Cyber Pulse: Edition 112

Our cyber security round-up of the week:

University supercomputers prioritising Covid research... hacked

Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions. Security incidents have been reported in the UK, Germany and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.

The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organisation reported that "security exploitation on the ARCHER login nodes", and they shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.

None of the organisations published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organisation that coordinates research on supercomputers across Europe, has released malware samples and network compromise indicators from some of these incidents. The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland. 

Researchers have reported that while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor. According to Doman's analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.

Making matters worse, many of the organisations that had supercomputers go down this week had announced in previous weeks that they were prioritising research on the Covid-19 outbreak, which has now most likely been hampered as a result of the intrusion and subsequent downtime. 

Hackers preparing to launch ransomware attacks against hospitals arrested in Romania 

Hackers were planning to use Covid-19-themed emails to infect Romanian hospitals with ransomware and disrupt operations. Romanian law enforcement has cracked down – three hackers were arrested and had their homes searched in Romania, and a fourth in the Republic of Moldova.

Romanian authorities said the four were members of a hacking group that went online as PentaGuard. Romania's Directorate for Investigating Organised Crime and Terrorism (DIICOT) said the group's members owned malware such as remote access trojans and ransomware, tools to perform website defacements, and tools to exploit SQL injection vulnerabilities to breach web servers and steal data.

It’s reported that the group was preparing attacks against Romanian hospitals, where they were planning to deploy ransomware via emails with COVID-19 lures to hospitals to infect computers, encrypt files, and disrupt hospital activity. Romanian media reported, citing DIICOT sources, that the hackers were preparing the attacks as a form of protest against the country's Covid-19 quarantine measures.

According to threat intelligence researchers the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania. 

Open-sourcing new Covid-19 threat intelligence 

A global threat requires a global response. While the world faces the common threat of Covid-19, defenders are working overtime to protect users all over the globe from cybercriminals using Covid-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, security products provide built-in protections against these and other threats with detailed guidance to help organisations combat current threats (Responding to COVID-19 together). Microsoft threat experts are sharing examples of malicious lures and have enabled guided hunting of Covid-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications and email, which provides visibility into a broad range of Covid-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.

The indicators are now available in two ways: in the Azure Sentinel GitHub, and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed. 

Top 10 routinely exploited vulnerabilities

According to a new report that covers the Top 10 Routinely Exploited Vulnerabiliti​es, the abrupt shift to work from home that came in March led to rapid, sometimes hasty, deployment of cloud collaboration services. The resulting oversights in security configurations have left some organisations vulnerable to attack. That’s just one of the vulnerabilities that US agencies are seeing being exploited this year by what they say are sophisticated foreign cyber actors.

The top 10 vulnerabilities are: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

The most commonly exploited vulnerabilities were located in Microsoft’s Object Linking and Embedding (OLE) technology, and the three flaws most favoured by Chinese, Iranian, North Korean, and Russian state-sponsored threat actors all involved OLE.  The agency also notes that Chinese-government-linked groups in 2019 often made use of CVE-2012-0158, a Windows vulnerability disclosed in 2012 that the US government warned in 2015 was the top flaw exploited by Chinese threat actors.

CISA concludes:  "This trend suggests that organisations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective." The lists of associated malware corresponding to each CVE isn’t exhaustive. Rather, it’s intended to identify a malware family commonly associated with exploiting the CVE. You can also access the list as a PDF.

Edison Mail security issue

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers’ accounts. Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. According to a reader, after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn’t have to enter any credentials to see the emails.

The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app. “Ten hours ago a software update was rolled out to a small percentage of our user base. Some of these users who received the update are experiencing a flaw in the app impacting email accounts that was brought to our attention this morning,” the company said. “We have quickly rolled back the update. We are contacting the impacted Edison Mail users (limited to a subset of those users who have updated and opened the app in the last 10 hours) to notify them.

Probably not a bad idea to change your password if you use Edison Mail just to be on the safe side.  

Microsoft adds DNS-Over-HTTPS support for Windows 10 Insiders 

Microsoft is letting Windows Insiders test-drive DNS-over-HTTPS protocol in a pre-release build of Windows 10. Microsoft has announced the first testable version of DNS-Over-HTTPS (DoH) support, available for its Windows 10 operating system. Microsoft’s DoH support allows the Windows OS to use encrypted domain name server (DNS) sessions (as opposed to DNS queries being sent in clear text).

DoH support thus attempts to fix a long-standing privacy issue for internet browsers: Even if users are visiting a site using the secure HTTPS channel, if their DNS query is sent over an unencrypted connection, anyone can sniff out the packets being sent. This can open up victims to MiTM attacks where DNS responses can be manipulated to re-route users to phishing or malware sites. It can also allow intermediaries — such as Internet Service Providers (ISPs) or governments – to see which websites internet users are visiting.

At a closer level, without DoH, DNS queries are made from an app to a DNS server using the settings received from a local network provider (typically an ISP). DoH, on the other hand, encloses DNS requests in encrypted HTTPS packets and sends them to a DoH server (called a DoH resolver), which then processes the request and sends the encrypted response back. In Microsoft’s case, three servers are currently supported that are used as DoH resolvers – Cloudflare, Google and Quad9 (all three provide DoH as part of their public offerings).

Microsoft said that Windows needs to be configured to use one of these as a DNS server in order for DoH to be implemented. The feature will be off by default in the preview build; users need to first make sure their Microsoft account is part of the Windows Insider program and that they are in the Fast Ring (the Fast Ring allows a certain number of Insiders who opted in to receive super-early builds for the next feature update of Windows 10).

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.