More Than a Weekend Update
One thing I have always appreciated about the infosecurity community is that it's built on the fundamental principle that in order to combat cybercrime, we must work together. Many groups already operate with this mindset, including ISACs, open source intelligence and information sharing groups, and more. At DomainTools we strive to contribute as much as possible by producing a combination of educational and actionable webinars, blog posts, and presentations. With this in mind, I'm thrilled to introduce an additional resource: our podcast, Breaking Badness.
The primary objective of this weekly podcast, which will replace our Monday Media Wrap Up, is to deliver timely and relevant security news in under thirty minutes. I invite you to join me, Security Researcher Emily Hacker, and Director of Product Management Tim Helming every Wednesday for a combination of pertinent news and infosec comedy. I can promise there will be plenty of laughs (or at the least, eye rolls) and lighthearted conversation that aims to keep you up to date on what's happening in the ever-changing cybers.
With that, I’m proud to share episode number one of Breaking Badness:
Coming up this week on Breaking Badness: today we discuss the Android Security Bulletin of February 2019, the security content of the iOS 12.1.4 update, and phishing attacks against Facebook and Google via Google Translate.
Here are a few highlights from each article we discussed:
[Kelsey] Emily, can you break down exactly what this update is fixing?
[Emily] As you know, per usual, the update had a couple of things it was fixing. But the most important bug it was fixing was actually a vulnerability where an attacker could send a specially crafted PNG file that would enable the attacker to execute arbitrary code. So what that means is that just by sending an image over, you know, via text, or maybe sending a malicious link that would lead to the malicious PNG file, an attacker could download malware onto your phone, which is not ideal. There were no reports of this being exploited in the wild, but that just means nothing was reported. So, I mean, there's always a chance it was, and it affected a lot of Android versions.
[Kelsey] It sounds like there’s a vulnerability that allows executing arbitrary code within the context of privileged access.
[Emily] Executing arbitrary code would be whatever they want it to be. That would be the malicious software. They might be able to execute code on your phone that enables it to log what I would call keystrokes on a computer. I guess they're also called keystrokes on the phone, and therefore they're able to see everything you're typing in, or they might be able to execute code that allows them to kind of install a back door so they can get back onto your phone later.
[Tim] The update has to do with a FaceTime flaw, where on a group FaceTime, an attacker could eavesdrop before the call was really initiated. So that's a little bit scary. Now having said that, when it comes to actual people's behavior, I don't know about you guys, but when I receive a FaceTime call from somebody that I don't recognize, I don't answer it. And personally, and maybe I'm an outlier here, I have never used, or attempted to use, group FaceTime. But anyway, that may have mitigated how widespread this would be, but having said that, it is obviously good that Apple has patched it. Emily, there are a couple of other vulnerabilities that were patched in the same update, can you tell us about those?
[Emily] So there were three additional vulnerabilities that were patched, but two of them I felt were really more deserving of attention, more so than the FaceTime flaw. Those were CVE-2019-7286 and 7287, and these are similar but different. So 7286 actually enables the attacker to elevate their privileges, and 7287 enables an attacker to execute arbitrary code with kernel privileges. So used in tandem, that's going to allow someone to basically execute malware on your phone and then elevate their privileges, so that could be pretty serious. It was reported by Google Project Zero, which is an organization that discovers vulnerabilities in all kinds of software. Ben Hawkes tweeted out that it was being exploited in the wild as a 0-day.
[Kelsey] And speaking of suspicious sites, there's a threat actor that was phishing for more than compliments this week. Which leads to our final article, which is phishing attacks against Facebook via Google Translate. So Emily, will you break down what this phishing attempt looked like, and how the threat actor basically harvested credentials via Google Translate?
[Emily] This email was delivered to the author, which is really good because he captured quite a few details. The phishing address was Facebook underscore secure, but spelled wrong, "secur", at hotmail.com. So he said from the mobile device, the friendly name was actually something along the lines of "Google security", and if you are on your phone and you're checking your email, a lot of times all you'll see is the friendly name on the email. You won't actually see the full email address. The email was crafted to look like the email that Google will send you when you have logged into your account, or when someone has logged into your account from a new device. So from his perspective, he received an email that looked like it was from Google, saying you had this weird login. His first thought was, oh no, I didn't do this, somebody is hacking into my account. Luckily for him, he made the smart choice: instead of just clicking on the link from his phone email, he got on his laptop to check the email because he was planning on digging around.
Once he was on his computer he was able to see that the sender was Facebook underscore "secur", spelled wrong, and clearly was not sent from Google. If you click on the link in the email body that's supposed to lead you to the page to review your Google security login attempt, it actually brings you to a Google Translate page. And why that is interesting is that it's obscuring the actual malicious URL. So it was leading to a malicious website that was being loaded up through Google Translate. If you just looked at the URL bar, it read "translate dot Google dot com slash numbers and letters and then the actual malicious URL".
The guy who received this email did say that if you entered your credentials and clicked submit, you would be redirected to a fake Facebook login page asking you to log in with your Facebook credentials, which it would then steal as well. So logically this whole phishing attempt is just bizarre, because it's a fake Facebook email address pretending to be Google, sending a Google login warning email that asks for your Google credentials, and then redirects to Facebook. So I mean, if anyone was paying attention to what they were doing, it would be pretty clear pretty quickly that it was not legitimate. It's just another clever, in my opinion, way of obscuring the malicious URL.
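The trick Emily describes works because the browser's address bar shows translate.google.com while the page content comes from wherever the `u=` parameter points. The following is an added example, not code from the episode or from the report it discusses, of how an email link can be unwrapped and checked against the brand the message claims to be from. The hostnames `translate.googleusercontent.com` and `*.translate.goog`, and the dash encoding of the proxied hostname in the second form, are assumptions about other Google Translate proxy shapes; the episode only describes the `translate.google.com` form. The sample links are constructed and are not the URLs from the reported campaign.

```python
"""Unwrap links that hide their real destination behind Google Translate.

Added example (not code from the podcast episode or the report it covers).
Given a link lifted from an email, extract the page Google Translate is
proxying and check whether that page lives on the domain the email claims
to be from.
"""
from urllib.parse import parse_qs, urlparse

# Proxy hostnames. The episode describes the translate.google.com form; the
# other two are assumptions (older and newer Google Translate proxy hosts).
QUERY_PROXY_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
SUBDOMAIN_PROXY_SUFFIX = ".translate.goog"


def unwrap_translate_url(url: str):
    """Return the destination hidden behind a Google Translate link, or None.

    Handles two proxy shapes:
      1. https://translate.google.com/translate?...&u=<destination>
      2. https://<encoded-host>.translate.goog/<path>, where (assumption)
         dots in the origin host became '-' and hyphens became '--'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if host in QUERY_PROXY_HOSTS:
        # parse_qs percent-decodes the value, so "https%3A%2F%2F..." comes back as a URL.
        target = parse_qs(parsed.query).get("u")
        return target[0] if target else None

    if host.endswith(SUBDOMAIN_PROXY_SUFFIX):
        encoded = host[: -len(SUBDOMAIN_PROXY_SUFFIX)]
        origin_host = "-".join(part.replace("-", ".") for part in encoded.split("--"))
        # Drop Google's own _x_tr_* control parameters; keep anything else.
        params = [kv for kv in parsed.query.split("&") if kv and not kv.startswith("_x_tr_")]
        rebuilt = f"https://{origin_host}{parsed.path or '/'}"
        return rebuilt + ("?" + "&".join(params) if params else "")

    return None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for this example; a real
    pipeline should consult a public-suffix list (co.uk and friends)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage_link(url: str, claimed_brand_domain: str) -> dict:
    """Describe where a link really goes and whether that matches the brand
    the email impersonates (the episode's case: an email posing as Google)."""
    destination = unwrap_translate_url(url)
    final_url = destination if destination is not None else url
    final_host = (urlparse(final_url).hostname or "").lower()
    return {
        "visible_host": (urlparse(url).hostname or "").lower(),
        "wrapped_by_translate": destination is not None,
        "destination": final_url,
        "destination_host": final_host,
        "matches_claimed_brand": registrable_domain(final_host) == claimed_brand_domain.lower(),
    }


# Constructed sample links (not the URLs from the reported campaign).
SAMPLE_LINKS = [
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en"
    "&u=https%3A%2F%2Faccount-review.example%2Fgoogle%2Flogin",
    "https://account--review-example.translate.goog/google/login?_x_tr_sl=auto&_x_tr_tl=en",
    "https://myaccount.google.com/notifications",
]


def triage_samples(claimed_brand_domain: str = "google.com") -> list:
    """Run triage_link over the constructed samples against one claimed brand."""
    return [triage_link(link, claimed_brand_domain) for link in SAMPLE_LINKS]


if __name__ == "__main__":
    for result in triage_samples():
        verdict = "OK" if result["matches_claimed_brand"] else "SUSPICIOUS"
        print(f"{verdict}: {result['visible_host']} -> {result['destination']}")
```

The point of the check is that the visible host (translate.google.com) is never the host that decides whether a link is safe; only the unwrapped destination is compared to the claimed brand. The first two samples unwrap to the same non-Google host and are flagged, while the plain myaccount.google.com link passes.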
Introducing the Hoodie Scale
[Kelsey] I've found that working in infosec is a lot like charging hell with a squirt gun. So, Tim came up with this great rating scale to help prioritize examples of nefarious activity. Would you mind introducing our audience to this beautiful rating system that we're talking about?
[Tim] Well, we all know, because this has been pretty much accepted worldwide, that attackers wear hoodies. So I think the hoodie unit of measure for this is a common universal truth that you aren’t an actual, you know, threat actor or an actual cybercriminal until you’re sitting at your computer, hunched over in a black hoodie, with the hood on, despite the fact that you are indoors.
[Emily] There is text neck; there must be hacker neck or hacker back or something that is going to be an ailment of the future.
[Tim] That's a good point. You know, I've got to say, from a safety standpoint, it is good that when they're reaching through your screen to steal your credentials or your money or whatever, they wear black gloves. OSHA recommends that, I think, for reaching through screens.
[Kelsey] Perfect. I think we’re all agreed on the hoodie scale (out of ten hoodies). So I think the next thing we need to do is rate the articles. Normally, I will go through this as we discuss the articles, however in this case, we will now rate the articles from today according to the Hoodie Scale:
This Week’s Hoodie Ratings
Android Security Bulletin of February 2019
[Tim]: 4/10 Hoodies
[Emily]: 4/10 Hoodies
iOS 12.1.4 Update
[Tim]: 4/10 Hoodies
[Emily]: 4/10 Hoodies
Phishing Attacks Against Facebook and Google via Google Translate
[Tim]: 1/10 Hoodies
[Emily]: 1/10 Hoodies
That's about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible new podcast music!