by Richard Beck

Here is our cyber security news round-up of the week:

Discord security vulnerabilities net bug bounty

A security researcher has found a way to chain multiple Discord security vulnerabilities into a remote code execution (RCE) attack. The exploit, which affects only the desktop version of the messaging app, allows attackers to run code remotely. The chain took advantage of the fact that Discord had disabled the ‘contextIsolation’ feature in its Electron build, which allowed JavaScript code from outside the app to tamper with its internal code. A cross-site scripting flaw and a navigation restriction bypass in Electron's "will-navigate" event handling completed the chain and made RCE possible. The vulnerabilities were discovered by Masato Kinugawa, a self-confessed bug hunter, who reported the issues as soon as he could verify them. Discord acted swiftly to patch the flaws, and the RCE attack no longer appears to be possible. Kinugawa explained:

“These issues were reported through Discord's Bug Bounty Program. First, the Discord team disabled the Sketchfab embeds, and a workaround was taken to prevent navigation from the iframe by adding the sandbox attribute to the iframe. After a while, the contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods. I received $5,000 as a reward for this discovery.”
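The misconfiguration described above, contextIsolation disabled in an Electron build together with a navigation restriction that could be bypassed, as an added example that is not Discord's or Electron's own code: a small Node script that audits a BrowserWindow webPreferences object for the weak settings and checks candidate navigation targets against an origin allowlist, which is the check a will-navigate handler should perform. The preference names (contextIsolation, nodeIntegration, sandbox, webSecurity) are Electron's real ones; the sample configurations, origins and finding text are constructed for the example, and the Electron wiring is shown in comments only so the script runs stand-alone.

```javascript
// Added example (not Discord's or Electron's code): audit Electron renderer
// isolation settings and enforce an allowlist on navigation targets.

// Constructed sample configurations: the weak one mirrors the setting the
// round-up describes (contextIsolation disabled); the hardened one makes the
// isolation settings explicit.
const weakPrefs = { contextIsolation: false, nodeIntegration: false, sandbox: false };
const hardenedPrefs = { contextIsolation: true, nodeIntegration: false, sandbox: true, webSecurity: true };

// Return a list of findings for a webPreferences object. Electron's defaults
// have changed across versions, so an unset value counts as a finding too
// (assumption: the reviewer wants every isolation setting stated explicitly).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not enabled: page scripts and preload scripts share one JavaScript world, so page code can override built-ins the app relies on');
  }
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: page scripts get direct access to Node APIs');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is not enabled: the renderer process runs outside the Chromium sandbox');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity is disabled: the same-origin policy is switched off in this renderer');
  }
  return findings;
}

// Navigation guard: allow a top-level navigation only when the target parses
// as an https URL whose full origin is on the allowlist. Comparing origins
// (scheme + host + port) rather than string prefixes avoids look-alike hosts.
function isAllowedNavigation(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (e) {
    return false; // unparseable input is never allowed
  }
  if (parsed.protocol !== 'https:') return false; // rejects http:, file:, javascript: and friends
  return allowedOrigins.includes(parsed.origin);
}

// How the guard would be attached in an Electron main process (not executed here):
//   const ALLOWED = ['https://app.example.com'];
//   win.webContents.on('will-navigate', (event, url) => {
//     if (!isAllowedNavigation(url, ALLOWED)) event.preventDefault();
//   });
//   win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));

// Stand-alone demonstration on the constructed inputs.
console.log('weak config findings:', auditWebPreferences(weakPrefs));
console.log('hardened config findings:', auditWebPreferences(hardenedPrefs));
console.log(isAllowedNavigation('https://app.example.com/channels', ['https://app.example.com']));
console.log(isAllowedNavigation('https://app.example.com.attacker.example/', ['https://app.example.com']));
```

The audit deliberately treats an unset contextIsolation or sandbox as a finding rather than trusting the Electron default for whatever version is installed; the point of the Discord chain was that the setting was off, and a reviewer wants to see it switched on explicitly in the BrowserWindow options.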

British Airways fined £20m for data breach

British Airways have been fined £20 million by the Information Commissioner's Office (ICO) for a data breach in which the personal details of more than 400,000 customers were leaked. BA suffered a two-month cyberattack and lacked adequate security measures to detect and defend itself against it. The ICO had originally planned to fine BA nearly £184 million, but reduced the penalty in light of the economic impact of Covid-19 on BA (as on other airlines), the work BA had undertaken to address the issue, and what the ICO learned about the nature of the attack in a further investigation. Customers' names, addresses, payment card numbers and card security numbers were among the details compromised in the attack.

The ICO said BA appeared to have breached requirements of the Payment Card Industry Data Security Standard (PCI DSS) in relation to its storage of payment card data. According to the ICO, the attacker gained initial access to BA's network using the compromised credentials of a user at a third-party supplier who accessed the BA network remotely. The attacker was then able to "break out" from the remote access systems into the wider network that BA operated. Even with the reduced penalty, the ICO is sticking by its original conclusions, as described in its statement on the breach penalty.

SIEM platform exposed to remote code execution attack

A Java deserialisation bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution. The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.

Java client applications convert objects into streams of bytes – ‘serialise’ them – and send them to servers, which deserialise them back into their original structure before processing. If deserialisation is not handled properly, attackers can abuse the process by sending malicious data to Java application servers. Although the vulnerability was dangerous, exploiting it required access to a valid user account in the QRadar installation, because the Servlet was only reachable from authenticated user sessions. The researchers reported the deserialisation vulnerability along with nine other bugs in January while actively researching QRadar CE; most were fixed in April.

Cruise operator Carnival latest ransomware victim

Carnival Corporation disclosed in a filing with the US Securities and Exchange Commission that one of its brands suffered a ransomware attack that resulted in hackers gaining access to internal IT systems, encrypting a portion of the systems, and stealing the personal data of guests and employees. The company also stated that as soon as the ransomware attack was detected, it launched an investigation, notified law enforcement authorities, and engaged legal counsel and other incident response professionals.

The cruise line giant, which operates renowned brands including Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises in the UK and Australia, recently said the August ransomware attack gave the hackers access to the personal information of a number of guests, employees and crew. In a separate press release, the company announced that the ransomware attack on its IT systems affected three cruise lines, namely Carnival Cruise Line, Holland America Line and Seabourn, as well as the company's casino operations.

Microsoft announces its own Project Zero for Edge

Microsoft has announced plans for a Project Zero-style security research program focused on Chromium, having rebuilt the Edge browser on the open-source codebase. After relaunching Internet Explorer’s successor as a Chromium-based browser, the company tasked a team of browser security experts with researching the Chromium codebase that Google’s browser is built on. The findings will be published in accordance with responsible disclosure guidelines.

Edge, hitherto based on Microsoft’s own proprietary browser and JavaScript engines, was relaunched in January 2020 as a Chromium-based web browser. At 25 million lines of code, Chromium is one of the largest and most complex open-source projects in the world. With a 7.5% market share, Edge is currently the third most popular browser after Google Chrome, which also runs on Chromium, and Firefox, which does not. Microsoft is following the model of Trend Micro's Zero Day Initiative and Google's Project Zero, established in 2005 and 2014 respectively to research zero-day security vulnerabilities and publicly disclose the findings for the benefit of the wider security community.

New Zealand announces new privacy breach service

New Zealand's Office of the Privacy Commissioner (OPC) this week launched NotifyUs – a new online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable. Under the New Zealand Privacy Act 2020, which comes into effect on 1 December 2020, it will be mandatory for organisations to notify OPC if a privacy breach has caused, or is likely to cause, serious harm. Businesses and organisations which fail to report a notifiable privacy breach to OPC may receive fines of up to NZ$10,000.

Privacy Commissioner John Edwards says NotifyUs will help organisations determine whether a breach has caused, or could cause, serious harm, and guide them through the reporting process:

“We want the privacy breach pre-assessment and reporting process to be straightforward. NotifyUs has undergone extensive testing ahead of today’s launch to ensure the guidance is clear and easy to follow. I encourage people to use it in advance of the new legislation taking effect on 1 December.”

Edited and compiled by QA's Director of Cyber, Richard Beck.
