Global electric utility sector is facing an increasingly dangerous cyberthreat
The global electric utility sector is facing an increasingly dangerous cyberthreat landscape, even though there hasn’t been a publicly witnessed disruptive attack over the past five years. Utilities worldwide have been strengthening their security against threats to their IT networks but have not paid enough attention to their industrial control systems (ICS) and operational technology (OT) systems. Those are two of the high-level conclusions of a new report, “Global Electric Cyber Threat Perspective,” released by Dragos Inc. The report commended the Biden administration for releasing a 100-day plan in April specifically aimed at strengthening the security of utilities’ ICS and the energy sector supply chain. It’s a positive development that the US government recognises the fact that future threats will be based on the growing connectivity between ICS and the internet.
"Dragos is currently tracking 15 activity groups of hostile or potentially hostile actors," said Pasquale Stirparo, principal adversary hunter at Dragos and author of the report.
Of those 15 active AGs, 11 of them are targeting utilities, and two of those possess enough ICS-specific capabilities and tools to cause disruptive events. In the end, no matter what governments try to do in order to combat cyber threats, it’s up to the individual companies to know their risks and where those risks are in their systems. They then must be responsible for taking the preventive and defensive measures needed to protect their assets and their operations, because ultimately the safety of their facilities and networks falls on them.
QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that attempted to use QR codes designed to bypass email protections and steal login information. This is known as a "quishing" attack.
QR codes can be useful in attempts at malicious activity because standard email security protections like URL scanners won't pick up any indication of a suspicious link or attachment in the message. The campaign is run from previously compromised email accounts, allowing the attackers to send emails from accounts used by real people at real companies to add an aura of legitimacy to the emails, which could encourage victims to trust them. It's not certain how the attackers initially gain control of the accounts they're using to distribute the phishing emails. While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. For a start, the user needs to scan the QR code in the first place – and if they're opening the email on a mobile, they'll struggle to do this without a second phone. In order to stay safe from quishing emails, users should be extremely wary of scanning QR codes presented in unexpected messages, even if they look like they come from known contacts. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen.
Abuse of Discord CDN witnesses significant rise
Discord has reached a new height, passing 150 million active users. According to a report from the Influencer Marketing Hub, in 2021, the platform hosted over 19 million active servers related to different genres and topics. Unfortunately, the popularity of the cross-platform application has made it a significant attack vector for multiple malware attacks. A recent investigation conducted by RiskIQ revealed that threat actors abused the Discord channel to deliver a total of 27 unique malware families. These included backdoors, password stealers, spyware and trojans.
Apart from hosting malware, threat actors have found ways to misuse the core features of Discord for malicious intent. Check Point Research spotted a multifunctional malware that used the features of the platform to take screenshots, download additional files, and perform keylogging. One significant reason for the rise in malware detection on Discord is the numerous security holes within the platform. Researchers from Sophos have stated that Discord’s API was leveraged in multiple attacks to exfiltrate data and facilitate communication over hackers’ C2 channels. The platform can be used for various malicious purposes like malware development, botnet setups, C2 communication, and hosting malicious files. With so many options available at the attackers’ end, researchers highlight that early detection can prevent users from falling prey to such threats.
Increased activity involving stolen data on dark web
Stolen data travels 11 times faster on the dark web today than it did six years ago. Shocking, isn’t it? New research by Bitglass has found such stark statistics that display the evolution of the dark web and stolen data over the years. In 2015, the firm conducted a data tracking experiment to comprehend how data is viewed and accessed on the dark web. Dubbed Project Cumulus, the research thoroughly combed through the dark web for sites where threat actors deal in stolen identities and cloud app user credentials. The researchers discovered a smattering of communities in the dark web, wherein the members shared tactics to access credentials, leverage stolen data, and buy tools to evade detection. Project Cumulus witnessed a high rate of Tor usage and new document downloads from the data experiment. This signifies that threat actors have become conscious about not leaving behind any traces.
Breach data received around 13,000 views this year as compared to 1,100 views six years ago – a 1,100% increase. While in 2015 it took 12 days to reach that number of views, it took only 24 hours in 2021. Anonymous viewers on the dark web have reached 93%, including 36% for retail and 31% for the US government networks. The top three sources of stolen-data downloads are Kenya, the US and Romania. The rising number of data breaches and the greater surface area for cybercriminals to monetise the stolen data have incited heightened activity and interest in the dark web. Moreover, the rise in crackdowns on cybercriminals by law enforcement is pushing bad actors to use anonymous VPN services and proxies when accessing breached data.
Adobe’s surprise security bulletin dominated by critical patches
Adobe has dropped a mammoth out-of-band security update this week, addressing 92 vulnerabilities across 14 products. The majority (66) of the disclosed bugs are critical-severity problems, and most allow arbitrary code execution (ACE). Privilege escalation, denial-of-service and memory leaks/information disclosure are all well-represented as well. There’s plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location after the end of a buffer, leading to ACE (a type of memory issue that, in the worst-case scenario, can be exploited like a standard buffer overflow).
The fixes come two weeks after Adobe released its normal monthly Patch Tuesday patches. A company spokesperson characterised the release as “planned” rather than an emergency response – and indeed, Adobe said in its advisories that there’s no evidence that any of the bugs are being exploited in the wild.
All Windows versions impacted by new LPE zero-day vulnerability
A security researcher has disclosed technical details, in a technical writeup, for a Windows zero-day privilege elevation vulnerability, along with a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. The good news is that the exploit requires a threat actor to know another user's username and password to trigger the vulnerability, so it will likely not be widely abused in attacks. The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
The attack is a bypass of a patched vulnerability. Microsoft released a security update for a Windows User Profile Service Elevation of Privilege Vulnerability, tracked as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri. After examining the fix, Naceri found that the patch was not sufficient and that he was able to bypass it with a new exploit that he published on GitHub.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.