Here is our cyber security round-up of the week:
Rockwell Automation releases patches for EDS as actors target OT networks
Rockwell Automation recently patched two vulnerabilities related to EDS files that can allow malicious actors to expand their access within a targeted organisation’s OT network. The vulnerabilities were discovered by researchers at industrial cybersecurity firm Claroty. Rockwell Automation and the United States Cybersecurity and Infrastructure Security Agency (CISA) published advisories for the vulnerabilities this week.
The security holes are related to the Electronic Data Sheet (EDS) subsystem used by some Rockwell products. An EDS file contains a device’s configuration data and is used by network management tools for identification and commissioning purposes. The researchers say an attacker could exploit the vulnerabilities by impersonating a new device on the network and using it to present a malicious EDS file to any discovery software. When Rockwell network discovery tools such as RSLinx scan the network and come across the attacker’s fake device, they will ask for its EDS file. Once the malicious EDS file is parsed, the vulnerability is triggered and a new file can be written to the disk of the engineering workstation or human-machine interface (HMI).
An attacker who has successfully implemented the attack described above can utilise it to expand their access and reach within the network, thus translating access to the network to an actual foothold on Rockwell's workstations, including engineering stations and HMI. More information on affected and patched versions is available in Rockwell’s advisory.
With Spectra, researchers highlight fundamental design flaws in wireless communications chips
Just a few days after the discovery of the Bluetooth-based BIAS attacks, researchers have made another groundbreaking discovery, one that challenges the fundamentals of architecture design for all wireless devices.
A new attack, dubbed Spectra, is said to be capable of breaking the separation between Wi-Fi and Bluetooth technologies running on the same device, such as laptops, smartphones, and tablets. Developed in May 2020 by researchers in Germany, Spectra takes advantage of the coexistence mechanisms of the multiple wireless technologies included on a single chipset. This attack works against "combo chips" – specialised chips that handle multiple types of radio-wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, etc. By carrying out side-channel attacks, an attacker can steal data from other wireless technologies the combo chip supports.
The analysed chipsets include Broadcom and Cypress combo chips, which are used in millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series phones. Other combo chipset manufacturers are likely vulnerable to Spectra attacks as well. The researchers did not provide more technical details about this attack, but they plan to present the details in August at the Black Hat 2020 security conference.
With the explosion of software-based vulnerabilities exploited in hacking attacks, organisations globally have paid less attention to some fundamental flaws in critical hardware components such as wireless communications chipsets and processors. Now, the discovery of the Spectra attack and other such threats has highlighted the need for increased research and mitigation efforts for hardware-based vulnerabilities.
Meanwhile, Samsung has launched a new secure element (SE) chip to protect private and sensitive data on mobile devices. The chip, dubbed S3FV9RR, will be offered as a standalone turnkey with security software, Samsung said. According to Samsung, the new chip provides protection for mobile devices such as smartphones and tablets when performing booting, isolated storage and mobile payment, among other applications. It can also be used for e-passports and cryptocurrency hardware wallets, and to support hardware-based root of trust and device authentication. The chip is also versatile, Samsung added, as it can work independently from the security performance of a device's main processor.
DNS vulnerability could flood websites
Dubbed NXNSAttack, this flaw can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds by sending a lot of data to a victim's server. If you have an army of hacked PCs or devices – a botnet – at your command, and can find a DNS service that's vulnerable, you can theoretically generate enough network traffic to overwhelm a victim's system and knock it offline for all users.
Although denial-of-service (DoS) attacks are a little 1990s, blasting a business off the web can lead to a loss of sales, reputation damage, and so on. Researchers at Tel Aviv University found the vulnerability. APNIC, which oversees IP address allocation among other duties for the Asia-Pacific region, has published a deep dive on it.
"Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers," Microsoft said in its advisory. "An attacker who successfully exploited this vulnerability could cause the DNS Server service to become non-responsive." The flaw is not limited to Windows servers; it's just that Microsoft isn't in the business of posting advisories for other platforms.
