SS7 vulnerability allows attackers to drain bank accounts
News roundup: Attackers exploit SS7 vulnerability and drain bank accounts. Plus, Trump signs government IT executive order, an Intel AMT flaw threatens millions and more.
A longtime vulnerability in Signaling System 7, the international telecommunications standard used by cellphone providers, helped attackers breach the accounts of bank customers in Germany.
Over the last few months, attackers used a security flaw in Signaling System 7, or SS7, to intercept two-factor authentication codes sent to online banking customers trying to transfer money. The German newspaper Süddeutsche Zeitung reported that the attackers first compromised the bank accounts of customers using traditional bank fraud Trojans to steal passwords and log into the accounts. They then used the SS7 vulnerability to redirect the text messages containing one-time passwords to the attackers' devices instead of to the customers' phones. With the mobile transaction authentication numbers (mTANs) from those messages, the attackers transferred money out of the targeted accounts.
A representative from O2 Telefonica, an affected telecom in Germany, confirmed the attacks to Süddeutsche Zeitung, stating that "criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."
This SS7 vulnerability is not new; it was first discovered by German researchers in 2014 and reported by The Washington Post.
The discovery of this abuse of the SS7 vulnerability follows an open letter two U.S. congressmen wrote to U.S. Homeland Security Secretary John Kelly asking both for an update on the progress in dealing with SS7 security flaws and why the agency isn't doing more about it.
One of the authors behind the letter, Rep. Ted Lieu (D-Calif.), has firsthand experience with the SS7 vulnerability. With Lieu's permission, security researchers were able to essentially stalk the congressman using only his cellphone number and an SS7 network. The researchers were able to record his phone calls and monitor his exact location in real time. The exploit of Lieu's cellphone was featured on the television show 60 Minutes, and following its airing in April 2016, the FCC opened an investigation into the SS7 vulnerability. A report from the FCC was expected in March 2016, but has yet to appear.
In response to the draining of bank accounts using the same SS7 vulnerability, Lieu issued a statement calling for congressional action on the matter.
"Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said. "Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cellphone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue."
In other news
- A critical security vulnerability was found in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 through 11.6. According to an Intel advisory, the vulnerability can "allow an unprivileged attacker to gain control of the manageability features provided by these products." Maksim Malyutin, a researcher at embedded security company Embedi, was the first to discover the vulnerability, and though Embedi has yet to publish details of the vulnerability at the request of Intel, it did clarify that, "with 100% certainty," it is a logical vulnerability and not a remote code execution flaw. The vulnerability could be exploited in two different ways, according to Intel. Either "an unprivileged network attacker could gain system privileges to provision Intel manageability SKUs" or "an unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs." The vulnerability doesn't affect Intel consumer PCs, but there could still be millions of affected enterprise systems. Unfortunately, Embedi said the only way to fix the flaw is through firmware updates, which could take a long time to roll out.
- On May 1, President Donald Trump signed an executive order creating the American Technology Council to "transform and modernize" the federal government's information technology and "how it uses and delivers digital services." The function of the American Technology Council will be to advise the president on matters related to the federal government's use of IT and to "coordinate the vision, strategy, and direction for the federal government's use of information technology and the delivery of services through information technology." The American Technology Council will be chaired by the president and involve nearly 20 other agency officials such as the Secretary of Homeland Security and the Director of the Office of Management and Budget. President Trump had previously promised to issue an executive order on cybersecurity not just for government but for organizations and businesses dealing with cyberattacks as well. While a draft copy of that executive order leaked in February, a full version has yet to be signed or released.
- Shodan, a search engine for internet-connected devices, partnered with threat intelligence company Recorded Future to create a new tool called Malware Hunter, which is a specialized scanner that searches for control panels for different remote access Trojan (RAT) programs like Gh0st RAT. According to Shodan, "it does this by pretending to be an infected client that's reporting back to a [C&C]. Since we don't know where the [C&Cs] are located the crawler effectively reports back to every IP on the Internet as if the target IP is a [C&C]. If the crawler gets a positive response from the IP then we know that it's a [C&C]." Malware Hunter has reportedly identified over 5,700 RAT servers so far.