by Richard Beck

Here is our cyber security news round-up of the week:

Ransomware gang hacks Ecuador's largest private bank, Ministry of Finance

A hacking group called Hotarus Corp has hacked Ecuador's Ministry of Finance and the country's largest bank, Banco Pichincha, where they claim to have stolen internal data. The ransomware gang first targeted Ecuador's Ministry of Finance, the Ministerio de Economía y Finanzas de Ecuador, where they deployed a PHP-based ransomware strain to encrypt a site hosting an online course. Researcher Germán Fernández revealed that the threat actors are using a commodity PHP ransomware called Ronggolawe (or AwesomeWare) to encrypt the site's contents. Soon after the attack, the threat actors released a text file containing 6,632 login names and hashed password combinations on a hacker forum.

The bank has confirmed the attack in an official statement but says that the compromised system belonged to a marketing partner rather than to its own internal infrastructure. Banco Pichincha goes on to say that the attackers used the compromised platform to send phishing emails to customers in an attempt to steal sensitive information and carry out "illegitimate transactions". The hacking group claims to have stolen 31,636,026 customer records and 58,456 sensitive system records, including credit card numbers, through this attack.

Amazon dismisses claims Alexa "skills" can bypass security vetting process

Researchers have found a number of privacy and security issues in Amazon's vetting process for Alexa "skills" – voice-assistant capabilities developed by third parties – and warn that malicious skills could leave smart-speaker owners exposed to data theft and phishing attacks.

The security-threat claim is roundly dismissed by Amazon. Researchers scrutinised 90,194 unique skills from Amazon’s skill stores across seven countries. The report, presented at the Network and Distributed System Security Symposium 2021, found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.

Researchers said they found several glaring issues with Amazon's skill-vetting process. For one, developers can register skills that use well-known company names such as Ring, Withings or Samsung; some names are blocked, but not others. Bad actors could then leverage these fake brand names by sending phishing emails that link to the skill's Amazon store webpage – lending an air of legitimacy to the phishing message and tricking users into handing over valuable information.

Four new hacking groups are targeting critical infrastructure

More hacking groups than ever before are targeting industrial environments as cyber attackers attempt to infiltrate the networks of companies providing vital services, including electric power, water, oil and gas, and manufacturing.

Threats include cyber-criminal groups looking to steal information or encrypt systems with ransomware, as well as nation-state-backed hacking operations attempting to determine the potential disruption they could cause with cyberattacks against operational technology (OT).

According to cybersecurity researchers at Dragos, four new hacking groups targeting industrial systems have been detected over the past year – and there's an increased amount of investment from cyber attackers targeting industry and industrial control systems. The four new groups identified over the course of the past year – named by researchers as Stibnite, Talonite, Kamacite, and Vanadinite – come in addition to 11 previously identified hacking groups targeting industrial control systems.

The discovery of four additional hacking operations targeting industrial systems is a cause for concern – but it also indicates increasing visibility of threats to industrial systems that might have been missed in previous years. In many cases, attackers combine this lack of visibility with the ability to hide in plain sight by abusing legitimate login credentials to move around the network. Such activity can have physical effects beyond the network environment, as recently demonstrated when an intruder who had gained remote access to the network of the water treatment facility for the city of Oldsmar, Florida, attempted to raise the level of sodium hydroxide in the drinking water supply; an operator noticed the change and reverted it before it took effect.

Google funds Linux kernel developers to work exclusively on security

Linux is more secure than most operating systems, but that doesn't mean it can take security for granted. So, Google and the Linux Foundation are funding a pair of top Linux kernel developers to focus on security.

Hardly a week goes by without yet another major Windows security problem popping up, while Linux security problems, when looked at closely, usually turn out to be the result of misconfiguration or administrative error rather than kernel flaws. But Linux can't rest on its laurels. There are real Linux security concerns that need addressing. That's where Google and the Linux Foundation come in with a new plan to underwrite two full-time maintainers for Linux kernel security development, Gustavo Silva and Nathan Chancellor. On average, open-source programmers spend just 2.27% of their total contribution time on security. Worse still, most open-source developers feel little desire to spend more of their time and effort on security.

As David A. Wheeler, The Linux Foundation's director of open-source supply chain security, said in the Report on the 2020 FOSS Contributor Survey:

"It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors." 

The solution, the report authors suggested, was to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.

ENISA releases guidelines for cloud security for healthcare services

The healthcare sector is undergoing digitalisation and adopting new technologies to improve patient care, offer new services to remote patients and achieve operational excellence. Integrating these technologies into the complex healthcare IT infrastructure creates new data-protection and cybersecurity challenges. To help healthcare IT and security professionals establish and maintain cloud security while selecting and deploying appropriate technical and organisational measures, ENISA has issued a study that sets out cloud security practices for the healthcare sector.

According to the European Union NIS Directive, hospitals are defined as Operators of Essential Services (OES), while cloud providers are Digital Service Providers (DSP). Therefore, both hospitals and cloud vendors must comply with the NIS Directive security requirements when contracting with cloud services.

At the same time, the GDPR defines medical data as a "special category" of personal data, which is sensitive by nature and subject to a higher standard of protection when processed. Healthcare organisations, as data controllers processing medical data, must implement appropriate technical and organisational measures to ensure the security of systems, services and data. Cloud providers acting on behalf of those controllers are data processors under the GDPR, and therefore carry their own obligations as processors (Article 28), including implementing appropriate security measures and acting only on the controller's documented instructions.

The report reminds healthcare organisations migrating to the cloud that the Shared Responsibility Model applies: the cloud provider is responsible for security *of* the cloud (the underlying infrastructure and services), while the customer remains responsible for security *in* the cloud (identities, data, configuration and the workloads it deploys).

CNAME cloaking threat to privacy

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defences, thereby posing a threat to web security and privacy. Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users' knowledge and consent, but also "increases [the] web security threat surface," said a group of researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem in a new study.

"This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the researchers stated in the paper. "As such, defences that block third-party cookies are rendered ineffective."

Over the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to curb third-party tracking. Apple set the ball rolling with a Safari feature called Intelligent Tracking Prevention (ITP) in June 2017, setting a new privacy standard on desktop and mobile to reduce cross-site tracking by "further limiting cookies and other website data." Two years later, the iPhone maker outlined a separate plan dubbed "Privacy Preserving Ad Click Attribution" to make online ads private.

Although Google early last year announced plans to phase out third-party cookies and trackers in Chrome in favour of a new framework called the "privacy sandbox", it's not expected to go live until sometime in 2022. In the meantime, the search giant has been actively working with ad tech companies on a proposed replacement called "Dovekey" that looks to supplant the functionality served by cross-site tracking using privacy-centred technologies to serve personalised ads on the web.

In the face of these privacy barriers, marketers have begun looking for ways around the hard line browser makers have taken against cross-site tracking. CNAME cloaking makes tracking code look first-party when it is not: the tracker is loaded from a subdomain of the visited site, but that subdomain's DNS CNAME record points at a hostname under the tracker's own domain, so the request resolves to third-party infrastructure while the browser treats it as same-site and attaches the site's cookies. The researchers found this technique in use on 9.98% of the top 10,000 websites, and identified 13 providers of such tracking "services" across 10,474 websites. What's more, the study cites a "targeted treatment of Apple's web browser Safari" wherein ad tech company Criteo switched specifically to CNAME cloaking to bypass privacy protections in the browser.
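As an added example that is not part of this round-up or of the cited study, the Python script below shows how a site owner or auditor can spot CNAME-cloaked trackers: it follows each subresource hostname's CNAME chain, compares the registrable domain (eTLD+1) where the chain ends with that of the page, and lists which of the site's cookies the browser would send along to the cloaked host. The hostnames (news-site.example, tracker-cdn.example), the CNAME table and the tiny public-suffix table are all constructed for the example; real code would query a resolver and load the full Public Suffix List.

```python
"""Detect CNAME-cloaked third-party trackers among a page's subresource hosts.

Constructed, offline example: the CNAME table stands in for resolver output
and PUBLIC_SUFFIXES is a hand-written subset of the Public Suffix List.
"""
from typing import Dict, List, Optional

# Assumption: a minimal stand-in for the Public Suffix List, enough to compute
# registrable domains (eTLD+1) for the constructed hostnames below.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "example"}

# Constructed DNS data: hostname -> CNAME target, or None when the name
# terminates in an A/AAAA record. The "metrics" subdomain is the cloaked one:
# it is a subdomain of the site, but its CNAME chain ends at the tracker.
CNAME_RECORDS: Dict[str, Optional[str]] = {
    "www.news-site.example": None,
    "static.news-site.example": "cdn.news-site.example",
    "cdn.news-site.example": None,
    "metrics.news-site.example": "news-site.tracker-cdn.example",
    "news-site.tracker-cdn.example": "edge.tracker-cdn.example",
    "edge.tracker-cdn.example": None,
    "ads.third-party.example": None,
}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host using PUBLIC_SUFFIXES (longest matching suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def resolve_cname_chain(host: str, records=CNAME_RECORDS, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from host to the terminal name, refusing loops and long chains."""
    chain = [host]
    while len(chain) <= max_hops:
        target = records.get(chain[-1])  # missing entry is treated as an A record
        if target is None:
            return chain
        if target in chain:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
    raise ValueError(f"CNAME chain for {host} exceeds {max_hops} hops")


def classify_resource(page_host: str, resource_host: str, records=CNAME_RECORDS) -> dict:
    """Label a subresource host as first-party, third-party or cname-cloaked.

    cname-cloaked: the name is same-site with the page, but its CNAME chain
    terminates in a different registrable domain.
    """
    page_site = registrable_domain(page_host)
    chain = resolve_cname_chain(resource_host, records)
    final_site = registrable_domain(chain[-1])
    if registrable_domain(resource_host) != page_site:
        kind = "third-party"
    elif final_site != page_site:
        kind = "cname-cloaked"
    else:
        kind = "first-party"
    return {"host": resource_host, "chain": chain, "kind": kind, "final_site": final_site}


def cookies_sent_to(cookies: Dict[str, str], host: str) -> List[str]:
    """Names of cookies (name -> Domain attribute) that domain-match host per RFC 6265.

    These are exactly the cookies a cloaked tracker receives despite
    third-party-cookie blocking, because the request looks same-site.
    """
    host = host.lower()
    sent = []
    for name, domain in cookies.items():
        d = domain.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            sent.append(name)
    return sent


def audit_page(page_host: str, resource_hosts: List[str], cookies: Dict[str, str],
               records=CNAME_RECORDS) -> List[dict]:
    """Return findings for every cloaked subresource, with the cookies it would leak."""
    findings = []
    for host in resource_hosts:
        result = classify_resource(page_host, host, records)
        if result["kind"] == "cname-cloaked":
            result["leaked_cookies"] = cookies_sent_to(cookies, host)
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed page: one first-party asset, one cloaked tracker, one overt third party.
    site_cookies = {"session": ".news-site.example", "pref": "www.news-site.example"}
    hosts = ["static.news-site.example", "metrics.news-site.example", "ads.third-party.example"]
    for f in audit_page("www.news-site.example", hosts, site_cookies):
        print(f"{f['host']}: {' -> '.join(f['chain'])}  leaks {f['leaked_cookies']}")
```

A blocker or privacy audit built on this logic needs the resolver's view of the CNAME chain, not just the hostname, which is why browser extensions that only match URL patterns miss cloaked trackers; Firefox's uBlock Origin uses the `dns.resolve` API for this reason. Note also that a Domain cookie scoped to the whole site (`.news-site.example` above) is the one that leaks, while a cookie scoped to `www` alone is not sent to the cloaked subdomain.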

Edited and compiled by QA's Director of Cyber, Richard Beck.
