Cyber Security Training from QA

Cyber Pulse: Edition 28

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


16 August 2018

Major flaw uncovered in Intel chips that could let hackers access your files

A major flaw has been uncovered in the chips that power most of the PCs and laptops made over the last ten years. The vulnerability, named ‘Foreshadow’, was found by researchers to be within computer processors made by Intel since 2008. Security experts are warning that the bug might not only affect most of the computers we use, but in theory would allow a hacker access to the files on our hard drive. They are also warning that the security hole could allow cyber crooks to compromise files stored in the cloud. Contributing to what has been a terrible year for the US chip maker, Foreshadow is the third major flaw discovered this year inside the firm's processors, alongside ‘Spectre’ and ‘Meltdown’, which were uncovered in January. The Foreshadow vulnerability is a flaw found within Intel's Software Guard Extensions technology, or SGX. SGX is a set of instruction codes within the central processing unit (CPU) of a computer that creates a digital lockbox within the processor called a "secure enclave". This is supposed to keep the data and applications inside isolated from the rest of the computer, to make it more secure, so that even if a security vulnerability compromises the entire machine, the data protected by SGX is supposed to remain inaccessible to everyone but the owner of the data.

DeepLocker demonstrates how AI can create a New Breed of Malware

While artificial intelligence is changing our world for the better, if put in the wrong hands, cybercriminals can figure out how to use the technology in a negative way. To stay ahead of the curve, IBM Research has announced it has been studying the evolution of this technology in order to predict new potential threats that could come from cybercriminals. One of the outcomes of the company’s research is DeepLocker, which was presented at Black Hat USA 2018 this week in Las Vegas. According to Marc Ph. Stoecklin, principal research scientist at IBM Research, DeepLocker is a “new breed of highly targeted and evasive attack tools powered by AI.” DeepLocker was designed in an attempt to improve understanding of how AI models can be combined with malware techniques to create a “new breed of malware,” Stoecklin explained in a post. This new type of malware can disguise its intent until it reaches an intended victim, which could be determined by taking advantage of facial recognition, geolocation, and voice recognition. “The DeepLocker class of malware stands in stark contrast to existing evasion techniques used by malware seen in the wild. While many malware variants try to hide their presence and malicious intent, none are as effective at doing so as DeepLocker,” Stoecklin wrote. DeepLocker avoids detection from malware scanners by hiding in normal applications, such as video conference software. It is designed to continue to behave normally until it confirms that it has reached the intended target, Stoecklin wrote. It uses a deep neural network AI model to ensure that the malicious payload is only unlocked once it reaches the intended target. The conditions that have to be met to unlock an attack are nearly impossible to reverse engineer because of the incorporation of AI. This is because it can use several attributes to identify a target, so it would not be practical to exhaust all possible trigger conditions. 
“The security community needs to prepare to face a new level of AI-powered attacks. We can’t, as an industry, simply wait until the attacks are found in the wild to start preparing our defenses. To borrow an analogy from the medical field, we need to examine the virus to create the ‘vaccine,’” Stoecklin wrote.

Fortnite Players using Android phones at Risk of Malware Infections

Fortnite players risk becoming victims of malware infections on their phones, following the decision of developer Epic Games to bypass the Google Play Store in favour of publishing the game to its own website, security experts have warned. The popular battle royale game, which is already available on PC, home consoles and iOS, is now available on select Samsung devices – and will be on other Android phones soon. But in an unusual decision, Epic Games won’t publish Fortnite to Google’s main Android app store, instead hosting the app for download itself. Unlike iOS, Android allows users to install apps downloaded from the internet, and even to install competing app stores altogether. But the option is disabled by default, and security experts have warned that this is for good reason. “Epic Games’ decision to publish the Android version of Fortnite outside of the Play Store is a very poor choice for the security of their players,” said Rob Shapland, principal cyber security consultant at Falanx Group. “Android devices are already far more susceptible to malware than Apple devices, with the greatest protection being to always download apps from the Play Store as these apps are screened for malware, which prevents most malicious apps from being installed,” Shapland added. “By encouraging users to download Fortnite outside of the Play Store, Epic Games leave their players vulnerable to malicious copycat apps being installed accidentally if they go to the wrong site.” The threat of an attack isn’t hypothetical. Even before Epic announced that Fortnite would be coming to Android, the game was frequently used by malicious actors as bait to encourage naive users to install malware, hand over their payment details or simply watch adverts, said Sean Sullivan, a security adviser at F-Secure. “One useless app would prompt for installation of three additional apps.

