by Richard Beck

Our cyber security round-up of the week:

Weaponising the Covid-19 pandemic: WHO, CDC, Gates Foundation... all hacked!

It couldn't come at a worse time, but the US Centers for Disease Control and Prevention (CDC), Gates Foundation, US National Institutes of Health (NIH), World Health Organisation (WHO), and the World Bank have been hacked, and close to 25,000 email addresses and passwords were leaked online. The SITE Intelligence Group, which monitors online extremism and terrorist organisations, said that the email logins were shared – and within 24 hours they were being used in hacking and harassment attempts by "far-right extremists".

The distribution of these alleged email credentials was just another part of a months-long initiative across the far right to weaponise the Covid-19 pandemic. The posts started on 4chan, but then were quickly moved to Pastebin, then to Twitter, and finally to "far-right extremist channels" on Telegram. 

The report from SITE states that NIH was the worst affected with 9,938 leaked email addresses and passwords, followed by the CDC at 6,857. The World Bank had 5,120, and WHO had 2,732 employee email credentials that were leaked. SITE also found that the data dump carries email addresses and passwords of a virology centre in Wuhan, which has been at the centre of many conspiracy theories related to the ongoing pandemic.

Unbelievably, 48 people who work for the World Health Organisation (WHO) have "password" as their password!

Separately, the NCSC has launched the pioneering Suspicious Email Reporting Service, which will make it easy for people to forward suspicious emails to the NCSC – including those claiming to offer services related to coronavirus.

Serious security flaw in Apple iOS

Apple acknowledges claims made by a security firm that iOS suffers from a serious flaw that can allow bad actors to steal users’ files and data. Earlier this week, reports broke that the iOS Mail app contained a zero-day flaw, one that had been around for eight years and actively exploited for at least two years.

The claims came from ZecOps, a San Francisco-based security firm that said it had found evidence of hackers targeting high-profile individuals leveraging the bug to spy on them. These high-profile targets allegedly included executives from a Fortune 500 organisation in North America, an executive from a Japanese telecoms company, a Germany-based VIP, several figures in Saudi Arabia and Israel, an executive from a Swiss enterprise, and a journalist in Europe. Apple's response:

04/25 Update: "Apple has now gone a step further in talking about this security breach and it has met a controversial response. In an official statement, the company played down ZecOps' findings, saying:

'Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.'"

Apple has reportedly included fixes for the controversial bugs in its upcoming iOS 13.4.5 update, a beta copy of which is currently in the hands of enrolled Apple developers worldwide. Despite Apple downplaying the dangers of ZecOps' findings, installing the update is highly recommended as soon as it becomes available. A confirmed vulnerability will eventually get weaponised by hackers if left unpatched for too long, especially on iOS where critical bugs are scarce.

ZecOps states that there are two ways to stay safe: disable the Mail app (Apple publishes a guide on how to do this) and use a third-party mail app instead. Notably, it found that both Outlook and Gmail are not vulnerable to the exploit.

Nintendo confirms 160,000 accounts accessed in huge privacy breach 

Nintendo announced that its account system has suffered a privacy breach affecting up to 160,000 people. In its statement, Nintendo says that, at present, there is no evidence to suggest Nintendo's own databases, servers or services have been accessed. This suggests the log-in data used to access accounts was obtained elsewhere – a tactic known as credential stuffing.

To protect accounts going forward, Nintendo will not give further details of how the attack took place. In a statement on its Japanese support site, Nintendo confirmed the issue was related to the company's own Nintendo Network ID (NNID) log-in system – one of several methods used to log into a Nintendo account. NNID usernames and passwords were obtained illegally outside Nintendo's service, the company said, and then used to access accounts and make purchases. Some people whose accounts had been accessed saw charges via linked payment methods for up to £100 worth of digital items – most commonly, Fortnite's V-Bucks currency.

Nintendo strongly encourages users to enable two-step verification for their Nintendo Account.

24 million adware attacks found on Windows 

Research by Avast reveals the growing scale of adware. According to the report, around 72% of malware on Android was adware. Another report, by Malwarebytes, gives some shocking numbers: 24 million Windows adware detections and 30 million on Macs.

Nowadays, with good search engines and added internet security, we hardly consider adware as a severe threat. But the numbers show that adware is still very much present and thriving. "Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser."

Adware campaigns can have malicious intent, and Covid-19 themes are being used to further them. Kaspersky released a report identifying more than 120,000 malware and adware samples impersonating meeting software such as Zoom. The most prevalent were DealPly and DownloadSponsor. These adware families have evolved considerably from their earlier versions: they now display advertisements and also install and download other adware. In some cases, the adware DealPly and ManageX can be installed automatically alongside the legitimate installer and other potentially unwanted applications (PUAs).

In March, Google banned 56 malicious applications, but by then they already had around a million downloads. It is easy for such apps to pose as legitimate while carrying adware with them. Adware is often ignored in the shadow of more severe security threats, and even though it is less harmful, it is far more ubiquitous. Security teams must be cautious of adware and take preventive steps.

Hackers are exploiting a Sophos Firewall zero-day 

Cyber-security firm Sophos said it first learned of the zero-day late on Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface." After investigating the report, Sophos determined this was an active attack and not an error in its product. "The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said in a security advisory today. 

Hackers targeted Sophos XG Firewall devices that had their administration interface (HTTPS service) or the User Portal control panel exposed on the internet. Sophos said the hackers used the SQL injection vulnerability to download a payload onto the device. This payload then stole files from the XG Firewall. Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and for user accounts used for remote access to the device. For companies that had devices hacked, Sophos is recommending a series of steps, which include password resets and device reboots:

  • Reset portal administrator and device administrator accounts; 
  • Reboot the XG device(s);
  • Reset passwords for all local user accounts.

Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused. Sophos also recommends that companies disable the firewall's administration interfaces on the internet-facing ports if they don't need the feature.

Crypto-mining botnet “VictoryGate” is back!

Cybersecurity researchers from ESET on Thursday said they took down a portion of a malware botnet comprising at least 35,000 compromised Windows systems that attackers were secretly using to mine Monero cryptocurrency.  "The main activity of the botnet is mining Monero cryptocurrency," ESET said. "The victims include organisations in both public and private sectors, including financial institutions."

ESET said it worked with dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers and that it set up fake domains (aka sinkholes) to monitor the botnet's activity. The sinkhole data shows between 2,000 and 3,500 infected computers connected to the C2 servers on a daily basis during February and March this year. Infected devices receive from the C2 server a secondary payload that injects arbitrary code into legitimate Windows processes, for example introducing the XMRig mining software into the ucsvc.exe process (the Boot File Servicing Utility), thus facilitating Monero mining.

"From the data collected during our sinkholing activities, we can determine that there are, on average, 2,000 devices mining throughout the day," the researchers said. "If we estimate an average hash rate of 150 H/s, we could say that the authors of this campaign have collected at least 80 Monero (approximately $6,000) from this botnet alone."

One of the interesting characteristics of VictoryGate is that it shows a greater effort to avoid detection. And, given that the botmaster can at any time update the functionality of the payloads downloaded and executed on the infected devices, from crypto mining to any other malicious activity, this poses a considerable risk.

Edited and compiled by QA's Director of Cyber, Richard Beck.
