Cyber Pulse: Edition 15

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


18 May 2018

Adware Launches In-Browser Mining Sites Pretending to be Cloudflare

FileTour is an adware bundle that is commonly spread as cracks or cheats for games and other software. This bundle is notorious for crossing the line between what is traditionally known as adware and PUPs and more dangerous infections such as password-stealing Trojans and miners. The bundle has started to create a Windows autorun that launches Chrome and connects to an in-browser mining page whenever a user logs into Windows. To make matters worse, it does so in a way that keeps the Chrome window invisible to the user. When the browser opens this page in the background, it executes embedded JavaScript that launches a CoinCube in-browser miner script. This causes Chrome to spike to 70-80% CPU utilization in Task Manager as it mines cryptocurrency, even though no window is visible. Miners are becoming an epidemic, and in-browser mining is only going to get worse. It is therefore important that all users protect themselves by installing antivirus software that detects when a browser connects to known mining services such as CoinCube. Unfortunately, new in-browser mining services keep popping up, and it has become a game of whack-a-mole for the security industry, so your installed software may not detect the URL or scripts associated with a new in-browser miner. For further protection, you can use an adblocker with Chrome, which will block in-browser mining scripts. For a more granular approach, you can use the CoinBlockerLists site to download lists of IP addresses and domains affiliated with in-browser mining.
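The pattern described above (a logon autorun that starts a browser with its window hidden and points it at a mining page) is something a defender can hunt for in Run-key data. The script below is an added example, not code from the article or from FileTour's analysis: it scans constructed Run-key style entries for browser launches that open a URL, raises the severity when the command line also hides the window or the URL's host appears on a CoinBlockerLists-style domain blocklist, and reports the reasons. All entries, domains and the blocklist are constructed for the demo; the Chrome switches used as "hidden window" indicators are a heuristic set, not an exhaustive one.

```python
"""Detection heuristic for autorun entries that launch a hidden browser at a
mining page. Added example; not code from the article.

Everything below is constructed for the demo: the Run-key entries, the domains
and the blocklist. The only assumption made about real CoinBlockerLists files
is their one-host-per-line shape."""
import re
from urllib.parse import urlparse

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# Chrome switches that suppress or hide the window. Heuristic, not exhaustive;
# a bare --no-startup-window is also what Chrome's own background mode uses,
# so a hidden flag alone is never enough to raise a finding.
HIDDEN_FLAGS = ("--headless", "--no-startup-window", "--window-position=-")

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed blocklist in CoinBlockerLists style (one host per line, # comments).
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real list
miner.example-coin.test
cdn.fake-cloudflare.test
"""

# Constructed Run-key entries as (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CloudflareUpdate",   # mimics the hidden-Chrome autorun from the article
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
     r'--window-position=-32000,-32000 https://cdn.fake-cloudflare.test/mine.html'),
    ("GoogleChromeAutoLaunch",   # background-mode style entry, no URL: ignored
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'),
    ("Launcher",   # opens a URL that is not on the blocklist: low severity
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://docs.example.test/'),
]


def load_blocklist(text):
    """Parse a one-host-per-line blocklist, ignoring comments and blank lines."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line)
    return hosts


def host_blocked(host, blocklist):
    """True if the host or any parent domain is listed (a.b.c matches b.c)."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def analyse_entry(name, cmdline, blocklist):
    """Return a finding dict for a browser autorun that opens a URL, else None."""
    lower = cmdline.lower()
    if not any(b in lower for b in BROWSERS):
        return None
    urls = URL_RE.findall(cmdline)
    if not urls:
        return None
    reasons = ["browser autorun opens a URL at logon"]
    hidden = [f for f in HIDDEN_FLAGS if f in lower]
    if hidden:
        reasons.append("window hidden via " + ", ".join(hidden))
    blocked = [u for u in urls
               if host_blocked(urlparse(u).hostname or "", blocklist)]
    if blocked:
        reasons.append("URL host on mining blocklist: " + ", ".join(blocked))
    severity = "high" if (hidden or blocked) else "low"
    return {"name": name, "severity": severity, "urls": urls, "reasons": reasons}


def scan(entries, blocklist):
    """Run analyse_entry over (name, cmdline) pairs and keep the findings."""
    findings = [analyse_entry(n, c, blocklist) for n, c in entries]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_ENTRIES, load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"[{f['severity']}] {f['name']}: " + "; ".join(f["reasons"]))
```

On a real host the entries would come from the HKCU and HKLM Run keys (or an Autoruns export) and the blocklist from a downloaded CoinBlockerLists file; the parent-domain match in `host_blocked` matters because blocklists usually carry the registered domain while the autorun points at a specific subdomain.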

CPS fined £325,000 after losing victim interview videos

The Crown Prosecution Service (CPS) has been fined £325,000 by the ICO after it lost unencrypted DVDs containing recordings of police interviews. The DVDs contained recordings of interviews with 15 victims of child sex abuse, to be used at the trial. This is the second penalty imposed on the CPS following the loss of sensitive video recordings. The DVDs contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator and some identifying information about other parties. The DVDs were sent by tracked delivery between two CPS offices, with the recipient office being in a shared building. The delivery was made outside office hours, and the DVDs – which were not in tamper-proof packaging – were left in the reception. Although the building’s entry doors were locked, anyone with access to the building could access this reception area. The DVDs were sent in November 2016, but it was not discovered that they were lost until December. The CPS notified the victims in March 2017 and reported the loss to the ICO the following month. It is not known what has happened to the DVDs. The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not consider the substantial distress that would be caused if the videos were lost. It also found that, despite being fined £200,000 following a separate breach in November 2015 – in which victim and witness video evidence was also lost – the CPS had not ensured that appropriate care was being taken to avoid similar breaches re-occurring.

New cryptocurrency mining malware takes your PC down if you try to kill it

A particularly deadly form of cryptocurrency malware has emerged that not only hijacks your computer’s resources for mining, but also crashes your PC if an anti-virus tries to remove it, or if you try to kill it manually. The so-called WinstarNssmMiner malware is designed to mine the Monero currency and is estimated to have already successfully mined over £18,500-worth of it – equivalent to 133 tokens. To date there have been around half a million attempted attacks, according to ZDNet. So how is the malware so lethal? It works in two stages: first it runs a pair of processes that let it look over its shoulder for anti-virus protection while it mines the digital currency, then it tampers with your system so that it can crash it at will. This crash will occur either if your anti-virus software discovers the malware and attempts to remove it, or if you try to terminate the process directly. It all sounds pretty bleak, but the malware is reportedly a little bit of a coward and will refuse to run at all if you’ve got a halfway decent piece of anti-virus software installed. So, as with most threats to your PC, the solution is to always be prepared for the worst. Make sure your system is running all the latest security updates, and use a decent anti-virus program to keep threats like this at bay.

'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK

A threat actor has been targeting business and industrial control networks at electric utilities in the United States and United Kingdom, according to industrial cybersecurity firm Dragos. The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analysing Dragonfly attacks. According to Dragos, a report published by the DHS in October 2017 combined Dragonfly attacks with Allanite activity. The company also noted that Allanite’s operations closely resemble the Dragonfly-linked Palmetto Fusion campaign described by the DHS in July 2017. However, while their targets and techniques are similar, Dragos believes Allanite is different from Dragonfly and Dymalloy. Allanite leverages phishing and watering hole attacks to gain access to targeted networks. The group does not use any malware and instead relies on legitimate tools often available in Windows, Dragos says. While the U.S. government and private sector companies have linked Allanite activity to Russia, Dragos says it “does not corroborate the attribution of others.” In July 2017, US officials told the press that the hackers had not gained access to operational networks, but Dragos confirmed third-party reports that Allanite did in fact harvest information directly from ICS networks. Allanite has been active since at least May 2017 and continues to conduct campaigns. Its operations target both business and ICS networks at electric utilities in the US and UK in an effort to conduct reconnaissance and collect intelligence.

Many Vulnerabilities Found in OPC UA Industrial Protocol

Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments. Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems. Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.

OPC Foundation patches 17 vulnerabilities in OPC UA protocol

There are several implementations of OPC UA, but the experts focused on the OPC Foundation’s implementation – for which source code is publicly available – and third-party applications using the OPC UA Stack. A total of 17 vulnerabilities have been identified in the OPC Foundation’s products, along with several flaws in commercial applications that use these products. Most of the issues were discovered through fuzzing.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.


Edited and compiled by

James Aguilan

Cyber Security Specialist

James has worked on many high-complexity eDiscovery projects and forensic investigations involving civil litigation, arbitration and criminal investigations for large corporations and international law firms across the UK, US, Europe and Asia. James has assisted on many notable projects, including one of the largest acquisition and merger cases of all time – a deal worth $85 billion – a multijurisdictional money laundering matter for government bodies, and national cyber threat crises including the more recent ransomware, phishing campaigns and network intrusions. James has comprehensive knowledge of the eDiscovery lifecycle and forensic investigation procedures in both practice and theory, with a deep focus and interest in forensic preservation and collection and incident response. In addition, he holds a first class bachelor’s degree in Computer Forensics and is accredited as an ACE FTK certified examiner.