Amazon Photo Access Tokens

Summary: A newly discovered vulnerability in the Amazon Photos Android app shows that its access tokens can be leaked to separate apps. Access tokens are commonly used to authenticate a user to an app and grant access to it.

The vulnerability shows how third-party apps can, in theory, retrieve the access token from the app’s manifest file. The access tokens can then be used with other Amazon apps, including Amazon Drive, which can have access to files on the device. As such, it is theoretically possible for threat actors to gain access to a user’s files.

Why it matters: The discovered vulnerability matters because of the potential for threat actors to target the user. Amazon is one of the largest retailers and as such has access to private information about customers, including their location and email address. The largest concern with this vulnerability is the possibility of it being used to access the Amazon Drive app, which could have access to the target’s device. It is possible that threat actors could use the vulnerability to take over a user’s device, such as in the event of a ransomware attack. Although there is no evidence that such an attack has taken place so far, a fix has already been implemented by Amazon. Such a vulnerability is a reminder for users to update their apps frequently to ensure security patches are properly applied to protect information, devices, and users.

Proxy Server Bypassing MFA Phishing Campaign

Summary: A phishing campaign dating from September 2021 has been discovered attempting to bypass users’ MFA. Normally, MFA helps prevent attackers from accessing a target’s account by requiring two different forms of authentication. Upon successful access, threat actors then pivot to perform Business Email Compromise attacks on other targets.

This new phishing campaign places a proxy server between the target and the authentic website, which allows threat actors to steal session cookies. Session cookies allow users to stay connected to a website until the user leaves or the cookie expires. By validating with MFA, users are able to securely connect to a website. However, by stealing a user’s session cookie, an attacker can use the already authenticated session without having to submit MFA again.

Why it matters: Normally, MFA is used to secure the connection between the user and the apps. A strong authentication method is part of the strong security posture any company needs to ensure account security. Session cookies allow users to stay online with minimal interference, which increases usability. Unfortunately, because session cookies persist for a period of time, attackers are able to steal them and bypass the strong security defenses a company has put in place. This allows threat actors to access their targets’ sessions and perform unauthorized activities that are normally behind greater security controls.
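One defensive check that follows from the above: a stolen session cookie is still valid, so the only visible footprint is the same session id suddenly arriving from a second client. The detector below, an added example that is not part of the original newsletter, scans a constructed web-server log and flags any session id used from two different client IPs within a short window; the log format and sample lines are made up for this example.

```python
"""Flag session ids that are used from more than one client IP inside a short
window, the footprint of an attacker replaying a cookie stolen by a phishing
proxy. Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, session id, client IP, user agent.
# Session a1f9 is replayed from a second IP two minutes after the real user;
# session b7c2 changes IP hours later (e.g. a laptop moving networks).
SAMPLE_LOG = """\
2021-09-14T09:00:05Z sid=a1f9 ip=203.0.113.10 ua=Chrome/93
2021-09-14T09:01:10Z sid=a1f9 ip=203.0.113.10 ua=Chrome/93
2021-09-14T09:02:30Z sid=a1f9 ip=198.51.100.7 ua=Chrome/93
2021-09-14T09:05:00Z sid=b7c2 ip=192.0.2.55 ua=Safari/15
2021-09-14T13:30:00Z sid=b7c2 ip=192.0.2.56 ua=Safari/15
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, sid, ip, ua = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "sid": sid.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
        "ua": ua.split("=", 1)[1],
    }


def find_replayed_sessions(log_text, window_minutes=30):
    """Return {sid: [(earlier_ip, later_ip, seconds_apart), ...]} for every
    session id seen from two different client IPs within window_minutes."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(list)     # sid -> [(timestamp, ip), ...]
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        for prev_ts, prev_ip in seen[ev["sid"]]:
            if prev_ip != ev["ip"] and ev["ts"] - prev_ts <= window:
                gap = int((ev["ts"] - prev_ts).total_seconds())
                alerts[ev["sid"]].append((prev_ip, ev["ip"], gap))
                break            # one alert per offending event is enough
        seen[ev["sid"]].append((ev["ts"], ev["ip"]))
    return dict(alerts)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        for earlier_ip, later_ip, gap in hits:
            print(f"ALERT sid={sid}: {earlier_ip} then {later_ip} within {gap}s")
```

The window keeps ordinary IP changes (mobile users, laptops moving networks) from alerting; a binding of the session to the client, or a short cookie lifetime, is the mitigation this detection complements.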

Apple Lockdown Mode

Summary: Apple launched a new feature for iOS 16, iPad OS 16, and macOS Ventura named Lockdown Mode which offers enhanced protection of Apple devices. Lockdown mode was created to help people who are at risk of being personally targeted by threat actors. Of particular concern is the threat of spyware targeting these high-value individuals.

Apple’s Lockdown Mode minimizes the attack surface of the device by severely limiting the device’s features. Such limits include disabling media and link previews in messages and blocking wired connections on iPhones. Lockdown Mode is specifically designed to combat state-sponsored spyware and will continue to be developed to provide protection over time.

Why it matters: Phones are universal devices that users carry nearly all the time. Apple’s iPhones in particular hold the second largest market share of the smartphone industry. Due to the growing threat of cybercrime, the risk of spyware to millions of iPhone users is significant, particularly since the release of NSO Group’s Pegasus. Such spyware can allow access to information stored on the target user’s devices, including messages and photographs. The introduction of Lockdown Mode reduces the capabilities of spyware against Apple users and helps protect their privacy.

OrBit Malware Introduces a Backdoor to Linux

Summary: A newly discovered malware named OrBit is specifically designed for Linux operating systems. The malware can affect all processes on a machine and is designed to steal information from processes and store it in files on the host machine. The malware also creates a backdoor through an SSH shell and attempts to hide network activity.

By hiding the stolen information in specific files, OrBit makes its activity more difficult to spot. The SSH shell not only allows threat actors to download files but also gives them a direct connection to the victims’ computers. From there, the hidden files, along with the stolen credentials and other commands stored in them, can later be retrieved by the attacker.

Why it matters: Linux is a popular operating system for cloud services, and as cloud services and the transition to the cloud continue to grow, so will the number of vulnerable systems. Malware targeting the cloud therefore threatens not only the cloud’s infrastructure but also privacy and security. Normally, cloud services are managed by authorized administrators. If a cloud-based Linux system is compromised, the entire cloud service built on it may be compromised as well. The threat has a large impact because it allows an attacker to gain access to the administrator and the administrator’s privileges. Such an event risks not only the company’s information but the stored information of customers as well. It is more important than ever for cloud administrators to harden cloud access and to implement best practices to avoid accidental downloads of malware.

Windows 8.1 “End of Support”

Summary: Windows 8.1, the update to the Windows 8 operating system released on October 17, 2013, is now officially approaching its ‘end of support’ date. As of the Windows update released on 7/12/22, users logging into Windows 8.1 are shown a full-screen notification informing them of the end of support date, January 10, 2023. The notification may be dismissed with a ‘remind me later’ option that lets users set a custom date for the notification to reappear; however, Windows 8.1 Pro and Enterprise users will not see this option, as the notification is not displayed on Pro and Enterprise editions.

An end of support date, when referring to operating systems and software, is an announced date which indicates no future support or updates will be provided by the developers, in this case Microsoft.

Why it matters: The end of support date announced by Microsoft marks the date beyond which no further updates will be made to Windows 8.1. This means any bugs and/or vulnerabilities that exist in the operating system on that date will not be patched by Microsoft. For this reason, using an operating system beyond its ‘end of support’ date is strongly discouraged.

Security Tip of the Month

Summary: The first line of defense when securing any account, whether offline or online, is a password/passphrase; therefore, it is important to follow best practice guidelines when creating and managing passwords. The following guidelines provided by UC Santa Barbara provide the ideal basic requirements for creating a strong password.

  • Passwords should never be shared with anyone including IT departments and technical support staff.
  • Use MFA whenever possible.
  • Passwords should contain a minimum of eight characters; however, 16 characters is ideal.
  • Password complexity is important; therefore, passwords should contain both alphanumeric and special characters.
  • Passwords should never be reused.

The National Cybersecurity and Communications Integration Center (NCCIC) provides the following additional password creation guidelines:

  • Use unique passwords on different systems and accounts.
  • Do not use passwords based on personal information.
  • Use the maximum allowed number of characters when creating passwords.
  • Do not use any words that can be found in any dictionary.

Why it matters: A strong password is an integral component of securing an account. Using a weak password may allow an attacker to gain easy access to a targeted account. By increasing the length and complexity of a password, the chance of account compromise is greatly reduced. Similarly, if an account password is compromised, using a unique password for every account makes it less likely that attackers can gain access to other accounts belonging to the same user.

An example of poor password practice can be found in an article by Security magazine in which the top 20 most common passwords found on the dark web are listed. The following are the top five most common passwords:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345

None of the passwords found on the top 20 list follow the guidelines mentioned above.
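The guidelines above can be turned into a simple checker. The function below is an added example, not code from UC Santa Barbara, NCCIC or Security magazine; its dictionary, common-password and personal-information lists are constructed stand-ins, and a real deployment would load a full word list and a breached-password corpus.

```python
"""Check a candidate password against the guidelines listed above: 8 characters
minimum (16 ideal), letters plus digits plus a special character, not a
dictionary word, not a well-known password, and not based on personal
information. Word lists here are constructed stand-ins for this example."""
import string

# The top five from the Security magazine list quoted above.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "12345"}
# Constructed stand-in for a real dictionary (e.g. /usr/share/dict/words).
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "monkey"}


def check_password(pw, personal_info=()):
    """Return the list of guideline violations for pw; an empty list means the
    password satisfies every check. personal_info holds strings such as the
    user's name or birth year that must not appear in the password."""
    problems = []
    lower = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 16:
        problems.append("shorter than the ideal 16 characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        problems.append("needs both letters and digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    if lower in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    # Drop digits and symbols so 'Password1!' is still caught as 'password'.
    core = "".join(c for c in lower if c.isalpha())
    if core in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lower:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    for candidate in sorted(COMMON_PASSWORDS) + ["Password1!", "Tr0ub4dor&3-x9Qz!m"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```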