Cyber Security Headlines: Leaky GPS Trackers, Russian Malware Spoof Pro-Ukraine App, MacOS Backdoor to the Cloud

Car GPS tracker exposes location data

Security researchers at BitSight found six vulnerabilities in a GPS tracker from the company Micodus. This tracker includes a hardcoded password that can be used to remotely control it, access real-time location data, past routes, and even cut off fuel. The tracker also ships with a default user password of “123456,” with researchers finding 95% of sampled devices didn’t change it. The company claims to have over 1.5 million hardwired GPS trackers in use across vehicle fleets, national governments, militaries, and law enforcement. BitSight characterized these vulnerabilities as “not difficult to exploit” and suggest that other trackers from the company may have similar vulnerabilities. Impacted trackers largely reside in Ukraine, Russia, Uzbekistan, and Brazil, as well as across western and central Europe. 

(TechCrunch)

Russian malware groups spoof pro-Ukraine apps

Researchers at Google’s Threat Analysis Group discovered that the pro-Kremlin threat group Turla created an app called Cyber Azoz, which references Ukraine’s far-right military unit. Last year the same group compromised EU and American organizations with malware. The app claims it launches a denial-of-service attack against Russian websites. Instead the app installs a trojan on a device. The app must be sideloaded and not available on the Play Store. Google researchers believe only a small number of people installed this spoofed app. 

(The Verge)

MacOS backdoor speaks to the cloud

Security researchers at ESET discovered the backdoor, named CloudMensis, at work in the wild since February. This backdoor exclusively uses public cloud storage services to communicate with operators. The researchers observed it leveraging pCloud, Yandex Disk and Dropbox to receive commands and send data out. The code complexity indicates the threat actor may not be overly sophisticated. The distribution vector and overall targets remain a mystery. The backdoor doesn’t appear to utilize any zero-day exploits to get onto systems, so the researchers suggest making sure machines are running up to date versions of macOS as the best mitigation. 

(InfoSecurity Magazine)

China concluding security audit on Didi

Shortly after Didi Global went public on the New York Stock Exchange last year, Chinese regulators began a cybersecurity investigation into the company, eventually leading to it delisting from the exchange and subjecting it to significant sanctions. Now the Wall Street Journal’s sources say the Cyberspace Administration of China will end its investigation into Didi Global’s cybersecurity practices, preparing to issue a fine of over $1 billion. After that, the regulator will allow Didi to add new users to its platforms, relist its apps domestically, and allow it to pursue a listing on the Hong Kong stock exchange.

(WSJ)

Thanks to today’s episode sponsor, 6clicks

Your GRC solution is only as valuable as the reports it can generate. Provide an exceptional analytics experience for all your GRC stakeholders with the 6clicks reporting suite. Unlock powerful insights and prove compliance using dashboards and charts, pixel perfect reporting, presentations, and data storytelling via LiveDocs. For more information visit 6clicks.com/analytics/overview.

Microsoft reverses on open-source policy 

Last month, Microsoft updated its Store policies to forbid the sale of open-source software. Now in an update to the policy, the company reversed its ban, and will allow otherwise compliant open-source software to be available. Microsoft’s Giorgio Sardo said the company implemented this ban last month to “protect customers from misleading product listings,” out of concerns that bad actors would list otherwise free software for sale with no other value-add to the product. It made the reversal after listening to feedback.

(Beta News)

US disrupts North Korean threat group targeting hospitals

Deputy Attorney General Lisa Monaco announced that the FBI and US Justice Department disrupted the activities of the Maui ransomware group. This came as part of a plea by Monaco for organizations hit by ransomware to report incidents to law enforcements. In this case, a Kansas hospital hit with Maui ransomware contacted the FBI. It traced ransom payments through China-based money launderers to North Korean threat actors. The FBI recovered the hospital’s ransom and other funds in the process. 

(Security Week)

Belgium ministries targeted by Chinese threat groups

Belgium’s Minister for Foreign Affairs announced that multiple Chinese APTs, including APT27, 30, 31 and Gallium targeted defense and interior ministries. No word on if the attacks accessed internal ministry systems, or if both were able to deflect the attacks. Belgium called on Chinese authorities to adhere to state norms agreed to by United Nations members. Rhe Chinese Embassy in Belgium denied the accusation, saying that Belgian officials did not provide any evidence of an attack. 

(Bleeping Computer)

Now we have to worry about SATA cables

There are few pleasures in life as pure and absolute as the air-gap defeating techniques from the mad scientists/security researchers at Ben-Gurion University. The researchers documented how SATA cables in a PC can be used as an antenna to exfiltrate data. As usual for these types of exploits, the technique requires an already infected machine, making it somewhat academic. The researchers used the cables to deliver data over radio channels around 5.9995 GHz during read and write operations at ranges up to 3.9 feet. Speeds weren’t great, peaking at 1 bit per second. The paper also proposes a countermeasure, adding noise during read/write operations.

(Bleeping Computer)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.