Microsoft is still Offering a $250,000 bounty to catch the creators of the Conficker malware

Microsoft is still offering a bounty for the capture of the creators of the Conficker malware – 11 years after the virus first started to infect machines worldwide. Conficker is one of the most infamous and invincible viruses on the internet. The malware was spread across low-security networks and lurked on USB memory sticks to seek out new devices without the latest security updates. It targeted machines running Windows XP and was deemed to be such a threat that Microsoft touted a bounty of $250,000 (£193,000) for any information that would lead to the capture of its creators. The perpetrators behind Conficker – which still infects thousands of devices each year – were never found and the reward money remains active and unclaimed. Computer viruses can last for decades, swirling around the darkest regions of the internet – ready to strike vulnerable devices. One of the best examples of the durability of online malware is Conficker, which successfully infiltrated more than 9.5 million devices worldwide, including the French navy, UK warships, and Greater Manchester Police computer systems after it was deployed in 2007. The virus was weaponised to take control of the infected computers, with some experts believing Conficker escaped too early in its development process – leaving the creators unable to add the ability to remotely control Windows XP devices. Conficker is a worm – one of the most durable types of all malware. Worms infect a device and then scan the internet and local network for other vulnerable targets to infect.

'Synthetic clicks' Exploit can help Attackers Install Malware on Macs

A presentation at Def Con 2018 last week revealed an unpatched vulnerability in macOS devices that can allow malware to bypass certain security checks using a technique that fakes user mouse clicks. Patrick Wardle, founder and chief research officer at Digita Security, reportedly demonstrated a zero-day exploit for the flaw, which takes advantage of a "synthetic clicks" feature that allows certain programs to generate virtual clicks using code instead of human power. According to various reports, the vulnerability is a variation of a similar flaw Wardle had already discovered in the macOS mouse keys function, which Apple previously patched so that synthetic clicks would be prohibited when a potentially malicious program produces a prompt asking users to allow certain permissions. But while normally a synthetic click requires both a "down" and "up" command in the code, Wardle during his research accidentally inserted two "down" commands and found that it actually resulted in a synthetic click that was not blocked. Even more concerning: the technique was effective when used to click on an "allow" prompt for installing a kernel extension -- a scenario that attackers could exploit with a malicious extension in order to hijack the kernel. However, for this exploit to work, attackers would first have to infect a targeted machine with malware capable of gaining a foothold in the device and generating the synthetic click code -- preferably during times of inactivity when the user may be unaware of what's taking place. Wardle publicly revealed the exploit without giving Apple prior knowledge of the flaw because he felt the company should have been more diligent when it originally tried to fix the security issue, Wired reports. SC Media has reached out to Apple for comment.

India's Cosmos Bank falls victim to Global ATM Cash-out Fraud

Indian co-operative Cosmos Bank has fallen victim to a sophisticated malware and ATM cash-out attack that saw 94.24 crore ($13.4 million) stolen in 14,000 transactions across 29 countries including the UK. The attackers infiltrated the bank's ATM switch system, passing and approving transactions from cloned Visa and Rupay debit cards through a proxy switch. Milind Kale, chairman of Cosmos Co-Operative Bank, says: "We suspect the malware attack to be done from Canada. The money was withdrawn from ATM machines from 28 countries through around 12,000 international transactions and around 2,849 domestic transactions. The transactions were carried out using fake debit cards. The deposit of account holders is safe and intact. However, as a precautionary measure, we have stopped the online system for two days." News of the incident comes just days after the FBI sent out an alert to banks, warning that cybercrooks were planning an 'unlimited' global ATM cash-out operation. The alert states: "Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities."

Bitcoin User sues AT&T for $240m over Stolen Cryptocurrency

A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency. Michael Terpin is suing the phone giant for the value of the three million electronic coins plus $216m in punitive damages after he claims an AT&T employee at a store in Connecticut agreed, in person, to transfer his personal phone number to a new SIM card, despite the account having "high risk" protection following an earlier hacking effort. The anonymous hacker then used his access to Terpin's phone number to bypass security on his cryptocurrency accounts, thanks to two-factor authentication sent by text, and transferred millions of dollars to a different account: an approach known as "SIM swap fraud." Terpin claims AT&T admitted to him that the employee in question agreed to shift the SIM despite the security requirement that they ask for a valid form of ID and having ignored an additional "VIP" requirement that they provide a special six-digit passcode before changes are allowed on the account. That six-digit extra security step was introduced after Terpin says his account had been targeted – and hacked – six months earlier through the same approach. That time, he says, a hacker made no less than 11 in-store attempts to steal his SIM information before finally succeeding. On both occasions, the first Terpin knew of the hack was when his phone went dead. The second time, he says he knew immediately what had happened and tried immediately to contact AT&T to shut the phone down but was stymied by the fact it was a Sunday and "AT&T's fraud department apparently does not work on Sundays." By the time he regained access, $23.8m in bitcoin had gone missing, he claims. 
By failing to follow procedures and given the extra security on his accounts, Terpin claims that AT&T has broken multiple laws and lists no less than sixteen claims for relief ranging from negligence to breach of contract to insufficient security and providing unlawful access to personal information.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.