Cyber Security Training from QA

Cyber Pulse: Edition 33

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


21 September 2018

Ransomware 'cyber attack' caused Bristol Airport departure boards to go offline

Problems with flight information display boards at Bristol Airport in the past few days were caused by a cyber attack, according to reports. The airport's flight information screens failed on both Friday and Saturday, with staff resorting to writing flight details on whiteboards and using the airport's PA system for important announcements. Although no flights were directly affected, the outage caused communication problems across the terminal, and an airport spokesman has since said the screens were taken offline deliberately to contain the attack. According to the BBC, the airport described the incident as an online attempt replicating a ransomware attack. Ransomware is malware that encrypts a victim's files and demands payment for the decryption key; the airport said no ransom was paid to get its systems running again.

Spokesman James Gore told the BBC: "We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.

"That was done to contain the problem and avoid any further impact on more critical systems.

"The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport."

Mr Gore also said the problem had taken longer to fix than passengers might have expected because of the nature of the incident, and that the airport had taken a 'cautious approach' in putting things right: "Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online."

Hackers crack Newegg's shell and pilfer customer credit card data

Newegg suffered a data breach that exposed its customers' payment card details to attackers for around a month. The compromise was identified by security firm Volexity and threat intelligence company RiskIQ, who found that the attackers had injected a short block of malicious JavaScript into the payments page of Newegg's website. The code sat on the checkout page from 14 August to 18 September, skimming card details as customers entered them. The stolen data was sent to an attacker-controlled server on a lookalike domain with its own valid TLS certificate, so the exfiltration traffic looked like ordinary HTTPS to the retailer's site. The attack is attributed to the same group that stole British Airways customers' data using similar skimming code in the airline's payment pages. "The JavaScript leveraged in this attack is very similar to that observed from the British Airways compromise. The code in this case is customised to work with the Newegg website and send data to a different domain the attackers created in an attempt to blend in with the website," explained Volexity. "While the functionality of the script is nearly identical, it is worth noting that the attackers have managed to minimise the size of the script even more, from 22 lines of code in the British Airways attack to a mere eight lines for Newegg, 15 if the code is beautified."

The Lazarus group has targeted both Windows and macOS with trojanised cryptocurrency trading software

Kaspersky Lab's Global Research and Analysis Team (GReAT) has uncovered a new campaign by the Lazarus group, which it has named AppleJeus. The group, known for its sophisticated operations and links to North Korea, is noted not only for cyber espionage and sabotage but also for financially motivated attacks, and a number of researchers, including at Kaspersky Lab, have previously reported on it targeting banks and other large financial institutions. In this case the goal was to steal cryptocurrency. According to the investigation, the attackers penetrated the network of a cryptocurrency exchange in Asia after an unsuspecting employee downloaded a third-party trading application from the legitimate-looking website of a company that purports to develop cryptocurrency trading software. The trojanised application gave the attackers almost unlimited access to the compromised computer, allowing them to steal financial information or deploy additional tools for that purpose. Alongside the Windows malware, researchers identified a previously unknown version targeting macOS. "For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies," said Vitaly Kamluk, Head of GReAT APAC team at Kaspersky Lab. "The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future."

Western Digital's My Cloud NAS Devices Turn Out to Be Easily Hacked

Security researchers have discovered an authentication bypass vulnerability in Western Digital's My Cloud NAS devices that allows an unauthenticated attacker to gain admin-level control of affected devices. Western Digital's My Cloud (WD My Cloud) is one of the most popular network-attached storage (NAS) products, used by businesses and individuals to host files and to back them up and sync them with various cloud and web-based services. The devices let users share files on a home network, and the private cloud feature also lets them reach their data from anywhere at any time. Researchers at Securify found that an unauthenticated attacker with network access to a WD My Cloud device can escalate to admin-level privileges without supplying a password. That lets the attacker run commands that would normally require administrative rights and take complete control of the NAS, including the ability to view, copy, delete and overwrite any files stored on it. The vulnerability, designated CVE-2018-17153, lies in the way WD My Cloud creates an admin session tied to an IP address: by simply including the cookie username=admin in an HTTP request to one of the device's CGI endpoints, an attacker unlocks admin access for their address and gains access to everything stored on the NAS.

$60 Million Bitcoin and Bitcoin Cash Stolen In Latest Japanese Exchange Hack

Japan has some of the tightest regulation of cryptocurrency exchanges anywhere, yet that has not prevented another large theft: around $60 million in Bitcoin, Bitcoin Cash and MonaCoin has been stolen from Zaif, an exchange owned by Tech Bureau. Zaif has a trading volume of just under $72 million, with active markets in Bitcoin, NEM, MonaCoin, Ethereum and Bitcoin Cash. It is not the largest exchange in Japan, but it trades a wide range of altcoins and has a sizeable customer base. Zaif has declined to say exactly how the theft took place, beyond confirming that it involved unauthorised access to a server; whether that access was remote or came from inside the company has not been disclosed, so the root cause remains a matter of speculation. A more formal statement on what happened is expected, followed by a plan for how Zaif and Tech Bureau intend to recover. Zaif will most likely return to operation with tighter security controls, but the incident is a serious blow to its reputation, and it may have a short-term effect on market prices, which at the time of writing were stable.

