Here is our cyber security news round-up of the week:
Australia investigates reported hacks aimed at parliament impacting live broadcast
An apparent cyber incident knocked Australia’s Parliament House’s email system offline just as Australia’s Channel Nine broadcasting was interrupted by hackers over the weekend. The suspected attack on Parliament has reportedly left MPs and senators without email access, while the incident affecting Channel Nine has primarily interrupted the broadcasting and corporate business departments, leaving the network unable to air its Weekend Today show on Sunday, the network said.
It was not immediately clear if the attacks were linked.
Local media outlets reported that the incident was the largest cyberattack to ever affect an Australian media company. The publishing and radio departments appeared to continue functioning without issue. Meanwhile, smartphones and tablets at the Department of Parliamentary Services were malfunctioning as a result of an attack there, DPS said in a statement.
The Australian Cyber Security Centre is working with both Channel Nine and parliament to address the interruptions, according to Channel Nine and a DPS spokesperson. The Australian Signals Directorate is also working with DPS, according to Assistant Minister for Defence Andrew Hastie. Channel Nine said it is not clear if suspected hackers behind the network attack are cybercriminals or state-backed, although journalist Alicia Loxley said the network was hit by ransomware, which could indicate a financial motive, according to TV Blackbox. Australia’s shadow treasurer Jim Chalmers said in a statement the attack was from a “serious, sophisticated” actor.
Rise of Linux malware
IBM has revealed several trends dominating the threat landscape in its X-Force Threat Intelligence Index 2021 report, a yearly assessment covering data and findings from January to December 2020. The latest report finds that Linux-related malware threats are rising and that cybercriminals are spoofing top technology brands and shifting their tactics in response to the evolving Covid-19 situation. Researchers found that Linux-based malware rose 40% year-over-year from 2019 to 2020, and by 500% from 2010 to 2020. Cybercriminals are making heavy investments in creating new Linux crypto-mining malware.
Besides the creation of Linux malware variants, big-game-hunting ransomware groups were discovered to be exploiting cloud services, such as MEGA or pCloud, to save and leak victim data. In such situations, reports like these can assist organisations to better understand the evolution of threats, assess risk, and prioritise cybersecurity efforts. The report's data shows that ransomware is the top attack type for 2021, and attackers are increasingly stealing and leaking sensitive company data in addition to encrypting it. Have a response plan that addresses these techniques.
Attackers target cloud tool Docker Hub for cryptojacking
Container images are known as a simple way to distribute software, yet malicious cryptojacking images are also a simple way for attackers to distribute their cryptominers. In the last several years, Unit 42 researchers have been witnessing cloud-based cryptojacking attacks in which miners are deployed using an image in Docker Hub. The cloud consists of many instances for each target (eg lots of CPUs, lots of containers, lots of virtual machines), which can translate to big mining profits. The cloud is hard to monitor. Miners can run undetected for a long time, and without any detection mechanisms in place, they may run until the user finds an inflated cloud usage bill and realises that something is wrong.
Modern cloud technology is largely based on containers, and in some environments Docker Hub is the default container registry. Attackers can take advantage of it to deploy miners on compromised clouds. Individuals improve their mining efficiency by using mining pools, and so do adversaries. How much cryptocurrency a mining pool account has earned can be checked by inspecting the mining pool. Half of the images found used a mining pool that shares this information, and extrapolating from that, an estimated US$200,000 worth of cryptocurrency was mined. The researchers discovered parallels with the campaign described in recent Unit 42 findings on azurenql, adding over 10 million more pulls under the attacker’s name.
Instagram and Facebook business accounts under attack
Proofpoint researchers spotted and blocked a cookie and password stealer named CopperStealer. This malware is now targeting Instagram and Facebook business accounts to steal passwords stored in Edge, Chrome, Opera, Firefox, and Yandex. The unauthorised access was then used by the operators to place malicious adverts on the platforms and profit from them. Other CopperStealer samples have been found to be targeting popular platforms, such as Google, Tumblr, PayPal, Apple, Amazon, Twitter, and Bing. In the first quarter of this year, the malware compromised up to 5,000 hosts per day. CopperStealer usually targets social media and search engine accounts to advertise malware and make profits from them. The attacks point to the desperation of attackers to leverage social media for maximum monetary gain. Folks, keep your credentials safe.
Industrial control systems critical vulnerability in Weintek cMTs
A cybersecurity researcher who specialises in industrial control systems (ICS) has identified three types of critical vulnerabilities in products made by human-machine interface (HMI) manufacturer Weintek. The Taiwan-based vendor’s products are used worldwide. The company has posted a technical advisory instructing customers to install available patches and take steps to mitigate risks. It noted that the risk of exploitation is more significant if the devices are connected to an open network.
The vulnerabilities were discovered by Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska. The security holes have been found to impact the EasyWeb web-based configuration interface available for Weintek cMT products. Affected products include HMIs (including screenless HMIs), programmable logic controllers (PLCs) and gateways. Dudek noted on Twitter that there are more than 170 cMT HMIs connected directly to the internet, including systems located in Europe, Asia and North America.
The researcher explains that, in the worst-case scenario, an attacker can exploit the vulnerabilities to take complete control of the targeted device with root privileges, which in a real-world environment could have serious consequences.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), which issued an advisory for the Weintek cMT vulnerabilities this week, the impacted products are mostly used in the water and commercial facilities sectors.
German Parliament targeted again by hackers
Email accounts of multiple German Parliament members were targeted in a spear-phishing attack. It is not yet known if any data was stolen during the incident. The attack was carried out by sending phishing emails to the German politicians' private emails, as reported by Der Spiegel. It is believed the attackers were able to gain access to the email accounts of seven members of the German federal parliament (Bundestag) and 31 members of German regional parliaments. Most parliament members targeted in this attack are part of the CDU/CSU and SPD governing parties. A Bundestag spokesperson said that the attackers didn't target the Bundestag's network. After the attack was detected, all targeted parliament members were immediately notified.
Vulnerability discovered in netmask networking tool
Popular npm library netmask has a critical networking vulnerability. netmask is frequently used by hundreds of thousands of applications to parse IPv4 addresses and CIDR blocks or compare them. The component gets over 3 million weekly downloads, and as of today, has scored over 238 million total downloads over its lifetime. Further, about 278,000 GitHub repositories depend on netmask.
Because of inadequate input validation, netmask interprets an IP address containing an octet with a leading zero as a different address from the one other software sees. The vulnerability, tracked as CVE-2021-28918 and more recently as CVE-2021-29418, concerns how netmask handles mixed-format IP addresses, or more specifically when a decimal IPv4 address contains a leading zero. Various network infrastructure and security products, such as web application firewalls, rely on netmask to filter out IPs present on blocklists and allowlists. This also means flaws like these, if left unchecked, can lead to serious gaps in perimeter security controls.
The researchers have disclosed their findings in a GitHub advisory and a blog post. The Perl component Net::Netmask also suffered from this flaw (tracked under a separate identifier CVE-2021-29424), and its maintainer, Joelle Maslak, has released a fix in the 2.0000 version today. Developers using the Perl components Netmask and some others (eg Net-IPAddress-Util, Net-CIDR-Lite, Net-CIDR, etc) are advised to ensure their applications sanitise and normalise IP addresses prior to passing these as inputs to such components, or preferably upgrade to the fixed version wherever applicable.
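The leading-zero ambiguity behind this bug, as an added example that is not netmask's own code: a decimal-only parser reads `0127` as 127, while inet_aton-style parsers used by many other tools read it as octal 87, so the same string can pass an allowlist in one component and reach a different host in another. The strict canonical-form check at the end is the "sanitise and normalise before passing to the library" step recommended above.

```javascript
// Added example modelling the leading-zero behaviour described above;
// this is not netmask's own code.

// A naive decimal-only parser: the leading zero is simply ignored,
// so "0127" becomes 127.
function octetDecimal(s) {
  return parseInt(s, 10);
}

// An inet_aton-style parser: a leading "0" marks an octal number and
// "0x" a hexadecimal one, so "0127" becomes 87 and "0x7f" becomes 127.
function octetInetAton(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s.slice(1), 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return NaN; // e.g. "08" is neither valid octal nor plain decimal
}

// Parse four dotted octets with the given octet parser; null if invalid.
function parseIPv4(addr, octetParser) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map(octetParser);
  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets.join(".");
}

// Strict canonical form: exactly four decimal octets, 0-255, no leading
// zeros, no hex. Anything else is rejected rather than guessed at.
const OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const CANONICAL_IPV4 = new RegExp(`^(${OCTET}\\.){3}${OCTET}$`);

function isCanonicalIPv4(addr) {
  return CANONICAL_IPV4.test(addr);
}

// Report how the two parsers disagree on an address, or null if they agree.
function parserDisagreement(addr) {
  const decimal = parseIPv4(addr, octetDecimal);
  const inetAton = parseIPv4(addr, octetInetAton);
  return decimal === inetAton ? null : { decimal, inetAton };
}

// Constructed sample: looks like loopback to a decimal-only parser,
// but is 87.0.0.1 to an octal-aware one; the canonical check rejects it.
const sample = "0127.0.0.1";
console.log(isCanonicalIPv4(sample), parserDisagreement(sample));
```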
Edited and compiled by QA's Director of Cyber, Richard Beck.