WME Security Briefing 09 October 2024

WME Cybersecurity Briefings No. 029

Remote Control Vulnerabilities in Kia Vehicles

Overview

Famous cybersecurity researchers Neiko Rivera, Sam Curry, and others have identified a series of vulnerabilities in Kia vehicles. The flaws could be exploited to control crucial functions of their cars remotely. Cybercriminals can exploit car users using only the license plate. The identified issues are present in almost all Kia models produced after 2013. The found vulnerabilities seem extremely dangerous as they can result in unauthorized access to the requested party’s personal information to execute commands on their behalf.

Impact

The identified vulnerabilities could be abused by a malefactor to obtain control over the car’s core functionalities, such as unlocking the doors, starting the engine, and tracking the vehicle. The exploitation process involves the manipulation of the Kia dealership infrastructure through unauthorized HTTP requests and the subsequent propagation of the fake account and access tokens assigned to a specific vehicle.

As revealed by the findings, it is also possible to obtain access to the sensitive data, such as the name of the car’s owner, their phone number, email address, and physical address using the vehicle identification number and performing several HTTP requests.

The obtained data could be further employed by criminals to disguise themselves as the real owner of the vehicle. They can create the second “invisible” user for the automobile without the proprietor’s knowledge, so obtaining the absolute control over the asset. More so, the attack can be carried out in less than 30 seconds and it all can happen regardless of the fact if the car was subscribed to the Kia’s remote services or not.

Recommendation

Kia has addressed the vulnerabilities with the release of the patches as of August, 2024. Vehicle owners should make sure that their cars run the latest OS to avoid the chances of such exploitation.

That said, the users of Kia services should be vigilant about their accounts and ensure that only proper authorities can access their cars. Also, the KIA security teams should carry out regular audits of the service’s API endpoints and the authentication procedures in order to avoid having such vulnerabilities.

To conclude, it is recommended to have rate-limiting, secure token generation, and the validation of the user’s input on fraudulent access efforts.

New North Korean Malware Strains KLogEXE and FPSpy Observed in Targeted Attacks

Overview

According to recent reports, two new pieces of malware, KLogEXE and FPSpy, have been actively deployed by North Korean threat actors in targeted attacks. These actions have been attributed to the Kimsuky group, also referred to as APT43. This malicious actor has been active since 2012, with highly developed skills in spear-phishing. Overall, the identified changes demonstrate the evolution of the group’s tools compromising organizations in South Korea and Japan.

Impact

KLogEXE and FPSpy are tools created to increase the potential of Kimsuky’s operations in collecting and exfiltrating information.

KLogEXE is a C++ implementation of the previously known keylogger based on PowerShell, InfoKey. It allows the threat actors on a compromised machine to track keystrokes, capture data about the active application, and log mouse activities.

FPSpy is a more advanced threat, which includes far more functionalities than a simple keylogger. The malware may collect a wide range of information about the system, download and execute other payloads sent by the operators, execute almost any commands, and explore other drives, folders, and files on the infected device. Overall, the malicious tools provide the attackers with significant space for manoeuvre.

That said, such activities have been targeting organizations in South Korea and Japan. Moreover, the source code of both threats has a number of similarities.

Recommendation

The malware is target-specific, so organizations similar to these targets should try to update all security measures. IT specialists should make sure that all types of security software, including antivirus and antimalware tools, are perfectly operational and capable of detecting the threat.

Beware that Kimsuky bases its strategy on spear-phishing, so employees should be trained to follow safe Internet navigation and email using practices. Furthermore, all advanced email security solutions should be deployed.

Also, it is crucial to use network monitoring tools to capture any unusual types of activity. Also, strengthen access controls using techniques like MFA, etc.

Ongoing Watering Hole Attack Targets Kurdish Websites with Malicious APKs and Spyware

Overview

A watering hole attack against Kurdish minority websites has been detected. The campaign, SilentSelfie, began in December 2022 and has so far compromised around 25 Kurdish-affiliated sites. This compromise of websites is being used as a platform to distribute malicious Android applications and spyware.

The dropped APKs track the victims’ GPS location, call information, SMS, camera, and more, with some including more advanced features. The targeted websites included various Kurdish press and media outlets, Rojava administration, its armed forces, and political organizations in Turkey and the Kurdish regions.

Impact

The SilentSelfie campaign is quite threatening to the victims’ security and privacy. This attack involves injecting malicious JavaScript into compromised websites in an attempt to extract sensitive information i.e. user’s location, device information, and public IP. The agents use data to create visitor profiles and then cause particular users to download specific APKs. Once the APK is installed on the victim’s device, it can access information about the phone or tablet’s systems, contact list, location, and files in the external storage.