This new Netflix scam has been catching people out

Police have urged Netflix customers to be vigilant following an email scam that asks them to update their payment information. The scam has escalated in recent weeks, with people receiving emails from fraudsters posing as Netflix, claiming that the recipient's account has been suspended and that they must update their personal information. The user is told to follow a link to 'correct' their account. The link leads to a convincing fake Netflix page where the scammers harvest the victim's username, password and payment details. Sites like these are known as 'phishing' sites: they exist to capture your personal information. The issue was highlighted this week by Greater Manchester Police, who confirmed they had seen a rise in reports, according to the Manchester Evening News. Action Fraud, the national fraud and cyber crime reporting centre, has issued a warning to Netflix users. A statement said: "Watch out for these fake Netflix emails claiming there's an issue with your account. The links lead to convincing looking sites that are designed to steal your Netflix password and payment details." Greater Manchester Police Trafford South has also given advice: "We've seen an increase in reports about fake Netflix emails claiming that there's an issue with your account, or that your account has been suspended. Always question unsolicited requests for your personal or financial information in case it's a scam. Never automatically click on a link in an unexpected email or text."

Cyber hackers make 111,000 attempts a day to break council IT systems

More than 40 million attempts to break into Aberdeen City Council's computer systems have been fought off in the past year, but a dozen made it through the net. A new report to the council's audit committee reveals a staggering number of "external cyber incident attempts" in the 12 months to June. The 40,790,746 attempts to circumvent security equate to more than 111,000 a day aimed at accessing potentially sensitive information and compromising council systems, vastly in excess of the 18,089,194 recorded in the year to June 2017. Of the 40.7 million incidents, almost a quarter were attempts to access or take over parts of council computer systems, while about 75% were phishing attempts, often classed as "spam". Twelve attempts succeeded, ten of them phishing, in which scammers attempt to obtain sensitive information by posing as a legitimate party. Hundreds of firms across the region are having to improve their cyber security in light of digital threats that can originate anywhere in the world. Last June, more than £60,000 was pledged by council chiefs to replace and upgrade council computer systems, while part of the controversial restructuring of the council involves moving more services online in an attempt to save £125 million over five years. It is understood council staff have been offered additional training to reduce the risk of further incidents. In January last year, the hacking group Team System DZ breached the Aberdeen City Council website in an incident lasting two hours.

Hackers Are Already Uploading Additional Games To The Switch NES Library

The NES library that comes with Nintendo Switch Online has only just been released, and hackers have already found a way to upload additional titles to the service. According to Kotaku, the NES emulators on the Switch and on the NES Classic work in a similar way, which makes it straightforward for people with modified consoles to add more NES games to the Switch service. It was a chain reaction of sorts: one hacker posted the opening of Battletoads running on the service, which prompted another to share their own findings, revealing that every existing game on the service could be replaced with other ROM files. The opening of Kirby's Adventure has also been shown running on the NES service from a ROM placed under the River City Ransom box art. One of the hackers warned Kotaku about the associated risks: "I would highly advise against anyone else doing it as I've been told there's a lot of data from the app being sent to Nintendo and that it has a fair few legitimacy checks that occur at random." The same hacker noted that modified systems put Nintendo accounts at constant risk of a ban, and does not believe Nintendo will close off these weaknesses in the online NES library any time soon.

Iranian Hackers Step Up Attacks On Energy Firms

The Iranian hacking group APT33 has stepped up its attacks on a variety of companies in the Persian Gulf, including energy firms, The National reports, citing research from security company FireEye. The group is widely believed to be linked to the government in Tehran, and The National notes that the attacks became more frequent after President Trump withdrew the United States from the Joint Comprehensive Plan of Action, more commonly known as the Iran nuclear deal. As an example of the increase, FireEye describes a spear-phishing campaign against companies in the Gulf, with emails disguised as coming from a regional oil and gas company. Phishing emails of this kind aim to trick recipients into clicking a malicious link and unwittingly handing sensitive information to the attackers. A FireEye official quoted by The National said the group likely targeted energy companies because of the impact US sanctions are having on Iran's own energy industry. FireEye's Alister Shepherd declined to give specific figures, but said the activity had increased tenfold and that most of it fell on days matching the Iranian working week. Its operatives primarily worked "Saturday through Wednesday… which fits with the Iranian week. When it happens consistently over time that's a strong indicator."


Visit cyber.qa.com for more information on how QA can help solve the cyber security skills gap.


Useful links

Cyber Pulse: Edition 32

Cyber Pulse: Edition 31

Cyber Pulse: Edition 30

Cyber Pulse: Edition 29

Cyber Pulse: Edition 28

Cyber Pulse: Edition 27

Cyber Pulse: Edition 26

Cyber Pulse: Edition 25

Cyber Pulse: Edition 24

Cyber Pulse: Edition 23


Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a cyber security researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through simulated cyber attacks and forensic investigation workshops. Previously, James worked as a data consultant, advising high-profile clients on handling their data in civil litigation and criminal investigations; notably, this included the largest merger between two US conglomerates, a deal worth $87 billion. He has also served as a cyber security consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.