Cyber Security Training from QA

Cyber Pulse: Edition 12

Read the latest edition of Cyber Pulse, our roundup of Cyber news.

26 April 2018

Internet Explorer has a zero-day bug that Microsoft needs to fix

Internet Explorer is pre-installed on every Windows PC, even though it has been superseded by Microsoft's new Edge browser in terms of long-term support. The reason is simple: many organizations use the archaic browser for legacy applications, so Microsoft has had to keep it around but isn't spending a great deal of time on improving it. Unfortunately, according to one security firm, Internet Explorer has a serious flaw that leaves it open to malware attacks. ZDNet reports on the zero-day bug, which was disclosed by Chinese antivirus software company Qihoo 360 Core. The company's security research team say the attack uses a Microsoft Office document that exploits the vulnerability to open a web page, which in turn downloads a piece of malware. According to the researchers, the malware performs a user account control (UAC) bypass, and it also uses file steganography, the technique of embedding a message, image, or file within another message, image, or file. Microsoft responded to ZDNet's request for comment with the following rather generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule." Apparently, the attack is being conducted globally by an "advanced persistent threat (APT) group", which implies a group of hackers with the capability to conduct such a sophisticated attack. Unfortunately, there is not much users can do at this point except follow the usual security advice: keep your systems and software updated, make sure you're using sufficient malware protection, and don't open any files unless you're absolutely certain that they come from a trusted source and were sent on purpose.

‘Orangeworm’ hacking campaign hits X-ray and MRI machines

Malware from a newly disclosed hacking campaign has infected the networks of multinational health care companies, including some X-ray and MRI machines, cybersecurity firm Symantec warned Monday. The hacking group, dubbed Orangeworm, has hit a relatively small number of companies in more than 20 countries, Symantec said in an advisory. Nearly 40 percent of Orangeworm’s victims are in the health care industry, the advisory said. Manufacturers and IT companies that do business in health care have also been infected. Orangeworm’s custom malware has shown up on machines that control “high-tech imaging devices such as X-ray and MRI machines,” Symantec said. The Orangeworm revelation adds to a slew of cybersecurity challenges, including ransomware, facing the health care sector. An Indiana hospital in January paid roughly $50,000 in bitcoin to hackers that held its computer system hostage. Congress has taken notice of the sector’s vulnerabilities. House lawmakers on Friday issued a request for information asking industry for advice on securing old hospital equipment from hacking. Orangeworm can exploit such outdated technology by spreading across older operating systems like Windows XP, according to Symantec. “Older systems like Windows XP are much more likely to be prevalent within [the healthcare] industry,” the firm said. Like many persistent hackers, Orangeworm has preyed on the supply chain to reach a target. “Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” Symantec said.

Next generation of SCADA industrial controls will protect against cyber attack

Oil refineries, paper companies and pharmaceutical firms are developing a new generation of secure industrial control technology that will offer better protection against attacks on critical manufacturing infrastructure from malware and state-sponsored hackers. More than 120 companies, including ExxonMobil, DuPont and Lockheed Martin, are taking part in a fast-track collaborative project that aims to develop highly secure, lower-cost ways to control industrial plants. The work comes as new evidence emerges that state-backed hacking groups are targeting vulnerabilities in critical industrial infrastructure in the US and the UK. The UK security services warned last week that Russia is targeting western energy companies with cyber attacks, following US military strikes in Syria. Industrial control systems, known as supervisory control and data acquisition (SCADA) systems, which are used to control valves, motors and other industrial processes, are frequently based on technology that pre-dates the internet, and can be vulnerable to attack once incorporated into modern control systems that transmit and receive data over the internet. But large oil and manufacturing companies are working on plans to replace existing control system infrastructure with lower-cost alternatives that promise greater security against cyber attacks on control devices connected to the industrial internet of things, which links millions of internet-connected industrial devices. The project, co-ordinated by the Open Process Automation Forum, part of the independent standards organisation The Open Group, aims to help oil and gas and process companies break free from manufacturer-specific industrial control systems, which are expensive to maintain and upgrade and difficult to patch against the latest security vulnerabilities.

New Desert Scorpion spyware found in malicious chat app aimed at Palestinians

A malicious chat app that was advertised on Facebook and distributed through the Google Play store was discovered to execute a previously unknown spyware program linked to APT-C-23, an advanced persistent threat group allegedly with ties to Hamas. Michael Flossman, head of threat intelligence at mobile security company Lookout, stated in remarks at the RSA 2018 conference on Friday that the mobile attack specifically targeted Palestinian individuals of interest. According to a blog post from Lookout published a few days earlier, the app was advertised on Facebook as a free Android messaging service called Dardesh, but in reality acted as a downloader for the final payload, a newly identified surveillance program named Desert Scorpion. The spyware carries a host of capabilities, including file and data exfiltration (even for documents found in external storage); sending and retrieving SMS messages; tracking the device location; recording video and audio; uninstalling apps; placing calls; retrieving contacts; determining whether a device is rooted; and more. If running on a Huawei device it will also attempt to add itself to the protected list of apps able to run with the screen turned off, Lookout further reported. Google reportedly removed the offending app from its online store promptly after Lookout's private disclosure. Lookout researchers theorize that APT-C-23, aka Two-Tailed Scorpion, is behind Desert Scorpion because the Facebook profile used to promote the malicious Dardesh app (and link to Google Play) was previously used to post Google Drive links leading to FrozenCell, another spyware family attributed to the same threat group. Moreover, the command-and-control infrastructure used by both malware families resides in similar IP blocks, the blog post notes.

'SquirtDanger' Swiss Army Knife malware steals cryptocurrency, takes screenshots

Palo Alto's Unit 42 researchers identified a new botnet malware family, described as "Swiss Army Knife malware", that was designed by a veteran threat actor and is capable of taking screenshots and draining cryptocurrency wallets. Dubbed "SquirtDanger", the malware family was likely created by a Russian hacker using the handle "TheBottle" and delivered via illicit software downloads, also known as "warez", according to an April 17 blog post. The malware is also capable of stealing passwords, deleting malware, sending files, clearing browser cookies, listing and killing processes, getting directory information, and downloading, uploading, deleting and executing files. "Once run on the system, it will persist via a scheduled task that is set to run every minute," researchers said in the post. "SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications." The malware's suspected author is a well-known Russian cybercriminal who has been active on global underground marketplaces for years. So far, researchers have spotted 1,277 unique SquirtDanger samples used across multiple campaigns.
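As an added defensive example, not code from the Unit 42 post or from this newsletter: a Python audit that parses Windows Task Scheduler XML definitions and flags any trigger repeating at one-minute intervals, the persistence frequency described above. The task-store path, the 60-second threshold and the sample task are assumptions and constructed data, not real SquirtDanger artefacts.

```python
import re
from pathlib import Path
import xml.etree.ElementTree as ET

TASK_DIR = r"C:\Windows\System32\Tasks"  # Task Scheduler keeps one XML definition per task here
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_BENIGN_INTERVAL_SECONDS = 60  # hypothetical threshold: repeating every minute or faster gets flagged
# Constructed sample task definition; not a real SquirtDanger artefact.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\updater.exe</Command></Exec>
  </Actions>
</Task>"""
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration (PT1M, PT30S, P1DT2H) into seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds

def audit_task_xml(source, max_interval=MAX_BENIGN_INTERVAL_SECONDS):
    """Return one finding per trigger whose repetition interval is max_interval seconds or shorter."""
    root = ET.fromstring(source)  # str or bytes; on-disk task files are UTF-16 with a BOM, which expat detects
    commands = [c.text for c in root.iterfind(".//t:Exec/t:Command", NS)]
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs <= max_interval:
            findings.append({"interval_seconds": secs, "commands": commands})
    return findings

def audit_task_dir(task_dir=TASK_DIR):
    """Walk the live task store and map each task file to its high-frequency trigger findings."""
    report = {}
    for path in (p for p in Path(task_dir).rglob("*") if p.is_file()):
        try:
            hits = audit_task_xml(path.read_bytes())
        except (OSError, ET.ParseError, ValueError):
            continue  # unreadable, or not a task definition
        if hits:
            report[str(path)] = hits
    return report
```

Run `audit_task_dir()` from an elevated prompt on a Windows host to list every task that fires this often, then review the recorded commands against known-good software.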

New hacks siphon private cryptocurrency keys from airgapped wallets

Researchers have defeated a key protection against cryptocurrency theft with a series of attacks that transmit private keys out of digital wallets that are physically separated from the Internet and other networks. Like most of the other attacks developed by Ben-Gurion University professor Mordechai Guri and his colleagues, the currency wallet exploits start with the already significant assumption that a device has been thoroughly compromised by malware. Still, the research is significant because it shows that even when devices are airgapped, meaning they aren't connected to any other devices in order to prevent the leaking of highly sensitive data, attackers may still successfully exfiltrate the information. Past papers have defeated airgaps using a wide array of techniques, including electromagnetic emissions from USB devices, radio signals from a computer's video card, infrared capabilities in surveillance cameras, and sounds produced by hard drives. On Monday, Guri published a new paper that applies the same exfiltration techniques to "cold wallets", which are not stored on devices connected to the Internet. The most effective techniques take only seconds to siphon a 256-bit Bitcoin key from a wallet running on an infected computer, even though the computer isn't connected to any network. Guri said the possibility of stealing keys that protect millions or billions of dollars is likely to take the covert exfiltration techniques out of the nation-state hacking realm they currently inhabit and possibly bring them into the mainstream. One technique can siphon private keys stored in a cold wallet running on a Raspberry Pi, which many security professionals say is one of the best ways to store private cryptocurrency keys. Even if the device became infected, the thinking goes, there's no way for attackers to obtain the private keys because it remains physically isolated from the Internet or other devices. In such cases, users authorize a digital payment in the cold wallet and then use a USB stick or other external media to transfer a file to an online wallet. As the video demonstrates, it takes only a few seconds for a nearby smartphone under the attacker's control to covertly receive the secret key.

Former hospital worker prosecuted for inappropriately accessing patient records

A former employee of a Milton Keynes hospital trust has been prosecuted for accessing patient records without authorisation. Michelle Harrison, of Milton Keynes, inappropriately accessed the records of 12 patients outside of her role as receptionist/general assistant in the Orthotics Department at Milton Keynes University Hospital NHS Foundation Trust between March 2016 and January 2017. These included the patient records of her ex-partner and of a woman who claimed that Ms Harrison had used the information to harass her and had complained to the Trust. The Trust contacted the Information Commissioner's Office in March 2017 after it had received the complaint. Harrison pleaded guilty to unlawfully accessing personal data and unlawfully disclosing personal data in breach of s55 of the Data Protection Act 1998 at Milton Keynes Magistrates' Court on Friday 20 April. She was fined £134 for offence 1 and £166 for offence 2, plus a victim surcharge of £30. Mike Shaw, Head of Criminal Investigations at the ICO, said: "This abuse of a position of trust has caused significant distress to a number of people. The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect. The ICO will continue to take action against those who abuse their position and potentially jeopardise the important relationship of trust between patients and the NHS."

Facebook moves nearly 1.5bn accounts out of European HQ

Facebook is risking yet another privacy backlash after reports that it is moving the accounts of nearly 1.5 billion users out of its Irish HQ to its US headquarters, meaning that they will no longer be covered by GDPR. Facebook set up its international headquarters in Ireland in 2008 to take advantage of the country's low corporate tax rates, but it also meant all users outside the US, Canada and Europe were protected by European regulations. While the changes do not affect Facebook's 239 million users in North America and 370 million in Europe, members based in Africa, Asia, Australia and Latin America will no longer be protected under the new privacy laws coming into force in May. The change will affect over 70% of its two billion-plus user base. However, the company rejected suggestions that the move was designed to swerve the new regulation. Facebook deputy chief global privacy officer Stephen Deadman said: "The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live." Earlier this month, Facebook admitted that the Cambridge Analytica data scandal had actually affected far more people than first revealed, with up to 87 million consumers, including over a million Brits, now thought to have had their information exploited.



Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.