An anonymous service that can get you hacked, infected online restaurant platforms found, a Mac backdoor discovered, and more.
Welcome to Cyber Security Today. It’s Wednesday July 20th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Looking for ways to be anonymous on the internet? Be careful: A bad choice may lead to your business or home computer being hacked, or to your system being used to hide criminal activity. That’s the warning from researchers at the University of Sherbrooke, Quebec. In a recent report they show how residential proxy services can be abused by threat actors. A residential proxy service allows an individual or a business to rent a residential IP address to relay communications from an original address. That way the user’s internet traffic appears to come from the rented IP address, not their real address. Businesses, universities, government departments and police forces may legitimately use this service for doing market surveys, search engine optimization or other reasons. Individuals may want to rent a residential IP address to keep from being identified going to adult or gambling sites or blocked movie sites. The thing is, the researchers point out, some home users may be tricked into letting their residential IP address be used as a proxy. One way is by signing up for a so-called free VPN service. What these customers don’t know is that it may be run by scammers. Victims install software on their computers that’s supposed to be a VPN. But it also hijacks their IP address to be rented, or abused, by others. The research serves as a warning to governments, businesses and individuals to carefully research services before they sign up.
Three American-based online ordering platforms used by hundreds of restaurants have been hacked with malware that skims off the names and payment card information of customers. According to researchers at Recorded Future, at least 311 restaurants using the MenuDrive, Harbortouch and InTouchPOS web applications were victimized. That led to the copying of over 50,000 compromised payment card records. Those records have been posted for sale on the dark web. The malicious domain being used in the MenuDrive and Harbortouch attacks has been blocked since May 26th. However, the domains behind the InTouchPOS infections are still active. Compromising restaurant online ordering platforms with JavaScript-based data-skimmers — known as a Magecart attack — is common: Last year Recorded Future found five other platforms that had been hacked. The problem is that end-user website security scanners may not discover a platform compromise. That’s why online e-commerce platform developers have to carefully scan their code for unapproved additions. That means keeping a careful inventory of code under version control.
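One form that inventory check can take, as an added example that is not code from Recorded Future or from any of the platforms named above: a hash manifest of the approved front-end files is recorded from version control, and each deployment is compared against it, flagging modified files, files that are not in the inventory, and script tags that load from hosts outside an allowlist. The file names and hostnames below are constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches <script src="..."> tags so externally loaded scripts can be checked against an allowlist.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root):
    """Hash every .js/.html file under root, keyed by relative path: the approved inventory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.suffix in (".js", ".html")}


def audit(root, approved, allowed_hosts):
    """Compare a deployed tree against the approved manifest; return (kind, detail) findings."""
    root = Path(root)
    deployed = build_manifest(root)
    findings = []
    for rel, digest in deployed.items():
        if rel not in approved:
            findings.append(("unapproved_file", rel))
        elif approved[rel] != digest:
            findings.append(("modified", rel))
        # Relative src values have no hostname and are skipped; only third-party hosts are checked.
        for src in SCRIPT_SRC.findall((root / rel).read_text(errors="ignore")):
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                findings.append(("external_script", f"{rel} -> {host}"))
    findings.extend(("missing", rel) for rel in approved if rel not in deployed)
    return sorted(findings)


def demo():
    """Constructed scenario: an approved checkout page, then a tampered deployment of it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "js").mkdir()
        (site / "js" / "checkout.js").write_text("function pay() { /* approved */ }\n")
        (site / "checkout.html").write_text('<html><script src="js/checkout.js"></script></html>\n')
        approved = build_manifest(site)  # snapshot that would come from version control
        # Simulated tampering: a loader for an unapproved host is appended and a stray file is dropped.
        with open(site / "checkout.html", "a") as f:
            f.write('<script src="https://skimmer.example/s.js"></script>\n')
        (site / "js" / "extra.js").write_text("/* not in inventory */\n")
        return audit(site, approved, {"www.shop.example"})
```

Run `demo()` to see the three findings a scanner of this kind would raise for the tampered tree; in practice the manifest is generated in CI from the tagged release and the audit runs against what the web server actually serves.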
Microsoft is warning developers using the Azure Arc Jumpstart application to not re-use login credentials for an Arc project in any other Azure environment. That’s because until recently those credentials were stored in plaintext in a log file that is readable by any user on an Arc system. The vulnerability was discovered by researchers at Tenable. For those who don’t know, Arc is a bridge for building cloud applications and services in Azure. Jumpstart is an environment to help developers jumpstart their work. A careless developer who reuses credentials in an Arc project could help an attacker get into other parts of an Azure environment.
Another threat to Macintosh users has been discovered. Researchers at ESET say the macOS backdoor leads to the installation of malware that can copy documents and user keystrokes, as well as take screen captures. ESET has dubbed this spyware CloudMensis. It can’t say how Macs are initially compromised. But a key part of an attack needs a threat actor to gain administrative privileges over a compromised machine. That allows the downloading and installation of the second stage of the attack. Access to screen captures, cameras, microphones and keyboard events are usually protected by the macOS Transparency, Consent and Control system. However, CloudMensis can bypass this protection. So far there have been limited signs of distribution, which suggests this spyware is being very targeted. One defence is making sure your Mac is fully patched.
Finally, administrators using routers and switches from Juniper Networks should know that last week the company published 21 security advisories about vulnerabilities that need to be patched. Some are in the Junos OS operating system, while others are in third-party components such as Nginx, OpenSSL, Samba, JavaSE, SQLite and Linux.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.