Fired Chicago Schools Employee Causes Data Breach

Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The database contained the information of approximately 70,000 people. The stolen information included names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family Services.

She allegedly copied the database and then deleted it from Chicago Public Schools' system. Those affected by this breach included employees, volunteers and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before the former employee used or spread any of the information. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.

This incident illustrates an essential point of computer security: no matter how many security measures are put in place to guard a system, somebody, like a disgruntled employee, can still cause a security breach. The lesson is to keep a close eye on employees, especially those who show red flags, and to be careful about which data and databases each employee is authorized to use, view and modify.

Written by: Craig Gebo

Source: https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach

An Overlooked Way of Getting Malware Onto Macs

By: John Schnaufer

This article was about malware targeting Macs that can be hidden in the Mac App Store. The writer of the article says that although they found the vulnerability, no one has used it yet from what they can see.

This attack works by bypassing the code signing check done before submission to the App Store. Code signing is essentially a virtual security check to make sure the app is safe and stable. It was noticed that the code only gets checked once, and the signature doesn't get checked again afterward. This means that an attacker can make a clean app, submit it to the App Store, and then, once users have downloaded it, release an update infected with malware for them to download. Attackers can also steal or buy real code signatures and use them in a malicious app, which could then be published to the App Store for everyone to download.

The writer of the main article says, “As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch.” Reed works at the company Malwarebytes, and he put out an update to their software to check the code signature of app updates again. He even says, “A script kiddie could pull off something like this.” This shows that something should be done to fix this problem before others catch on and start infecting people's computers with malware. This was released recently, so hopefully it gets fixed soon. I remember when I made my app for the App Store, and I do not remember any checks being done on my updates after the initial release.

Source: https://www.wired.com/story/mac-malware-hide-code-signing/

Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess 9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has recently been targeting many universities. The phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of the spoofed sites had domains that attempted to replicate the universities' library pages; by capturing the accounts of users attempting to reach their library resources, the attackers obtained 31 terabytes of academic material. When victims entered their information, they were redirected to the actual university library site, where they were either signed in or asked to re-enter their credentials. The 16 domains were created between May and August of this year. Many of the stolen research papers were then sold via encrypted messages on WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group, which has been found to be closely associated with the Iranian government. In March of this year, the United States indicted the Mabna hacking group and nine of its members. That group's previous attacks appeared to use the same infrastructure as the Cobalt Dickens attacks, implying that some of the same members were involved. Universities that produce cutting-edge research are high-priority targets because of the value of the information they hold and the difficulty of securing them. This hack took place shortly after the United States decided to re-establish economic sanctions against Iran, implying a potential political motivation.

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and implement complex password requirements on publicly accessible systems.” - SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/
https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/
https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks
https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

Instant Messaging? How About “Instant Malware”

If you've never heard of Telegram, it's an instant messaging platform that is quickly gaining popularity for its emphasis on secure, private chats. In fact, the developers of Telegram are so confident in its security that they've announced multiple hacking contests with six-figure bounties. So far, none of the contests have found a winner.

One of the features that makes Telegram so nice to use is the ability to instantly share files with your friends: pictures, Word documents, PDFs, those sorts of things. But what if someone sent you an executable program? Would you run it? Probably not — but what if it looked like a picture, or a Word document, or a PDF?

Beginning in March 2017, many unsuspecting users fell victim to a vulnerability in how Telegram handled Unicode, specifically the “right-to-left override” character (RLO, U+202E). The RLO character is intended to reverse any text that precedes it. In some applications, the RLO is improperly handled and can cause the characters after the RLO to not be displayed. Telegram, however, displays strings with an RLO character correctly. So what's the big deal?

It turns out that applying this to filenames can be disastrous. By cleverly naming a file to hide the real extension, it's possible to trick someone into downloading something that appears harmless. For example, if an attacker wanted to send you a malicious JavaScript file, they could send a file named “photo_high_re\U+202Egnp.js” and Telegram would display it as “photo_high_resj.png”.
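As an added example (not part of the original post), the Python below approximates how a bidi-aware UI renders a name containing U+202E, where the characters after the override appear reversed, and flags filenames whose displayed extension differs from the one the OS will actually use. The sample filename is constructed from the article's example; the bidi control set and function names are this example's own.

```python
# Added example (not from the original post): detect Unicode bidi-override
# characters in filenames and compare the displayed extension with the real one.
import os
import unicodedata

# Bidi control characters that can reorder or hide how a name is displayed
# (embeddings, overrides, pop-directional-formatting, isolates, LRM/RLM marks).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f",
}

def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after U+202E is reversed
    until a pop-directional-formatting character (U+202C) or end of string."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def real_extension(name: str) -> str:
    """Extension the OS will actually act on, with bidi controls stripped."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def inspect_filename(name: str) -> dict:
    """Report bidi controls present and whether the shown extension is misleading."""
    controls = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    return {"shown_as": shown, "shown_ext": shown_ext, "real_ext": real_ext,
            "bidi_controls": controls,
            "suspicious": bool(controls) and shown_ext != real_ext}

# Constructed sample, built from the article's example filename
SAMPLE = "photo_high_re\u202egnp.js"

if __name__ == "__main__":
    print(inspect_filename(SAMPLE))  # shown as photo_high_resj.png, real ext .js
```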

This exploit was used to install malware such as backdoors and spyware, though some craftier attackers used Telegram to trick people into running cryptominers. Kaspersky Labs uncovered the vulnerability in October 2017, which means it existed for at least 8 months. Kaspersky Labs also noted that this was an increasingly popular exploit in 2017. Kaspersky Labs alleges that the source of the attack was Russian cybercriminals, and that no evidence was found to suggest the exploit was known outside the Russian cybercriminal community.

Victims of this attack would actually have been somewhat protected if the security confirmations on Windows were still enabled. When the file is executed, Windows correctly displays what type of file it is (JavaScript, EXE, etc.). However, even for users that still have this feature enabled, I think it's fair to say that most people have trained their muscle memory to click “Run” when that popup appears. This serves as a good reminder to always take a moment to verify what you're doing.

Original article: https://www.csoonline.com/article/3254139/security/hackers-exploit-zero-day-flaw-in-telegram-to-mine-cryptocurrency.html
Telegram: https://telegram.org/
Kaspersky Labs: https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Written by Jesse R.

“Faceliker” Facebook Trojan Making Comeback

“Faceliker” is malware that has been around for a few years, but in 2017 McAfee is reporting surges in its use (9.8% of all new malware in Q1/Q2 are Faceliker strains). Faceliker uses JavaScript to hijack users' clicks and generate likes on Facebook. The malware is increasingly being embedded within malicious Chrome extensions.

Why would someone want to hijack users' clicks? It seems that Faceliker is being used to promote “fake news” (*cough* propaganda), and also to promote advertisements and games that aren't popular but appear popular due to the likes accumulated by Faceliker. It can also promote fake pages of companies or users to make them seem real or reputable, possibly enabling catfishing.

McAfee is not certain, but it appears that Faceliker is only being used to promote content by spoofing likes. It is possible that different Faceliker strains are being used to steal passwords or other sensitive data, but there isn't a clear-cut answer.

-Ryan Corrao

https://www.komando.com/happening-now/422202/watch-out-facebook-hijacking-malware-is-spreading

https://themerkle.com/faceliker-facebook-malware-makes-a-surprising-comeback/