BlueBorne: Wormable Bluetooth Attack

Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spreads through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible vendors, and is working with them as patches are being identified and released.

What Is BlueBorne?
BlueBorne is an attack vector by which attackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set to discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which demonstrate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as man-in-the-middle attacks.

Additional Information: Download our Technical White Paper on BlueBorne

These vulnerabilities include:

  • Information Leak Vulnerability in Android (CVE-2017-0785)
  • Remote Code Execution Vulnerability (CVE-2017-0781) in Android’s Bluetooth Network Encapsulation Protocol (BNEP) service
  • Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP’s Personal Area Networking (PAN) profile
  • The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
  • Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
  • Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
  • The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
  • Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)

BlueBorne – Android Take Over Demo

Install the BlueBorne Vulnerability Scanner by Armis app (created by the Armis team) from the Google Play Store to check whether your devices are vulnerable to the BlueBorne attack. If a device is found vulnerable, you are advised to turn off Bluetooth on it when not in use.

Jio Customer Database of over 120 million users leaked

On Sunday evening, a website called “magicapk.com” surfaced that contained the personal data of millions of Reliance Jio users.

At roughly 6 pm on Sunday, a website called “magicapk.com” started making its way through various Indian social media channels including Twitter, WhatsApp and Reddit India. The website, which came with a simple user interface as shown above, simply asks visitors to enter a Reliance Jio mobile number to get access to “Jio sim details”.

It could be the biggest data breach in India, as the data leak in question pertains to a database of over 120 million users of Reliance Jio. The website already seems a little sluggish and is expected to go down soon as more users rush to find out whether their personal data has been leaked. It took two or three tries for a number’s details to show up on the website. It is not clear at this moment why this data has been leaked or how someone outside Jio got access to sensitive customer data.

Zomato hacked – User Data Available for Sale $1,001

According to HackRead.com, a user by the name of “nclay” claimed to have hacked Zomato and was willing to sell data pertaining to 17 million registered users on a popular Dark Web marketplace.

This included emails and password hashes of registered Zomato users, with the price for the whole package set at $1,001.43 (BTC 0.5587; BTC stands for Bitcoin). HackRead adds that the vendor also published sample data and evidence to prove it was genuine.

Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.

Zomato, in a blog post

Legion hackers – Interview with The Washington Post

A group that calls itself “Legion” promises more, and bigger, data dumps.

According to the interview by the Washington Post’s Max Bearak, the hacking group was not pursuing these specific high-profile targets from a hitlist; it was the other way around. The group reportedly got hold of several terabytes of raw data categorised by “interests”, within which they found gigabytes of data pertaining to Indian public figures. In short, it was the data already available to them that determined whom they targeted first.

The current objective was to dump classified data into the public domain. The data which prompted Legion to carry out these hacks apparently came from a source that remains unknown. It was quite a big dump, with access to over 40,000 servers in India. It was so immense that the hacker group even built a tool to sift through them.

Source: The man hacking India’s rich and powerful talks motives, music, drugs and next targets – The Washington Post

Gooligan, Google Malware

Check Point reported at least 86 apps have been found to have traces of Gooligan, most of which appear legitimate and have been given artificially high ratings in the app store.

Once one of the infected apps is installed onto a user’s device, either from an app store or by clicking a malicious link, it begins collecting data about the device and reporting it to a command and control server—a centralized computer that issues commands to and receives reports from devices.

How to check whether your account has been hacked

Check Point recommended in a blog post that people who suspect their devices may have been compromised (seen unusual pop-up ads on your phone lately?) should check to see whether their account has been breached by entering their email addresses at the following website: https://gooligan.checkpoint.com/.