Cyber Security Training from QA

Cyber Pulse: Edition 25

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


25 July 2018

Dark web shop was selling access to a major airport's security systems

While McAfee's Advanced Threat Research team was looking into dark web marketplaces, it found a number of shops offering stolen access to various companies' and groups' systems. Disturbingly, among the findings was access to a major international airport's systems, which could be bought for the low price of just 10 dollars. McAfee said the shop appeared to be offering access to the airport's security systems as well as its building automation, surveillance and transit systems. The shop was selling access to the airport's remote desktop protocol (RDP), which gives employees remote access to certain computers on the airport's network. "This access could allow cybercriminals to do essentially anything they want -- create false alerts to the internal security team, send spam, steal data and credentials, mine for cryptocurrency or even conduct a ransomware attack on the organization," McAfee said. The recent SamSam ransomware attacks often used RDP vulnerabilities to gain access to networks. McAfee said that it also came across access to "multiple government systems," some of which were linked to the US, as well as "dozens of connections linked to health care institutions." For security reasons, McAfee didn't name the airport or any other entities that it found access to in its search, but it notified them of the breaches. The company also warned that this is a major problem across industries and it's one that needs to be more effectively addressed. "Governments and organizations spend billions of dollars every year to secure the computer systems we trust," said McAfee. "But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock."

Hacking Blockchain Explorers Might Be The New Way To Manipulate The Market

Recent reports highlight how a renowned blockchain explorer, Etherscan.io was hacked on Monday, calling into question the potential that this style of hack could have in manipulating the markets in the future. Etherscan.io is a website used to explore the Ethereum blockchain. Blockchain explorers are the premise of transparency and act as a location through which anybody can view transactions on the network, in this instance, the Ethereum network. Now of course, within Etherscan and other similar sites, no crypto is held or directly traded, instead it is a window, yes the blockchain is visible but it can't be altered or amended from here, so to speak. Therefore, within the recent Etherscan hack, no details, data or crypto was compromised. Instead though, this calls something a little more interesting into question. To give you some background, the Etherscan hack on Monday simply allowed a pop-up to appear on users screens that said '1337'. The internet and 'leet' savvy among us will note that this translates to elite, and is a notation often used to indicate that a website had been hacked. Due to the demographic of those using blockchain explorers, it didn't take long for Etherscan customers to notice what had happened. The important thing here is this- hackers have managed to change the way the blockchain explorer looks. They have altered and manipulated what the viewers can see. Therefore, it is possible to suggest that hackers could make the most of this vulnerability to change what users of the explorer are seeing, in order to manipulate the markets. They could use this to simulate coin dumps, mass sell offs or even bigger issues on the blockchain that would in turn encourage people to actually start to sell, or buy, in turn totally altering the market. Since the hackers can use this to accurately predict price changes, they in turn will profit, simply just from a benign alteration of what is visible on a blockchain explorer website. By falsifying figures and graphs, actual and real market values will change, this is a very dangerous prospect indeed. We haven't seen this happen yet, the '1337' hack of Etherscan.io could exist of a sign of things to come. Our advice – be super careful. Use websites you trust and do your research. Just because one website says Bitcoin is crashing to $200.00 it doesn't mean it's true. Be extensive and rely on as many websites as you can, that way, you're far less likely to fall victim to this.

Pen Testers Abuse Configuration, Capture Credentials

Over a period of nearly 10 months, penetration testers conducted external tests where the testers were able to exploit at least one in-production vulnerability in a large majority of the simulated attacks, according to a new report, Under the Hoodie, from Rapid7. The majority, 59%, of the 268 penetration tests performed in the survey period – September 2017 to June 2018 – were externally based, where the targets tend to be internet-facing vectors, such as web applications, email phishing, cloud-hosted assets and VPN exposure. Rapid7’s pen testers were able to abuse at least one network misconfiguration in 80% of engagements and one in-production vulnerability in 84% of all engagements. In 53% of all engagements, the testers were able to capture at least one credential, and that number jumped to 86% when looking solely at internal engagements. The report also revealed the top five security priorities of the participating organizations. When it comes to protecting sensitive information, 21% prioritize sensitive internal data, 20% focus on personally identifiable information (PII). Only 14% of organizations ranked protecting authentication credentials as a top-five priority, 7.8% prioritize payment card data and only 6.5% ranked bank account data. Organizations are more interested in securing their own sensitive data – such as internal communications and financial metrics – than that of their customer and employees. According to the report, humans are predictable when it comes to creating passwords. Given that pen testers captured credentials most of the time, it is more likely than not that an adversary could impersonate at least one authorized user on the network. Malicious actors often find that manual guessing of usernames and passwords to be the most effective method. Some of the most common passwords (5% of total set) captured by pen testers included passwords with the company's name (e.g., PAN123!), while variations of 'password' (e.g., Password1) came in second at 3% of the total set. Seasonal passwords, such as Winter2018, placed third at 1.4% of the total set.