To mitigate the problem, the researchers suggest name servers implement an algorithm they devised dubbed Max1Fetch that reduces the storm of traffic between the DNS components involved. You should check for updates for your DNS server installation, and install them to avoid being blown over by a distributed denial-of-service attack.
ZLoader banking malware returns
A banking malware called ZLoader, last seen in early 2018, has been spotted in more than 100 email campaigns since the beginning of the year. Researchers at Proofpoint note in a report today that the ZLoader distributed this way is different from the original variant observed between 2016 and 2018. They believe the new version is a fork of the previous one.
Multiple actors are currently spreading this strain in at least one malicious email campaign per day. They’re using PDF files that link to a Microsoft Word document laced with macro code that downloads and runs ZLoader. Since March, they have been using Covid-19-themed phishing, pretending to warn recipients of scams related to the new coronavirus pandemic. The current variant lacks some advanced features seen in its predecessor. For instance, code obfuscation and string encryption are missing. Despite this, it still poses a significant threat.
It uses web injects to steal credentials and private banking information from victims along with sensitive data stored in browsers, like cookies and passwords. The threat actor uses this data to log into the victim’s online banking account. Using a VNC (Virtual Network Computing) client, they make transactions from the compromised computer. This does not raise any suspicion with the bank since the transfer is initiated from the customer’s computer using correct credentials. It also makes it more difficult to dispute the fraudulent transaction.
ZLoader is also known as Zeus Sphinx, Terdot, and DELoader. It is a variant of the infamous Zeus, which was used by a major theft ring to steal tens of millions of dollars before they were caught in 2010.
Chafer APT active in Middle East
Cybersecurity researchers have uncovered an Iranian cyber espionage campaign targeting crucial and confidential information in Kuwait and Saudi Arabia. The intelligence-gathering operations are attributed to Chafer APT (also known as Remix Kitten or APT39), a threat group that attacks the travel and telecommunications industries in the Middle East to gather confidential information, mostly linked to Iran’s geopolitical interests.
According to the researchers’ report, the victims in this campaign include air transport and government sector entities in the Middle East. Chafer APT has also targeted the Turkish government and foreign diplomatic entities in Iran to extract critical information. FireEye reported last year that Chafer’s new focus is on the telecommunications and travel industries, as they store large amounts of customers’ personal data.
APT39 gained access by launching spear-phishing emails containing malicious attachments, then used several backdoor tools to achieve a foothold, escalate their privileges, establish persistence in the victim environment, and conduct internal reconnaissance. Social engineering was used to trick the Saudi Arabian entity into running a remote administration tool (RAT), and similar attacks were carried out against Kuwait and Turkey. It is important to note that such attacks can happen anywhere in the world, although critical infrastructure like air transportation and government are their obvious targets.
EasyJet to face legal action post-data breach
A law firm specialising in group legal action has issued a class action claim under Article 82 of the General Data Protection Regulation (GDPR) in the High Court on behalf of nine million easyJet customers whose details were exposed in a data breach. The group action, worth £18bn, could see each affected customer receive a £2,000 pay-out if successful. The personal data leaked includes names, email addresses, and travel data – such as dates of departure and arrival, reference numbers and booking values. The exposure of personal travel patterns may pose security risks to individuals and was a “gross invasion of privacy”. In addition, more than 2,000 customers had their credit card data exposed.
Since easyJet formally disclosed the breach on 19 May 2020, it has emerged that its systems were breached in January, meaning it has waited four months to inform its customers that they were at increased risk of being targeted by cyber criminals. The law firm is inviting any affected easyJet customers, wherever in the world they may be located, to join the claim on a no-win, no-fee basis. Despite the airline’s tardiness in informing its customers, it is understood the Information Commissioner’s Office (ICO) was informed of the incident in good time. An ICO spokesperson confirmed a live investigation into the cyber attack is in progress.
The UK National Cyber Security Centre (NCSC) has advised affected customers to:
- Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information;
- Change their password on their EasyJet accounts (and other accounts that have the same password);
- Check if their account has appeared in any other public data breaches; and to
- Report any fraud attempts to the police, the NCSC, and their bank’s fraud department, depending on their nature.
Edited and compiled by QA's Director of Cyber, Richard Beck.