CYBERSECURITY NEWS V. September – BrakTooth vulnerabilities, 500k Fortinet VPN accounts leak, JVC Kenwood hacked

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Apple Pay with Visa card allows paying with locked iPhones

Researchers have shown how to make fraudulent Apple Pay payments from a locked iPhone that has a Visa card set up for Express Transit. The attack works while the iPhone sits in a bag or pocket, and there is no limit on the number of transactions.

Under certain conditions an iPhone will approve almost any transaction. Normally the user has to unlock the phone with Face ID, Touch ID, or the passcode before a payment goes through. Because that is inconvenient at transit gates, Apple Pay offers the Express Transit feature, which lets selected transit transactions proceed without unlocking the device.

Express Transit is triggered by transit turnstiles and card readers that send a non-standard byte sequence which bypasses the Apple Pay lock screen. The researchers say that, combined with a Visa card, “this feature can be used to bypass the Apple Pay lock screen and make illegal payments from a locked iPhone, using any EMV reader, for any amount and without user authorization.”

The researchers reproduced the attack with a Proxmark. The method is an active replay-and-relay man-in-the-middle attack: the Proxmark, posing as a transit reader, replays the “special bytes” to the iPhone, which then behaves as if it were paying for a ticket and never asks the user to authenticate, while the resulting EMV transaction is relayed on to an ordinary payment terminal.

They also modified the Card Transaction Qualifiers (CTQ), the field the card returns to tell the terminal which cardholder verification has taken place and whether contactless limits apply; with the CTQ altered, the relayed transaction goes through without any PIN or on-device authentication. In the experiment the researchers charged £1,000 to a locked iPhone. The attack was demonstrated on an iPhone 7 and an iPhone 12.

The issue is unpatched at the time of writing, so Apple Pay users with a Visa card enrolled for Express Transit should take it into account; the attack depends on Express Transit being enabled for the Visa card, so removing the card from Express Transit closes the path. The full paper will be presented at the IEEE Symposium on Security and Privacy in 2022.
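To make the CTQ point concrete, here is an added example (my code, not the researchers' or the page's): a minimal BER-TLV walk over a constructed Visa GET PROCESSING OPTIONS response, a decoder for the CTQ flags that matter here, the in-flight rewrite a relay proxy performs on that field, and a simplified terminal-side decision that trusts it. The response bytes are constructed, not captured, and the bit meanings (byte 1 bit 8 = online PIN required, byte 1 bit 7 = signature required, byte 2 bit 8 = consumer-device CVM performed) are my reading of the Visa contactless specification and should be checked against it.

```python
"""Added example (not the page's or the researchers' code): parse a Visa
contactless GET PROCESSING OPTIONS response, decode the Card Transaction
Qualifiers (tag 9F6C), and show the in-flight rewrite a relay proxy performs.

Assumptions: the response bytes below are constructed, not captured, and the
CTQ bit meanings follow my reading of the Visa contactless spec."""

# Constructed format-2 GPO response: template 77 holding AIP (82), ATC (9F36),
# application cryptogram (9F26), cryptogram information data (9F27) and CTQ (9F6C).
SAMPLE_GPO_RESPONSE = bytes.fromhex(
    "77 1D "
    "82 02 00 00 "
    "9F 36 02 00 2A "
    "9F 26 08 01 02 03 04 05 06 07 08 "
    "9F 27 01 80 "
    "9F 6C 02 80 00 "
)

# (byte index, bit mask) -> meaning. Assumed Visa CTQ layout; verify against the spec.
CTQ_BITS = {
    (0, 0x80): "online PIN required",
    (0, 0x40): "signature required",
    (1, 0x80): "consumer device CVM performed",
}


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Flatten a BER-TLV blob into {tag_hex: value}, descending into constructed tags."""
    out: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag: continue while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                  # constructed: recurse into the template
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_ctq(ctq: bytes) -> set[str]:
    """Names of the CTQ flags that are set (only the flags relevant here)."""
    return {name for (idx, mask), name in CTQ_BITS.items() if ctq[idx] & mask}


def relay_rewrite_ctq(response: bytes, new_ctq: bytes = b"\x00\x80") -> bytes:
    """The relay's edit: swap the two CTQ bytes in flight so the terminal sees
    'no online PIN required' and 'consumer device CVM performed'. Nothing else
    in the response changes; the cryptogram is passed through untouched."""
    marker = b"\x9f\x6c\x02"
    pos = response.find(marker)
    if pos < 0:
        return response
    start = pos + len(marker)
    return response[:start] + new_ctq + response[start + 2:]


def terminal_cvm_decision(ctq: bytes, amount_minor: int, cvm_limit_minor: int) -> str:
    """Simplified terminal logic: the CVM choice is driven by a value the card
    asserts, which is exactly what the relay tampers with."""
    flags = decode_ctq(ctq)
    if "consumer device CVM performed" in flags:
        return "approve without CVM"
    if amount_minor > cvm_limit_minor or "online PIN required" in flags:
        return "online PIN"
    return "no CVM"


if __name__ == "__main__":
    original = parse_tlv(SAMPLE_GPO_RESPONSE)["9F6C"]
    tampered = parse_tlv(relay_rewrite_ctq(SAMPLE_GPO_RESPONSE))["9F6C"]
    for label, ctq in (("card says", original), ("terminal sees", tampered)):
        print(f"{label}: CTQ={ctq.hex()} flags={sorted(decode_ctq(ctq))} "
              f"-> {terminal_cvm_decision(ctq, 100_000, 10_000)}")  # £1,000 against a £100 limit
```

The point the example makes is structural: the cryptogram in tag 9F26 is left untouched by the rewrite, so whether an issuer can spot the tampering depends entirely on whether it binds the CTQ into the cryptogram it verifies, or on a terminal-side proximity check that the relay cannot satisfy.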

Conti ransomware stole 1.7 TB of data from JVC Kenwood

The Conti ransomware gang broke into servers of the Japanese electronics manufacturer JVCKenwood and stole 1.7 TB of data. The group is now demanding $7 million from the company for data recovery.

In a press release, JVCKenwood confirmed the incident without giving details: the attack on its servers took place on September 22 and "may have led to a data leak."

According to the ransom note, the attack was carried out by the Conti extortion group. As proof of the theft, the group provided a scan of a JVCKenwood employee's passport.

Hackers leak passwords of 500,000 Fortinet VPN accounts 

A list of nearly 500,000 Fortinet VPN usernames and passwords is being distributed on hacking forums. The credentials were allegedly scraped from vulnerable devices last summer. The attackers say the vulnerability they used has since been fixed, but many of the credentials are still valid.

The list was posted free of charge by Orange, the administrator of the recently launched hacking forum RAMP, spokesman for the new Groove ransomware operation and a former Babuk operator. The file contains credentials for 498,908 users on 12,856 devices.

To collect the data, the attackers used an old vulnerability, CVE-2018-13379, a path traversal in the FortiOS SSL VPN web portal. Fortinet patched it in 2019, but many devices still run unpatched firmware. The flaw lets a remote, unauthenticated attacker read system files via specially crafted HTTP requests, including the file that holds active VPN sessions with plaintext usernames and passwords, which is how credentials could be harvested in bulk. Administrators should upgrade and then reset every VPN user's password, because a patch alone does not invalidate credentials that were already stolen.
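The request class behind this leak is worth being able to spot in your own access logs. The following is an added example, not code from the page or from Fortinet: a small scanner that flags path-traversal attempts in combined-format HTTP logs, including the percent-encoded, double-encoded and backslash variants that slip past a naive "../" string match. The log lines are constructed for the example, with RFC 5737 documentation addresses, and the URL paths in them are illustrative rather than the real exploit path.

```python
"""Added example (not the page's or Fortinet's code): flag path-traversal
attempts in HTTP access logs, the request class behind CVE-2018-13379.
The log lines are constructed for the example, and the URL paths in them
are illustrative, not the real exploit path."""
import re
from urllib.parse import unquote

# Combined log format, reduced to the fields needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment: not glued to a preceding word character or dot
# (so "..intro" and "..." do not match) and followed by a separator or the end.
DOTDOT_SEGMENT = re.compile(r"(?<![\w.])\.\.(?=/|$|[&#?])")

# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Sep/2021:08:00:01 +0000] "GET /remote/login HTTP/1.1" 200 1034
198.51.100.10 - - [10/Sep/2021:08:00:04 +0000] "POST /remote/logincheck HTTP/1.1" 302 0
203.0.113.44 - - [10/Sep/2021:08:02:17 +0000] "GET /portal/lang?file=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.44 - - [10/Sep/2021:08:02:19 +0000] "GET /portal/lang?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 404 0
203.0.113.45 - - [10/Sep/2021:08:03:02 +0000] "GET /portal/lang?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 512
203.0.113.46 - - [10/Sep/2021:08:03:40 +0000] "GET /static/..\\..\\win.ini HTTP/1.1" 403 0
198.51.100.11 - - [10/Sep/2021:08:04:00 +0000] "GET /docs/..intro/index.html HTTP/1.1" 200 900
"""


def normalize_target(target: str) -> str:
    """Undo the encodings used to hide '../' from naive filters: percent-decode
    up to three times (double/triple encoding), map backslashes to slashes and
    collapse runs of slashes."""
    cur = target
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    cur = cur.replace("\\", "/")
    return re.sub(r"/{2,}", "/", cur)


def is_traversal(target: str) -> bool:
    """True if the request target contains a '..' segment in its path or query."""
    return DOTDOT_SEGMENT.search(normalize_target(target)) is not None


def scan_log(lines) -> list[tuple[str, str, str]]:
    """Return (client_ip, raw_target, status) for every request that looks like
    a traversal attempt. The status is kept deliberately: a 200 on such a
    request is the signal that the file was actually served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {status} {target}")
```

Run it over real logs by replacing SAMPLE_LOG.splitlines() with the file's lines; the decode loop is bounded to three passes so a pathological input cannot make it spin, and overlong UTF-8 encodings of "." are not covered here and would need a separate rule.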

BrakTooth vulnerabilities threaten billions of devices

A group of researchers has published details of 16 vulnerabilities, collectively called BrakTooth, in the Bluetooth Classic stacks of many popular SoCs used in laptops, smartphones, and industrial and IoT devices. Most of them let an attacker in radio range crash or freeze ("hang") the device; in the worst case an attacker can execute arbitrary code and take over the whole system. All BrakTooth attacks can be carried out with standard Bluetooth hardware costing no more than $15. Billions of devices are affected, although the impact depends on the particular SoC and Bluetooth software stack.

The most severe BrakTooth issue is CVE-2021-28139, which lets a remote attacker run malicious code on vulnerable devices via Bluetooth LMP (Link Manager Protocol) packets. It affects smart devices and industrial equipment built on Espressif Systems' ESP32 SoC.

The other BrakTooth bugs are less severe. Several of them can be exploited to crash the Bluetooth stack on smartphones and laptops by sending malformed LMP packets. Microsoft Surface laptops, Dell desktops and several Qualcomm-based smartphones are vulnerable to these attacks.

Representatives of the Bluetooth Special Interest Group, which maintains the Bluetooth standard, say they are aware of the BrakTooth issues but cannot compel manufacturers to release patches, so whether a given device gets fixed depends on its SoC vendor and OEM.

Emergency Chrome Update to fix 0-day vulnerability

Google has released an emergency Chrome update that fixes a zero-day vulnerability, CVE-2021-37973, which Google says is being exploited in the wild. It is the 11th Chrome zero-day this year. Chrome users should update to version 94.0.4606.61 or later on Windows, macOS and Linux; opening chrome://settings/help forces the update check and shows the installed version.
