Cyber Pulse: Edition 127 | 1 September 2020

Here is our cyber security news round-up of the week:

Bug lets you bypass the PIN authentication for Visa contactless transactions

Swiss security researchers have discovered a way to bypass the PIN authentication for Visa contactless transactions. A bug in the communication protocols lets attackers mount a man-in-the-middle attack without entering the PIN code. EMV is the protocol used by all the world’s major banks and financial institutions. Europay, Mastercard and Visa developed the standard, and it’s been around for more than 20 years. The most important reason for the widespread adoption of the EMV protocol has to do with “liability shift”, a procedure that ensures that as long as the customer approves the transaction with a PIN or signature, the financial institution is not liable. It stands to reason that EMV is one of the most scrutinised communication protocols, but the Swiss research shows that any software or hardware can have vulnerabilities. 

The researchers used an application named Tamarin, developed explicitly to probe the security of communication protocols. They created a working model that covers all the roles in a regular EMV session: the bank, the card and the terminal. The researchers state in their paper:

“Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification. We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device."

Criminals can use a stolen Visa card and pay for goods without access to the PIN, making the PIN completely worthless. A real-world scenario tested the Visa Credit, Visa Electron, and VPay cards, and it was successful. Of course, the attack used a virtual wallet instead of a card, as the terminal can’t distinguish between a real credit card and a smartphone.

The researchers discovered another issue affecting VISA and some older models of Mastercard cards, in addition to the initial problem.

“The card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that the fix doesn’t require an update for the EMV standard, only updates for the terminal. Given that there are about 161 million POS terminals in the entire world, the updating process will be a long one.

New Zealand's stock exchange disrupted by DDoS attacks

New Zealand’s NZX stock exchange continued to sustain crippling distributed denial of service (DDoS) attacks on Friday, the Guardian reports. The attacks, which began on Tuesday, caused the exchange to intermittently halt trading throughout the week as it struggled to recover connectivity.  The Associated Press says New Zealand's Government Communications Security Bureau intelligence agency has been brought in to assist with the incident.

The Australian Broadcasting Corporation quotes the country's finance minister Grant Robertson as saying:

"I can't go into much more in terms of specific details other than to say that we as a government are treating this very seriously. NZX is a private company. We recognise that it is important that the government works with private companies like them when they are faced with issues like the cyber attack that they are currently experiencing. There are limits to what I can say today about the action the government is taking behind the scenes due to significant security considerations."

The attackers' motive is unclear, as is their identity. The AP notes that "neither the NZX nor Robertson said if the attackers sought a ransom, as some have speculated."

Cyber mercenary groups are conducting corporate espionage

Researchers describe DeathStalker as "a threat actor that primarily targets law firms and companies in the financial sector to steal sensitive business information". Researchers also identified similarities between Powersing, Evilnum, and another malware family called "Janicab." The researchers assess "with medium confidence" that all three malware families are operated by the same threat actor. The group doesn't limit its activities to any particular region, and the researchers conclude that "any company in the financial sector could catch DeathStalker's attention, no matter its geographic location."

Researchers have also identified another mercenary group that targeted a company "engaged in architectural projects with billion-dollar luxury real-estate developers in London, Australia, and Oman." The group gained entry to the company's networks using a maliciously crafted plugin for the widely used 3D computer graphic tool Autodesk 3ds Max. The plugin exploits a recently disclosed vulnerability to deploy a backdoor, which then exfiltrates a list of files based on their extensions. The attackers then "look at the file listings from each of their victims and then compile a HdCrawler binary specific to the victim."

Denial of service extortion attacks on the rise

Over the last few weeks, a cybercrime group has been extorting various organisations all over the world by threatening to launch distributed denial-of-service (DDoS) attacks against them unless they pay thousands of dollars in Bitcoin. The attackers have been targeting organisations operating in various industries, notably finance, travel, and e-commerce. However, they don’t seem to be targeting any specific region, as ransom letters have been sent to organisations residing in the United Kingdom, the United States and the Asia-Pacific region.

According to researchers, the group is also behind a string of attacks against MoneyGram, YesBank, Braintree, Venmo, and most recently also the New Zealand stock exchange, which has been forced to stop its trading for three days running. The ransom note discloses specific assets at the victim company that will be targeted by a ‘test attack’ to demonstrate the seriousness of the threat. Akamai, which has been tracking the attacks, has recorded some of the DDoS attacks reaching almost 200 Gb per second, while previously an attack targeting one of its customers was recorded coming in at ‘only’ 50 Gb per second.

As part of their scare tactics, the cybercriminals take up the guise of notorious hacking groups, to wit Sednit, also known as Fancy Bear, and Armada Collective.

The extortionists contact their victims with an email, warning them of a looming DDoS attack unless they pay the demanded ransom in Bitcoin within a specified timeframe. The fee varies based on the group they are impersonating and ranges from 5 BTC (some US$57,000) to 20 BTC (US$227,000) with the prices increasing if the deadline is missed. Indeed, reputational damage combined with downtime could cost the targeted companies millions in lost revenue. However, even if the targeted organisations would consider paying the ransom, there is no guarantee that the black hats would cease their attacks; a quick payday may even encourage them to target other companies as well.

Foiled cyber attack targeted Tesla

A Russia-based hacker group tried and failed to recruit a Tesla employee to instal malware on the car manufacturer's internal corporate networks, security researchers report. The FBI arrested a 27-year-old Russian national on Monday in Los Angeles in connection with the scheme. The US Justice Department didn't name the company in question, but Elon Musk confirmed on Twitter that it was Tesla.

According to the criminal complaint, the defendant, Egor Igorevich Kriuchkov, allegedly contacted a Russian-speaking Tesla employee with whom he had previously been acquainted and arranged to meet with the employee while Kriuchkov was vacationing in the US. Kriuchkov socialised with the employee and the employee's friends for several days in Nevada and California, with Kriuchkov covering all their expenses. After a few days, while the two were drinking heavily at a bar, Kriuchkov revealed that he was working for a "group" on a "special project", and offered the employee $500,000 (later upped to $1,000,000) to plant custom-made malware within Tesla's network. Kriuchkov said the group was paying $250,000 to develop the malware specifically for Tesla's network. The attackers' plan was apparently to steal sensitive files and threaten to publish them unless the company paid a ransom of several million dollars. The group would also launch a DDoS attack to distract Tesla's security team while the data was being exfiltrated. 

After Kriuchkov revealed his intentions, the employee reported the incident to Tesla and worked with the FBI to record subsequent meetings with Kriuchkov. During these meetings, Kriuchkov said his group had successfully extorted at least two other companies in this manner. Kriuchkov was arrested on 22 August while trying to leave the US and has been charged with one count of conspiracy to intentionally cause damage to a protected computer.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.