
Ankura CTIX FLASH Update - September 2, 2022

Ransomware/Malware Activity


800 Million State-Surveillance Records Exposed in Publicly-Available Database

A large database belonging to Chinese electronics manufacturer Xinai Electronics was found to be publicly accessible, exposing millions of faces and vehicle license plates. The database held over 800 million records, making it the second largest known data exposure of the year. Xinai Electronics builds systems for "controlling access for people and vehicles to workplaces, schools, construction sites and parking garages across China." The company uses facial recognition for "a range of purposes beyond building access, including personnel management, like payroll, [and] monitoring employee attendance and performance," and it also operates a cloud-based vehicle license plate recognition system that lets drivers pay for parking in unattended garages. The company's website states that all collected data is stored securely on its servers, yet security researcher Anurag Sen identified an Alibaba-hosted server holding the unsecured database. Sen reported that the database included "hundreds of millions of records and full web addresses to image files hosted on several domains owned by Xinai" and emphasized that "neither the database nor the hosted image files were protected by passwords." Specifically, the database held information on Chinese citizens, including links to high-resolution facial photographs, each person's name, age, sex, and resident ID number, as well as vehicle license plates captured in parking garages, driveways, and other office entry points. As of mid-August, the database was no longer publicly accessible. Before it was taken down, however, an undated and unclaimed ransom note had been left claiming that the database contents had been stolen and demanding "a few hundred dollars worth of cryptocurrency" for their return. TechCrunch noted that the blockchain address in the note shows no evidence of having received funds from Xinai.
In China, facial recognition technology is routine and state surveillance is pervasive, so securing this volume of personally identifiable information (PII) is a high priority. CTIX analysts will provide updates on this breach as they become available.


Threat Actor Activity


REvil Hits First High-Level Target Since 2021

After a hiatus of several months, REvil ransomware has reemerged in the threat landscape and has claimed responsibility for compromising Midea Group, a Chinese electrical appliance manufacturer. REvil had remained largely silent since the 2021 Kaseya incident, in which the group compromised the software vendor Kaseya and used that access to breach several IT management service companies. Several members of the REvil organization were reportedly arrested in January as part of an international law enforcement operation. In this latest attack, REvil claims to have exfiltrated several terabytes of data, including blueprints and firmware sources, financial information, scans of physical and digital ID documents, screenshots of internal vSphere environments, SSH keys, and several compressed ZIP archives. REvil has already posted some of the files to its leak site to pressure Midea Group into paying the undisclosed ransom. REvil is known for double extortion: encrypting systems and files while also exfiltrating data offsite to use as leverage in ransom demands. CTIX will continue to monitor the fallout of this incident and provide additional updates as more information is released.


Vulnerabilities


Microsoft Researchers Discover Account Takeover Vulnerability in Android TikTok Application

Researchers from Microsoft's 365 Defender Research Team have disclosed a one-click account takeover vulnerability in the popular short-form video app TikTok. The vulnerability, tracked as CVE-2022-28799, affects the Android version of the application, which has over 1 billion downloads on the Google Play Store. Microsoft reported the flaw in February 2022 and it was quickly patched following the responsible disclosure. The vulnerability stems from the application's use of WebView JavaScript interfaces. WebView lets an app load and display web pages, and its JavaScript interfaces create a bridge between JavaScript running in the page and the app's native Java code. A well-known weakness of this pattern is that any web content the WebView can be made to load is able to call the exposed Java methods, which can lead to "data leakage, data corruption, or, in some cases, arbitrary code execution." The researchers reached the vulnerable WebView through a deeplink, a feature of the Android operating system that allows URLs to be handled by an application rather than a web browser. First, they used a redirect to reach a deeplink intended only for use inside the TikTok application rather than from external links. This internal deeplink applies a filter to block potentially malicious websites from being loaded through it, but the researchers found two parameters that, when added to the deeplink URL, bypassed the filter. Loading an attacker-controlled website through this deeplink gave the page access to 70 internal Java methods, enough for a threat actor to take over a TikTok account. The researchers' proof-of-concept (PoC) exploit replaced a victim's profile description with "!! SECURITY BREACH !!" as soon as the user clicked the malicious link. The vulnerability has been patched in the current version of the TikTok Android application, and no exploitation in the wild has been observed.
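The class of bug described above is a URL filter in front of a privileged WebView that can be talked around. The following is an added illustration, not TikTok's code or Microsoft's proof of concept: a naive substring-style host filter placed beside a stricter parse-based one, run over constructed attacker URLs of the kinds that commonly defeat such filters (trusted host used as a subdomain prefix, inside a query parameter, or as userinfo; scheme downgrade; duplicated parameters). The host allowlist, the "url" parameter name, and the "app://" deeplink scheme are hypothetical; the specific parameters used against TikTok are not reproduced here.

```python
"""
Added example (not TikTok's or Microsoft's code): validating the page a
deeplink asks a privileged WebView to load. The allowlist, the deeplink
scheme and the "url" query parameter are assumptions for illustration.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical hosts the WebView may load (constructed for this example).
TRUSTED_HOSTS = {"app.example.com", "m.example.com"}


def naive_filter_allows(url: str) -> bool:
    """Weak check: accepts any URL that merely contains a trusted host name."""
    return any(host in url for host in TRUSTED_HOSTS)


def strict_filter_allows(url: str) -> bool:
    """Stricter check: parse the URL, require https, an exact host match,
    and no userinfo or explicit port (both are classic parser-confusion tricks)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return host in TRUSTED_HOSTS


def deeplink_target_allowed(deeplink: str, param: str = "url") -> bool:
    """Validate the target a deeplink carries in a query parameter (assumed name).
    The check is applied to the page that will actually be loaded, not to the
    deeplink itself, and a duplicated parameter is rejected outright so that a
    validator and the WebView cannot disagree about which value is used."""
    targets = parse_qs(urlsplit(deeplink).query).get(param, [])
    return len(targets) == 1 and strict_filter_allows(targets[0])


# Constructed attacker URLs; none of these should reach the WebView.
BYPASS_ATTEMPTS: List[str] = [
    "https://m.example.com.attacker.test/payload.html",    # trusted host as a subdomain prefix
    "https://attacker.test/?next=https://m.example.com/",  # trusted host inside a query parameter
    "https://m.example.com@attacker.test/",                # trusted host as userinfo
    "http://m.example.com/page",                           # scheme downgrade
]


def evaluate(urls: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return (naive_result, strict_result) for each URL."""
    return {u: (naive_filter_allows(u), strict_filter_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in evaluate(BYPASS_ATTEMPTS).items():
        print(f"{url:55} naive={naive!s:5} strict={strict}")
    print(deeplink_target_allowed("app://webview?url=https://m.example.com/feed"))
    print(deeplink_target_allowed("app://webview?url=https://m.example.com/x&url=https://attacker.test/"))
```

The design point is that the filter must be applied to the exact URL the WebView will load, after real parsing, and that on Android the exposed interface itself should also be minimised (annotate only the methods that must be callable from JavaScript and restrict which origins get the interface at all), since a filter is only the outer layer.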


Boeing Company Releases Safety Alert Following Vulnerabilities in the OPT Application

Boeing has released a worldwide safety alert for its Onboard Performance Tool (OPT) for iOS following a vulnerability disclosure from British security firm Pen Test Partners. Boeing's OPT allows flight crew and ground personnel to "perform real-time weight and balance and takeoff and landing calculations for all current Boeing airframes" and is available on iOS and Windows, as well as in EFB (electronic flight bag) versions for integrated devices onboard aircraft. The researchers first identified an issue in the iOS version that allowed the tool's calculations to be tampered with, so that pilots could be presented with the wrong settings, potentially inducing a crash. While this vulnerability carried a "low risk of interference," Boeing patched it last year. Further testing led the researchers to a second flaw: a database used by the OPT, which stores the runway lengths of various airports, was not protected against unauthorized changes. By altering records in this database, a threat actor could have increased the risk of a crash at takeoff or landing, with no warning that the modification had occurred. After two years of working with Boeing, Pen Test Partners has confirmed that this issue was fixed in July 2022. The long delay between discovery and patching is due to the number of regulatory approvals required to change the OPT application, and it highlights the slow response times that have plagued the aviation industry for years. CTIX analysts recommend that organizations using Boeing's Onboard Performance Tool ensure it is updated to the latest version, OPT v4.72.
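The second OPT flaw is a safety-critical data file that the application trusted without any integrity check, so a silent edit went unnoticed. The following is an added example of the kind of check that produces the missing warning; it is not Boeing's fix and nothing is known here about how OPT actually stores its data. Each record is stored with an HMAC-SHA256 tag over its canonical form, the airport and runway identifiers are included in the signed data so a valid entry cannot be re-filed under another runway, and a reader refuses to use any value whose tag does not verify. The key is assumed to sit in storage the app can read but an on-device attacker cannot; the airport, runway and length values are constructed.

```python
"""
Added example (not Boeing's code): tamper-evident storage for a local
performance table such as runway lengths. Assumes the HMAC key lives in
protected storage (e.g. the platform keychain) that a local attacker who
can edit the data file cannot read.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


class TamperedRecordError(Exception):
    """Raised when a stored record fails its integrity check."""


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(key: bytes, record: dict) -> dict:
    """Attach an HMAC-SHA256 tag to a record before it is written to the store."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(key: bytes, entry: dict) -> Optional[dict]:
    """Return the record if its tag verifies, otherwise None (constant-time compare)."""
    expected = hmac.new(key, canonical(entry["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(entry.get("tag", ""))):
        return None
    return entry["record"]


def build_table(key: bytes, records: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Index signed entries by (airport, runway). The identifiers are part of the
    signed data, so a validly signed short-runway entry cannot be copied over a
    long-runway entry without the mismatch being detected on lookup."""
    return {(r["airport"], r["runway"]): sign_record(key, r) for r in records}


def lookup_runway_length_m(key: bytes, table: Dict[Tuple[str, str], dict],
                           airport: str, runway: str) -> int:
    """Return the runway length only if the stored record is intact and is the
    record for the requested runway; fail loudly otherwise."""
    entry = table.get((airport, runway))
    if entry is None:
        raise KeyError(f"no record for {airport}/{runway}")
    record = verify_record(key, entry)
    if record is None:
        raise TamperedRecordError(f"{airport}/{runway}: integrity check failed")
    if (record["airport"], record["runway"]) != (airport, runway):
        raise TamperedRecordError(f"{airport}/{runway}: record substituted from another runway")
    return int(record["length_m"])


# Constructed sample data; the identifiers and lengths are not real airport data.
SAMPLE_RECORDS = [
    {"airport": "ZZZZ", "runway": "09", "length_m": 3000},
    {"airport": "ZZZZ", "runway": "27", "length_m": 1800},
]


def demo(key: bytes = b"constructed-demo-key") -> Tuple[int, bool, bool]:
    """Sign the sample table, read a value back, then show two tamper attempts
    being caught: an edited length and a substituted record."""
    table = build_table(key, SAMPLE_RECORDS)
    good = lookup_runway_length_m(key, table, "ZZZZ", "27")

    edited = {"record": dict(SAMPLE_RECORDS[1], length_m=4000), "tag": table[("ZZZZ", "27")]["tag"]}
    edit_caught = verify_record(key, edited) is None

    swapped = dict(table)
    swapped[("ZZZZ", "27")] = table[("ZZZZ", "09")]  # valid tag, wrong runway
    try:
        lookup_runway_length_m(key, swapped, "ZZZZ", "27")
        swap_caught = False
    except TamperedRecordError:
        swap_caught = True
    return good, edit_caught, swap_caught


if __name__ == "__main__":
    print(demo())
```

An HMAC only detects edits by someone who lacks the key; if the data is published by the vendor and merely consumed by the app, a signature with a vendor-held private key and an app-embedded public key removes the need to protect any secret on the device at all.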


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
