no patch available to fix the vulnerability, leaving affected devices permanently vulnerable.
How the Attack Works
The attack exploits a side-channel vulnerability in the Infineon cryptographic library used in the YubiKey 5. By measuring electromagnetic radiation emitted by the device during authentication, attackers can extract the secret ECDSA key that underpins the token’s security.
The Threat
While the attack requires specialized equipment and expertise, it poses a significant threat to organizations using YubiKey 5 devices for secure authentication. Attackers could potentially use cloned YubiKeys to gain unauthorized access to sensitive systems and data.
Yubico’s Response
Yubico, the manufacturer of YubiKey, has issued an advisory regarding the vulnerability. The company recommends that users of affected devices consider replacing them with newer models that are not vulnerable.
The Importance of Physical Security
This discovery underscores the importance of protecting physical access to security tokens. Organizations should implement strict physical security measures to prevent unauthorized individuals from accessing devices.
A significant security flaw has been discovered in FlyCASS, a web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). The vulnerability could have potentially allowed unauthorized individuals to bypass airport security screenings and gain access to aircraft cockpits.
Researchers Ian Carroll and Sam Curry found that the system’s login was vulnerable to SQL injection, a common attack method that allows attackers to manipulate databases. By exploiting this flaw, the researchers were able to add a fictitious employee to the KCM and CASS databases, granting them unauthorized access to secure areas.
The researchers immediately reported the vulnerability to the Department of Homeland Security (DHS), which acknowledged the severity of the issue and disconnected FlyCASS from the KCM/CASS system. However, the researchers faced challenges in coordinating a safe disclosure with both the DHS and the TSA.
The TSA initially denied the vulnerability’s impact but later removed information from its website that contradicted its statements. The researchers also discovered that FlyCASS had suffered a ransomware attack earlier this year.
Despite the TSA’s claims that their procedures would prevent unauthorized access, the vulnerability highlights the importance of robust security measures in critical infrastructure systems. The incident serves as a reminder of the ongoing need to protect against cyber threats that could compromise aviation safety.