Cyber Security Training from QA

Cyber Pulse: Edition 23

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


13 July 2018

Facebook privacy loophole allowed personal data of 'closed' group members to be downloaded

A Chrome browser extension called Grouply.io allowed marketers to harvest the personal information of members of private Facebook groups. The loophole was investigated by security researcher Fred Trotter. Trotter had been contacted by Andrea Downing, a moderator of a members-only Facebook group for women with a high genetic risk of developing breast cancer. The Facebook group's members frequently shared highly personal information about their conditions, including surgical details. Facebook groups have three accessibility categories: public, closed and secret. In public groups, the list of members and all posts of the group are publicly accessible. In closed groups, the messages are private, while secret groups cannot be searched. The BRCA Sisterhood group used the 'closed' rather than the 'secret' setting as its moderators wanted posts to be searchable. However, Downing was shocked to discover that the names, employers, locations and email addresses of the group's members could be downloaded easily by anyone using the Grouply.io extension. Trotter, a specialist in health data security, found that the Grouply.io extension was taking advantage of a Facebook privacy loophole. He was also able to obtain this information manually without having to use the extension. He reported the issue to Facebook on 29 May. Facebook denied the glitch was a loophole.

Arch Linux PDF reader package poisoned

Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. If you're an Arch Linux user who downloaded a PDF viewer named "acroread" in the short time it was compromised, you'll need to delete it. While the breach isn't regarded as serious, it sparked a debate about the security of untrusted software. The user repository included the acroread package, which had been abandoned by its maintainer. Someone using the handle "xeactor" adopted the package and modified it to download malicious scripts from a remote server. When that was discovered, maintainer Eli Schwartz reverted the commits, suspended xeactor's account, and discovered (and removed) two other packages with similar modifications. A later post in the Arch Linux mailing list suggested the "attack" was a warning of another issue. As Bennett Piater wrote: "A script that creates 'compromised.txt' in the root and all home folders looks like a warning to me."

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker gained access to a developer's npm account. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages. The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline. The malicious code steals npm credentials. "The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones," Partington recommended for developers who used eslint-scope.

Hacker exploits FTP flaw in Netgear routers to steal US military documents

Insikt Group, part of security research firm Recorded Future, was surprised to find a seller claiming to have 'highly sensitive' information about the USA's MQ-9 Reaper military drone on sale for just $150. Military documents tend to be one of those 'rare and expensive' propositions, so the offer could have been written off as a hoax. However, Insikt Group analysts confirmed the documents' validity after establishing contact, as well as learning how they were obtained. The hacker told the analysts that s/he had exploited a known FTP vulnerability in Netgear routers. They used the Shodan search engine to scour the internet for high-profile vulnerable routers, of which there are still many, despite the flaw being exposed more than two years ago. The attacker gained access to the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at a base in Nevada. Ironically, this individual had recently completed the Cyber Awareness Challenge, but had still failed to change the FTP password from its default setting. Using the compromised router, the hacker was able to steal documents including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. Although these aren't classified, they could still give an adversary an advantage in combat against the drone.

Stolen certificates from D-Link used to sign password-stealing malware

Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday. The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple's macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies. Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response Team recently documented the Plead malware, and AV provider Trend Micro recently wrote about BlackTech. "The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," Eset researcher Anton Cherepanov wrote in Monday's post.

Timehop data breach is worse than they initially said

Time capsule app Timehop has revealed that it made a boo-boo when it initially shared details over the weekend of a data breach involving millions of users' names, email addresses, and phone numbers. An updated advisory from the firm reveals that the hackers, who initially struck last December but made off with the organisation's data on July 4th, also purloined users' dates of birth, gender, and country codes. The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately from one another and are not additive. The total number of breached records was approximately 21 million, says Timehop. No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency. I'm impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published. A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator's password. That account should have been protected with multi-factor authentication, but wasn't. The hacker was then able to create his or her own admin account, meaning even if the original breached account's password was changed they still had access to Timehop's cloud services.

Proofpoint Cloud Account Defense detects compromised Microsoft Office 365 accounts

Proofpoint announced the availability of Proofpoint Cloud Account Defense (CAD) to detect and protect Microsoft Office 365 accounts, preventing attackers from causing financial and data loss. Cybercriminals have found another way to compromise corporate email systems, this time by using brute force attacks to steal Microsoft Office 365 login credentials of corporate users and then logging in as an imposter on the system. These hacking techniques work even if the company has deployed single sign-on or multi-factor authentication (MFA) as part of their security system. Once the hacker has logged in masquerading as a real employee, they have a spectrum of choices while operating within a corporation's email instance to cause financial harm and data loss. The Proofpoint CAD solution helps organizations detect, investigate, and remediate Microsoft Office 365 compromises. CAD provides the user-centric visibility necessary to detect and investigate compromised accounts and thwart email account compromise (EAC) credential theft tactics including credential reuse, brute force attacks, and credential-stealing malware. EAC tactics, combined with business email compromise (BEC) social engineering, are hallmarks of groups like the 70+ cybercriminals arrested during the recent Operation Wire Wire federal effort that recovered approximately $14 million in lost funds.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.


Edited and compiled by

James Aguilan

Cyber Security Specialist

James has worked on many high-complexity eDiscovery projects and forensic investigations involving civil litigation, arbitration and criminal investigations for large corporations and international law firms across the UK, US, Europe and Asia. James has assisted on many notable projects, including one of the largest acquisition and merger cases of all time (a deal worth $85 billion), multijurisdictional money laundering matters for government bodies, and national cyber threat crises including the more recent ransomware, phishing campaigns, and network intrusions. James has comprehensive knowledge of the eDiscovery lifecycle and forensic investigation procedures in both practice and theory, with a deep focus and interest in forensic preservation and collection and incident response. In addition, he holds a first-class bachelor's degree in Computer Forensics and is accredited as an ACE FTK certified examiner.