Here is our cyber security news round-up of the week:
Canon falls victim to ransomware
Researchers broke the story that Canon’s IT department sent out a company-wide notice informing workers that “Canon USA is experiencing widespread system issues, affecting multiple applications, Teams, Email and other systems may not be available at this time.” Multiple Canon-related websites are also down, including canonusa.com, usa.canon.com, canonhelp.com, imageland.net, consumer.usa.canon.com, cusa.canon.com, and more. Visiting them brings up an Internal Server Error message.
The security and technology news publication says it obtained a snippet of the alleged ransom note left behind by the attackers:
“We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in 3 days we will post information about your breach on public news websites and after 7 days the whole downloaded info.”
The letter continues with specifics on how to contact the Maze ransomware operators and a warning that the only way to restore encrypted data is by paying up.
Bleeping Computer says it contacted the ransomware gang, which confirmed that the attack was conducted on 5 August. Although the cybercriminals refused to reveal any additional information such as ransom amount or screenshots of exfiltrated data, they claimed that “10TB of data and private databases” were stolen from Canon’s servers. A suspicious incident regarding an outage impacting users of the image.canon website was also reported on 30 July. A notification read:
“On July 30, 2020, we identified an issue involving the 10GB long-term storage on image.canon. In order to conduct further investigation, we temporarily suspended both the mobile application and web browser service of image.canon. After the investigation, we identified that some of the photo and video image files saved in the 10GB long-term storage prior to June 16, 2020 9:00am (JST) were lost. We confirmed that the still image thumbnails of the affected files were not affected, and there was no leak of image data. After having resolved the issue that resulted in the loss of the photo and video image files, we resumed the image.canon service as of August 4, 2020.”
However, there is no evidence that the two incidents are related, and the ransomware attackers have denied any involvement in the outage. Canon has yet to release a statement detailing the incident. But taking into consideration their outage and internal communication, the alleged ransomware attack will likely be confirmed.
Intel sustains intellectual property breach
Intel has suffered a breach involving 20 gigabytes of internal documents, many of which include sensitive corporate intellectual property, researchers report. According to Engadget, the documents were published by Swiss software engineer Till Kottmann, who says he received them from a source who claims to have hacked the company earlier this year. Intel disputes that it was hacked, saying it believes an insider leaked the data. The company said in a statement to the media:
“We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.”
The Intel Resource and Design Center is a web portal where Intel provides non-public technical documents to business partners integrating Intel chipsets into their respective products. Researchers say the leaked documents match this description.
Operation Skeleton Key targets Taiwan's semiconductor sector
This week, researchers from CyCraft Technology described a suspected Chinese government threat group, Chimera, that's successfully targeted Taiwan's semiconductor industry. According to researchers, the hackers were after source code, chip designs, software development kits, and similar intellectual property. The group targeted at least seven chip manufacturers in 2018 and 2019. CyCraft doesn't name the victims, but says they were based in the Hsinchu Science Industrial Park. CyCraft calls the campaign "Operation Skeleton Key" after its use of SkeletonKeyInjector, which "implanted a skeleton key into domain controller (DC) servers to continuously conduct lateral movement."
The researchers found that in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customised version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous.
From their initial access points, the hackers would attempt to move to other machines on the network by accessing databases of passwords protected with cryptographic hashing and attempting to crack them. Whenever possible, CyCraft's analyst says, the hackers used stolen credentials and legitimate features available to users to move through the network and gain further access, rather than infect machines with malware that might reveal their fingerprints. Stealing chip schematics, he points out, could potentially allow Chinese hackers to more easily dig up vulnerabilities hidden in computing hardware.
"If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released," Duffy says. "By the time the devices hit the market, they're already compromised."
CyCraft concedes it can't determine what the hackers are doing with the stolen chip design documents and code. And the more likely motivation of the hacking campaign is simply to give China's own semiconductor makers a leg up over their rivals.
Snapdragon digital signal processor (DSP) chip vulnerability
Several security vulnerabilities found in Qualcomm's Snapdragon Digital Signal Processor (DSP) chip could allow attackers to take control of more than 40% of all smartphones without user interaction, spy on their users, and create unremovable malware capable of evading detection.
DSPs are system-on-chip units used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices. DSP chips are complex and can add many new features and capabilities to a device, but they also introduce new weak points and expand the device's attack surface.
The vulnerable DSP chip "can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more," according to researchers who found these vulnerabilities. Apple's iPhone smartphone line is not affected by the security issues discovered and disclosed by researchers in their report. They disclosed their findings to Qualcomm, which acknowledged them, notified device vendors, and assigned them the following six CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. According to researchers, these vulnerabilities make it possible for attackers to:
- Turn the phone into a perfect spying tool, without any user interaction required. The information that can be exfiltrated from the phone includes photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
- Render the mobile phone constantly unresponsive. This would make all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
- Use malware and other malicious code to completely hide their activities and become un-removable.
Although Qualcomm has already patched the six security flaws found to affect the Qualcomm Snapdragon DSP chip, mobile vendors still have to implement and deliver security fixes to their devices' users, and the threat is still there since the devices are still vulnerable to attacks. But we have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.
Mercedes-Benz E-Class remotely hackable
Chinese researchers discovered tens of vulnerabilities in a Mercedes-Benz E-Class, including issues that can be exploited to remotely hack it. A team of Chinese experts from Sky-Go, the Qihoo 360 division focused on car-hacking, discovered 19 vulnerabilities in a Mercedes-Benz E-Class, including some issues that can be exploited by attackers to remotely hack a vehicle.
The experts analysed a Mercedes E-Class model because it is a connected car with a powerful infotainment system and a rich set of functionalities. The research began in 2018 and in August 2019, the experts reported their findings to Daimler, which owns Mercedes-Benz. In December 2019, the carmaker announced a partnership with the 360 Group to strengthen car IT security for the industry. The research paper states:
“In 2018, we begin research on Mercedes-Benz, since it is one of the most famous car brands in the world and an industry benchmark in the automotive industry. We analyse the security of Mercedes-Benz cars. There are so many models from Mercedes-Benz, and we finally chose the research target on Mercedes-Benz E-Class, since the E-Class’s in-vehicle infotainment system has the most connectivity functionalities of all.”
The team of experts was able to exploit the flaws to remotely unlock the car’s doors and start the engine of a Mercedes-Benz E-Class. According to the experts, the flaw could have affected 2 million vehicles in China alone. The experts initially collected relevant information from the target devices, such as network topology, pin definitions, chip model, and enable signals in the car. Then they disassembled the centre panel in the car to analyse the wiring connections between the Electronic Control Units (ECUs). Through analysis of the file system of the vehicle’s Telematics Control Unit (TCU), to which they gained access by obtaining an interactive shell with root privileges, they uncovered passwords and certificates for the backend server.
Experts noticed the lack of authentication between the backend servers and the “Mercedes Me” mobile app, which allows users to remotely control multiple functions of the car. The researchers explained that once they got access to the backend, they could control any car in China. The experts said that they did not manage to hack any critical safety functions of the tested vehicles.
Edited and compiled by QA's Director of Cyber, Richard Beck.