June 2, 2023
Exploitation of MOVEit Transfer Zero Day, iOS Triangulation Cyberattack, BrutePrinting
In this Episode:
Active Exploitation of MOVEit Transfer Zero Day
Edwin Kwan, Sydney, Australia
MOVEit Transfer Critical Vulnerability (May 2023) – Progress Community
New MOVEit Transfer zero-day mass-exploited in data theft attacks
Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability
iOS Triangulation Cyberattack
Mark Miller, Ann Arbor, Michigan
Eugene Kaspersky on Twitter: https://twitter.com/e_kaspersky/status/1664263801490014208
Operation Triangulation: iOS devices targeted with previously unknown malware | Securelist
Katy Craig, San Diego, California
[2305.10791] BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack
New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
This Day in Tech History
Hey. It’s 5:05 on Friday, June 2nd, 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Mark Miller in Ann Arbor, Michigan, Katy Craig in San Diego, California, Marcel Brown in St. Louis, Missouri.
Let’s get to it.
This is Edwin Kwan from Sydney, Australia.
Hackers are actively exploiting a zero-day vulnerability in MOVEit Transfer to steal data from organizations. MOVEit Transfer is a managed file transfer solution that allows for secure transfer of files using protocols like SFTP, SCP and HTTP.
Progress, the parent company behind MOVEit Transfer, released a security advisory warning of a critical SQL injection vulnerability that allows for privilege escalation and potential unauthorized access on target systems. The vulnerability does not have a CVE assigned yet.
There are around 2,500 exposed MOVEit Transfer servers, with most of them located in the US. A number of organizations have reported being breached and having data stolen, with the attacks having started over the US Memorial Day holiday when there are fewer staff monitoring the systems.
“We’ve discovered a new cyber attack against iOS called Triangulation.” That’s the beginning of a warning tweet from Eugene Kaspersky on June 1st. He goes on to say, “Triangulation transmits private information to remote servers. Microphone recordings. Photos from instant messengers, geolocation. And data about a number of other activities.”
How did Kaspersky’s team find out about the cyber attack? Several dozen of the team’s phones were infected. That sounds odd at first listen. How could this happen to an experienced cyber security team? It turns out that this is not something new. According to their forensic research, it’s been going on for almost four years.
The attack is through a message with an attachment received by the iMessage service. The tricky part is without any user interaction, the message triggers a vulnerability that leads to code execution.
Again, quoting directly from the article. “The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we’ve discovered happened in 2019. As of the time of this writing in June, 2023, the attack is ongoing.”
The Kaspersky team has set up an Operation Triangulation page where you can follow their research and findings as they’re discovered.
This is Mark Miller calling in from Ann Arbor, Michigan. You can find links to the original Twitter feed and Operation Triangulation on today’s episode page at 505updates.com.
Fingerprint authentication on smartphones isn’t as foolproof as we thought. The smartphone industry may have implemented liveness detection and attempt limits to tackle some threats, but there’s a new attack that takes it to a whole new level.
This is Katy Craig in San Diego, California.
Researchers dug deep into the impossible, a fingerprint brute force attack on regular smartphones. They even came up with a fancy name for it: BrutePrint. This attack acts as a middleman bypassing attempt limits and hijacking fingerprint images. Here’s the deal.
They found two zero-day vulnerabilities in the smartphone fingerprint authentication framework, and they used the simplicity of the SPI protocol to hijack those precious fingerprint images. They put their attack to the test on 10 different smartphones from the top vendors. And guess what? Almost all of them were vulnerable in some way.
But here’s the twist. The iPhone stood strong and resisted their attempts. It took them a whopping 40 minutes to unlock it without any prior knowledge about the victim. Not bad, Apple, not bad.
Now, before you start freaking out, there’s hope. This isn’t a common attack method, and the researchers suggest some software and hardware mitigation measures to strengthen your defenses.
Biometric authentication is convenient, but it’s not invincible. So keep your software up to date and install patches when they’re available.
This is Katy Craig. Stay safe out there.
This is Marcel Brown, the most trusted name in technology, bringing you some technology history for June 2nd and June 3rd.
June 2nd, 1966. NASA’s Lunar Lander, Surveyor 1, lands in the Ocean of Storms area on the moon, becoming the first US spacecraft to soft land on an extraterrestrial body. The previous Ranger program had sent craft that had hard landings, otherwise known as crash landings. However, the Soviet spacecraft, Luna 9, claims the honor of being the first to soft land on the moon almost exactly four months prior to Surveyor 1.
June 3rd, 1983. The science fiction film, WarGames, is released. Notable for bringing the hacking phenomenon to the attention of the American public, it ignites a media sensation regarding the hacker subculture. The film’s NORAD set is the most expensive ever built at the time, at a cost of $1 million.
Not widely known is that the movie studio provided the film’s star, Matthew Broderick, with the arcade games Galaga and Galaxian, so he could get firsthand experience before shooting the film’s arcade scenes.
That’s your technology history for today. For more, tune in next week and visit my website ThisDayInTechHistory.com.
That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.
5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there.
Thank you to Edwin Kwan, Mark Miller, Katy Craig, Marcel Brown for today’s contributions.
The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you next Monday… at 5:05.