Cyber Security Training from QA

Cyber Pulse: Edition 13

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


4 May 2018

Change Your Twitter Password Now - And Add Two-Factor Authentication While You're At It

Twitter made a significant security announcement on Thursday evening (ironically on National Password Day - it was yesterday, in case it somehow passed you by): a bug exposed passwords to internal Twitter staff. All users were advised to change their login information. But there's another step users should take, possibly even before they change their password: add a second factor of authentication. All it requires is a phone. You give Twitter your mobile number, turn on two-factor authentication, and every time you log in from a different device it will ask for a unique code. This should protect you every time Twitter has a mishap such as yesterday's: a hacker (or a Twitter staffer) might have your password, but they can't get into the account without that code. There are two versions of this kind of login verification. One sends codes over SMS, which is slightly less secure than the other option, as texts can be intercepted by a hacker sitting on the telecoms network. It's best to select the "mobile security app" option in Twitter's settings and use an application like Google Authenticator. Setup is simple: scan a barcode, enter a one-time code, and you're done. As it sent out an alert to its 330 million users via the web and mobile apps, Twitter gave a few details about the bug. In a blog post it said that it had stored passwords "unmasked in an internal log": due to a bug, passwords were written to an internal log before the hashing process completed. The bug has been fixed, and Twitter found no indication of breach or misuse by anyone.

SirenJack flaw exposes problems in emergency alert system

Security researchers have found a flaw in the alert warning siren systems used by many local authorities. According to a report released by security firm Bastille Networks, the vulnerability, which it calls 'SirenJack', could allow a hacker to broadcast false alarms, potentially affecting millions of people. The flaw affects warning sirens developed by ATI Systems, which are deployed in multiple locations around the world. ATI customers include the City of San Francisco, other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants. In the US these emergency alert systems are installed at One World Trade Center, the Indian Point Energy Center nuclear power stations, UMass Amherst, and the West Point Military Academy. The SirenJack vulnerability can be exploited remotely over radio frequencies to activate all the sirens at will and trigger false alarms, with the attendant chaos and panic. The researchers found that an unencrypted, and therefore insecure, radio protocol controls the ATI sirens they monitored. This unencrypted protocol allows a bad actor, whether an individual, hacktivist, terrorist or hostile nation state, to find the radio frequency assigned to a system, craft malicious activation messages, and transmit them from their own radio to set off the system.
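The root problem Bastille describes is that the receivers act on any activation frame they hear. The following Python sketch, added here and not ATI's protocol or Bastille's research code, shows the two properties a receiver would need to check before acting: a keyed message authentication code proving the frame came from the holder of the site key, and a strictly increasing counter so that a recorded frame cannot be replayed later. The frame layout, the key and the action names are assumptions for illustration.

```python
import hmac
import struct
from hashlib import sha256

# Constructed demo key. A real deployment would provision a per-site key out of band,
# never ship it in firmware or source, and rotate it if a receiver is lost.
SITE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def build_command(key: bytes, counter: int, action: str, zone: int) -> bytes:
    """Controller side (assumed layout): counter(4, big-endian) | zone(1) | action text | tag(16)."""
    body = struct.pack(">IB", counter, zone) + action.encode("ascii")
    tag = hmac.new(key, body, sha256).digest()[:TAG_LEN]
    return body + tag


class SirenReceiver:
    """Receiver side: acts only on frames whose tag verifies and whose counter is strictly increasing."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1      # highest counter seen so far (persist this across reboots)
        self.activations = []       # zones actually activated, for the demo

    def handle(self, frame: bytes) -> str:
        if len(frame) < 5 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, sha256).digest()[:TAG_LEN]
        # Check the tag before parsing anything else; a forged or bit-flipped frame fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter, zone = struct.unpack(">IB", body[:5])
        action = body[5:].decode("ascii")
        # A genuine frame recorded earlier and re-transmitted carries an old counter.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if action == "ACTIVATE":
            self.activations.append(zone)
        return f"accepted: {action} zone {zone}"


def demo() -> list:
    """Runs a legitimate command, a replay of it, a tampered copy, and an unauthenticated frame."""
    rx = SirenReceiver(SITE_KEY)
    genuine = build_command(SITE_KEY, counter=42, action="TEST", zone=3)
    tampered = bytearray(genuine)
    tampered[5] ^= 0x01                      # flip one bit of the action text
    results = [
        rx.handle(genuine),                  # accepted
        rx.handle(genuine),                  # same frame again -> replay
        rx.handle(bytes(tampered)),          # modified body -> bad tag
        rx.handle(struct.pack(">IB", 43, 3) + b"ACTIVATE"),   # no tag at all -> malformed
        rx.handle(build_command(b"wrong key", 43, "ACTIVATE", 3)),  # wrong key -> bad tag
        rx.handle(build_command(SITE_KEY, 43, "ACTIVATE", 3)),      # accepted
    ]
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Authentication with a counter stops forgery and replay, which are the two attacks the report describes; it does not, by itself, stop jamming of the channel, and it relies on the receiver persisting `last_counter` so a power cycle does not reopen the replay window.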

Spartacus ransomware shows sparse features can still fight hard

A new ransomware named after a gladiator is demonstrating how even malware with sparse features can still wreak havoc on unsuspecting users. Dubbed 'Spartacus', the malware was described by Malwarebytes researchers as a relatively straightforward sample that uses techniques and code similar to the ShiOne, Blackheart and Satyr ransomware variants, according to an April 30 blog post. “In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications,” Malwarebytes researcher Vasilios Hioureas said in the post. “If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code.” At the moment there are no clear relationships between the malware samples and the threat actors; however, the variants share similar functionality and are basic in form. Researchers noted the string of .NET ransomware popping up, all of it more or less the same or similar, and said Spartacus is an easy form of ransomware for criminals to create, since it does not take much time or thought to make. The malware starts by generating a unique encryption key for each victim using the Rijndael version of AES, then saves the key, which is used to encrypt every file. This means that two identical files will have the same ciphertext, researchers said. Spartacus uses the CheckRunProgram function to make sure only one instance of the malware is running on the system, and it operates purely offline, with no network communication back to the author or any C2 server. The malware author doesn't know who is infected until the victim emails them their personal ID, which is the AES key. Unfortunately, no decryptors are available for the malware, as the decryption tool is likely embedded in the AES key, which is unique to each victim.

Roaming Mantis malware on the loose in Asia

More than 150 Asian attacks by Roaming Mantis, a new Android malware that steals user information, have been detected. The malware, identified by researchers of cybersecurity firm Kaspersky Lab, gives attackers full control over the compromised Android device. Between February and April 2018, researchers found the malware in more than 150 user networks, mainly in South Korea, Bangladesh and Japan, but there are likely many more victims. Researchers believe that a cybercriminal group looking for financial gain is behind the operation. “The story was recently reported in the Japanese media, but once we did a little more research, we found that the threat does not originate there,” said Vitaly Kamluk, director of global research analysis for Asia-Pacific. “In fact, we found a number of clues that the attacker behind this threat speaks either Chinese or Korean. Further, the majority of victims were not located in Japan either. Roaming Mantis seems to be focusing mainly on Korea, and Japan appears to have been a kind of collateral damage.” While Kaspersky Lab’s detection data uncovered about 150 targets, further analysis revealed thousands of connections hitting the attackers’ command and control servers on a daily basis, pointing to a far larger scale of attack.

Stockport firms fined for nuisance calls and spam texts

The Information Commissioner’s Office (ICO) has fined two firms in Stockport for disrupting the public with nuisance marketing. IAG Nationwide Limited has been fined £100,000 for making more than 69,000 calls to people registered with the Telephone Preference Service (TPS). Recipients described the calls as “frightening”, “threatening” and “aggressive”. IAG also failed to correctly identify itself in the calls, did not give people the chance to opt-out of receiving them and provided misleading information about the nature of the call. On top of the fine, the company has been issued with an enforcement notice by the ICO, ordering it to stop illegal marketing. In a separate ICO investigation, Bramhall-based Costelloe and Kelly Limited has been issued with a £19,000 fine for sending more than 260,000 spam texts promoting funeral plans. Andy Curry, ICO Enforcement Group Manager, said: “Both these firms showed disregard for both the law and people’s right to privacy when they embarked on their unlawful marketing campaigns. We heard about the harassing nature of the calls made by IAG Nationwide, whilst Costelloe and Kelly ploughed ahead with their spam texts despite the fact the content was about funeral plans – a sensitive area which could cause upset to recipients. Reports from the public about these firms helped our investigations, leading to action to hold those responsible to account. I’d urge others targeted by nuisance calls, emails or texts, to report them to the ICO.”

GravityRAT malware detects virtualized environments by taking infected machines' temperature

A previously unidentified remote access tool (RAT), primarily targeting Indian organizations, uses seven different techniques for sniffing out researchers' virtual machines and sandbox environments, including taking the temperature of an infected computer. Dubbed GravityRAT, the malware has largely stayed under the radar for at least two years, and allows adversaries to perform reconnaissance on affected machines, exfiltrate files, and execute arbitrary code, according to a new blog post analysis from Cisco Systems' Talos threat research division. GravityRAT infects computers via Microsoft Office documents containing a small embedded malicious macro, which victims are tricked into enabling while at the same time disabling Protected Mode. The macro includes three functions: one copies the active document to a temporary directory and renames it as a ZIP archive, one decompresses the .zip file and extracts the malicious executable inside it, and one creates a scheduled task to execute that file each day.
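A document-borne dropper of the kind described here, where the .docx itself doubles as the ZIP archive that carries the executable, leaves a recognisable artefact: an Office file (an OOXML document is a ZIP container) whose members include a macro project and a member that starts with a PE header. The following Python scanner is an added example, not Talos's tooling; the sample document it builds is constructed in memory with a fake PE header and a fake macro project so that it runs offline.

```python
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"   # header of the OLE compound file that vbaProject.bin uses


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def scan_office_document(blob: bytes) -> dict:
    """Walks every member of an OOXML container and reports macro projects and embedded executables.
    Member names are not trusted: the check is on the bytes, not the extension."""
    findings = {"members": 0, "has_macro_project": False, "embedded_executables": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # Legacy binary .doc files are OLE, not ZIP; report rather than silently pass them.
        findings["error"] = "not a ZIP container (legacy .doc or not an Office file)"
        return findings
    with zf:
        for info in zf.infolist():
            findings["members"] += 1
            if info.filename.lower().endswith("vbaproject.bin"):
                findings["has_macro_project"] = True
            head = zf.open(info).read(4096)      # the PE header sits at the start of the member
            if looks_like_pe(head):
                findings["embedded_executables"].append(info.filename)
    return findings


def build_sample_document(with_payload: bool) -> bytes:
    """Constructed minimal docx-like container. The 'payload' is only a fake PE header, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 60)
        if with_payload:
            fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
            struct.pack_into("<I", fake_pe, 0x3C, 0x40)           # e_lfanew -> right after it
            fake_pe += PE_SIGNATURE + b"\x00" * 20
            # Stored under an innocuous name: a real dropper need not call it payload.exe.
            zf.writestr("word/media/image1.png", bytes(fake_pe))
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious document:", scan_office_document(build_sample_document(True)))
    print("macro-only document:", scan_office_document(build_sample_document(False)))
    print("not an OOXML file:  ", scan_office_document(b"not a zip"))
```

A hit on `embedded_executables` together with `has_macro_project` is a strong triage signal on a mail gateway or file share; a macro project alone is common in legitimate business documents and should be scored, not blocked outright.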

Critical Flaws in Industrial Software Left US Infrastructure Wide Open to Hackers

Vulnerabilities in two applications widely used by manufacturers and power plant operators may have given hackers a foothold in America’s critical infrastructure before they were discovered by a Maryland-based cybersecurity firm. Tenable announced on Wednesday that flaws in two human-machine interface (HMI) tools developed by Schneider Electric, a global energy management and automation company, are being fixed after Tenable’s researchers discovered that remote attackers could easily access the tools. According to Tenable, the flaws its researchers found in Schneider’s software would have allowed a malicious hacker to execute arbitrary code without credentials. Worse, they may also have enabled the attacker to move laterally through the victim’s network and gain access to other critical systems, the company said.

FacexWorm Spreads via Facebook Messenger, Malicious Chrome Extension

Researchers with cybersecurity firm Trend Micro have uncovered a malicious extension for Google’s Chrome web browser that uses a multitude of methods to steal and mine cryptocurrency from infected users. The malware, which Trend Micro calls “FacexWorm”, makes its way onto a victim’s browser via social engineering conducted through Facebook Messenger. A target receives a link leading to a fake YouTube page that prompts the user to install an extension in order to play the video. Once the extension is installed, it is programmed to hijack the user’s Facebook account and spread the link throughout their friends list. If an affected user appears to be trying to remove the malicious plugin, it has ways of stopping them, Trend Micro says: if the user tries to open Chrome’s extension management page, the malware simply closes the tab. FacexWorm reportedly first surfaced last year, but it appeared to be adware-oriented in its first iteration and wasn’t very active until Trend Micro noticed it last month. Trend Micro says it has discovered only one instance in which FacexWorm compromised a bitcoin transaction, based on the attacker’s digital wallet address, but that there’s no way to tell for sure how much the attackers have actually profited. The attacker is persistently trying to upload more FacexWorm-infected extensions to the Chrome Web Store, the researchers say, but Google is proactively removing them. Trend Micro says Facebook, with which it has a partnership, has automated measures that detect the bad links and block their spread.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Useful links

Cyber Pulse: Edition 12

Cyber Pulse: Edition 11

Cyber Pulse: Edition 10

Cyber Pulse: Edition 9

Cyber Pulse: Edition 8

Cyber Pulse: Edition 7

Cyber Pulse: Edition 6

Cyber Pulse: Edition 5

Cyber Pulse: Edition 4

Cyber Pulse: Edition 3

Cyber Pulse: Edition 2

Cyber Pulse: Edition 1

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulations and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in a civil litigation or criminal investigation; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.