The cyber-world is full of twists and turns, with both the cybersecurity expert and the threat actor trying to stay a step ahead of each other at all times. This week’s cyber news headlines capture some of these moves of cybersecurity experts and adversaries.
Teenager Helps Identify Critical Vulnerability in India’s Online Railway Ticket Booking Platform – IRCTC
Cybersecurity expertise doesn’t always have to come from professionals. An aware citizen can also be an agent of loophole detection, as seen in a recent incident in India. A bug in the website of the IRCTC, the Indian Railway Catering and Tourism Corporation, went unnoticed until a Chennai-based 17-year-old private school student, Ranganathan, identified it. He pointed out that the critical Insecure Direct Object Reference (IDOR) vulnerability in the IRCTC website could let adversaries access, modify, or even cancel the bookings of other passengers. He found the bug while viewing his own ticket on the website, where he could access the travel details of other passengers. The exposed passenger details include their names, ages, genders, train details, PNR number, travel date, departure and arrival stations, etc.
Ranganathan further mentioned that since the back-end code was the same for all passengers, an attacker could easily order food, alter boarding stations, or cancel other passengers’ tickets. These changed travel details could then be used to launch a targeted phishing campaign. Alternatively, the adversaries could download and leak copies of a million passengers’ travel and personal information. Soon after detecting the bug on 30th August 2021, Ranganathan reported it to the Computer Emergency Response Team (CERT), which took five days to patch the vulnerability.
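The bug class described above, as an added example that is not the article’s or IRCTC’s code: a booking lookup keyed only on the client-supplied PNR (the IDOR) next to a hardened version that checks ownership before returning or changing anything. The booking store, account names and PNR values are constructed for illustration.

```python
# Added example (not from the article or IRCTC): an IDOR of the kind described,
# shown as a vulnerable booking lookup next to a hardened one that enforces
# ownership on every object reference. All names and data are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Booking:
    pnr: str          # the identifier the client supplies in the request
    owner: str        # user account that created the booking
    passenger: str
    train: str
    cancelled: bool = False


# Constructed sample data standing in for the booking store.
BOOKINGS: Dict[str, Booking] = {
    "1000000001": Booking("1000000001", "alice", "A. Kumar", "12658"),
    "1000000002": Booking("1000000002", "bob", "B. Singh", "12007"),
}


def get_booking_vulnerable(pnr: str, current_user: str) -> Optional[Booking]:
    """Trusts the client-supplied PNR: any logged-in user can read any booking.
    current_user is accepted but never checked, which is the IDOR."""
    return BOOKINGS.get(pnr)


def get_booking_hardened(pnr: str, current_user: str) -> Optional[Booking]:
    """Resolves the reference, then checks that the caller owns it.
    Returns None for both 'not found' and 'not yours' so a probing client
    cannot tell valid PNRs from invalid ones by the response."""
    booking = BOOKINGS.get(pnr)
    if booking is None or booking.owner != current_user:
        return None
    return booking


def cancel_booking_hardened(pnr: str, current_user: str) -> bool:
    """State-changing actions reuse the same ownership check, so the
    article's scenario (cancelling someone else's ticket) is refused."""
    booking = get_booking_hardened(pnr, current_user)
    if booking is None:
        return False
    booking.cancelled = True
    return True
```

Logging the denied lookups as authorization failures also gives defenders a detection signal: a single account requesting many PNRs it does not own is the enumeration pattern behind this bug.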
Beware of Fake Calls Suggesting Crypto Investments
As the number of cryptocurrency investors grows worldwide, crimes against them grow as well. Recently, the Security Service of Ukraine (SBU) brought down six Lviv-based call centers linked to such scammers. The adversaries used VoIP phone numbers to conceal their locations while calling foreign investors.
The law enforcement officers at the SBU confiscated over 100 documents and devices linked to the malicious activities. Their investigation revealed several Lviv locals and rented offices running six illegal call centers from which adversaries offered stock and cryptocurrency investment suggestions to foreigners. Unsuspecting crypto investors transferred their funds to the adversaries’ bank accounts or crypto wallets.
Thus, cryptocurrency investors are advised to treat unsolicited calls suggesting new schemes and currencies with caution, as these are scams more often than not. You should also enable MFA and other cybersecurity measures for added protection.
REvil Uses Double Chat to Cheat Affiliates
Ransomware protection measures warn us of the evil ways of threat actors, but who would have imagined that there might be fraudulent activities going on within ransomware gangs as well! In a recent incident, the notorious REvil ransomware gang was reported to the Hacker’s Court by affiliates for robbing them of their share of the ransom. Investigations by malware specialists revealed that REvil had found a way of cheating its affiliates and keeping 100% of the ransom payments. The usual norm is that for every ransom received from a victim, affiliates get 70% and REvil gets 30% of the amount. But the REvil RaaS operators were exploiting a backdoor to set up a double chat window to dupe affiliates.
This backdoor enables REvil to decrypt files and read the chats between affiliates and victims. The victims receive two identical chats: one from the original affiliate who launched the attack and the other from REvil. Using this double chat scheme, REvil hijacks the affiliates’ share of the ransom payment, and this has angered several affiliates, who have been robbed of over $21.5 million by REvil so far.
Vulnerability Detected in The D-LINK DIR-3040 Smart WiFi Mesh Router
Cybersecurity experts at Cisco Talos recently discovered a vulnerability in the D-LINK DIR-3040 smart WiFi mesh router, an AC3000-based wireless internet router that lets users, including home users, connect several devices to their network. Exploiting this flaw (tracked as CVE-2021-21913), adversaries can turn off user devices or remove connected devices from the network. Not only that, but the attackers can also view sensitive information such as the root password of the primary device and execute remote code to reboot the connected devices.
Cisco Talos collaborated with D-LINK to resolve the issue and release an update for affected customers to ensure protection against potential cyber threats. All D-LINK users are advised to update their products immediately.
Microsoft Introduces New Emergency Mitigation Feature
Because of the increased exploitation of zero-day vulnerabilities, Microsoft has introduced a new Exchange Server feature called Microsoft Exchange Emergency Mitigation (EM). In a nutshell, EM is a service meant to be a quick fix for major cyber threats until a patch for the specific vulnerability is released. EM applies interim mitigations for actively exploited high-risk vulnerabilities and secures servers from incoming attacks, thereby giving admins some extra time to apply security updates.
EM comes as a boon for servers whose admins couldn’t patch flaws in time, a delay that has led to attacks by financially motivated and state-sponsored hacking groups. Built upon Microsoft’s Exchange On-premises Mitigation Tool (EOMT), EM runs as a Windows service on Exchange Mailbox servers and is installed automatically. It works by detecting cybersecurity loopholes in Exchange Servers and applying interim mitigations until admins have access to a security update. As mentioned, these are temporary fixes and not a replacement for Exchange Server Security Updates (SUs). Admins are free to disable the EM service if they don’t want Microsoft to auto-apply mitigations to their Exchange servers.
India And Japan Gear Up With Cyber Defence
Indian and Japanese cybersecurity experts have developed robust measures to counter the spyware frequently deployed by Chinese adversaries. Japan has recently launched a national cybersecurity policy that explicitly names Russia, China, and North Korea as threat-causing nations. The policy follows Japan’s practice of refreshing its defensive plans every three years and instructs the Self Defence Force to enhance its cyber defenses. The policy aims to extend cybersecurity protection to Japan’s citizens, because the government has noticed critical cyber threats targeting the nation.
The Indian government, on the other hand, has instructed its defense professionals to prepare for any cyber warfare that may target the nation in the coming years. Vice President M. Venkaiah Naidu has pointed to the likelihood of increased use of drones and robotics in warfare. The region of Jammu & Kashmir in India shares borders with China and Pakistan, which is one of the many reasons for the nation’s conflict with these countries. Following the recent Quad meeting of the USA, Australia, Japan, and India, China has made clear its intention of developing infosec standards for the world. It criticizes the Quad member nations for tarnishing its reputation among regional countries, and the recent cybersecurity flexes by Japan and India prove that the wedge is working.