CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 56: May 15, 2023

Links

https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years

https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

https://cyware.com/news/phishing-campaign-distributes-smokeloader-via-fake-invoice-b155d82b

https://cyware.com/news/beware-crooks-are-using-malicious-qr-codes-to-steal-your-money-b0bab8b3

Car location data of 2 million customers exposed for ten years

  • Toyota Motor Corporation
    • Japan
    • disclosed a data breach
      • car-location information
    • 2,150,000 customers
    • ten years
      • between November 6, 2013, and April 17, 2023.
    • security notice published in the company’s Japanese newsroom
  • Breach
    • a database misconfiguration
      • allowed anyone to access its contents without a password
    • Toyota Connected Corporation
    • Exposure
      • T-Connect G-Link
      • G-Link Lite
      • G-BOOK
        • between January 2, 2012, and April 17, 2023.
      • T-Connect is Toyota’s in-car smart service
        • voice assistance
        • customer service support
        • car status and management
        • on-road emergency help
      • Data
        • in-vehicle GPS navigation terminal ID number
        • the chassis number
          • also known as the vehicle identification number (VIN)
        • vehicle location information with time data.
          • Oops
        • possibility of video recordings taken outside the vehicle having been exposed in this incident
          • between November 14, 2016, and April 4, 2023, which is nearly seven years
        • Fix
          • implemented measures to block access from the outside
        • Bright Side
          • no evidence that the data was misused
          • unauthorized users could have accessed the historical data
          • possibly the real-time location of 2.15 million Toyota cars
            • does not on its own constitute personally identifiable information
              • an attacker would need to know the VIN (vehicle identification number) of their target’s car
                • also known as chassis number
  • Other Incidents
    • October 2022
      • Data Breach
      • T-Connect customer database access key on a public GitHub repository

Millions of mobile phones come pre-infected with malware

  • Trend Micro researchers
    • Black Hat Asia
      • a growing problem for regular users and enterprises
    • manufacturing outsourced to an original equipment manufacturer (OEM)
      • someone in the manufacturing pipeline to infect products with malicious code as they ship out
    • firmware started to come with an undesirable feature – silent plugins
      • found over 80 different plugins, although many of those were not widely distributed
    • Impact
      • cheap Android
        • mobile devices
        • smartwatches
        • TVs
      • turns the devices into proxies that are used to steal and sell SMS messages, take over social media and online messaging accounts, and serve as monetization opportunities via adverts and click fraud.
      • the objective of the malware is to steal information or make money from the information collected or delivered.
      • proxy plugins allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting control of the device could acquire data on keystrokes, geographical location, IP address and more.
      • The user of the proxy is able to use someone else’s phone as an exit node for a period of 1200 seconds

Phishing Campaign Distributes SmokeLoader via Fake Invoice

  • An ongoing phishing campaign has been identified by CERT-UA, in which attackers are abusing compromised email accounts to send phishing emails containing invoice lures. The main target of the attack is the computers used by financial accountants. The attackers aim to gain remote access to banking systems by using the SmokeLoader malware.
  • A financially motivated campaign
  • The alert warns that the attackers are using spam emails with the subject “bill/payments” with a ZIP archive attached.
  • The attacks have been linked to the financially motivated UAC-0006 group, which has been active since at least 2013.
  • The attackers attempt to steal authentication-related information, such as credentials, keys, or certificates, and then create unauthorized financial transactions into accounts controlled by them.
  • The attached ZIP archive is a polyglot file, meaning that it is a single file that can be interpreted as multiple file formats. It consists of a decoy document and a JavaScript file.
  • Digging deeper into the polyglot file
  • The polyglot file, named pax_2023_AB1058..js, uses PowerShell to download and run further payloads. Specifically, it downloads an executable file called portable.exe, which, when run, launches the SmokeLoader malware.
  • The compilation date of the file and the date of registration of the domain involved indicate that the campaign started in April 2023.
  • Once running, SmokeLoader injects malicious code into currently running processes and proceeds with downloads of other payloads.
  • What to do?
  • CERT-UA has suggested that JavaScript loaders, which are typically used at the initial stage of the attack, can be blocked by restricting the launch of Windows Script Host (wscript.exe) on the PC. Additionally, they have provided relevant indicators of compromise (IoCs), which can be used to block the SmokeLoader-related files at the network perimeter.
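As an added example (not from the episode or the CERT-UA alert), a small Python scanner for email ZIP attachments that flags the lure pattern described above: script members, double extensions like the `..js` name quoted in the notes, and loader-style keywords in the script body. The sample ZIP and its contents are constructed here; only the member name is taken from the notes.

```python
import io
import os
import zipfile

# Constructed stand-in for the lure script. It contains only the strings a
# scanner looks for and does nothing when run; it is not a real loader.
SAMPLE_JS = (
    "// constructed sample, not a functioning loader\n"
    'var note = "would invoke powershell to fetch portable.exe";\n'
)

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
SUSPICIOUS_TOKENS = ("powershell", "wscript", "downloadfile", "downloadstring", ".exe")
MAX_SCRIPT_BYTES = 5_000_000  # do not inflate huge members (zip-bomb guard)


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP shaped like the invoice lure: decoy + script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pax_2023_AB1058..js", SAMPLE_JS)  # member name from the notes
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed decoy")
    return buf.getvalue()


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per suspicious ZIP member, with the reasons it tripped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = os.path.splitext(info.filename.lower())
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script-extension")
            if "." in stem:  # "report.pdf.js" or the trailing-dot "..js" trick
                reasons.append("double-extension")
            if reasons and info.file_size <= MAX_SCRIPT_BYTES:
                body = zf.read(info).decode("utf-8", errors="ignore").lower()
                hits = [t for t in SUSPICIOUS_TOKENS if t in body]
                if hits:
                    reasons.append("tokens:" + ",".join(hits))
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings
```

Running `scan_zip_attachment(build_sample_zip())` flags only the script member; the decoy PDF passes.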

Crooks are Using Malicious QR Codes to Steal Your Money

  • Smartphone users need to be careful about scanning QR codes displayed in public places, including shops, restaurants, and parking areas. In this modern digital world where people increasingly rely on QR codes to make payments, cybercriminals are abusing them as a lucrative way to steal funds. Here’s a glance at some recent examples.
  • Fake survey via QR code
  • Scammers put up a fake QR code on the glass door of a bubble tea shop. It would urge visitors to fill out the survey for a “free cup of milk tea.”
  • To complete the “survey,” a bogus third-party app was downloaded onto the user’s device.
  • This enabled the scammers to siphon out $20,000 from the bank account of the victim.
  • Parking ticket QR code scam
  • In another incident, scammers were found leaving fake parking tickets on drivers’ windshields.
  • It tricked car owners into believing that the tickets were issued by San Francisco’s government, and they ended up paying the scammers.
  • Scanning the code would redirect victims to a phishing link impersonating the San Francisco Municipal Transportation Agency (SFMTA) website, prompting them to enter their credit card details.
  • Cybercriminals monetizing through QR code scams is also a concerning factor as this can enable them to purchase more sophisticated tools or get their hands on stolen user records put on sale to expand their attack scope. That’s not all! Cybercriminals have also been experimenting with QR codes to pilfer credentials from victims.
  • Harvesting credentials via QR codes
  • Earlier this year, FortiGuard Labs shared details of a campaign wherein threat actors were using multiple QR codes to target Chinese-speaking users.
  • These codes were dispatched in a Word document attached to an email spoofing the Chinese Ministry of Finance.
  • Threat actors with stolen credentials can abuse them to gain direct access to victims’ accounts. They can also use them to perform identity theft.
  • Stay safe
  • Follow the FBI’s advisory to avoid falling victim to such scams. Users must also take caution by checking the URL of the code before entering their financial and personal information. As a general rule, they must check the authenticity of the address link by typing the website name directly into the browse