A Month In Breaches: November

A Month in Breaches November Issue, breaches, Breach Data

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

WAPDropper Android Malware

Researchers at CheckPoint have recently discovered new WAPDropper malware that signs up Android users to premium telecom services, mainly targeting users in Southeast Asia. If victims download the infected app hosted on third-party app stores the malware downloaded through the malicious app will sign users up for premium phone numbers and services the users will be charged large fees for services which are not being used whilst downloads and executes an additional payload and uses a machine learning solution to bypass image-based CAPTCHA test. Normally, a CAPTCHA test must be carried out to offer a subscription. WAPDropper malware, however, is able to override CAPTCHA by using image recognition services with an ML solution. To cover the malicious motives WAPDropper downloads a second stage malware and has the ability to spread and initiate various attack vectors to steal victim information.

Hackers have been using third party Android stores to spread WAPDropper malware. Avoiding these markets will reduce the chance of compromise. The fact that text distortion-based and image recognition CAPTCHAs are vulnerable to machine-based learning attacks the need for alternatives security methods has grown immensely.

To avoid getting infected with WAPDropper malware, download Android apps from the Google Play Store. It is shiw\\own that WAPDropper malware has been discovered within applications such as ‘dolok’, ‘af’, ‘email’ and ‘game app’ that have been downloaded and updated from outside the Play Store. While the accounts could have been already breached, it is recommended that users should immediately uninstall these applications from their devices.

Critical VMware Zero-Day Bug

Vmware has discovered a command injection zero-day bug affecting six VMware products including its Workspace One, Identity Manager, and vRealize Suite Lifecycle Manager. It is listed as CVE-2020-4006 with a severity rating of 9.1 out of 10. Versions impacted include:
VMware Workspace One Access 20.10 (Linux), VMware Workspace One Access 20.01 (Linux), VMware Identity Manager 3.3.3 (Linux), VMware Identity Manager 3.3.2 (Linux), VMware Identity Manager 3.3.1 (Linux), VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux), VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows).

An attacker with network access to administrative configurator on port 8443, as an outcome of the initial compromise of the service via brute-forcing/ Dictionary/ Password spraying, can execute system level commands with unrestricted privileges on the underlying operating system.

The company has not published any patches yet for those versions at this point, however, the company does provide admins with a temporary workaround designed to fully remove the attacker vector on affected systems and prevent exploitation of CVE-2020-4006. Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available here.

Cyber Monday/Black Friday Shopping Risks

With Christmas season shopping peaking and an abundance of shopping offers on the internet, poses a risk for individuals. Consumers lack knowledge about some of the biggest retail risks. According to the research, 85 percent are at least mildly concerned about their personal information being compromised when shopping through a website or browser, while 88 percent of shoppers are at least mildly concerned about the safety of mobile apps for retail purposes. Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi.

They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment-card details and other information entered into the fields on the page. Hackers will engage in domain infringement, including but not limited to deceptively-spelled look-alikes or using a ‘.org’ when the real site uses ‘.com’ to con you into providing your sensitive information. They may use this tactic in combination with other hacker go-tos like spear-phishing email campaigns.

Overall, experts anticipate holiday shopping during the 2020 Black Friday and Cyber Monday season to be largely carried out online, particularly with the COVID-19 pandemic this year keeping many in their homes. CTRL advises consumers to be cautious and circumspect of fraudulent sites spoofing legitimate and popular businesses, unsolicited emails purporting to be from charities, and unencrypted financial transaction.