Here is our cyber security news round-up of the week:
Threat Group Abuses Microsoft & Google Cloud Services
Security researchers are watching a threat group that takes advantage of Microsoft and Google cloud services with the goal of exfiltrating data across a broad range of target organizations. These attackers have a "wide set of interests," report researchers with NCC Group and Fox-IT, who note the group is referred to as Chimera. Their target data ranges from intellectual property belonging to victims in the semiconductor industry to passenger data from the airline industry. Attackers begin by obtaining usernames and passwords from victims of previous breaches. The credentials are used in credential stuffing or password-spray attacks against a victim's remote services; for example, webmail or other online mail services. Once they have a valid account, they use it to access the victim's VPN, Citrix, or another remote service with network access. With a foothold in the network, the attackers check the account permissions and try to get a list of accounts with admin privileges. This list helps them launch another password-spraying attack until a valid admin account is compromised. They use this account to load a Cobalt Strike beacon into memory; this can be used for remote access and command and control (C2). The researchers explain how the attackers use Microsoft and Google cloud services to achieve their goals. In one case, they collected data from Microsoft SharePoint Online in order to exfiltrate information. In other attacks, they changed their C2 domains: in 2019 they began using subdomains under the parent domain appspot.com, which is owned by Google, and azureedge.net, a domain owned by Microsoft and part of its Azure content delivery network.
Dutch Energy Supplier Blames Cyber Intrusion on Data Breaches Suffered by Other Companies
Dutch energy supplier Eneco has warned tens of thousands of clients, including business partners, to change their passwords amid a recent data breach. Eneco, a producer and supplier of natural gas, electricity and heat in the Netherlands, serves more than 2 million business and residential customers. In a recent statement, the company said that “cyber criminals have used email addresses and passwords from previous thefts at other websites to gain access to approximately 1,700 private and small business My Eneco accounts, the online environment for Eneco customers.” It claims affected customers may have had their data “viewed and possibly changed by third parties,” but doesn’t go into detail about the nature of the data, nor does it mention that attackers may use it to conduct phishing campaigns or fraud – which is typically the case in such attacks. The company adds that “affected customers have been notified and must create a new account with a different password.” The attackers apparently used a classic credential stuffing technique leveraging stolen data from previous breaches, meaning such an attack could have been prevented simply by enforcing multi-factor authentication for customer accounts.
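Both the Chimera campaign above and the Eneco incident rely on the same first step: replaying credentials from earlier breaches against a login service, either one password across many accounts (spraying) or many leaked username/password pairs once each (stuffing). In a log that records only usernames, the two produce the same signature: one source, many distinct accounts, few attempts per account, then an occasional success. The script below is an added example for this round-up, not code from NCC Group, Fox-IT, Eneco or any product mentioned; the log format (`timestamp user source_ip result`), the constructed sample lines, the ten-minute window and the five-account threshold are all assumptions chosen for illustration. It reports every source that failed against enough distinct accounts in one window and lists any logins that succeeded from that same source, which are the accounts to reset first.

```python
"""Flag password-spray / credential-stuffing activity in authentication logs.

Added example for this round-up; it is not code from NCC Group, Fox-IT,
Eneco or any product named in the article. The log format, field order
and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp user source_ip result" format.
# 203.0.113.10 tries six accounts once each and gets into one (frank);
# 198.51.100.7 retries a single account, which is a different pattern.
SAMPLE_LOG = """\
2021-01-12T08:00:01 alice 203.0.113.10 FAIL
2021-01-12T08:00:02 bob 203.0.113.10 FAIL
2021-01-12T08:00:03 carol 203.0.113.10 FAIL
2021-01-12T08:00:04 dave 203.0.113.10 FAIL
2021-01-12T08:00:05 erin 203.0.113.10 FAIL
2021-01-12T08:00:06 frank 203.0.113.10 SUCCESS
2021-01-12T08:05:00 alice 198.51.100.7 FAIL
2021-01-12T08:05:30 alice 198.51.100.7 FAIL
2021-01-12T08:06:00 alice 198.51.100.7 SUCCESS
2021-01-12T09:00:00 grace 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse lines into (timestamp, user, source_ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {"failed_users": [...], "succeeded_users": [...]}}
    for every source that failed against at least `min_users` distinct
    accounts inside any `window`-long span of its own attempts."""
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failed = {u for _, u, ok in span if not ok}
            if len(failed) >= min_users:
                succeeded = {u for _, u, ok in span if ok}
                entry = findings.setdefault(
                    ip, {"failed_users": set(), "succeeded_users": set()})
                entry["failed_users"] |= failed
                entry["succeeded_users"] |= succeeded
    # Sorted lists give stable, comparable output.
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in findings.items()}


def report(text=SAMPLE_LOG):
    """Run the detector over a log text (the constructed sample by default)."""
    return detect_spray(parse_log(text))


if __name__ == "__main__":
    for ip, d in report().items():
        print(f"{ip}: failed against {len(d['failed_users'])} accounts; "
              f"successful logins from this source: {d['succeeded_users'] or 'none'}")
```

The single-account retries from 198.51.100.7 are deliberately not flagged: that is a brute-force pattern against one user, which account lockout already addresses. Spraying and stuffing stay under per-account lockout thresholds by design, which is why the grouping here is per source rather than per account, and why the mitigation the article names, multi-factor authentication, matters more than lockout for this class of attack.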
Microsoft command ‘bug’ can force Windows 10 to Blue Screen
A first bug allows an unprivileged user or program to enter a single command that causes an NTFS volume to become marked as corrupted. While chkdsk resolved this issue in many tests, one of our tests showed that the command caused corruption on a hard drive that prevented Windows from starting. Today, we look at the second bug, which causes Windows 10 to perform a BSOD crash by merely attempting to open an unusual path. Since October, Windows security researcher Jonas Lykkegaard has tweeted numerous times about a path that would immediately cause Windows 10 to crash and display a BSOD when entered into the Chrome address bar. When developers want to interact with Windows devices directly, they can pass a Win32 device namespace path as an argument to various Windows programming functions. For example, this allows an application to interact directly with a physical disk without going through the file system. Lykkegaard discovered the following Win32 device namespace path for the 'console multiplexer driver' that he believes is used for 'kernel / usermode ipc.' Opening the path in various ways, even as a low-privileged user, would cause Windows 10 to crash. While it has not been determined whether this bug could be exploited for remote code execution or privilege elevation, in its current form it can be used as a denial of service attack on a computer.
New Zealand central bank governor apologises after cyberattack resulted in serious data breach
The head of the Reserve Bank of New Zealand apologised on Friday after a recent cyberattack led to a serious data breach at the central bank, and brought in an independent investigator to review the incident. The breach was first announced on Sunday and later in the week the RBNZ said a file sharing service provided by California-based Accellion was illegally accessed. The breach comes just months after New Zealand’s stock exchange operator was targeted in a series of distributed denial of service attacks that overwhelmed its website, preventing trading for several days.
“I own this issue and I am disappointed and sorry,” said Governor Adrian Orr, adding that the ongoing investigation showed the breach is “serious and has significant data implication. While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders.”
The bank has said the system that was breached has been secured and closed, and New Zealand’s financial system remains sound and open for business. Apart from the forensic cyber investigation underway, the bank also appointed an independent third party to undertake a review of the incident. Orr said he could not provide any further details as it could adversely affect the investigation and the steps being taken to mitigate the breach.
A Sophisticated Windows and Android Hacking Operation Using Zero-Day Exploits
Google has published a report describing a sophisticated hacking operation that targeted owners of both Windows and Android devices. The attacks used two exploit servers spreading different exploit chains via watering hole attacks. Both used exploits for initial remote code execution. While one server targeted Windows, the other targeted Android users. The exploit servers included four renderer bugs in Google Chrome, one of which was a zero-day at the time of its discovery. Two sandbox escape exploits utilized three zero-day vulnerabilities in the Windows OS. In addition, a privilege escalation kit was used that consisted of publicly known n-day exploits for older versions of the Android OS. The four zero-days discovered in these chains are CVE-2020-6418, CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027, which were fixed between February and April 2020. Recently, Microsoft patched a Defender antivirus zero-day vulnerability (CVE-2021-1647) that was being exploited in the wild. In addition, a patch was released to fix a zero-day LPE vulnerability in the Windows PsExec management tool. The recent attacks were well-engineered and had complex code with a mixture of novel exploitation methods. To avoid any risks from such threats, experts suggest organizations take proactive measures such as regularly patching software, using reliable anti-malware, deploying a Host Intrusion Protection System (HIPS), and using only essential applications on business devices.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM and CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, and also supports a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor of cyber insights and industry collaboration, including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in cyber security.