Squeeze Volume 10 - AWS Leaks Keys, FedEx Scam, IoT, Mac Trojan, & More

Welcome to Squeeze, a curated selection of interesting infosec articles from the past week that you may have missed.


Welcome to the tenth edition of the Secjuice Squeeze, where we present a selection of last week's interesting infosec articles, curated for your reading enjoyment in case you missed them! This week's volume was created by Bhumish Gajjar, Guise Bule and Mike Peterson.

FedEx Text Scam

FedEx has been warning people about a fake FedEx delivery text that is going around. The scam sends a text message with a false package status and a link to claim a "free product"; if you take the survey behind that link, it asks for your credit or debit card details. People have been falling for it, and police in multiple cities confirm that the scam is taking people's money. FedEx said in a statement sent to USA TODAY, "FedEx does not send unsolicited text messages or emails to customers requesting money or package or personal information. Any suspicious text messages or emails should be deleted without being opened, and reported to [email protected]."

Link: https://www.usatoday.com/story/money/2020/01/22/fedex-delivery-notifications-scam-texts/4548088002/

Ransomware Now Steals Credentials Stored in Your Browser

FTCODE, a PowerShell-based ransomware, has added new capabilities, including the ability to swipe saved web browser and email client credentials from victims. Recently, the actors behind it have been sending victims links to VBScripts, which in turn download FTCODE. Once a user runs the VBScript, it executes a PowerShell script, which downloads and opens a decoy image (saved into the %temp% folder).

Once running, FTCODE pulls browsing history from Internet Explorer and decrypts the credentials it keeps in the registry. For Mozilla Firefox and Thunderbird, the script checks four profile paths and steals any credentials it finds there.
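As an added example (not code from the Threatpost article or from the malware itself), here is a small detection script for the chain described above: a script host spawning a hidden PowerShell that downloads something, followed by that same process reading a browser or mail-client credential store. The event field names, the credential-store locations and the sample events are assumptions for the illustration, not details taken from the article.

```python
"""Flag an FTCODE-style chain (script host -> hidden PowerShell download ->
browser/mail-client credential stores) in endpoint telemetry.

Added example; not code from the Threatpost article or from the malware.
Assumes events already normalised to dicts with the keys used below (an
assumption about the log pipeline); the sample events are constructed."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient",
    re.IGNORECASE)
HIDDEN_HINTS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:ncodedcommand)?\s",
                          re.IGNORECASE)

# Saved-login stores named in the article. The exact locations are assumptions
# about where these clients keep them, not taken from the page.
CRED_STORES = {
    "firefox": re.compile(
        r"\\mozilla\\firefox\\profiles\\.*\\(?:logins\.json|key[34]\.db)$", re.I),
    "thunderbird": re.compile(
        r"\\thunderbird\\profiles\\.*\\(?:logins\.json|key[34]\.db)$", re.I),
    "ie_registry": re.compile(
        r"\\internet explorer\\intelliforms\\storage2", re.I),
}

# Constructed sample telemetry (not real events): one infected host, one clean.
EVENTS = [
    {"type": "process_create", "host": "ws01", "pid": 4120,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ("powershell -w hidden -ep bypass -c "
                      "\"(New-Object Net.WebClient).DownloadFile("
                      "'http://example.invalid/decoy.jpg', "
                      "$env:TEMP + '\\decoy.jpg')\"")},
    {"type": "file_read", "host": "ws01", "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles"
               r"\ab12cd34.default-release\logins.json"},
    {"type": "registry_read", "host": "ws01", "pid": 4120,
     "target": r"HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"},
    {"type": "process_create", "host": "ws02", "pid": 900,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -NoProfile -Command Get-Process"},
    {"type": "file_read", "host": "ws02", "pid": 900,
     "target": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles"
               r"\zz99yy88.default\logins.json"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_spawn(ev):
    """Script host launching PowerShell that fetches something with a hidden window."""
    if ev.get("type") != "process_create":
        return False
    if _basename(ev["parent_image"]) not in SCRIPT_HOSTS:
        return False
    if _basename(ev["image"]) not in POWERSHELL:
        return False
    cmd = ev.get("command_line", "")
    return bool(DOWNLOAD_HINTS.search(cmd) and HIDDEN_HINTS.search(cmd))


def credential_store_hit(ev):
    """Name of the saved-login store touched by a file/registry read, else None."""
    if ev.get("type") not in ("file_read", "registry_read"):
        return None
    for name, rx in CRED_STORES.items():
        if rx.search(ev.get("target", "")):
            return name
    return None


def detect(events):
    """Correlate per (host, pid): a credential-store read only becomes an alert
    when the same process was already flagged as a suspicious spawn, so a user
    opening their own profile directory does not fire."""
    alerts, flagged = [], set()
    for ev in events:
        key = (ev["host"], ev["pid"])
        if suspicious_spawn(ev):
            flagged.add(key)
            alerts.append(("suspicious_powershell_spawn", ev["host"], ev["pid"], None))
        store = credential_store_hit(ev)
        if store and key in flagged:
            alerts.append(("credential_store_access", ev["host"], ev["pid"], store))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The correlation on process id is what keeps the rule quiet: reading `logins.json` on its own is normal for the browser, so only a read by a process that arrived via the script-host chain is reported.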

Link: https://threatpost.com/ftcode-ransomware-steals-chrome-firefox-credentials/152022/


500K Telnet Credentials for IoT Devices Leaked

A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices on a popular hacking forum, in what’s being touted as the biggest leak of Telnet passwords to date.

The hacker compiled the list, which includes each device's IP address along with a Telnet username and password, by scanning the entire internet for devices exposing their Telnet port, according to the report, and then logging in with factory-default usernames and passwords or easy-to-guess combinations.
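The first thing a defender wants from a list like this is to know whether any of their own devices are on it, and which default credentials are doing the damage. As an added example (not code from the Threatpost report or from the leak), the script below parses rows in the described shape, cross-checks them against your own address ranges and tallies credential pairs. The `ip:user:password` separator, the sample rows (RFC 5737 documentation addresses) and the ranges are constructed assumptions.

```python
"""Cross-check a leaked 'ip:user:password' Telnet list against your own
address ranges and tally which credential pairs dominate.

Added example; not code from the Threatpost report or from the leak. The
per-row layout (device IP, Telnet username, password) follows the report's
description; the ':' separator, the sample rows and the address ranges are
constructed."""
import ipaddress
from collections import Counter

# Constructed sample in the described shape, NOT real leaked data
# (RFC 5737 documentation addresses only).
SAMPLE_LEAK = """\
198.51.100.23:root:admin
198.51.100.77:admin:admin
203.0.113.5:root:root
192.0.2.140:admin:1234
203.0.113.9:admin:admin
192.0.2.1:admin:pa:ss
not a valid row
"""

# Ranges you are responsible for (assumed for the example).
OWN_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("192.0.2.128/25")]


def parse_leak(text):
    """Return [(ip, user, password)]; skip rows that do not parse instead of
    aborting on a 500k-line file. Passwords may themselves contain ':',
    so split at most twice from the left."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append((ip, parts[1], parts[2]))
    return rows


def own_exposed(rows, ranges):
    """Addresses from the list that fall inside your ranges, sorted."""
    hits = {ip for ip, _, _ in rows if any(ip in net for net in ranges)}
    return [str(ip) for ip in sorted(hits)]


def credential_tally(rows):
    """How often each (user, password) pair appears: the defaults to retire first."""
    return Counter((user, pwd) for _, user, pwd in rows)


if __name__ == "__main__":
    rows = parse_leak(SAMPLE_LEAK)
    print("parsed rows:", len(rows))
    print("ours:", own_exposed(rows, OWN_RANGES))
    for (user, pwd), n in credential_tally(rows).most_common(3):
        print(f"{user}:{pwd} x{n}")
```

A hit on your own range means the device was reachable on Telnet from the internet with a guessable password at scan time; changing the password is the smaller fix, and closing the Telnet port is the one that stops the next scan.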

Link: https://threatpost.com/hacker-leaks-more-than-500k-telnet-credentials-for-iot-devices/152015/


Mitsubishi Electric Warns of Data Leak After Security Breach

Mitsubishi Electric, a leading global manufacturer of electrical and electronic products, has disclosed a security breach that may have leaked personal information and confidential corporate data. The intrusion was detected on June 28, 2019, nearly seven months before the January 2020 disclosure, with the delay attributed to an investigation made harder by the attackers deleting activity logs. "On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside," a detailed company statement says.

"This is an advanced method of monitoring and detection, and it took time to investigate because the log (operation record) for identifying the transmitted file was deleted by an attacker on some terminals."

Link: https://www.bleepingcomputer.com/news/security/mitsubishi-electric-warns-of-data-leak-after-security-breach/

250 Million Microsoft Customer Support Records Exposed

The wide-open records were discovered by the Comparitech security team, who found five identical sets of the 250 million customer records, all unprotected, on five different Elasticsearch servers.

The exposed Microsoft customer records, spanning 14 years (from 2005 until the very end of 2019), include both personal information and recordings of conversations between Microsoft customer support representatives and customers from around the world. The exposed personal information includes customer email addresses, IP addresses, and locations, of which some, but not all, were redacted. The records also include logs of the interactions between Microsoft support agents and customers, as well as descriptions of and information about those support interactions, and internal confidential notes.

Link: https://www.theinternetpatrol.com/250-million-microsoft-customer-support-records-exposed/

AWS Engineer Leaks Private Keys, Outside Analysts Discover Them in Minutes

An Amazon Web Services (AWS) engineer last week inadvertently made public almost a gigabyte's worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments. What is noteworthy here is how quickly the employee's credentials were found by a third party, who, to the employee's good fortune perhaps, immediately warned the company.

On the morning of January 13, an AWS employee, identified as a DevOps Cloud Engineer on LinkedIn, committed nearly a gigabyte's worth of data to a personal GitHub repository bearing their own name. Roughly 30 minutes later, Greg Pollock, vice president of product at UpGuard, a California-based security firm, received a notification about a potential leak from a detection engine pointing to the repo.
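Thirty minutes is how long it takes an outside engine to notice; the same pattern matching can run on your own machine before the commit leaves it. As an added example (not UpGuard's engine, not an AWS tool and not from the Gizmodo article), the script below scans file content for AWS access key IDs and high-entropy secret keys and can be wired up as a git pre-commit hook. The key shapes are AWS's documented formats; the entropy threshold, the context words and the sample file are assumptions, and the sample keys are AWS's own documentation placeholders.

```python
"""Catch AWS credentials in content before it is committed: the same kind of
pattern matching a leak-detection engine runs over public repositories, but
run locally as a pre-commit check.

Added example; not UpGuard's engine, not an AWS tool and not from the
Gizmodo article. Key shapes are AWS's documented formats (a 20-character
access key ID starting with AKIA or ASIA; a 40-character secret from the
base64 alphabet); the entropy threshold, the context words and the sample
file are assumptions. The sample keys are AWS's documentation placeholders."""
import math
import re
import subprocess
import sys

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Any 40-character run of base64 characters is a candidate secret...
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# ...but only on lines that also look credential-related, which keeps
# 40-hex git commit ids out of the results (context words are an assumption).
CONTEXT_RE = re.compile(r"secret|aws", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; real secrets sit well above 4, repeated filler near 0."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>", min_entropy=4.0):
    """Return (path, line_no, kind, value) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        if not CONTEXT_RE.search(line):
            continue
        for m in SECRET_CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= min_entropy:
                findings.append((path, line_no, "aws_secret_access_key", m.group(0)))
    return findings


def scan_staged():
    """Scan what `git add` has staged; wire this up as .git/hooks/pre-commit."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True).stdout.decode().split("\0")
    findings = []
    for path in filter(None, names):
        blob = subprocess.run(["git", "show", f":{path}"],
                              capture_output=True, check=True).stdout
        findings.extend(scan_text(blob.decode("utf-8", "replace"), path))
    return findings


# Constructed file content; both keys are AWS's published documentation examples.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# 40 hex chars, but no credential context on the line:
pinned = 3b18e512dba79e4c8300dd08aeb37f8e728b8dad
"""

if __name__ == "__main__":
    found = scan_staged() if "--staged" in sys.argv else scan_text(SAMPLE, "sample")
    for path, line_no, kind, value in found:
        print(f"{path}:{line_no}: {kind}: {value[:4]}...{value[-4:]}")
    sys.exit(1 if found else 0)
```

Run with `--staged` from a pre-commit hook and a non-zero exit blocks the commit. A local check is a complement, not a substitute, for scanning your public repositories: the hook only helps on machines where it is installed, and a key that does get pushed still has to be rotated, not just removed from history.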

Link: https://gizmodo.com/amazon-engineer-leaked-private-encryption-keys-outside-1841160934


U.S. Lawmakers Introduce Bipartisan Effort to Cut NSA Surveillance

A bipartisan pair of U.S. Senators have introduced the "Safeguarding Americans' Private Records Act" in an effort to tighten the vague language of Section 215 of the Patriot Act that once justified mass surveillance of American citizens. Section 215 was last renewed under President Barack Obama in 2015, and that authority expires in March, giving lawmakers an opportunity to reform the arguably invasive law.

Link: https://threatpost.com/new-bill-proposes-nsa-surveillance-reforms/152183/


Oil & Gas Infrastructure in the U.S. May Be in Trouble

Dragos, Inc. has published a new report indicating a rise in hacking activity targeting electric utilities and oil and gas companies in the U.S. The activity, which mostly relies on password spraying (trying a small set of common passwords against many accounts so that no single account trips a lockout), is attributed to the group Dragos tracks as Magnallium, which overlaps with the Iran-linked APT33. While a truly destructive attack would require significant time and effort, Dragos notes, the risk of a disruptive attack is nonetheless worrying.
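Password spraying is built to slip past per-account lockout counters, so the detection has to pivot on the source instead. As an added example (not code from the Dragos report), the script below reads authentication events and flags any source that fails against many distinct accounts with only a few tries each inside a sliding window, then lists accounts that later succeeded from that source. The log layout, the sample lines (RFC 5737 addresses) and the thresholds are constructed assumptions to tune for your own environment.

```python
"""Detect password spraying in authentication logs: one source making a few
attempts each against many different accounts, which per-account lockout
counters never see.

Added example; not code from the Dragos report. The log layout, the sample
lines (RFC 5737 addresses) and the thresholds are constructed assumptions
to tune for your own environment."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<UTC timestamp> <source ip> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2020-01-20T02:00:01Z 203.0.113.9 alice FAIL
2020-01-20T02:00:04Z 203.0.113.9 bob FAIL
2020-01-20T02:00:07Z 203.0.113.9 carol FAIL
2020-01-20T02:00:10Z 203.0.113.9 dave FAIL
2020-01-20T02:00:13Z 203.0.113.9 erin FAIL
2020-01-20T02:00:16Z 203.0.113.9 frank FAIL
2020-01-20T02:01:00Z 198.51.100.4 admin FAIL
2020-01-20T02:01:02Z 198.51.100.4 admin FAIL
2020-01-20T02:01:04Z 198.51.100.4 admin FAIL
2020-01-20T02:01:06Z 198.51.100.4 admin FAIL
2020-01-20T02:01:08Z 198.51.100.4 admin FAIL
2020-01-20T02:05:00Z 192.0.2.7 alice FAIL
2020-01-20T02:05:09Z 192.0.2.7 alice SUCCESS
2020-01-20T02:30:01Z 203.0.113.9 alice FAIL
2020-01-20T02:30:04Z 203.0.113.9 frank SUCCESS
"""

WINDOW = timedelta(hours=1)
MIN_DISTINCT_ACCOUNTS = 5   # spray: many accounts...
MAX_FAILS_PER_ACCOUNT = 3   # ...but few tries each, to stay under lockout


def parse_auth_log(text):
    """Return [(timestamp, source, account, result)], skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def detect_spray(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS,
                 max_per_account=MAX_FAILS_PER_ACCOUNT):
    """Map source ip -> peak number of distinct accounts it failed against
    inside any sliding window, for sources matching the spray shape.
    Plain brute force (many failures on one account) deliberately does not match."""
    fails = defaultdict(list)
    for ts, src, account, result in events:
        if result == "FAIL":
            fails[src].append((ts, account))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = Counter(a for _, a in attempts[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                alerts[src] = max(alerts.get(src, 0), len(per_account))
    return alerts


def successes_from_flagged(events, alerts):
    """Accounts that logged in from a spraying source: triage these first."""
    hits = defaultdict(list)
    for _, src, account, result in events:
        if result == "SUCCESS" and src in alerts:
            hits[src].append(account)
    return dict(hits)


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    sprays = detect_spray(ev)
    print("spraying sources:", sprays)
    print("likely compromised:", successes_from_flagged(ev, sprays))
```

In the sample, the brute-force source hammering `admin` is left alone on purpose (a normal lockout policy already handles it); the sprayer touching six accounts once or twice each is what the rule is for, and the success for `frank` from that source is the finding that matters.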

Link: https://www.securitymagazine.com/articles/91594-risk-of-disruptive-or-destructive-attack-on-the-electric-sector-significantly-increases


Adware-Injecting Shlayer Trojan has Infected One in 10 Macs, Kaspersky Says

While many Mac-owning consumers believe their devices to be relatively safe from malware, Kaspersky has published a new report showing that they are far from immune. The Russian cybersecurity firm has tracked the rise of the Shlayer malware since it first surfaced in February 2018; since then, Shlayer has been distributed through about 1,000 "partner" websites. While generally considered more annoying than harmful, Shlayer's focus on adware is thought to earn its authors more revenue, at lower cost, than something more destructive would.

Link: https://www.darkreading.com/attacks-breaches/the-annoying-macos-threat-that-wont-go-away/d/d-id/1336875


The awesome image used in this article is called Bad Dog and was created by Paul Gorsuch.