Cyber Pulse: Edition 121 | 21 July 2020

Here is our cyber security round-up of the week:

Critical ‘wormable’ vulnerability in Microsoft’s Windows DNS Server

Microsoft released a patch for a 17-year-old critical remote code execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability (CVE-2020-1350) and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Dubbed SIGRed, this critical RCE vulnerability affects all Windows Server versions 2003 through 2019 and, if exploited, could be used to compromise a company’s entire IT infrastructure. Non-Microsoft DNS Servers are not affected.

Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.

The flaw, which can be triggered by a malicious DNS response, was discovered by researchers, who reported it to Microsoft in May. According to their detailed write-up, an attacker who can exploit the vulnerability would gain Domain Administrator rights and seize control of the target’s entire IT infrastructure. This could entail accessing and stealing documents and tampering with emails or network traffic. The likelihood of the vulnerability being exploited was deemed high.

SIGRed brings echoes of other wormable vulnerabilities, notably BlueKeep in Remote Desktop Protocol (RDP) as well as the vulnerability in the Server Message Block (SMB) protocol that was exploited by EternalBlue. The patch for the newly-identified vulnerability is part of Microsoft’s Patch Tuesday rollout, which fixed a total of 123 security flaws this month, including 18 rated as critical.

Twitter breach: 130 high-profile accounts hacked

The social media giant Twitter confirmed that hackers compromised 130 accounts in last week's hack and downloaded data from eight of them. During the attack, one of the biggest cyberattacks in Twitter's history, hackers breached a number of high-profile accounts, including those of Barak Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Bill Gates, Elon Musk, Uber, and Apple.

The malicious attackers had posted on these accounts that they would return double the amount of money sent to several Bitcoin addresses, duping some of their followers. Although Twitter has stated that it was a coordinated social engineering attack, there are still a number of ongoing investigations to determine who the attackers are and how the breach was conducted. The malicious hackers seemed to have been able to change the email address of any Twitter account through Twitter’s administrator tools, without any notifications sent to the users, seemingly to delay the response to the hijack.

According to public records of the cryptocurrency transactions, the attackers were able to gain about $118,000 USD, which is – in most experts’ minds – a minor haul for such a major breach. You can imagine the impact that could’ve been made to markets, public safety and more. The payload was amateurish, but the compromise itself is a wake-up call for all organisations.

Twitter provided an update on the security incident confirming that attackers targeted certain Twitter employees through a social engineering scheme.

“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,” reads the update provided by Twitter.

For up to eight of the Twitter accounts targeted by the hackers, the intruders also downloaded the account’s information through Twitter’s “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. They are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts. Twitter pointed out that its incident response team immediately acted once it discovered the hack, and it secured and revoked access to internal systems to lock out the attackers.

The company decided to share online only a few details on its remediation procedure to protect its effectiveness, but plans to provide more technical details about the remediation procedure in the future. This New York Times published a report that revealed that hackers breached Twitter’s internal Slack messaging channel where they found credentials for the backend systems of the social network.

European Court of Justice invalidates the EU-US Privacy Shield

On 16 July 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). The CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

About 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion. The ICO have issued a statement:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

Supervisory authorities, EU Commission and governments will clearly be digesting this decision.  With so many looking to the digital economy to drive growth out of recession and recovery, there will be a very sharp focus on this.  In the current geo-political and economic climate, this may sadly become something of a gift to those who might wish to disrupt flows of data to other countries. Many are also looking somewhat dismayed when considering the ongoing debate in relation to transfers of data to the UK in the “Brexit” negotiations with the EU, and the broader chilling effect this may have on determinations of adequacy by the EU Commission.

ATM black box attack across Europe

ATM maker Diebold Nixdorf is warning banks about a new ATM black box attack technique that was recently employed in cyber thefts in Europe. Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device. In this attack, a black box device, such as a mobile device or a Raspberry, is physically connected to the ATM and is used by the attackers to send commands to the machine.

ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise ATMs. The alert was issued after the Agenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack. All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This is the first time that Belgian authorities observe this criminal practice in the country.

According to a security alert issued by Diebold Nixdorf, the new variation of black box attacks has been used in certain countries across Europe.

“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment,” reads the alert issued by the vendor. “Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands. Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM.”

The experts are still investigating how these portions of the stack code were obtained by the crooks; they speculated that attackers could have had offline access to an unencrypted hard disc.

Telco Orange confirms ransomware attack

Orange, the fourth-largest mobile operator in Europe has confirmed it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the Orange Business Services division, and started on the night of 4 July and into the next day. Orange is a France-based multinational IT and telecommunications corporation with 266 million customers worldwide and a total of 1,48,000 employees. 

The attack was brought to light by Nefilim Ransomware, who announced on their data leak site that they acquired access to Orange's data through their business solutions division. Orange announced: "Orange teams were immediately mobilised to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems."

Orange further said that the attack affected an internal IT platform known as Le Forfait Informatique, which was hosting data belonging to 20 SME customers, however there were no traces of the attack affecting any other internal server. As part of the ransom operators' leak, a 339MB archive file titled 'Orange_leak_part1.rar', which contained data that was allegedly stolen from Orange, was published.

Researchers uncover inner workings of hacking group

An OPSEC error by an Iranian threat actor has laid bare the inner workings of the hacking group, providing a rare insight and a behind-the-scenes look into their methods. IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours’ worth of video recordings of the state-sponsored group it calls ITG18 (also called Charming Kitten, Phosphorous, or APT35) that it uses to train its operators.

Some of the victims in the videos included personal accounts of U.S. and Greek navy personnel, in addition to unsuccessful phishing attempts directed against U.S. state department officials and an unnamed Iranian-American philanthropist. The videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts, the researchers said.

The IBM researchers said they found the videos on a virtual private cloud server that was left exposed due to a misconfiguration of security settings. The server, which was also found to host several ITG18 domains earlier this year, held more than 40 gigabytes of data. The discovered video files show that ITG18 had access to the targets' email and social media credentials obtained via spear-phishing, using the information to log in to the accounts, delete notifications of suspicious logins so as not to alert the victims, and exfiltrate contacts, photos, and documents from Google Drive.

"The operator was also able to sign into victims' Google Takeout (takeout.google.com), which allows a user to export content from their Google Account, to include location history, information from Chrome, and associated Android devices," the researchers noted. Outside of email accounts, the researchers said they found the attackers employing a long list of compromised usernames and passwords against at least 75 different websites ranging from banks to video and music streaming to something as trivial as pizza delivery and baby products.

"The compromise of personal files of members of the Greek and U.S. Navy could be in support of espionage operations related to numerous proceedings occurring in the Gulf of Oman and Arabian Gulf," IBM X-Force researchers concluded. "The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity."

Cozy Bear targets Covid-19 vaccine research

Russia's Foreign Intelligence Service (SVR) has been conducting espionage against UK, US, and Canadian organisations involved in the development a Covid-19 vaccine, according to an advisory issued by the UK's National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the US National Security Agency. Australian intelligence services also declared their agreement with the advisory, stating, "The targeting of Covid-19 vaccine development and research during a pandemic is completely unacceptable behaviour."

The NCSC's report assessed that APT29 (also known as "Cozy Bear" or "the Dukes"), a threat actor commonly attributed to the SVR, has been delivering custom malware dubbed "WellMess" and "WellMail" via publicly available exploits and spearphishing. “It is strongly recommended that organisations use the rules and IOCs [indicators of compromise] in the [report] appendix in order to detect the activity detailed in this advisory,” it adds, flagging compromise indicators and detection and mitigation advice contained in the document. The vulnerabilities exploited include CVE-2019-19781 in Citrix Application Delivery Controllers (ADC) and Gateways, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in Fortinet's SSL VPNs, and CVE-2019-9670 in the Zimbra Collaboration Suite.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.