Cyber Pulse: Edition 183 | 29 April 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

More than $13 million stolen from crypto platform

Two blockchain security firms, PeckShield and CertiK, said Deus Finance was hit with a variation of a “flash loan attack”. Flash loan attacks involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price and then offloading the coins. The loan is paid back and the borrower keeps any profit.

PeckShield said the attacker stole about $13.4 million (£10.7 million) worth of cryptocurrency but noted that the platform’s actual losses may be larger. CertiK put the losses at 5,446 ETH, or about $15.7 million (£12.5 million). 

The Deus platform gives developers a way to create financial services and is made up of two different coins: DEI and DEUS. Blockchain data shows that the attacker took out $143 million (£114 million) in a flash loan and bought 9.5 million DEI, Deus Finance’s stablecoin, which is pegged to the US dollar. That purchase raised the price of DEI, allowing the attacker to pay the flash loan back and net about $13 million. Blockchain data showed the hacker sent the funds to Tornado Cash, a cryptocurrency mixer that allows people to hide the origin of funds.

PeckShield noted that Deus Finance was hit with another flash loan attack on 15 March in an incident that led to about $3 million (£2.4 million) in losses. 

DeFi platform creators are in a constant game of cat-and-mouse with hackers who pore over their code and the functionality of their smart contracts in order to find vulnerabilities or mistakes that can be abused. Hackers also routinely use the price differences for coins found on different platforms to their advantage when deploying flash loan attacks.

Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. Two weeks ago, hackers stole $11.2 million worth of Binance Coin from DeFi platform Elephant Money. Blockchain analysis firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021. Last month, the Ronin Network announced that hackers stole more than $500 million worth of cryptocurrency, making it one of the largest attacks ever. 

Edited. Original Source: Record

Cryptomining campaign has been targeting Docker APIs

A large-scale Monero cryptomining campaign has been targeting Docker APIs on Linux servers. The attacks are launched from the LemonDuck botnet targeting misconfigured Docker systems.

According to a report, the operators behind the LemonDuck campaign are hiding their wallets behind proxy pools. LemonDuck gains access to exposed Docker APIs by executing a malicious container to get Bash script disguised as a PNG image. The payload creates a cronjob inside the container to download a Bash file (a[.]asp) that performs different actions. Once the Bash script is downloaded, it executes the cryptomining utility XMRig with a configuration file that hides the attacker’s wallets behind proxy pools. The attackers are trying to disable cloud security services, such as Alibaba Cloud’s monitoring service, to avoid detection and continuously mine Monero, Bitcoin, and Ether for a longer period.

Besides cryptojacking the infected system, the malware further attempts to spread across the network to target more devices. After setting up an infected machine for mining, LemonDuck tries lateral movement using SSH keys. If any keys are found on the filesystem, they are used to repeat the same infection process on other devices. Moreover, the Bash file can: delete known IOC file paths; kill network connections to C2s, daemons like crond, sshd, syslog, processes; and disable Alibaba Cloud’s monitoring service.

The growing adoption of crypto and blockchain technologies and the use of cloud and containers is attracting cybercriminals. Thus, admins are suggested to check and use the built-in features of Kubernetes and integrated container security products for better protection. Ultimately, organisations should invest more in their cloud security.

Edited. Original source: Crowdstrike

Microsoft reports Russian cyber-attacks on Ukraine

The cybersecurity landscape has been going through a lot lately. Take for instance the constant cyber war between Russia and Ukraine. Microsoft released a report detailing the humongous scale of Russian cyberattacks against Ukraine. Multiple threat actors targeted citizens and national infrastructure. The attacks leveraged destructive malware to disrupt critical systems and prevent civilians’ access to information and life services.

Right before the invasion, at least six Russian distinct actors launched more than 237 attacks. All of these attacks were of destructive nature and many are still ongoing.  GRU operators had launched wiper attacks on hundreds of systems belonging to Ukrainian financial, government, energy, and IT organisations. 

Some destructive malware identified by MSTIC includes CaddyWiper, WhisperGate, FoxBlade, DesertBlade, DoubleZero, and Industroyer2. More than 40% of attacks targeted organisations operating in the critical infrastructure sector. These attacks, in turn, affected civilians, the government, the economy, and the military. More than 30% of attacks targeted government organisations at the city, regional, and national levels.

Groups associated with the GRU – APT28, Gamaredon, Sandworm, UNC2452/2652, DEV-0586 and Turla – were found pre-positioning for conflict since at least March 2021. The attackers are using a variety of attack tactics to gain initial access to the target. Some of these include phishing, infecting upstream IT service providers, and abusing unpatched bugs. This access enables them to launch operations for destruction, establishing persistence and data exfiltration. The activities by Russian threat actors mostly comprised disrupting, infiltrating, or destroying a huge range of critical infrastructure and government networks.

