Cyber Security Training from QA

Cyber Pulse: Edition 24

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


19 July 2018

EU Fines Google Record $5 Billion in Android Antitrust Case

Google has been hit by a record-breaking $5 billion antitrust fine by European Union regulators for abusing the dominance of its Android mobile operating system and thwarting competitors. That's the largest antitrust penalty ever levied. Though Android is an open-source and free operating system, device manufacturers still have to obtain a licence, with certain conditions, from Google to integrate its Play Store service into their smartphones. The European Commission levied the fine on Wednesday, saying that Google has broken the law by forcing Android smartphone manufacturers to pre-install its own mobile apps and services, like Google Search, Chrome, YouTube, and Gmail, as a condition of licensing. This tactic gives Google's apps and services an unfair preference over rival services, preventing rivals from innovating and competing, which is "illegal under EU antitrust rules." Google's Android operating system runs on more than 80 percent of smartphones worldwide, and powers more than three-quarters of Europe's smartphones, which grants the company a dominant position in the mobile market. Google has been ordered to put an end to the illegal conduct within 90 days, or the company will face additional penalties of up to 5 percent of Alphabet's average daily worldwide turnover.

Windows Malware Carries Valid Digital Signatures

Researchers from Masaryk University in the Czech Republic and the Maryland Cybersecurity Center (MCC) monitored suspicious organisations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures. "Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures," the researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates. Gaining this type of unauthorised access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. "And while endpoint security achieved some increases in efficacy over the last five years with the evolution of endpoint protection platforms, we only ever treated the symptom – and not the cause – of permissive access," Gumbs said. "If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network," he continued. "While this development is a worrying one, applying a least access privilege model would reduce the threat greatly."

Man admits to selling remote access malware used for spying

A US software developer has admitted to selling and supporting spyware after originally claiming his remote access tool was legitimate admin software. Colton Grubbs agreed to plead guilty to three felony charges – two counts of conspiracy, and one count of removal of property to prevent seizure – in a US federal district court in Lexington, Kentucky, in exchange for seven other charges being dropped. Grubbs admitted on Monday to the court that his software, LuminosityLink, was being used for illegal surveillance and remote access, and that he was aware of the fact, and had actively marketed and sold the software with the intent of enabling criminals. At its peak, LuminosityLink, which sold for $39.99, had around 6,000 customers, and could be installed on Windows PCs to spy on the machines' owners. The idea is you sneak it onto a target's computer via malicious downloads, or on an unattended PC, and so on. Once in place, the software can be remotely connected to in order to surveil the target. Perfect for screwing over spouses, partners, bosses, and other victims. Grubbs even enlisted a small group of volunteer staff to help provide tech support for the tool's customers.

Dark Web 'RDP Shops' Offer Access to Vulnerable Systems for as Little as $3

While analysing underground web marketplaces, the McAfee Advanced Threat Research team came across several 'RDP shops' selling access to vulnerable systems. Some of these shops offered access to more than a dozen connections. Others, most notably the Ultimate Anonymity Service (UAS), had more than 40,000 links up for sale. Most of these systems were computers running Windows XP through Windows 10, with Windows Server 2008 and 2012 the most prevalent at 11,000 and 6,500 links, respectively. Access to those systems ranged in value from $3 to $19, with dozens of connections linked to healthcare institutions. McAfee's most significant find was an offering that promised access to the security and building automation systems of a major international airport for just $10. Flashpoint cybercrime analyst Olivia Rowley explained that RDP access is such a hot commodity because attackers can use it to facilitate a wide variety of crimes. "For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase," Rowley said, as quoted by Dark Reading in November 2017. "Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches." A proprietary protocol from Microsoft, RDP potentially leaves enterprises exposed to attackers because it allows users to control computers over a network remotely. While it is designed to simplify administrative tasks for businesses, attackers can abuse the protocol to remotely access computers on an internal network, including those containing sensitive information. They can then either steal that information or conduct a SamSam ransomware attack to extort payments from victims.

Hacker Sold Stolen U.S. Military Drone Documents On Dark Web For Just $200

Recorded Future today reported that it discovered a hacker attempting to sell secret documents about the MQ-9 Reaper drone, used across federal government agencies, for only a few hundred dollars on a Dark Web forum last month. First introduced in 2001, the MQ-9 Reaper drone is currently used by the U.S. Air Force, the U.S. Navy, U.S. Customs and Border Protection, NASA, the CIA, and the militaries of several other countries. The threat intelligence company's Insikt Group analysts found the hacker during their regular monitoring of the dark web for criminal activity. They posed as potential buyers and engaged the newly registered hacker before confirming the validity of the compromised documents. Insikt Group analysts learned that the hacker managed to obtain the sensitive documents by gaining access to a Netgear router located at Creech Air Force Base that was using the default FTP login settings for file sharing. The authentication vulnerability in Netgear routers that the hacker exploited to access the sensitive military data was initially discovered two years ago, and according to Recorded Future, more than 4,000 routers still haven't updated their firmware and remain susceptible to attack.

Independent Inquiry into Child Sexual Abuse fined £200,000 for revealing identities of possible abuse victims in mass email

The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioner's Office (ICO) after sending a bulk email that identified possible victims of non-recent child sexual abuse. The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998. On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent, but the email addresses were entered by mistake into the 'to' field instead of the 'bcc' field. This allowed the recipients to see each other's email addresses, identifying them as possible victims of child sexual abuse. Fifty-two of the email addresses contained the full names of the participants or had a full-name label attached. The Inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the 'to' field before clicking on 'Reply All'. The Inquiry then sent three emails asking the recipients to delete the original email and not to circulate it further. One of these emails generated 39 'Reply All' emails.
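The IICSA breach was a process failure, not a software one: a single mis-filled header turned a routine notification into a disclosure of special-category data. The guard below is an added example written for this roundup (it is not code from the Inquiry, the ICO or the original article) and shows how a bulk-mailing script can make the safe choice the default and refuse to send when the visible headers would expose more than one recipient. The sender address, participant list and subject lines are constructed sample values.

```python
"""Pre-send guard against the To/Bcc mix-up described above.

Added example (not from the original article). Builds a bulk notification
with every participant in Bcc only, and refuses any message whose visible
headers (To/Cc) would reveal recipients to each other.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data, not taken from the incident.
SENDER = "inquiry-notifications@example.org"
PARTICIPANTS = [
    "participant.one@example.com",
    "Participant Two <participant.two@example.com>",
    "participant.three@example.net",
]


class RecipientExposureError(ValueError):
    """Raised when a bulk message would reveal recipients to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address that all recipients will be able to see (To + Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Fail closed if more than `max_visible` addresses are exposed in To/Cc.

    Returns the full delivery list (To + Cc + Bcc) on success, which is
    what the MTA needs; the Bcc header itself must not leave the sender.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientExposureError(
            f"{len(visible)} addresses visible in To/Cc; bulk mail must use Bcc"
        )
    all_headers = (
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    )
    return [addr for _, addr in getaddresses(all_headers) if addr]


def build_bulk_notification(subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """Safe form: participants go in Bcc; To carries only the sender's own address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER  # self-addressed so the group sees no other recipient
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_mistaken_correction(subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """The failure mode from the incident: recipients pasted into To instead of Bcc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def would_be_blocked(msg: EmailMessage) -> bool:
    """True if the guard would stop this message from being sent."""
    try:
        check_bulk_message(msg)
    except RecipientExposureError:
        return True
    return False


if __name__ == "__main__":
    safe = build_bulk_notification("Public hearing", "Details of the hearing.", PARTICIPANTS)
    wrong = build_mistaken_correction("Correction", "Corrected details.", PARTICIPANTS)
    print("safe message blocked:", would_be_blocked(safe))    # False
    print("mistaken message blocked:", would_be_blocked(wrong))  # True
```

If the message is handed to `smtplib.SMTP.send_message`, the Bcc header is stripped from the transmitted copy automatically while the addresses are still used for delivery, so the guard and the send path can share one `EmailMessage`. Keeping `max_visible` at one also catches the second failure in the story, where a recipient added further addresses to the 'to' field before replying to all.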


Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.



Edited and compiled by James Aguilan, Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.