UNM4SK3D: France, Android, and FIN7
Hear no evil. See no evil. Speak no evil. Over the weekend, France ignored the ‘massive’ pre-election hacking attack on Emmanuel Macron’s campaign and elected him the new President over far-right candidate Marine Le Pen.
Hackers leaked nine gigabytes of emails two days before the French presidential election, which the whole world seemed to be watching. The attack’s ineffectiveness stood in stark contrast to the Hillary Clinton email debacle that surrounded the US elections. Its failure can be attributed to the 44-hour legal ban on election reporting surrounding the Sunday vote, and to the fact that the silence continued well into Monday. That, coupled with the lack of a thriving tabloid culture and the suspicion surrounding the incident, led many in the country to react with silence and disdain. Many questions surround the hack, including the authenticity of some of the emails. According to the New York Times, “There were also reports that Mr. Macron’s campaign, well aware that it was a hacking target, had deliberately fed hackers false information in responding to phishing emails, which may explain why the leaked data was disseminated late in the campaign.”
While no one can prove Russia’s involvement in the attack, the Kremlin has emerged as the most likely culprit. On Election Day, the French-language version of Sputnik, the Russian news outlet, played up social media coverage of the leaks. “In a hearing of the Senate’s Armed Forces Committee, NSA Director Michael Rogers indicated that the NSA had warned French cybersecurity officials ahead of the country’s presidential runoff that Russian hackers had compromised some elements of the election.” Earlier, in a report late last month, security firm Trend Micro noted that the same Russian group that hacked the US Democratic National Committee and the Clinton campaign had also created a phishing domain intended to spoof a Microsoft storage website used by Macron. Some of Macron’s party emails published as torrent files on Friday included metadata in Cyrillic, suggesting that they had been edited on a computer running software with Russian-language settings. For now, all we can say is, ‘Bienvenue Macron.’
We don’t have a Fox News in France. There’s no broadcaster with a wide audience and personalities who build this up and try to use it for their own agendas. — Johan Hufnagel, managing editor of the leftist daily Libération
To hear more about election influence operations in Europe, listen to this podcast from CyberWire.
Android users need to proceed with caution the next time they look to download from the Google Play store, as it appears millions of smartphones are at risk of a ‘screen hijack’ vulnerability.
This vulnerability allows hackers to steal your passwords and bank details, and helps ransomware apps extort money from victims. Google is aware of the issue; however, it has said it will not release a patch until ‘Android O’ is released, which is scheduled for the 3rd quarter of this year. Coincidentally, millions of users are still waiting for the ‘Android N’ update from their device manufacturers (OEMs). Until then, those users could be victimized by ransomware, adware and banking Trojans for another year. As discovered by Check Point security researchers, “the problem originates due to a new permission called ‘SYSTEM_ALERT_WINDOW,’ which allows apps to overlap on a device’s screen and on top of other apps.”
The ability of malicious apps to hijack a device’s screen is one of the most widely exploited methods hackers use to trick unsuspecting Android users into falling victim to malware and phishing scams. In October 2015 Google updated its policy so that this extremely sensitive permission is granted by default to all applications installed directly from the official Google Play Store. To combat malicious apps, Google deploys the automated malware scanner ‘Bouncer,’ but this tool is not enough to keep all malware out of the market. So an unknown number of malicious apps are still out there, equipped with the permission. We encourage Android owners to take precautions when downloading from Google Play and to read the comments left by other users.
According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild. -CheckPoint researchers
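One defender-side check that follows from the Check Point finding is to enumerate which installed apps actually request SYSTEM_ALERT_WINDOW, and whether the overlay right is currently switched on for each of them. The following is an added example written for this newsletter, not code from Check Point or from Google; it assumes a normal Android app context (API 23 or later) and uses only public Android framework APIs.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.Log;
import java.util.ArrayList;
import java.util.List;

/**
 * Audits installed packages for the overlay ("draw over other apps") permission
 * that screen-hijacking malware abuses. Hypothetical helper class, added here
 * as an example; it is not part of any product discussed in the newsletter.
 */
public final class OverlayAudit {
    private static final String TAG = "OverlayAudit";

    /** Package names of every installed app whose manifest requests SYSTEM_ALERT_WINDOW. */
    public static List<String> appsRequestingOverlay(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        // GET_PERMISSIONS populates PackageInfo.requestedPermissions (may be null).
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            String[] requested = pi.requestedPermissions;
            if (requested == null) continue;
            for (String p : requested) {
                if (Manifest.permission.SYSTEM_ALERT_WINDOW.equals(p)) {
                    hits.add(pi.packageName);
                    break;
                }
            }
        }
        return hits;
    }

    /** True when the "draw over other apps" app-op is currently allowed for the package. */
    public static boolean overlayCurrentlyAllowed(Context ctx, PackageInfo pi) {
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        int mode = ops.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
                pi.applicationInfo.uid, pi.packageName);
        return mode == AppOpsManager.MODE_ALLOWED;
    }

    /** Logs one line per overlay-capable app so the list can be reviewed by hand. */
    public static void logReport(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : appsRequestingOverlay(ctx)) {
            PackageInfo pi = pm.getPackageInfo(pkg, 0);
            Log.i(TAG, pkg + " overlay allowed=" + overlayCurrentlyAllowed(ctx, pi));
        }
    }
}
```

Any app in the resulting list that has no obvious need to draw over other apps (chat heads, accessibility tools, screen filters) is worth reviewing and, if in doubt, having its overlay toggle disabled under Settings.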
Want Security Auditing Tools for your Android? Read this Top 10 List and secure your device.
If you’re a diehard Chipotle fan, you may want to check your bank statement before the next Taco Tuesday. At the end of April, the beloved restaurant announced that they’re investigating a breach of the network that supports its credit card payment processing.
The ongoing investigation is focused on card transactions that occurred between March 24 and April 18. The company provided few details on the investigation or its findings so far, but warned customers, 70% of whom pay by card, to monitor their transactions closely.
In a similar, potentially related but unconfirmed story, FIN7, a sophisticated group with suspected ties to cybercrime gangs operating in Eastern Europe, is now actively targeting and breaching prominent brand-name restaurants in the U.S., including Chipotle, Baja Fresh, and Ruby Tuesday. While Chipotle is the only chain to acknowledge a breach so far, malware samples and other evidence obtained by CyberScoop seem to indicate otherwise. According to two anonymous cyber security researchers, more than 20 U.S.-based hospitality companies, including hotels and restaurants, have been successfully hacked by FIN7 since the summer of 2016. A phishing email carrying an attachment titled ‘Payment overdue.eml,’ describing a nonexistent overdue payment, was sent to an email account associated with a Chipotle location in Tulsa, Oklahoma. Two other related file samples were also detected on VirusTotal in the last month. Those files are titled ‘Order bajafresh.docx’ and ‘Order Ruby Tuesday .rtf.’
This highly targeted phishing attack appears to have targeted a user at the restaurant in order to limit the effectiveness of corporate security initiatives. -Blake Darché, co-founder of cybersecurity firm Area 1 Security
For another story of a breach at corporate restaurant locations, read this report on the payment card incident at Arby’s.
Microsoft estimates that by 2020, 4 billion people will be online, twice the number online today, meaning the human attack surface will become an even larger and more attractive target.
Security misconfiguration arises when security settings are left at their defaults rather than being deliberately defined, implemented, and maintained. Good security requires a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
Defaults are often insecure, so secure settings should be defined, implemented, and maintained regularly. Attackers find these misconfigurations through unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files and directories, and more. If a system is compromised through faulty security configuration, data can be stolen or modified slowly over time, and recovery can be time-consuming and costly.
The NEW Security Misconfigurations Micro Certification will explore security misconfigurations in detail, ensuring you will learn how to combat and protect against this type of attack.
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.