Cyber Security Training from QA

Cyber Pulse: Edition 30

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


31 August 2018

Instagram adds new features for security and account recognition

A brand-new addition to Instagram profiles will be the “About This Account” page. There, users will be able to see information about the account such as its date of creation, country, username changes, and any ads the account is running. This page will be available only for popular accounts at first, but will soon be added for all Instagram users. Beyond that, Instagram will also allow a larger part of its membership to have their accounts verified. Verified accounts receive a blue badge that guarantees the account's authenticity, so you can be sure it really is the account of your favourite actor or band. Technically, every user will be able to apply for verification after the changes, but Mike Krieger, Instagram's co-founder, notes that not all applications for verification will be approved. Lastly, the app will allow the use of third-party authenticator apps for improved login security. From the “Two-Factor Authentication” menu you can select an “Authentication App” and Instagram will send login codes to it. There’s no list of supported authentication apps yet, but if you don’t have one installed, Instagram will direct you to download one that’s compatible. While these new features aren’t really something to be excited about, they are meant to save users some headaches that might come from people with malicious intent. It’s always good to see that the developers are putting an effort towards changes that improve the user experience.

Iran hackers target UK universities

A hacking group linked to Iran may have targeted British universities as part of a campaign to steal student credentials, cyber security experts have said. Researchers from the Secureworks Counter Threat Unit (CTU) said the group, called Cobalt Dickens, was “likely responsible” for an attack on 76 universities in 14 countries, including the UK. The researchers found more than 300 spoofed websites and login pages for the different institutions, which would ask users to enter their usernames and passwords before redirecting them to the legitimate website. Evidence was found to suggest the hackers were intending to gain access to the universities’ online library systems. CTU said the targeting of online academic resources showed similarities to previous operations by Cobalt Dickens, where the group created lookalike domains and used stolen credentials to take intellectual property from specific resources, including library systems. In March, nine Iranian nationals were charged by the US Department of Justice with cyber theft, and were accused of hacking into hundreds of university systems. A spokesman for CTU said: “Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organisations, universities are known to develop cutting-edge research and can attract global researchers and students.” Most of the spoof domains were registered between May and August this year, with the most recent being created on August 19. The universities targeted in the alleged attack have not been named, but some are reported to be among the Times Higher Education’s list of the UK’s top 50.

Spammers Target Financial Institutions With IQY Files That Conceal Malware

Researchers at Proofpoint observed four large spam email campaigns. One of the campaigns carried undisguised IQY attachments with names such as “sales” and “major bank” to prey upon financial organisations. Two of the other operations passed around IQY files hidden within ZIP archives or embedded in PDF documents, while the other campaign used Microsoft Word documents containing malicious macros. All of these attachments led to the same payload: Marap, a downloader malware that uses a custom application programming interface (API) hashing algorithm, timing checks and media access control (MAC) address comparisons to avoid analysis by security professionals. Marap has the ability to download other modules and payloads, including a fingerprinting plugin that steals and exfiltrates key system information. Marap isn’t the first malware to rely on IQY attachments for distribution. Trend Micro recently discovered a campaign in which Necurs, a botnet that has a history with malicious spam, used IQY file attachments to begin a PowerShell process and thereby download the backdoor FlawedAMMYY. Soon after making that observation, researchers at the Japanese security firm detected the Cutwail botnet leveraging IQY files to target Japanese users with BEBLOH or URSNIF malware. Security researchers at Barkly noted that malware actors are increasingly turning to IQY files. These attachments appeal to digital attackers because they are capable of bypassing most filters and antivirus software, since Microsoft Excel can legitimately use this type of file format to download web data directly into a spreadsheet.
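The point above is that an IQY file is just a few lines of text telling Excel which URL to pull data from, so a mail gateway can read it directly. The following is an added example of that inspection logic, not code from the original article or from Proofpoint's research; `TRUSTED_HOSTS`, the two sample files and the 203.0.113.7 address are constructed assumptions.

```python
import io
import zipfile
from urllib.parse import urlparse

# Hosts this hypothetical organisation expects legitimate web queries to use.
TRUSTED_HOSTS = {"intranet.example.com"}

def parse_iqy(text: str) -> dict:
    """Split an IQY file into query type, version, URL and Key=Value parameters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("not a complete IQY file")
    params = dict(ln.partition("=")[::2] for ln in lines[3:])
    return {"type": lines[0], "version": lines[1], "url": lines[2], "params": params}

def assess_iqy(text: str) -> list:
    """Return findings that make an IQY file worth quarantining (empty = clean)."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    findings = []
    if query["type"].upper() != "WEB":
        findings.append(f"unexpected query type {query['type']!r}")
    if host not in TRUSTED_HOSTS:
        findings.append(f"fetches data from untrusted host {host!r}")
    if url.scheme != "https":
        findings.append("query does not use HTTPS")
    return findings

def scan_attachment(filename: str, data: bytes) -> dict:
    """Assess a bare .iqy attachment, or every .iqy member of a ZIP, keyed by path."""
    results, name = {}, filename.lower()
    if name.endswith(".iqy"):
        results[filename] = assess_iqy(data.decode("utf-8", "replace"))
    elif name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(".iqy"):
                    text = zf.read(member).decode("utf-8", "replace")
                    results[f"{filename}:{member}"] = assess_iqy(text)
    return results

# Constructed samples: an internal query and a lure in the style of the "major bank" files.
BENIGN_IQY = "WEB\n1\nhttps://intranet.example.com/rates.csv\nSelection=AllTables\nFormatting=None\n"
LURE_IQY = "WEB\n1\nhttp://203.0.113.7/major_bank.dat\nSelection=1\nFormatting=None\n"

def build_zip(member: str, content: str) -> bytes:
    """Pack one text file into an in-memory ZIP, as the ZIP-wrapped campaign did."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()
```

Calling `scan_attachment("sales.zip", build_zip("sales.iqy", LURE_IQY))` returns two findings for the lure (untrusted host, plain HTTP), while the internal query returns none; the PDF-embedded variant from the article would need the IQY extracted from the PDF first.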

Hackers faked Cosmos backend to hoodwink bank out of $13.5m

Security researchers have taken a deep dive into the cyber attack on the SWIFT/ATM infrastructure of Cosmos Bank, the recent victim of a $13.5m cyber-heist. Experts at Securonix have outlined the most likely progression of the attack against the bank, the latest financial institution to face hacks blamed on state-backed North Korean hackers. The breach involved an ATM switch and related SWIFT environment compromise that created two routes through which hackers cashed out, according to Securonix. Targeted spear phishing, a hack against a remote administration or third-party interface, or both allowed hackers to gain an initial foothold in the Indian bank's network. Following subsequent lateral movement, the bank's internal and ATM infrastructure was compromised. After the initial break-in, attackers most likely either leveraged the vendor ATM test software or made changes to the deployed ATM payment switch software to create a malicious proxy switch. Hackers were then in a position to establish a malicious ATM/POS switch in parallel with the existing (legitimate) system before breaking the connection to the backend/Core Banking System (CBS) and substituting their own counterfeit system in its place. Details sent from a payment switch to authorise transactions were never forwarded to backend systems, so the checks on card number, card status, PIN, and more were never performed. Requests were instead handled by the shadow systems deployed by the attackers, which sent fake responses authorising the transactions. This bogus system was used to authorise ATM withdrawals of over $11.5m through more than 2,800 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-Europay, MasterCard or Visa) debit cards in 28 countries, Securonix said.

Fortnite on Android installer leaves users vulnerable to hackers

A serious vulnerability has been disclosed in the Fortnite installer for Android phones. The vulnerability has since been patched, but it allowed malware to use the Fortnite installer to install anything - including apps with full permissions - in the background. The Fortnite on Android vulnerability occurred because, when you download Fortnite from Epic’s website on Android, you’re actually just downloading an installer rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic’s servers. The problem with this, as Google’s security team discovered, is that Epic’s Fortnite installer was very easy to exploit. A user could hijack the request from the Fortnite installer to Epic’s servers so that tapping the “download” button in the app fetched something else entirely. You may think this isn’t much of an issue; after all, who’s going to be sitting around to jump on a lead like that? However, all it takes is one unsavoury app on your phone that’s just waiting for an exploit and you’re vulnerable. Given the popularity of Fortnite, and its highly anticipated release on Android, it’s more than likely many of these apps already exist and could be lying in wait on a device.

Hacking the Hackers: Honeypots on Ethereum Network

It’s not a secret that, unfortunately, scams occur in the cryptocurrency space much more often than they should. What’s worse is that most of the time, those affected are innocent crypto holders who were somehow misled into handing their funds over to a malicious actor. However, a new kind of scam turns the typical crypto scam narrative on its head. In a so-called ‘Honeypot’ scam, the targets are the very same malicious actors who seek to take advantage of someone who doesn’t know any better. Black hats try to employ their reverse engineering and research skills to find vulnerable smart contracts. Compared with breaches found in regular software, vulnerabilities in smart contracts are more devastating and can yield immediate profit to attackers. The $30M stolen from the Parity MultiSig wallet and another $300M frozen by a second attack are just two examples of the stakes at play. Some of them even try to exploit the greed of their own kind! Enter honeypots. Honeypots are smart contracts designed to look like an easy target while in fact they are not. They look vulnerable to an unsophisticated attacker, but if he tries to “break” one he will lose his money instead. Hunting the hunter. Hacking the hackers! Here is an interesting address that Alex Sherbachev of Hackernoon spotted recently: 0x4ba0d338a7c41cc12778e0a2fa6df2361e8d8465.

Dark Web Hackers Sell Data Of 130 Million Consumers For 8 Bitcoin

One of the largest data leaks in China’s history has potentially just occurred, with a hacker or group of hackers recently revealing that he/she/they had garnered sensitive data from over 130 million individuals. As per a report from The Next Web’s Hard Fork column, the hacker recently made a move to sell the aforementioned data for 8 Bitcoin ($56,000) on a China-based dark web portal. According to a post made by the seller, the data was gathered from a security breach of the Huazhu Hotels Group, which is one of China’s most influential local hotel chains, with over 10 individual brands that span across 3,800 hotels in over 380 mainland cities. Per a report from Bleeping Computer, the data, which amounts to a reported 141.5 gigabytes in size, is believed to contain 240 million individual records from 130 million guests that have stayed at any number of Huazhu’s establishments in the past. Zibao, a China-based cybersecurity group, speculated that the data was likely leaked when Huazhu programmers or developers uploaded some segments of their firm’s database to GitHub earlier this month. Since finding out about the hack, the hotel chain has acknowledged this unfortunate occurrence, revealing that some progress has been made in a company-run investigation, but did not give any specifics regarding the case.


Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.


Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.