July 2020 Tech Round-Up

Just like last month, July 2020 was a pretty busy month in security and tech circles. Here are some of the biggest things to know as we head into August:

  • Email spam is on the rise.
  • There are lots of stolen credentials floating out there.
  • If you have a D-Link router, you need to secure it ASAP.
  • More WordPress vulnerabilities disclosed.
  • Macs aren’t safe from malware.
  • Google doesn’t have a budget Android phone any more.
  • And more…

Internet

Web Hosting Phishing

A new phishing campaign pretends to be from your web hosting company. This time, it’s offering to upgrade your website to secure DNS (DNSSEC).

The campaign targets customers of several different hosting companies, including HostGator, Linode, Microsoft Azure, Network Solutions, and others. Clicking a link in the email leads to a reasonably authentic-looking login page that asks for your hosting credentials. It should go without saying, but don’t enter them!

If you get an email like this, always visit your host by inputting their web address directly into your browser. NEVER click links in emails that you’re not expecting.

Netflix Phishing

Another recent phishing attack is masquerading as a “failed payment” notification from Netflix.

The emails appear to come from Netflix, and the attackers have done a good job of duplicating the Netflix login page. One unusual feature of this attack is a CAPTCHA challenge presented before the login form. That probably makes the email and the phony site feel more legitimate, and it has the side effect of keeping automated URL scanners from ever reaching the credential-harvesting page.

With the number of active Netflix users going up because of COVID-19, I can imagine some people might rush to enter account information before making sure an email like this is authentic.

If you get a questionable email like this (from Netflix or any other service), do not click any link in the email. Instead, visit the site directly in your browser.
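Both of the phishing campaigns above rely on the same trick: the link text (or the sender name) says one thing while the href points somewhere else. Here is an added example, not from the original post, of the check a mail filter or a cautious admin can run over an HTML email: pull every anchor out of the body and flag any whose href domain is not one you actually deal with, or whose visible text is a URL on a different host than the one it really links to. The sample message, the expected-host set, and the naive "last two labels" domain heuristic (which is wrong for suffixes such as co.uk) are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the hosting-provider phish described above.
# The first link's visible text is a real-looking HostGator URL; its href is not.
SAMPLE_EMAIL_HTML = """
<p>Your DNSSEC upgrade is ready. Log in to confirm.</p>
<p><a href="https://portal.hostgator.com.dnssec-upgrade.example/login">
   https://portal.hostgator.com/login</a></p>
<p><a href="https://portal.hostgator.com/login">Contact support</a></p>
"""

# Registered domains you actually hold accounts with (assumption for the example).
EXPECTED_HOSTS = {"hostgator.com", "linode.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registered_domain(host):
    # Naive heuristic: keep the last two labels. Fine for .com/.net,
    # wrong for multi-label public suffixes such as co.uk (assumption).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(email_html, expected_hosts=EXPECTED_HOSTS):
    """Return [(href, visible_text, [reasons])] for links worth refusing to click."""
    parser = _LinkExtractor()
    parser.feed(email_html)
    findings = []
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        reasons = []
        if registered_domain(href_host) not in expected_hosts:
            reasons.append("href domain not in expected set")
        # Visible text that itself looks like a URL must point at the same host.
        if "://" in text or text.startswith("www."):
            shown = text if "://" in text else "http://" + text
            text_host = urlsplit(shown).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                reasons.append("visible URL does not match href host")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}  ({'; '.join(why)})")
```

Only the first link is flagged: its href lands on dnssec-upgrade.example while the text claims portal.hostgator.com. The "Contact support" link is left alone because its href really is on hostgator.com. This is exactly why the advice is to type the provider's address yourself rather than trust what the email displays.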

15 Billion Compromised Accounts

That’s the number of username/password combinations circulating on hacker forums as a result of more than 100,000 data breaches. One charitable hacker group, ShinyHunters (which I mentioned back in May), has decided to leak the results of its breaches for free on hacker forums.

If you reuse passwords between websites, it’s past time to stop. Once one site is breached, the same username/password pair gets tried against every other popular service (credential stuffing), so it’s only a matter of time before one of your compromised accounts is discovered. Use a password manager, and spend a few hours setting long, unique passwords on all of your accounts.
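A practical way to act on this without handing your passwords to anyone is the k-anonymity lookup that Have I Been Pwned’s Pwned Passwords service offers: hash the password with SHA-1, send only the first five hex characters, and search the returned list of suffixes locally. The following is an added example, not code from the original post or from HIBP; the live fetch uses the public api.pwnedpasswords.com range endpoint, while the canned response (real SHA-1 suffix of "password", illustrative counts) is constructed so the demo runs offline.

```python
import hashlib
import urllib.request


def sha1_hex_upper(password):
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix). Only the 5-character prefix ever leaves your machine."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if it is not listed."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_password_breached(password, fetch_range):
    """Number of times the password appears in known breaches (0 = not found).
    fetch_range(prefix) -> response text, so the lookup can be live or canned."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-reuse-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: a canned response for the prefix of
# "password" (genuine SHA-1 suffix, made-up counts), empty for any other prefix.
_CANNED_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E8B8B77F3D8B0C3A2DD6B0D9FD8E6A9C55:1\n"
    ),
}


def fake_fetch_range(prefix):
    return _CANNED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-unique-2020"):
        print(f"{pw!r}: seen {is_password_breached(pw, fake_fetch_range)} times")
```

Swap fake_fetch_range for fetch_range_live to check real passwords; the server still only learns a 5-character prefix shared by hundreds of other hashes. Most password managers now run this same check for you, which is one more reason to use one.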

D-Link Router Vulnerabilities

Five severe vulnerabilities have been disclosed in three popular D-Link routers (DAP-1520, DAP-1522, DIR-816L).

These vulnerabilities are very bad. If remote administration is enabled, one of them lets an attacker on the internet bypass authentication on the router with a handful of lines of crafted input. Others can expose user names and hashed passwords, or execute code on the router itself (and from there attack other devices on the network).

The stopgap solution for now is to turn off remote (WAN-side) administration on your router. Generally speaking, you should never enable this function. An even better option is to turn off wireless administration altogether, so the admin interface is only reachable over a wired connection, which usually isn’t a big deal.

The good news: D-Link has released an update for the DAP-1520. The other two models (DAP-1522 and DIR-816L) are end-of-life and will receive no further updates. If you have one of these affected models, disable remote management immediately and replace your router as soon as possible.

Remember, routers are computers, and you must keep them updated in order to keep your network secure!

WordPress

The good news: only a few big WordPress vulnerabilities were announced this month. The bad news: the affected plugins have a pretty large combined install base, so the chances that they will be exploited are high.

If you want some help administering your WordPress site, contact me!

All-In-One SEO Pack

A stored XSS vulnerability in this plugin allows an authenticated user with contributor-level access or higher to inject malicious scripts into your site. The script would execute when the site owner later viewed the “All Posts” page in the admin dashboard.

This can result in a site takeover, so if you’re using this plugin, make sure you’re up-to-date!

All-In-One SEO has about 2 million installations, so this could be a very big issue if these site owners don’t promptly update their sites.

King Composer

This plugin also contained an XSS vulnerability that could allow the execution of malicious JavaScript on a victim’s site. From there, any number of bad things could happen, such as the silent creation of a malicious admin account.

This vulnerability was patched late in June, so if you use King Composer, make sure you’re running the most recent version.

King Composer is smaller than All-In-One SEO, but it still has around 100,000 active installations.
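Both of the plugin bugs above are the same class: a value a low-privilege user saved is later written into admin-page HTML without escaping, so whatever that user typed runs in the administrator’s browser (and an admin session can create admin users). Here is an added example, not code from either plugin, showing the vulnerable pattern beside the fix. The contributor-supplied values are constructed, and the Python html.escape call stands in for the WordPress helpers esc_html() and esc_attr() that a plugin would use in the text and attribute contexts respectively.

```python
import html

# Constructed contributor-supplied values, the kind of thing a low-privilege
# WordPress user can save on a post. Neither is taken from a real exploit.
CONTRIBUTOR_INPUT = {
    "title": '<script>fetch("/wp-admin/user-new.php")</script>Quarterly report',
    "description": '" onmouseover="alert(document.cookie)',
}


def render_row_vulnerable(post):
    """The bug class: raw stored values dropped into admin-page HTML.
    The title lands in a text node, the description in a quoted attribute."""
    return (
        '<tr><td>%s</td><td><input value="%s"></td></tr>'
        % (post["title"], post["description"])
    )


def render_row_fixed(post):
    """Escape for the output context. html.escape(quote=True) neutralises
    &, <, >, " and ', which covers both a text node and a double-quoted
    attribute (WordPress equivalents: esc_html() and esc_attr())."""
    return (
        '<tr><td>%s</td><td><input value="%s"></td></tr>'
        % (html.escape(post["title"], quote=True),
           html.escape(post["description"], quote=True))
    )


def contains_active_content(rendered):
    """Crude check, sufficient for this example: a raw <script> tag, or a
    quote that closes the attribute and starts an on* event handler."""
    lowered = rendered.lower()
    return "<script" in lowered or '" on' in lowered


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_row_vulnerable), ("fixed", render_row_fixed)):
        out = fn(CONTRIBUTOR_INPUT)
        print(f"{name}: active content = {contains_active_content(out)}")
        print("  " + out)
```

Note that escaping is context-specific: a value placed inside a JavaScript block or a URL needs different treatment again (WordPress has esc_js() and esc_url() for those), and the escaping belongs at output time, not at save time, so that the stored data stays usable elsewhere.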

wpDiscuz Vulnerability

The comment plugin wpDiscuz has a major vulnerability that could lead to a site takeover with a single file upload. Even worse, if you have multiple sites on the same hosting account, all of them could be compromised by a single attack.

The vulnerability lies in the plugin accepting uploads of non-image files (such as PHP scripts) through its file-upload feature. Once the script is on the server, the attacker simply requests it in a browser and it executes, giving remote code execution as the web server user.

Luckily the install base for wpDiscuz is (relatively) small, at around 70,000 active installs. If you’re using this plugin, update it now: the newest version of wpDiscuz (7.0.5) fixes this vulnerability.

Apple

Mac Malware

While Mac users are typically glad [read: smug] to point out the lack of viruses and ransomware as a benefit over Windows, a new strain of malware should make all Mac users a bit more cautious.

The malware, known as ThiefQuest, is an insidious combination of ransomware and spyware. Besides encrypting your files and locking you out of your computer, it can instead lie in the background stealing files, searching the system for passwords and cryptocurrency wallet data, and running a keylogger that captures everything you type.

The “good” news is that if you don’t run pirated software, you should be safe. It has only appeared in torrents of popular (and usually expensive) software. If you get your software from legitimate sources, you shouldn’t have much to worry about.

Apple and 2FA

Google embraced hardware two-factor authentication with its Advanced Protection Program almost three years ago.

Apple has finally improved support for hardware security keys on iOS and iPadOS devices. It’s not yet as good as hardware 2FA support on Android or on desktop browsers, but it is a step in the right direction.

If you don’t know what 2FA is, here’s a short blog I wrote about the topic a little while ago. It really is the “new minimum” in terms of security you should have for your important online accounts, although you don’t (yet) need to worry about hardware 2FA.

Android

RIP Pixel 3A

One of the best Google Pixel phones out there, the mid-tier Pixel 3a, was discontinued this month.

Its successor, the Pixel 4a, has likely been delayed, with no announcement of when it will actually be released. It was expected to be announced in May 2020 at Google I/O, but since that event was cancelled, Google hasn’t mentioned it. The delay is probably due to COVID-related supply issues, but the lack of any announcement is a bit strange.

The Pixel 3a will still receive software support until May of 2022.

Android 10 Updates

Speaking of software, a bit of good news regarding Android updates.

Android 10, the current version of Android, has set a new record for speed of adoption: after 10 months, 400 million devices are running it.

While that is a lot of devices, keep in mind that there are about 2.5 billion active Android devices out there, so it works out to roughly 16 percent, which is not that great.

Still, the lack of regular, timely updates is one of the biggest problems with the Android ecosystem as a whole, so it’s good to hear that Google (and device OEMs) are making improvements in this area.

Banking Trojan Targets Social Accounts

A banking trojan discovered in May of this year not only steals credentials from banking apps, it also targets a variety of social, communication, and dating apps.

The trojan, known as BlackRock, can also log text entered by the user, send SMS messages to every contact on the victim’s phone, block apps (such as antivirus apps), and report what it collects back to an attacker-controlled server.

As with many of these things, the best way to protect yourself is to only download and install apps from the Google Play Store.