Take a look at this week's Cyber Weekly Digest to find out about some of the biggest cyber security stories of the week, including a Toyota data leak and a new NPM timing attack. Keep reading to stay up to date on the latest cyber security news.
Threat actors have stolen over $550 million worth of Binance Coins (BNB) from the Binance Bridge. There are very few details at this point in time, but the attack appears to have started at 7pm GMT on Thursday 6 October, with the attacker's wallet receiving two transactions of 1,000,000 BNB each. Soon after, the attacker spread the funds across a variety of liquidity pools, attempting to swap the BNB into other assets. "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB," Binance CEO Changpeng Zhao tweeted. Rumors suggest that the funds were not taken from other users' balances but rather generated out of nothing through the BSC Token Hub exploit. That does not make the incident harmless: if the attacker dumps the newly created BNB onto the market, the value of every other holder's BNB could plummet.
An underground dark web carding market named "BidenCash" has released a massive dump of 1,221,551 credit cards to promote its marketplace, allowing anyone to download them for free and use them for financial fraud. Carding is the trafficking and use of credit cards stolen through point-of-sale malware, Magecart attacks on websites, or information-stealing malware. BidenCash, one of the biggest card trafficking marketplaces, launched in June 2022 by leaking a few thousand credit cards as a promotional move. Now the market's operators have decided to promote the site with a much larger dump, in the same fashion as the competing platform "All World Cards" did in August 2021. However, the value of the dump is questionable: at least 30% appears to be recycled from earlier leaks, another 30% is already blocked by bank fraud monitors, and the remaining 30% appears to be fresh, meaning roughly 350,000 cards may still be usable.
Toyota Motor Corporation is warning that its customers' personal information may have been exposed after an access key sat publicly available on GitHub for almost five years. The key leaked with the source code of the T-Connect car connectivity mobile app, part of which was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and customer management numbers. On September 17, 2022, the data server's keys were changed, revoking any access that unauthorized third parties might have obtained with the leaked key. Rotating the key closes the door going forward; whether anyone walked through it during the five-year window can only be established from the server's access logs, and Toyota has said it cannot rule out such access. Toyota blamed a development subcontractor for the error but recognised its own responsibility for the mishandling of customer data and apologized for any inconvenience caused. Hard-coded credentials in app source are a common weakness: a recent analysis found over 2,000 Android and iOS apps containing hard-coded AWS credentials.
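The mistake above is caught cheaply before code is pushed by scanning for credential-shaped strings. The following is an added example written for this digest, not code from Toyota or its subcontractor: a small secret scanner that combines a fixed-format match for AWS access key IDs with entropy-gated heuristics for "secret-looking" assignments. The Kotlin-style sample it scans is constructed for the example, and the key values in it are AWS's documented example credentials, not live ones.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential shapes commonly committed by accident. The AWS access key ID
# format (AKIA/ASIA + 16 upper-case alphanumerics) is fixed; the other two
# patterns are heuristics for "secret-looking" assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return credential-looking strings found in `text`, one Finding per hit."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                # Only the generic pattern needs an entropy gate: placeholders
                # such as "changeme" are assignments too, but not secrets.
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                if (line_no, value) in seen:
                    continue  # same literal already reported by a more specific pattern
                seen.add((line_no, value))
                findings.append(Finding(line_no, kind, value))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a source file on disk; intended for a pre-commit hook or CI step."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed Kotlin-style snippet illustrating the mistake described above.
# The key values are AWS's documented example credentials, not live ones.
SAMPLE_SOURCE = """\
// Constructed example: credentials committed alongside app source
object DataServerConfig {
    const val ENDPOINT = "https://data.example.invalid/"
    const val AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
    const val AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    const val DEBUG_PASSWORD = "changeme"
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} -> {f.value[:6]}...")
```

Run against the sample, the scanner reports the access key ID on line 4 and the secret on line 5 while ignoring the low-entropy `DEBUG_PASSWORD` placeholder. Established tools such as gitleaks or trufflehog do the same job with far larger pattern sets; the point of the example is that a check this simple, wired into a pre-commit hook or CI, would have stopped the key from ever reaching a public repository.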
A new unofficial WhatsApp Android application named "YoWhatsApp" has been found stealing the access keys for users' accounts. YoWhatsApp is a fully working messenger app that requests the same permissions as the official WhatsApp and is promoted through advertisements inside popular Android applications like Snaptube and Vidmate. The app draws in users by offering features the regular WhatsApp lacks, such as the ability to customise the interface or block specific chats. However, it has been uncovered that YoWhatsApp snatches WhatsApp keys, enabling the threat actors to take control of users' accounts. The security analysts who investigated the Triada Trojan hiding inside modified WhatsApp builds last year have linked that trojan to YoWhatsApp. The modded app sends the user's WhatsApp keys to the malware developer's server. Although not all unofficial WhatsApp mods are malicious, avoiding them altogether is the wise choice if you want to minimise the chances of installing malware on your device.
Security researchers have discovered an NPM timing attack that reveals the names of private packages, so threat actors can publish malicious clones under those names on the public registry and trick developers, or their build tooling, into pulling the clones instead. The attack relies on a small difference in how long the registry takes to return a "404 Not Found" error for a private package compared to a package that does not exist at all. While the difference is only a few hundred milliseconds, measured over repeated requests it is enough to determine whether a private package exists, which is all an attacker needs for a package impersonation (dependency confusion) attack. The researchers showed that an attacker can either run a "blind" dictionary attack or look for naming patterns in the targeted organization's public packages to derive likely private package names, then confirm each guess by timing. GitHub has stated that it will not fix the issue because of architectural limitations. Until that changes, the practical defence sits on the consuming side: use scoped package names (@org/name), pin that scope to your private registry in .npmrc, and register placeholder packages under your private names on the public registry so nobody else can.
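To see why a few hundred milliseconds of difference is enough despite network jitter, here is an added example (written for this digest, not the researchers' own tooling) of how such a timing oracle is measured: candidate names are derived from an organization's public naming pattern, each is queried repeatedly, and its median response time is compared against a baseline of names that certainly do not exist, using the median absolute deviation as the noise yardstick. The registry is replaced by a constructed simulation so the example runs offline; the `acme-*` package names are invented.

```python
import random
import statistics
from typing import Callable, Iterable

# A "timing source": seconds elapsed fetching https://registry/<name>.
# In real use this wraps an HTTP GET with time.perf_counter(); here it is
# replaced by a simulation so the example runs offline.
LatencyFn = Callable[[str], float]


class SimulatedRegistry:
    """Constructed stand-in for the npm registry. Both a private package and a
    nonexistent one answer 404, but (as the article reports) the private lookup
    takes a few hundred milliseconds longer. Jitter models network noise."""

    def __init__(self, private_names: set[str], seed: int = 0,
                 base: float = 0.20, extra: float = 0.30, jitter: float = 0.08):
        self.private_names = private_names
        self.rng = random.Random(seed)
        self.base, self.extra, self.jitter = base, extra, jitter

    def latency(self, name: str) -> float:
        t = self.base + (self.extra if name in self.private_names else 0.0)
        return t + self.rng.uniform(-self.jitter, self.jitter)


def sample_timings(latency: LatencyFn, name: str, samples: int) -> list[float]:
    """Query the same name repeatedly; a single request is too noisy to trust."""
    return [latency(name) for _ in range(samples)]


def baseline_timings(latency: LatencyFn, samples: int, seed: int = 0) -> list[float]:
    """Pooled timings for random names that certainly do not exist, which
    calibrates what a plain 404 costs on this network right now."""
    rng = random.Random(seed)
    pooled: list[float] = []
    for _ in range(5):
        bogus = "zz-" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        pooled += sample_timings(latency, bogus, samples)
    return pooled


def mad(values: Iterable[float]) -> float:
    """Median absolute deviation: a robust spread estimate unaffected by outliers."""
    vals = list(values)
    med = statistics.median(vals)
    return statistics.median(abs(v - med) for v in vals)


def probably_private(candidate: list[float], baseline: list[float], k: float = 4.0) -> bool:
    """Flag the name when its median response time sits more than k baseline-MADs
    above the baseline median. Medians, not means, so one slow packet cannot
    produce a false positive."""
    gap = statistics.median(candidate) - statistics.median(baseline)
    return gap > k * max(mad(baseline), 1e-4)


def guess_names(public_names: Iterable[str], words: Iterable[str]) -> list[str]:
    """Derive candidate private names from an organization's public naming
    pattern: each public name's prefix (everything before the last dash)
    combined with a wordlist of plausible internal package names."""
    prefixes = {n.rsplit("-", 1)[0] + "-" for n in public_names if "-" in n}
    return sorted(p + w for p in prefixes for w in words)


def find_private(latency: LatencyFn, candidates: Iterable[str], samples: int = 20) -> list[str]:
    base = baseline_timings(latency, samples)
    return [c for c in candidates
            if probably_private(sample_timings(latency, c, samples), base)]


if __name__ == "__main__":
    registry = SimulatedRegistry({"acme-billing-core"}, seed=7)  # the hidden private package
    candidates = guess_names(["acme-ui", "acme-auth-client"], ["billing-core", "payments"])
    print("candidates:", candidates)
    print("likely private:", find_private(registry.latency, candidates))
```

With 20 samples per name the simulated 300 ms gap stands well clear of ±80 ms of jitter, which is the whole reason the attack works in practice. The same harness is useful on the defending side: point `latency` at your own registry proxy and confirm that a private name and an unknown name are indistinguishable by timing, or that requests for unscoped names never leave your network at all.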