Security researchers have found that several modern Honda car models have a vulnerable rolling code mechanism that allows the cars to be unlocked and, sometimes, the engine to be started remotely.

Named Rolling-PWN, the weakness enables replay attacks in which a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.

The researchers claim to have tested the attack on several Honda models made between 2012 and 2022, including the Honda Civic 2012, Honda Accord 2020 and Honda Fit 2022.

A modern car’s keyless entry system relies on rolling codes produced by a pseudorandom number generator (PRNG) algorithm, so that a different code is transmitted each time the keyfob button is pressed.

The rolling code mechanism was originally introduced to replace fixed codes, which an attacker could simply capture once and replay.

The vehicle keeps a counter and only accepts a code whose counter value is newer than the last one it accepted, advancing its own counter each time it accepts a code. Because the keyfob may be pressed out of range or by accident, the vehicle also tolerates codes that are ahead of the expected value, within a limited window, rather than demanding the exact next value.

Researchers Kevin2600 and Wesley Li found that the counter in Honda vehicles is resynchronised when the vehicle receives lock/unlock commands in a consecutive sequence, which causes the car to accept codes from previous sessions that should, by then, have been invalidated.

An attacker equipped with software-defined radio (SDR) equipment could capture a consecutive sequence of codes and replay them at a later date to unlock, or in some cases start, the vehicle.
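The counter and resynchronisation behaviour described above, as an added example that is not part of the original article and is not Honda’s or the researchers’ code: a simplified rolling-code model in Python. The MAC-over-counter code construction, the window size of 16 and the “two consecutive codes trigger a resync” rule are assumptions chosen for illustration, not Honda’s actual parameters. The vulnerable vehicle lets a run of consecutive old codes re-anchor its counter; the hardened vehicle only resynchronises to counters ahead of the one it last accepted, which is all a legitimate out-of-range fob ever needs.

```python
import hashlib
import hmac

# Constructed demo secret shared by fob and vehicle (assumption, not a real key)
KEY = b"demo-fob-key"
WINDOW = 16  # codes up to this far ahead of the last accepted counter are valid (assumed window size)


def make_code(counter: int) -> bytes:
    """Fob side: counter plus a MAC over it. A stand-in for a real rolling-code cipher."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]


def parse_code(code: bytes):
    """Vehicle side: recover the counter if the MAC checks out, else None."""
    counter = int.from_bytes(code[:4], "big")
    return counter if hmac.compare_digest(make_code(counter), code) else None


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.counter)


class Vehicle:
    def __init__(self, vulnerable: bool) -> None:
        self.last = 0             # highest counter accepted so far
        self.vulnerable = vulnerable
        self.pending = None       # first counter of a candidate resync pair

    def receive(self, code: bytes) -> bool:
        counter = parse_code(code)
        if counter is None:
            return False
        if self.last < counter <= self.last + WINDOW:   # normal case: fresh code inside the window
            self.last, self.pending = counter, None
            return True
        if counter <= self.last and not self.vulnerable:
            # hardened: a counter at or below the last accepted one is a replay and
            # must never be allowed to re-anchor the vehicle counter
            self.pending = None
            return False
        # resync path, meant for a fob pressed many times out of range: two consecutive
        # counters in a row re-anchor the vehicle. The vulnerable vehicle also takes this
        # path for counters below self.last, which is the Rolling-PWN condition.
        if self.pending is not None and counter == self.pending + 1:
            self.last, self.pending = counter, None
            return True
        self.pending = counter
        return False


def replay_scenario(vulnerable: bool):
    """Attacker records three consecutive presses, owner keeps driving, attacker replays later."""
    fob, car = Fob(), Vehicle(vulnerable)
    captured = [fob.press() for _ in range(3)]       # sniffed with an SDR while the owner locks/unlocks
    for code in captured:
        car.receive(code)                            # the owner's presses also reach the car
    for _ in range(5):
        car.receive(fob.press())                     # days later: the counter has moved on
    lone = car.receive(captured[0])                  # a single stale code is rejected either way
    run = [car.receive(code) for code in captured]   # the captured run, replayed in order
    return lone, run, car.last


def out_of_range_scenario(vulnerable: bool):
    """Why resync exists at all: the fob is pressed 30 times away from the car, then used normally."""
    fob, car = Fob(), Vehicle(vulnerable)
    for _ in range(8):
        car.receive(fob.press())
    for _ in range(30):
        fob.press()                                  # the car never hears these
    return car.receive(fob.press()), car.receive(fob.press())


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(True))        # (False, [False, True, True], 3): counter rolled back to 3
    print("hardened:  ", replay_scenario(False))       # (False, [False, False, False], 8)
    print("resync:    ", out_of_range_scenario(False))  # (False, True): two fresh codes re-anchor the car
```

In the vulnerable run the first replayed code only primes the resync pair; the second one is accepted and drags the vehicle counter back to 2, after which the rest of the captured run falls inside the window again. The hardened vehicle still resynchronises when the fob has genuinely run ahead, so the fix costs nothing in usability.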

The researchers provided videos alongside details about the issue.

The vulnerability is being tracked as CVE-2021-46145 (medium severity) and is described as an issue “related to a non-expiring rolling code and counter resynchronization” in the Honda keyfob subsystem.

Newer models are still vulnerable, despite the issue having been disclosed in December 2021, when tests were carried out on a 2012 Honda Civic.

Rob Stumpf, an automotive journalist, was able to replicate Rolling-PWN on his 2021 Honda Accord by capturing codes at different times.

Stumpf explains that it doesn’t matter if days or months have passed since capturing the codes, as long as the re-sync sequence is replayed.

An attacker would not be able to drive the car away, though, because the keyfob needs to be in proximity to do that, according to the researchers.

Researchers tried to notify Honda of the vulnerability but could not find a relevant contact for reporting security-related issues. They eventually filed a report to Honda’s customer service but have not heard back.

A Honda spokesperson said in a statement to Vice that the report wasn’t credible.

“The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report.”

Honda added, “in addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claim.”


The post Rolling-PWN Attacks Allow Hackers to Unlock Honda Cars Remotely appeared first on IT Security Guru.

Last Friday, the US Department of Justice (DOJ) announced that a Florida resident named Ron Aksoy has been arrested and charged for allegedly selling thousands of fraudulent and counterfeit Cisco products over a span of 12 years.

Aksoy, 38, also known as Dave Durden, is reported to have run at least 19 companies founded in New Jersey and Florida, approximately 10 eBay storefronts, at least 15 Amazon storefronts, and multiple other entities, selling goods with an estimated combined retail value of over $1 billion.

The charges against Aksoy include one count of conspiracy to traffic in counterfeit goods and to commit mail and wire fraud, four counts of wire fraud, three counts of mail fraud, and three counts of trafficking in counterfeit goods.

The court documents state that the fake companies imported tens of thousands of counterfeit Cisco networking devices from China and Hong Kong and resold them to customers in the US and overseas, whilst falsely representing them as new and genuine.

The fraudulent and counterfeit products suffered from many performance, safety, and functionality problems, sometimes costing users thousands of dollars. This is because the models sold were typically older, lower-end products that Chinese counterfeiters had modified and relabelled to appear to be genuine, newer Cisco devices.

As written in the indictment, Customs and Border Protection (CBP) seized roughly 180 shipments of counterfeit Cisco goods that were being shipped to Aksoy’s false company, Pro Network Entities, from China and Hong Kong between 2014 and 2022.

Aksoy allegedly submitted false official paperwork to CBP using the alias “Dave Durden,” the same name he used to communicate with Chinese co-conspirators.

The operation is alleged to have generated over $100 million in revenue, of which Aksoy held a share.

The DOJ has compiled a publicly available list of Pro Network companies, as well as eBay and Amazon shop names for potential victims to browse. Those who feel as though they may have fallen victim to Aksoy and/or a Pro Network company are advised to get in touch with authorities.

The post CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices appeared first on IT Security Guru.

It has emerged that the $540 million hack of Axie Infinity’s Ronin Bridge in March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn.

According to a report published last week by The Block, citing two people familiar with the matter, a senior engineer at the company was tricked into applying for a job at a non-existent company and then downloading a fake offer document disguised as a PDF.

The Block stated: “After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package.”

The offer document acted as a vessel to deploy malware designed to breach Ronin’s network, leading to one of the crypto sector’s largest hacks to date.

In April, in an analysis of the attack, the company said: “Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised.”

“This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”

In April 2022, the U.S. Treasury Department implicated the Lazarus Group, a North Korea-backed hacking group, in the incident, calling out the adversarial collective’s history of attacks targeting the cryptocurrency sector to gather funds for the hermit kingdom.

The earliest example of fake job offers being used as a social engineering lure by this advanced persistent threat (APT) group can be traced to a campaign in August 2020, dubbed “Operation Dream Job” by Israeli cybersecurity firm ClearSky.

ESET, in its T1 Threat Report for 2022, noted how actors operating under the Lazarus umbrella have used fake job offers through social media as its strategy for targeting defence contractors and aerospace companies.

Ronin’s Ethereum bridge was relaunched in June. However, the same group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge.

The post Hackers Used Fake Job Offer on LinkedIn to Target Axie Infinity appeared first on IT Security Guru.

Last Thursday, Disneyland had their Facebook and Instagram accounts taken over by a self-proclaimed “super hacker” who posted racist and homophobic posts.

The threat actor, operating under the name “David Do”, claimed that he was seeking “revenge” on Disneyland employees after some of them had allegedly insulted him.

One of the posts read: “I am a super hacker that is here to bring revenge upon Disneyland […] Who’s the tough guy now Jerome?”

The hacker also published posts claiming to have “invented” COVID-19 and further claimed that he was working on a new “COVID20” virus.

The hacker published four posts to Disneyland’s Instagram account before 5am PT, according to a follow-up post on the official Disneyland blog.

The post said: “The hacker also tagged several other Instagram accounts, but it is unknown if they are friends and will help lead police to the hacker.”

He also encouraged users to follow his private Instagram account.

His posts received thousands of angry and shocked comments from Disney’s 8.4 million followers.

The Disneyland Facebook and Instagram accounts were temporarily taken down shortly after the posts went live and were subsequently brought back online after the team had removed the posts. The other social media pages run by the park appeared to be unaffected.

The Disneyland blog continues: “It’s not known how this person managed to gain access to the Disneyland Instagram account. Was it a stranger hack or a previous employee with access to the logins?”

“We worked quickly to remove the reprehensible content, secure our accounts and our security teams are conducting an investigation.”

A version of the (censored) posts remains available on the Disneyland blog.

The incident comes almost a year after three Disney theme park employees were arrested in Florida as part of an operation to catch sexual predators who target children via the internet.

The post Disneyland Social Media Hacked appeared first on IT Security Guru.

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory stating that North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organisations in the US.

The document, written jointly by CISA, the Federal Bureau of Investigation (FBI) and the Department of the Treasury, states that the actors have been engaging in these campaigns since at least May 2021.

The advisory reads, “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services.”

“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”

CISA said that the ransomware appears to be designed for manual execution by a remote actor rather than for automated spread. It uses a combination of Advanced Encryption Standard (AES), RSA and XOR encryption to encrypt target files: each file is encrypted with its own AES key, the AES keys are in turn encrypted with RSA, and the RSA public key is XOR-encoded.

David Mahdi, Chief Strategy Officer at Sectigo said, “when we look at what ransomware does, it leverages a user’s (or entity when dealing with non-humans or machines) access within an organization to encrypt and steal sensitive files.”

“The authentication given to a user defines the level of damage the hacker will do. Therefore, a zero-trust, identity-first approach is critical. To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organization, whether human or machine and what parts of it they are allowed to access.”

CISA wrote that while the initial access vectors for Maui-related incidents are currently unknown, HPH organisations can take various steps to limit the damage. These include installing updates for operating systems, software and firmware as soon as they are released, and securing and monitoring remote desktop protocol (RDP).

CISA also recommends the use of multi-factor authentication (MFA) for as many services as possible, auditing user accounts with administrative or elevated privileges, and installing and updating antivirus software on all hosts.
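To make the “monitor RDP” recommendation concrete, here is an added example in Python, not from CISA’s advisory and not the agency’s own tooling, that runs two simple checks over constructed Windows logon events: a successful RDP logon (logon type 10) from an address outside the internal ranges, and an RDP success that follows at least five failed RDP logons from the same source within ten minutes. The event shape, the sample data, the thresholds and the address ranges are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: a reduced form of Windows Security
# events 4624 (logon succeeded) and 4625 (logon failed); logon type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2022-07-04T02:13:05", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T02:13:09", "id": 4625, "user": "admin", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T02:13:14", "id": 4625, "user": "backup", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T02:13:20", "id": 4625, "user": "backup_svc", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T02:13:27", "id": 4625, "user": "backup_svc", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T02:15:40", "id": 4624, "user": "backup_svc", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2022-07-04T08:58:30", "id": 4625, "user": "nurse.jones", "ip": "10.20.4.15", "logon_type": 10},
    {"time": "2022-07-04T09:02:11", "id": 4624, "user": "nurse.jones", "ip": "10.20.4.15", "logon_type": 10},
    {"time": "2022-07-04T09:05:00", "id": 4624, "user": "SYSTEM", "ip": "-", "logon_type": 5},
    {"time": "2022-07-04T11:30:00", "id": 4624, "user": "it.contractor", "ip": "198.51.100.22", "logon_type": 10},
]

# Address ranges treated as "inside" for this example (RFC 1918, loopback, link-local).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(ip: str) -> bool:
    """True for any address that is not in one of the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or a hostname: not an address we can place
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_rdp_alerts(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (alert_type, source_ip, user) tuples for suspicious RDP logons."""
    alerts = []
    failures = defaultdict(list)    # source ip -> timestamps of failed RDP logons
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # only RDP logons matter here
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ev["ip"]].append(when)
            continue
        if ev["id"] != 4624:
            continue
        if is_external(ev["ip"]):
            alerts.append(("external_rdp_logon", ev["ip"], ev["user"]))
        recent = [t for t in failures[ev["ip"]] if when - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("rdp_success_after_failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_alerts(SAMPLE_EVENTS):
        print(*alert)
```

On the sample data the 02:15 logon from 203.0.113.7 trips both rules, while the internal user who mistyped a password once and the non-RDP SYSTEM logon produce nothing. In production the same logic would sit over an event forwarder or SIEM query rather than a list literal, and the RFC 1918 check would be replaced by the organisation’s own address inventory.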

“How can one stop the ransomware attacks in their tracks?” Mahdi asked.

“The answer is combining identity-first principles with least-privilege data access security, all while leveraging a variety of cybersecurity best practices and technologies […] Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on the healthcare industry in the long run.”

The post US Healthcare and Public Health Sector Organisations Targeted by North Korean Hackers appeared first on IT Security Guru.

Pop-punk band Blink-182’s drummer, Travis Barker, and UK rapper, Aitch, are among a host of artists set to launch new NFTs with LimeWire as the file sharing site relaunches as a crypto marketplace.

Over the next month, the site will launch new collectibles on the marketplace alongside artists like Brandy.

“I have always been interested in Web3 and NFTs so I am pretty stoked to release my first NFT collection and to do it on LimeWire,” Barker said in a statement.

“I hope that my NFT collection will inspire aspiring artists and fans who want to learn about my creative journey and how I make music. LimeWire has created a platform that makes exciting content like this accessible to all of my fans – even ones who are unfamiliar with Web3.”

In a statement, LimeWire’s co-CEOs Paul and Julian Zehetmayr said: “We see a huge demand in the entertainment space for platforms that recognise and appreciate artists for their talent and put them in the driver’s seat.”

“LimeWire presents a new commercial opportunity for artists of all sizes and genres to engage with their fans, gain more exposure in a unique way and retain more of their earnings.”

The popular peer-to-peer file sharing site was ordered to shut down in 2010 following a court injunction issued by US federal judge Kimba Wood.

LimeWire is now set to return as “a one-stop marketplace for artists and fans alike to create, buy and trade digital collectibles without the technical crypto requirements of the current NFT landscape”.

The site is initially focusing on music, however eventually the company is aiming “to bring digital collectibles into the mainstream” and attract one million users in its first year “through partnerships with major artists in the music industry”.

The service says that music fans will be able to buy and trade various “music-related assets” on its marketplace, including limited edition releases, unreleased demos, graphical artwork, and backstage content.


The post LimeWire File Sharing Site Relaunches as a Crypto Marketplace appeared first on IT Security Guru.

Last week, the Cyber Police of Ukraine disclosed that it apprehended nine members of a criminal gang that embezzled 100 million hryvnias via hundreds of phishing sites that claimed to offer financial assistance to Ukrainian citizens as part of a campaign aimed at capitalising on the ongoing conflict.

The agency said in a press statement that “criminals created more than 400 phishing links to obtain bank card data of citizens and appropriate money from their accounts. The perpetrators may face up to 15 years behind bars.”

The law enforcement operation ended in the seizure of computer equipment, bank cards, mobile phones, as well as the criminal proceeds illicitly obtained through the scheme.

Some of the rogue domains registered by the actors included ross0.yolasite[.]com, foundationua[.]com, and euro24dopomoga0.yolasite[.]com, among others.

The malicious landing pages, designed to siphon victims’ banking information, operated under the guise of surveys made to look like applications for financial assistance payments from E.U. countries, which highlights the opportunistic nature of the social engineering.

Once bank details had been obtained, the threat actors logged into the accounts without authorisation and fraudulently withdrew money totalling more than 100 million hryvnias ($3.37 million) from over 5,000 citizens.

The distribution vector used to propagate the links is not clear. It could have been achieved through a number of methods, including SMS phishing (smishing), direct messages on social media apps, spam emails, SEO poisoning, or seemingly benign ads.

The agency has warned citizens to “obtain information about financial payments only from official sources, not to click on dubious links, and in no case to communicate confidential, in particular banking, information to third parties or to indicate such data on suspicious resources.”

The post Ukrainian Authorities Arrest Phishing Gang For Embezzling 100 Million UAH appeared first on IT Security Guru.

An anonymous threat actor is selling several databases which they claim contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approx. $195,000).

The announcement was posted on a hacker forum by a user with the handle ‘ChinaDan,’ who said that the information was leaked from the Shanghai National Police (SHGA) database.

The information they shared about the allegedly stolen data suggests that the databases contain Chinese residents’ names, addresses, national ID numbers, contact numbers and several billion criminal case records.

ChinaDan shared a sample of 750,000 records containing delivery information, police call records, and ID information, intended to let interested buyers verify that the data for sale is not fake.

The threat actor stated in a post that: “In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens.”

“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: Name, Address, Birthplace, National ID Number, Mobile number, All Crime / Case details.”

The threat actor claimed that the data was exfiltrated from a private cloud provided by Aliyun (Alibaba Cloud) that forms part of the Chinese police network (the public security network).

On Sunday, Binance CEO Zhao Changpeng confirmed that his company’s threat intelligence experts had spotted ChinaDan’s claims and said that the leak likely originated from an ElasticSearch database that a Chinese government agency accidentally exposed online.

Zhao added, “our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national id, mobile, police and medical records from one asian country. Likely due to a bug in an Elastic Search deployment by a gov agency.”

“This has impact on hacker detection/prevention measures, mobile numbers used for account takeovers, etc.”

Zhao added that “apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials.”

If ChinaDan’s claims are accurate, this would be the most significant data breach ever to affect China and one of the largest in history.


The post Hacker Claims to Have Stolen Information on 1 Billion Chinese Citizens appeared first on IT Security Guru.

NATO has announced plans to develop virtual rapid response capabilities “to respond to significant malicious cyber activities.”

These plans were published in a declaration made following the NATO Summit in Madrid, last week. The latest summit was significant in light of Russia’s invasion of Ukraine earlier this year, amid fears of the conflict spreading further. Referring to the invasion, the declaration stated: “We, the Heads of State and Government of the North Atlantic Alliance, have gathered in Madrid as war has returned to the European continent. We face a critical time for our security and international peace and stability.”

The declaration outlined an agreement between member countries “on a voluntary basis and using national assets, to build and exercise a virtual rapid response cyber capability,” among other things. NATO acknowledged that: “we are confronted by cyber, space and hybrid and other asymmetric threats, and by the malicious use of emerging and disruptive technologies.”

NATO heads of state and government participating in the summit pledged to accelerate the delivery of non-lethal defence equipment to Ukraine, including boosting the country’s cyber-resilience.

Since February, Russia has launched numerous cyber operations against Ukraine, including an attack on Ukraine’s national telecommunications provider in April that caused significant internet outages.

Adam Marrè, CISO of Arctic Wolf, said: “As the declaration outlines, NATO currently faces cyber and other asymmetric threats from multiple nations. The announcement of this cyber rapid response capability is a recognition that we must do more to coordinate the efforts to combat ongoing and prepare for future nation-state conducted and/or sponsored cyber campaigns.”

“A virtual rapid response cyber capability will greatly increase NATO’s capability to have a more coordinated and effective response to significant malicious cyber activities.”

“This capability will likely be similar to the EU Cyber Rapid Response Teams (CRRT) that have already been created and have been deployed in the Ukraine conflict.”

Discussing the requirements needed to create such a capability, Marrè went on to say: “The new NATO cyber response force will need to develop common cyber operations toolkits with incident detection, prevention, and response capabilities to have an effective coordinated response.

“In addition, they will need to identify and select team members with different domains of expertise, including incident response, forensics and vulnerability assessment that can form cohesive and holistic teams that can rapidly deploy virtually.”

In 2021, NATO warned that it would consider treating cyber-attacks in the same way as an armed attack against any of its allies and issue a military response against the perpetrators. A decision to invoke Article 5 would be taken on a case-by-case basis.


The post NATO Announce Plans to Develop Cyber Rapid Response Capabilities appeared first on IT Security Guru.

Following concerns that U.S. users’ data had been accessed by TikTok engineers in China between September 2021 and January 2022, TikTok sought to assure U.S. lawmakers that it’s taking steps to “strengthen data security.”

The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators. The letter said that the procedure requires the individuals to clear numerous internal security protocols.

First reported by The New York Times, the contents of the letter outline more details about TikTok’s plans to address data security concerns through a multipronged initiative codenamed “Project Texas.”

TikTok CEO Shou Zi Chew wrote in the memo, “employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team.”

This includes what the company terms a narrow set of non-sensitive TikTok U.S. user data, such as comments and public videos, accessed to meet interoperability requirements, while emphasising that this access will be “very limited” in scope and pursuant to protocols developed in collaboration with the U.S. government.

TikTok, a popular social video-sharing service from Beijing-based ByteDance, has remained a concern for U.S. lawmakers over national security risks that could arise from the Chinese government requesting data belonging to U.S. users directly from its parent firm.

In the letter, the company sought to assuage those concerns, stating that it has never been asked to provide data to the Chinese authorities and that it would not consent to such government requests.

TikTok further stated that 100% of U.S. user data is routed to Oracle cloud infrastructure located in the U.S., and that it’s working with the enterprise software firm on more advanced security controls put in place “in the near future”.

The company said that it’s planning to delete U.S. data from its own backup servers in Singapore and the U.S. and fully switch to Oracle cloud servers situated in the U.S.

This latest wave of scrutiny into TikTok’s operations comes after a report by BuzzFeed News alleged that ByteDance staff had frequent access to U.S. user data. It cited anonymous employees who said that “everything is seen in China” and referenced a “Master Admin” who “has access to everything.”

ByteDance called the allegations and insinuations “incorrect and are not supported by facts,” noting that employees who work on these projects “do not have visibility into the full picture.”

The post TikTok Assures U.S. Lawmakers That They Are Working to Further Safeguard User Data From Chinese Staff appeared first on IT Security Guru.