Edited. Original Source- Microsoft

Global phishing attacks hit a new high

Global phishing attacks have hit a new high in 2021 as new attack vectors and phishing-as-a-service methods emerged. One of the reasons that this type of attack grows in prevalence every year is its low barrier to entry. Moreover, cybercriminals take advantage of current events such as the Covid-19 pandemic or cryptocurrency to trick victims to hand over their confidential data.

A new report from Zscaler reveals that phishing attacks showed a dramatic 29% growth as a record  874 million attacks were observed globally in 2021. A majority of these attacks used productivity tools, illegal streaming sites, shopping sites, social media platforms, financial institutions, and logistical services as a lure to target victims. Organisations in the retail and wholesale sectors were the most targeted entities, experiencing more than a 400% increase in phishing attacks in the last 12 months. The US was the most targeted country, accounting for 60% of all phishing attacks. The next frequently attacked countries were Singapore, Germany, the Netherlands, and the UK. Researchers also noted that SMS phishing is emerging as one of the prevalent attack methods of intrusion as users become more cautious of suspicious emails.

While phishing has long been one of the most common tactics used in cyberattacks by sophisticated threat actors, it has become more accessible to low-skilled cybercriminals due to a maturing underground marketplace for attack frameworks and services. A new phishing technique, recently demonstrated by a researcher, is capable of making phishing attacks nearly invisible. Dubbed Browser-in-the-Browser, the technique relies on single sign-on options on websites and can enable attackers to harvest credentials from Facebook, Google, Apple, or Microsoft without users’ knowledge.

Researchers claim that an average-sized organisation receives dozens of phishing emails every day. This means that employees at all levels must be aware of the most common phishing tactics and trained to spot phishing attempts that can result in financial loss and damage an organisation’s reputation.

Edited. Original Source: Zscaler 

Google’s Project Zero tracked 58 zero-day exploits last year

Attackers are quick to zero in on zero-days these days. Google’s Project Zero tracked 58 zero-day exploits last year, implying that this is the highest number of zero-days detected. However, the researchers concluded that the rise in the number of zero-day exploits is mainly because of greater detection and disclosure rates. 

The good news comes with a bad one. Attackers are having more success using the same exploitation techniques and bug patterns on the same attack surfaces. The attack methodology hasn’t changed much since previous years. The flaws catalogued by the team are only the ones that have been identified and disclosed. Therefore, the actual proportion of zero-day exploits remains unknown.

Of the 58 zero-day vulnerabilities reported in 2021, 56 were similar to previously disclosed flaws. Of these, 67% or 39 accounted for memory corruption bugs, followed by 17 use-after-free, 6 out-of-bounds read-and-write, 4 buffer overflow, and 4 integer overflow bugs.

Only two vulnerabilities were distinguished. First of them is the CVE-2021-30860 in iMessage, which was abused by NSO’s Pegasus spyware. The second one was a sandbox escape, dubbed FORCEDENTRY, that affected iOS and exploited only logic bugs instead of memory corruption, to escape the sandbox.

Chrome/Chromium had the most number of vulnerabilities (14), followed by Windows (10), Safari and Android (7 each), Microsoft Exchange Server and iOS/macOS (5 each), and Internet Explorer (4). The exploitation of zero-days is increasing as threat actors are still abusing unreported flaws through stealthy campaigns. Organisations are recommended to create a proactive defense strategy to deal with such threats. This 2021 data indicates that the security community is on the right path and is working toward making the abuse of zero-day bugs challenging.

Edited. Original source: Google

Cisco announces host of security advisories

Cisco this week announced the release of its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). The semiannual bundled advisories describe a total of 19 vulnerabilities in Cisco’s security products, including 11 that were assessed with a severity rating of “high”. The most severe of these is CVE-2022-20746 (CVSS score of 8.8), an FTD security hole that exists because TCP flows aren’t properly handled, and which could be exploited remotely without authentication to cause a denial of service (DoS) condition.

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. The tech giant has addressed the issue with the release of FDT versions 6.6.5.2 and 7.1.0.1. The company also plans the inclusion of fixes in FDT releases 6.4.0.15 and 7.0.2, which are planned for next month. Cisco also resolved an ASA-specific vulnerability that allows an attacker to retrieve process memory containing sensitive information. The company’s semi annual bundled publication of security advisories also details patches for eight medium-severity flaws in these security products. Cisco is not aware of any attacks exploiting these vulnerabilities. 

Edited. Original source: Cisco

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.