The apps do not have a persistent mechanism, meaning they only operate when opened. However, the APK is designed to forward the victim’s location to a remote server and await further orders, which is highly dangerous for users involved.

Previous campaigns have used similar attacks against Kurdish websites and particular persons, with similar operations being carried out by groups like StrongPity and BladeHawk.

Recommendation

WME warns administrators and users who frequently visit Kurdish sites to be cautious.

  • Do not download APKs of dubious origin and use only reliable platforms like the Google Play Store.
  • Install reliable and proven antivirus software on your devices that can detect and remove the threat.
  • Admins should monitor network traffic. Especially pay attention to frequent POST requests to unknown URLs.

India-Linked Hackers Targeting South and East Asian Organizations

Overview

There have been malicious cyber activities from a sophisticated threat group, SloppyLemming. They seem to have connections with India. This group is reportedly using multiple cloud to carry out credential harvesting. They are also deploying malware and carrying out command-and-control (C2) operations. The group’s activities have been identified across a variety of sectors in South and East Asian regions.

Impact

SloppyLemming has been active since July 2021. They targeted entities in Pakistan, Sri Lanka, Bangladesh, China, Nepal, Indonesia, including other countries. Their attack vectors involve spear-phishing campaigns, typically deceiving victims under the pretext of urgency of doing some actions. The malicious URLs lead to credential harvesting sites. Ultimately, they allow undetected unauthorized access to organizational emails.

They have employed custom tools like CloudPhish to execute data exfiltration. That said, they have utilized malware strains like Ares RAT and WarHawk, linked to threat actors like SideWinder and SideCopy.

In some instances, SloppyLemming exploits WinRAR vulnerabilities (CVE-2023-38831) using booby-trapped archives. Their targets span across fields like govt, law enforcement, energy, telecommunications, etc.

Recommendations:

WME advises the affected organizations to review their security infrastructure and apply necessary measures. The enterprises should safeguard their email system by using the security features like MFA and modern threat detection for spear-phishing attacks.

They should monitor suspicious activities in the cloud and ensure all the software used by the potential victims, notably WinRAR, which processes archives, are updated. This is particularly crucial to prevent from the known threat:  CVE-2023-38831.

Chinese State-Sponsored Cyber Espionage Targeting U.S. Internet Providers

Overview

Some U.S. internet service providers have come under a series of attacks orchestrated by Beijing to execute a highly-sophisticated cyber espionage campaign. A known nation-state hacking group, Salt Typhoon, also identified as FamousSparrow and GhostEmperor, conducted these attacks to collect valuable data and remain persistently embedded in the crucial networks due to their high criticality.

They have performed multiple high-profile cyber intrusions across the Southeast Asia region and other parts of the world. Also, Salt Typhoon has been specifically linked to unauthorized access of Cisco Systems routers, a significant component of the internet’s heart. So, exploiting this leverage can help them facilitate large-scale data breaches and potential disruptions.

Impact

The primary objective of these cyber incursions is to infiltrate and maintain long-term access to target networks. By compromising core network equipment, Salt Typhoon can intercept and manipulate internet traffic, exfiltrate sensitive information, or potentially disable critical services.

The campaign’s impacts are far-reaching, with victims spanning across multiple regions. Notable previous targets include high-profile organizations in Malaysia, Thailand, Vietnam, and Indonesia, as well as in Egypt, Ethiopia, and Afghanistan. The attack methodology typically involves deploying a range of advanced tools and rootkits like Demodex to ensure evasion and persistence within the network.

The influence of the campaign is extensive. The campaign has affected countries like Malaysia, Thailand, Vietnam, etc. where high-profile organizations were in danger. In Egypt, Ethiopia, and Afghanistan, smaller organizations were targeted. The attack technique is still the same, deploying a variety of advanced tools and rootkits i.e. Demodex, etc.

Recommendation

Organizations, especially ISPs and those running critical infrastructure should act immediately to protect their networks. That said, get a comprehensive security audit. This should include all possible security measures. Specific attention has to be paid to network routers and those critical infrastructure components which can be hacked by the means described above. That said, upgrade network systems and make sure that all systems, specifically those susceptible to salt typhoon attacks, are patched.

Share:

Facebook
Twitter
LinkedIn
Picture of Matt Tinney

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.

Contact Us

=
On Key

More Posts

Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=