Weekly Executive Summary for Week Ending June 3, 2016

By Joseph Lorenz on June 3, 2016

Targeted Industries

  • Software
  • Information Technology
  • Finance
  • Internet
  • Banking

Active Threats

  • Anonymous
  • Stealth Falcon
  • Inj3ct0r Team
  • APT1 Comment Crew
  • CtrlSec

Major Events

  • Windows Zero Day Selling for $90,000
  • Millions of Stolen Myspace, Tumblr, Credentials Being Sold Online
  • Flaw Allows Hackers to Modify Texts on LG Smartphones
  • Hardcoded Credentials Found in Medical System

Conclusions

Hackers claim to have a zero-day vulnerability that would give other attackers admin rights on any Windows machine from Windows 2000 through a fully patched Windows 10. The zero-day was originally listed on the black market for $95,000 and is now selling for $90,000. Security experts say the exploit looks legitimate and could be an extremely effective tool for attackers who already have a foothold in an existing computer network. There is no way to be absolutely sure the zero-day is legitimate without actually purchasing it, but there are two strong indicators supporting its validity: the seller is offering the use of an independent escrow agent to verify that the exploit works before payment is made, and two videos accompanying the for-sale listing show the vulnerability in action.

Source: Windows Zero Day Selling for $90,000

The same seller that claimed to have information on 164 million LinkedIn users earlier this month now says they have data on 360 million Myspace accounts. Both attacks are being attributed to the same hacker, known as Peace. The post claims that MySpace was hacked on June 11, 2013 and that the dataset obtained has 360,213,024 records, 11,341,248 of which contain both a username and password and 68,493,651 of which contain a secondary password. MySpace confirmed that accounts created prior to June 11 are affected, and added that it is using automated tools to block suspicious activity on user accounts and to invalidate old user passwords. Upon logging in, a user will be prompted to authenticate and then reset the password on their account. Details of how the breach actually occurred are scarce, though it is known that MySpace passwords were stored using the cryptographic hash function SHA-1 without salting; SHA-1 is now almost universally regarded as weaker than it was first designed to be.

Source: Millions of Stolen Myspace, Tumblr Credentials Being Sold Online

FAQ about the incident
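The weakness named above, unsalted SHA-1, is worth seeing concretely. The following is an added example, not code from the summary or from MySpace: it hashes constructed sample accounts (the usernames and passwords are invented) with the weak scheme, shows the defender-side check that exposes it (identical passwords collapse to identical hashes, so a whole dump can be attacked with one lookup table), and places a salted, slow derivation beside it. The `USERS` list, the function names and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample records (hypothetical; not from any real breach).
USERS = [("alice", "summer2013"), ("bob", "summer2013"), ("carol", "Tr0ub4dor&3")]

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the summary: one bare SHA-1 per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Corrected scheme: a per-user random salt plus a deliberately slow
    key-derivation function, so equal passwords do not produce equal hashes
    and each guess costs the attacker real work."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def duplicate_hash_groups(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Defender-side audit of an unsalted table: group users by hash value.
    Any group larger than one means one cracked hash unlocks several accounts,
    which is exactly the property salting removes."""
    groups: Dict[str, List[str]] = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def weak_table() -> List[Tuple[str, str]]:
    """Store the sample users the way the summary says MySpace did."""
    return [(user, unsalted_sha1(pw)) for user, pw in USERS]


def strong_table() -> List[Tuple[str, bytes, bytes]]:
    """Store the same users with per-user salts."""
    return [(user, *salted_pbkdf2(pw)) for user, pw in USERS]


if __name__ == "__main__":
    print("duplicate groups in unsalted table:", duplicate_hash_groups(weak_table()))
    print("duplicate salted digests:", len({d for _, _, d in strong_table()}) < len(USERS))
```

Running the audit over the unsalted table flags alice and bob together, because their shared password produces the same hash; the salted table has no such groups, and a stolen copy of it forces the attacker to run the full PBKDF2 work per user per guess.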

LG, which holds nearly 10% of the U.S. smartphone market, has released fixes for two serious vulnerabilities, including a flaw that could be used by an attacker to remotely delete and modify text messages. Both vulnerabilities were discovered by researchers at Check Point. The first can be exploited locally and stems from a privileged LG service named “LGATCMDService”: because the service is not protected by a bind permission, any application, regardless of its permissions or origin, can communicate with it. This allows an attacker to connect to the service and perform various actions, including reading and overwriting the IMEI and MAC addresses, rebooting the device, disabling the USB connection, wiping the device, and even bricking it completely. The second flaw lies in LG’s implementation of WAP Push, a protocol used for text messages that contain links to websites. The implementation is vulnerable to SQL injection, giving a remote attacker the ability to delete or modify any message on a targeted smartphone.

Source: Flaw Allows Hackers to Modify Texts on LG Smartphones
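The WAP Push flaw above is a message-store injection: text from an incoming push is spliced into a SQL statement. The following is an added example, not code from the summary, from Check Point or from LG, and it does not use LG's schema; it builds a constructed in-memory SQLite message table, shows the vulnerable handler beside the parameterized one, and uses a benign apostrophe in a link as the probe. That probe is the practical check a reviewer wants: if a plain quote character in message text produces a SQL error, the text is reaching the SQL parser, which is the root cause, with no payload needed to demonstrate it. All table names, sample numbers and function names are assumptions for illustration.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data (hypothetical sender numbers and bodies).
SEED_MESSAGES = [("+15550001", "meet at noon"), ("+15550002", "invoice attached")]


def open_message_store() -> sqlite3.Connection:
    """Stand-in for a phone's SMS database, seeded with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", SEED_MESSAGES)
    conn.commit()
    return conn


def store_push_unsafe(conn: sqlite3.Connection, sender: str, body: str) -> None:
    """Vulnerable pattern: the WAP Push text is formatted into the SQL string,
    so any quote character in the message is interpreted by the SQL parser
    rather than stored as data."""
    conn.execute(f"INSERT INTO messages (sender, body) VALUES ('{sender}', '{body}')")
    conn.commit()


def store_push_safe(conn: sqlite3.Connection, sender: str, body: str) -> None:
    """Hardened form: bound parameters keep the message text as data, whatever
    characters it contains."""
    conn.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", (sender, body))
    conn.commit()


def probe(handler: Callable[[sqlite3.Connection, str, str], None],
          body: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Feed one message body to a handler on a fresh store and report
    (stored_without_error, rows_after). A SQL error on an ordinary apostrophe
    is the tell-tale sign that message content is being parsed as SQL."""
    conn = open_message_store()
    try:
        handler(conn, "+15550009", body)
        ok = True
    except sqlite3.OperationalError:
        ok = False
    rows = conn.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    conn.close()
    return ok, rows


# A link containing a benign apostrophe (constructed; example.test is a reserved name).
PROBE_BODY = "http://example.test/o'brien"

if __name__ == "__main__":
    print("unsafe handler:", probe(store_push_unsafe, PROBE_BODY))
    print("safe handler:  ", probe(store_push_safe, PROBE_BODY))
```

The unsafe handler fails on the apostrophe and the row is never written, which is the same parsing behaviour an attacker would rely on to reshape the statement; the parameterized handler stores the link verbatim. The same `?` placeholder discipline applies to the DELETE and UPDATE paths that the LG flaw let a remote sender reach.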

Carnegie Mellon’s CERT has issued an advisory on the MEDHOST Perioperative Information Management System (PIMS), which is designed to improve the process from patient intake through surgery. PIMS contains hard-coded credentials that provide access to the customer database; an attacker who knows the hard-coded credentials and has a way to communicate directly with the application database server may be able to obtain or modify patient information. MEDHOST has addressed the problem in PIMS 2015R1 and newer, and administrators have been advised to upgrade to the latest version, though malicious actors could still reverse-engineer earlier versions to obtain the credentials. The danger of hard-coded credentials is that they bypass the strong authentication procedures administrators put in place, and since this product can be accessed remotely, administrators should ensure that only trusted sources can reach the server hosting it.

Source: Hardcoded Credentials Found in Medical System

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions, for example about proper safeguards for technology you’re looking into, or which sets of compliance and governance policies you would need in order to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu