Here is our cyber security news round-up of the week:
Discord security vulnerabilities net bug bounty
A security researcher has discovered a way of chaining multiple Discord security vulnerabilities to achieve remote code execution (RCE). The exploit, which only affects the desktop version of the messaging app, allows attackers to run code of their choosing on a victim's machine. The RCE made use of a complex bug chain that took advantage of the fact that Discord had disabled the ‘contextIsolation’ feature in its Electron build; with that feature off, JavaScript running in rendered web content shares a context with the app's own internal code and can tamper with it. In addition, a cross-site scripting flaw and a bypass of the navigation restriction implemented in Electron's "will-navigate" event handler were also needed to make RCE possible. The vulnerabilities were discovered by Masato Kinugawa, a self-confessed bug hunter who reported the issues as soon as he could verify them. Discord acted swiftly to patch the flaws and an RCE attack no longer appears to be possible. Kinugawa explained:
“These issues were reported through Discord's Bug Bounty Program. First, the Discord team disabled the Sketchfab embeds, and a workaround was taken to prevent navigation from the iframe by adding the sandbox attribute to the iframe. After a while, the contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods. I received $5,000 as a reward for this discovery.”
British Airways fined £20m for data breach
British Airways have been fined £20 million by the ICO for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack and lacked adequate security to detect and defend itself against it. The ICO had originally planned to fine BA nearly £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of Covid-19, as well as work BA had undertaken to address the issue, and the ICO learning more about the nature of the attack in a further investigation. Customers' names, addresses, payment card numbers and security numbers were among the details compromised in the attack.
The ICO said BA appeared to have breached requirements of the Payment Card Industry Data Security Standard (PCI DSS) in relation to its storage of payment card data. According to the ICO, the attacker gained initial access to BA's network using the compromised credentials of a user at a third-party supplier who was accessing the BA network remotely. The attacker was then able to "break out" from the remote access systems into the wider network BA operated. Even with the reduced penalty, the ICO is sticking by its original conclusions, which are described in its statement on the breach penalty.
SIEM platform exposed to remote code execution attack
A Java deserialisation bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution. The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by sending a crafted serialised object to a Servlet component of QRadar Community Edition.
Java client applications convert objects into streams of bytes – ‘serialising’ them – and send them to servers, which deserialise the bytes back into objects before processing them. If a server deserialises untrusted input without restricting which classes the stream may instantiate, an attacker can craft a byte stream that runs malicious logic during deserialisation itself. While the vulnerability was dangerous, exploiting it required the attacker to hold a valid user account on the QRadar installation, because the Servlet was only reachable from authenticated user sessions. Securify's researchers found and reported the deserialisation vulnerability along with nine other bugs in January while actively researching QRadar CE; most were fixed in April.
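As an added illustration (not code from Securify's report or from QRadar itself), the unsafe reader pattern described above sits beside a hardened version that uses the JDK's ObjectInputFilter allow-list; the endpoint, the SearchRequest type and the sample payloads are constructed for the example.

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationDemo {
    // The one DTO this hypothetical endpoint legitimately expects (constructed for the example).
    public static final class SearchRequest implements Serializable {
        final String query;
        SearchRequest(String query) { this.query = query; }
    }

    // Unsafe pattern: whatever class the incoming stream names is instantiated, and its
    // readObject()/readResolve() logic runs, before the caller can check the type.
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list ObjectInputFilter (JDK 9+) rejects every class except
    // SearchRequest before it is instantiated, and caps object-graph depth and stream size.
    static SearchRequest safeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "DeserializationDemo$SearchRequest;!*;maxdepth=4;maxbytes=4096"));
            return (SearchRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SearchRequest("failed logins"));
        System.out.println("allowed: " + safeRead(expected).query);

        // Stand-in for a hostile body: a harmless but unexpected type. The unsafe reader
        // instantiates it anyway; the filtered reader refuses before construction.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafe reader built: " + unsafeRead(unexpected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to retrofit a servlet container without touching each reader.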
Cruise operator Carnival latest ransomware victim
Carnival Corporation disclosed in a filing with the US Securities and Exchange Commission that one of its brands suffered a ransomware attack that resulted in hackers gaining access to internal IT systems, encrypting a portion of the systems, and stealing the personal data of guests and employees. The company also stated that as soon as the ransomware attack was detected, it launched an investigation, notified law enforcement authorities, and engaged legal counsel and other incident response professionals.
Recently, the cruise line giant, which operates a number of renowned cruise line brands such as Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises in the UK and Australia, said the August ransomware attack resulted in hackers gaining access to the personal information of a number of guests, employees, and crew. The cruise line company also announced in a separate press release that the ransomware attack on its IT systems affected three cruise lines, namely Carnival Cruise Line, Holland America Line and Seabourn, as well as the company's casino operations.
Microsoft announces its own Project Zero for Edge
Microsoft has announced plans for a Project Zero-style security research program focused on Chromium, after rebuilding the Edge browser using the open-source codebase. Having relaunched Internet Explorer’s successor as a Chromium-based browser, the tech giant tasked a team of browser security experts to undertake research into Google’s browser-building repository. The research will be published in accordance with responsible disclosure guidelines.
Edge, which was hitherto based on Microsoft’s own proprietary browser and JavaScript engines, was relaunched in January 2020 as a Chromium-based web browser. Containing 25 million lines of code, Chromium is one of the largest, most complex open-source projects in the world. With a 7.5% market share, Edge is currently the third most popular browser after Google Chrome, which also runs on Chromium, and Firefox, which doesn’t. Microsoft is emulating Trend Micro's Zero Day Initiative and Google's Project Zero, established in 2005 and 2014 respectively to research zero-day security vulnerabilities and publicly disclose the findings for the benefit of the wider security community.
New Zealand announces new privacy breach service
New Zealand's Office of the Privacy Commissioner (OPC) this week launched NotifyUs – a new online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable. Under the New Zealand Privacy Act 2020, which comes into effect on 1 December 2020, it will be mandatory for organisations to notify OPC if a privacy breach has caused, or is likely to cause, serious harm. Businesses and organisations which fail to report a notifiable privacy breach to OPC may receive fines of up to NZ$10,000.
Privacy Commissioner John Edwards says NotifyUs will help organisations determine whether a breach has caused, or could cause, serious harm, and guide them through the reporting process:
“We want the privacy breach pre-assessment and reporting process to be straightforward. NotifyUs has undergone extensive testing ahead of today’s launch to ensure the guidance is clear and easy to follow. I encourage people to use it in advance of the new legislation taking effect on 1 December.”
Edited and compiled by QA's Director of Cyber, Richard Beck.