Smoke Loader: Old malware reborn

Back in 2011, when the internet still felt new and young and when data breaches were relatively unheard of, cybercriminals developed a tool for distributing malware called Smoke Loader. Back then, Smoke Loader was used to send out seemingly legitimate emails with seemingly legitimate attachments: Word documents or PDF files. Then, when an unsuspecting victim opened the file, Smoke Loader would download and execute additional malware, accomplishing the cybercriminals' unknown goals. Since 2011, cybercrime has evolved by leaps and bounds. Today, hackers can take advantage of built-in device vulnerabilities to gain access to otherwise super-secure networks; they can build AI-backed malware capable of morphing to elude discovery and defence; they can sneak malware into apps and onto machines and lurk for years without detection. Yet, researchers have just discovered that despite these notable enhancements to committing cybercrime, hackers just can't quit Smoke Loader. While the rest of the infosec industry has moved onward and upward, Smoke Loader has largely remained the same: It hides in email-attached Microsoft Word documents and installs malware onto victims' computers with the intent of stealing login credentials and other valuable data. Still, the bot has gained some new tricks in the past seven years. For one, it has updated with variations of Windows, so it can still function effectively when installed on the latest devices and operating systems. For another, it has gathered a few other bits and bobs of malware, including the Trickbot Trojan. Trickbot, like Smoke Loader, is an old malware that targets major bank customers, tricking them into revealing their banking credentials so it can pilfer their hard-earned money. Also like Smoke Loader, Trickbot has gained a few new wiles, including the ability to utilize vulnerabilities in operating systems and other software.

US Department of Homeland Security says Russia hacked networks of major US energy firms

Russian hackers broke into the networks of some of the biggest energy companies reports have suggested. According to the Wall Street Journal, the cyber attacks were on such a scale that they might have even been responsible for causing blackouts. Citing officials at the Department of Homeland Security (DHS), the hacks were first detected in the spring of 2016 and continued throughout 2017, carried out by hackers who worked for a Russian state-sponsored group previously known as Dragonfly or Energetic Bear. DHS officials did not immediately respond to request for comment but said the hacking campaign will most likely to continue. The report also suggests there might even be a some US companies that were compromised and don't know about it because the hackers used the identities of actual employees to enter the utility networks, which made efforts to detect the intrusions even more difficult. However, the journal said Russia denies targeting "critical infrastructure" in the US. The news comes after the DHS and the FBI released a report earlier this year accusing Russian hacking of attempting to break-in to US government organisation networks and even trying to penetrate US infrastructure, including the power sector. The attacks included hacks in energy, nuclear, commercial, water, and aviation sectors, with the agencies claiming that they have been continuing for at least the past year. The DHS report described the attacks as "a multi-stage intrusion campaign by Russian government cyber actors" and claims that those behind the attacks are targeting two types of entities. The first group was organisations linked to their ultimate targets, such as third-party suppliers with networks that may be less secure than those of their main targets. Then, after gaining a foothold on their networks and gathering useful information, they apparently conducted malware-bearing phishing campaigns on their main targets. However, the report didn't say what sort of impact the attacks may have had on the US infrastructure organisations.

 

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

 

Useful links

Cyber Pulse: Edition 24

Cyber Pulse: Edition 23

Cyber Pulse: Edition 22

Cyber Pulse: Edition 21

Cyber Pulse: Edition 20

Cyber Pulse: Edition 19

Cyber Pulse: Edition 18

Cyber Pulse: Edition 17

Cyber Pulse: Edition 16

Cyber Pulse: Edition 15

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.