Cyber Pulse: Edition 161 | 27 August 2021

86% of critical infrastructure organisations in the UK attacked

A study from Bridewell Consulting reveals that 86% of critical infrastructure organisations in the UK have suffered some sort of cyber attack in the last 12 months. The majority (79%) of the organisations surveyed in the study use Operational Technology (OT) systems that are 6 to 20 years old, while a third of them use systems that are 11 to 20 years old. Ransomware gangs have become more ruthless as they pick victims with no tolerance for downtime, including critical infrastructure operators. According to another recent study from Fireeye, 41% of all ransomware attacks in 2020 involved OT networks.

Amateur attacks have impacted various industries, such as water control systems, solar panels and building automation systems, in both private and academic residences. These attacks often abuse graphical user interfaces and human-machine interfaces, as they allow the attackers to alter control variables of a process. While most of these attacks are by nature opportunistic, some of them are suspected to have political motivations. Every attack allows attackers to gain knowledge about OT systems, including their operations, physical processes and technology. This knowledge allows attackers to enhance their capabilities.

According to the NERC 2021 Reliability Risk Priorities Report, there has been an increase of 156% of vulnerability-related incidents, followed by a 170% increase in ransomware-related incidents and a 111% increase in suspicious incidents against the critical infrastructure. The risks associated with attacks on critical infrastructure are not limited to only financial losses but can also incur a loss of human safety and lives. Therefore, it is crucial that OT & ICS security leaders incorporate best practices in the current security plan.

Kubescape helps admins manage Kubernetes securely

Kubescape is an open-source tool for testing if Kubernetes is deployed securely, as defined in the recently released Kubernetes Hardening Guidance by NSA and CISA. Kubernetes is an open-source platform for automating the deployment, scaling and management of application containers across clusters of hosts.

“Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining,” the NSA noted when it released the aforementioned guide.

Kubescape is based on OPA (Open Policy Agent), an open-source policy engine that uses the popular rule language Rego. The tool retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by Israeli company ARMO.

Malicious actors escape detection with CAPTCHAs

Cybercriminals are now taking advantage of Google’s reCAPTCHA to hide their phishing or malware campaigns. CAPTCHAs, in simpler terms, are challenges to prove that a user is human. According to a report from researchers at Palo Alto Networks’ Unit 42, malicious campaigns are reusing CAPTCHA service keys to avoid being blocked by reCAPTCHA providers. The goal of such attacks is to hide phishing content behind CAPTCHAs that stop security defences from detecting malicious content while adding some legitimacy to pages. The security firm spotted 7,572 malicious URLs over 4,088 pay-level domains with obfuscation techniques in the last month itself. Moreover, scam campaigns and malicious gateways are using CAPTCHA evasion as well in their campaigns.

Phishing and malware campaigns are employing new evasion techniques and becoming technically advanced. The use of CAPTCHAs is a prime example, where attackers are escaping detection from security crawlers. However, such phishing pages can be detected with the association of CAPTCHA identifiers that can be used as IOCs to detect such attacks.

OpenSSL high-severity vulnerability patched

The OpenSSL Project patched a high-severity vulnerability, tracked as CVE-2021-3711, that can allow an attacker to change an application’s behaviour or cause the app to crash. The vulnerability, discovered by John Ouyang, affects versions prior 1.1.1. It ties the decryption of SM2 encrypted data, the changes depend on the targeted application and data it maintains (i.e. credentials), in the heap while the issue is exploited.

“A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k),” reads the description for this flaw.

OpenSSL Project also fixed a medium-severity vulnerability, tracked as CVE-2021-3712, that can be exploited by attackers to trigger a denial-of-service (DoS) condition.

Android games maker leak exposed

In a report shared with ZDNet, vpnMentor's cybersecurity team led by Noam Rotem and Ran Locar, revealed EskyFun as the owner of a 134GB server exposed and made public online. EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling system. The team says that the developers impose aggressive and deeply troubling tracking, analytics, and permissions settings when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require.

"Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users," the researchers commented. "Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

The records included IP and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data. 

vpnMentor suspects that up to, or more than, one million users may have had their information exposed. 

Peer-to-peer botnet targeting network vendors

Mozi, the peer-to-peer botnet, is now updated to target network gateways made by multiple vendors such as Netgear, ZTE, and Huawei. Furthermore, attackers can perform Man-in-the-Middle (MitM) attacks via DNS spoofing and HTTP hijacking. Upgrading Mozi capabilities to target network gateways allow attackers to compromise endpoints and spread ransomware or leads to safety issues in OT facilities. Meanwhile, research from Microsoft has found that the malware takes certain actions, such as ignoring some domains, to improve its survival chances on reboot.

It has been upgraded with new commands that allow it to hijack HTTP sessions and perform DNS spoofing to redirect traffic to a domain controlled by an attacker. Mozi propagates by exploiting weak and default remote access passwords and unpatched vulnerabilities. The IoT malware communicates using a Distributed Hash Table (DHT). The DHT is used to record the contact info of other nodes in the botnet. The infected devices wait for commands from controller nodes and try to compromise other exposed targets.