Cyber Security Training from QA

Cyber Pulse: Edition 34

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


28 September 2018

Chegg Hack Hit 40M Customers

Chegg, the education technology company best known for textbook rental, suffered a data breach affecting around 40 million customers. According to CNBC, Chegg's shares fell more than 12 percent on Wednesday (September 26) after the news broke. The breach, which happened in April but was only discovered a week ago, was revealed in a filing with the Securities and Exchange Commission. Chegg explained that hackers gained access to its customer database, which includes users of Chegg's website as well as of other products, such as its citation service EasyBib. The criminals stole usernames, email addresses, shipping addresses and hashed passwords; there is no evidence that financial data was taken. The filing does not say which hashing scheme was used, so anyone who reused their Chegg password elsewhere should treat it as exposed. The company has vowed to reset all user passwords as a result of the breach. Chegg said it first learned of the breach on September 19 and plans to start notifying approximately 40 million registered users and regulatory authorities about the incident. "Chegg takes the security of its users' information seriously and will be initiating a password reset process for all user accounts," the company said in the SEC filing. But Phil Hill, an ed tech consultant who first spotted the SEC form, reported that Chegg had not started the notification process, even after the 8-K filing. "I get that the company needs to notify the SEC, being a publicly traded company, but they certainly are not notifying the public very well. Seems focus is on guidance for stock price, not transparency," said Hill, according to ZDNet. Despite the hit to its stock, Chegg said that it does not expect the breach to have a material impact on its financial results. In fact, the company confirmed its previous guidance for the third quarter, which showed expected revenue in the range of $68 million to $69.5 million, including Chegg Services revenue of $52 million to $53.5 million, according to Motley Fool. Its shares had nearly doubled this year before Wednesday's trading.

Uber pays $148m settlement for data breach

Uber has agreed to pay $148m to settle claims related to its large-scale 2016 breach, which saw more than 25 million US users' personal information exposed. The breach, which only came to the public's attention a full year after the incident because Uber failed to disclose it, saw hackers obtain 607,000 US driver's license numbers as well as millions of other personal details such as email addresses and phone numbers. Bloomberg News revealed in 2017 that then-Uber CEO Travis Kalanick had been informed of the breach, which resulted in the theft of personal data from 57 million Uber customers worldwide. Instead of informing the relevant authorities, however, Kalanick opted to pay the hackers $100,000 to delete the stolen data and keep quiet. The result is the largest penalty associated with a data breach in US history. Government officials had stated their intent to take a much harder line on tech companies that behave recklessly by pursuing profit rather than ensuring the safety of their customers' data. Following the settlement, New York State attorney general Barbara Underwood said in a statement: "This record settlement should send a clear message: We have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation."

Cybercriminals turn to Delphi packers to evade malware detection

Cybercriminals are increasingly using legitimate programming tools and their default libraries to evade malware detection. According to a blog post by FireEye, many crypting services are offered in underground forums by hackers who claim to make any malware "FUD", or "Fully Undetectable", by anti-virus technologies, sandboxes and other endpoint solutions. "We also see an increased effort to model normal user activity and baseline it as an effective countermeasure to fingerprint malware analysis environments," researchers said. The Delphi programming language has been used by hackers to write applications that leverage Windows API functions. "In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application "look legit" during dynamic analysis," said researchers. Researchers observed one campaign using this technique that drops payloads packed with a Delphi packer. The packer goes to great lengths to make sure it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. "The first variant of the packer uses GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep," said the researchers. To confirm user activity, a second variant of the packer checks for mouse cursor movement using the GetCursorPos and Sleep APIs, while a third variant checks for system idle time using the GetLastInputInfo and GetTickCount APIs. An analysis sandbox that never switches windows, never moves the pointer and reports hours of idle time therefore never sees the payload; sandboxes that replay such user activity are the countermeasure. The original payload is split into multiple binary blobs stored in various locations inside the resource directory. To locate and assemble the real payload bytes, the packer code first reads content directly from a hardcoded resource ID inside the resource section.

Many of the unpacked binaries that the researchers extracted from the sample set were identified as belonging to the Lokibot malware family. Researchers also identified the Pony, IRStealer, Nanocore, Netwire, Remcos and nJRAT families, as well as a coin-mining family, among others.
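The three checks described above, modelled as an added example (this is not FireEye's code or the packer's own; the decision logic follows the article, while the poll counts, sleep intervals, the 60-second idle threshold, the scripted sample values and the helper names are assumptions made here). The checks take an injectable activity source, so the same logic can be replayed offline against constructed "bare sandbox" and "busy user" samples or, on Windows, wired to the real user32/kernel32 calls through ctypes:

```python
"""Model of the three user-activity checks FireEye attributes to the Delphi packer.
Added example, not FireEye's or the packer's code. The logic (three foreground
changes, cursor movement, recent input) follows the article; poll counts, sleep
intervals and the 60 s idle threshold are assumptions made here."""
import sys
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ActivitySource:
    """The Win32 calls the packer variants rely on, as injectable callables."""
    foreground: Callable[[], int]           # GetForegroundWindow -> HWND
    cursor: Callable[[], Tuple[int, int]]   # GetCursorPos -> (x, y)
    last_input_tick: Callable[[], int]      # GetLastInputInfo -> dwTime (ms)
    tick: Callable[[], int]                 # GetTickCount -> ms since boot
    sleep: Callable[[float], None]          # Sleep (seconds here)


def variant1_foreground_changes(src, required=3, polls=20, interval=0.5) -> bool:
    """Variant 1: continue only after the foreground window changed `required`
    times; where this returns False the real packer sleeps forever."""
    last, changes = src.foreground(), 0
    for _ in range(polls):
        src.sleep(interval)
        cur = src.foreground()
        if cur != last:
            last, changes = cur, changes + 1
            if changes >= required:
                return True
    return False

def variant2_cursor_moves(src, polls=10, interval=0.5) -> bool:
    """Variant 2: sample GetCursorPos around Sleep and require the pointer to move."""
    start = src.cursor()
    for _ in range(polls):
        src.sleep(interval)
        if src.cursor() != start:
            return True
    return False

def variant3_recent_input(src, max_idle_ms=60_000) -> bool:
    """Variant 3: GetTickCount minus GetLastInputInfo.dwTime is the idle time;
    a machine with no keyboard or mouse input for a long time looks like a sandbox."""
    idle_ms = (src.tick() - src.last_input_tick()) & 0xFFFFFFFF  # 32-bit ms counters wrap
    return idle_ms < max_idle_ms

def scripted_source(foregrounds: List[int], cursors: List[Tuple[int, int]],
                    idle_ms: int) -> ActivitySource:
    """Replay constructed samples offline: each call yields the next value, then
    repeats the last one; Sleep is a no-op so the replay finishes instantly."""
    def replay(seq):
        it, state = iter(seq), {"last": seq[0]}
        def nxt():
            state["last"] = next(it, state["last"])
            return state["last"]
        return nxt
    uptime_ms = 5_000_000  # constructed GetTickCount value
    return ActivitySource(replay(foregrounds), replay(cursors),
                          lambda: uptime_ms - idle_ms, lambda: uptime_ms, lambda s: None)

def bare_sandbox() -> ActivitySource:
    """Constructed: one window, a parked cursor, no input for an hour."""
    return scripted_source([0x1A0], [(512, 384)], idle_ms=3_600_000)

def busy_user() -> ActivitySource:
    """Constructed: a user cycling through four windows and nudging the mouse."""
    return scripted_source([0x1A0, 0x1A0, 0x2B4, 0x3C8, 0x4D0],
                           [(512, 384), (530, 390)], idle_ms=800)

def win32_source() -> ActivitySource:
    """Wire the same checks to the real APIs through ctypes (Windows only)."""
    import ctypes
    from ctypes import wintypes

    class LASTINPUTINFO(ctypes.Structure):
        _fields_ = [("cbSize", wintypes.UINT), ("dwTime", wintypes.DWORD)]

    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.GetForegroundWindow.restype = ctypes.c_void_p

    def cursor():
        pt = wintypes.POINT()
        user32.GetCursorPos(ctypes.byref(pt))
        return (pt.x, pt.y)

    def last_input_tick():
        lii = LASTINPUTINFO(cbSize=ctypes.sizeof(LASTINPUTINFO))
        user32.GetLastInputInfo(ctypes.byref(lii))
        return lii.dwTime

    return ActivitySource(user32.GetForegroundWindow, cursor, last_input_tick,
                          kernel32.GetTickCount, time.sleep)

if __name__ == "__main__":
    src = win32_source() if sys.platform == "win32" else bare_sandbox()
    for check in (variant1_foreground_changes, variant2_cursor_moves, variant3_recent_input):
        print(check.__name__, check(src))
```

Run on a Windows host it reports each check against the live desktop; elsewhere it falls back to the constructed sandbox sample, where all three checks fail, which is exactly the behaviour that keeps the payload hidden from a static analysis VM. A sandbox that wants to defeat these variants has to cycle window focus, move the pointer and report recent input before letting the sample run.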

Apple 'Security Loophole' Exposes Business Wi-Fi Passwords To Hackers

Researchers claimed on Thursday they have found a novel way to steal business Wi-Fi and application passwords via one of the Cupertino giant's products, by subverting an Apple technology designed to help companies manage and secure fleets of iPhones and Macs. The problem lies in the openness of Apple's Device Enrolment Program (DEP), according to researchers from Duo Security, recently acquired by Cisco for $2.35 billion. They found it was possible to steal Wi-Fi passwords and other internal business secrets by enrolling a rogue device through DEP. Apple does support user authentication when enrolling an iPhone through DEP, but it does not require it; that decision is left to each business, which then registers a DEP-enrolled iPhone, Mac or Apple TV with its own mobile device management (MDM) server, hosted in-house or as a cloud service. When a company chooses not to require authentication, an attacker only needs the serial number of a real device that is registered in DEP but not yet set up on the company's MDM server. That can be obtained by social engineering an employee or by checking MDM product forums, where people frequently post serial numbers, the researchers said. Brute forcing, where a computer works through candidate serial numbers against DEP until it hits a registered one, is another option. The attacker then enrols a rogue device with the MDM server under the chosen serial number and appears on the target company network as a legitimate user. From there, it is possible to retrieve passwords for applications and Wi-Fi across the victim business, according to the researchers. There is one significant caveat: the attacker has to enrol their device with the company's MDM server before the legitimate employee does, because the server will only accept a given serial number once. But that might not be as big a barrier as one might expect.

LoJax campaign reveals first documented use of UEFI rootkit in the wild

Researchers have uncovered what appears to be the first case of a UEFI rootkit in the wild, moving active UEFI exploitation from a conference topic to reality. The rootkit was found bundled with a toolset able to patch a victim's system firmware in order to install malware at that level, ESET researchers said on Thursday. In at least one recorded case, the threat actors behind the malware wrote a malicious UEFI module into a system's SPI flash memory, which in turn dropped and executed malicious code on disk during the boot process. Malware installed this way survives both an operating system reinstall and a hard disk replacement. The only way to remove it, assuming victims know they have been compromised in the first place, is to reflash the firmware, something typical users rarely do. ESET also notes that the malicious module is not properly signed, so a machine with Secure Boot enabled would refuse to load it; enabling Secure Boot and keeping firmware up to date are the practical defences. According to ESET, this is the first UEFI rootkit recorded as active in the wild. It is being used by the advanced persistent threat (APT) group Fancy Bear, also known as Sednit, APT28, STRONTIUM and Sofacy. The group has been in operation since at least 2004. Allegedly directed by the Russian government, it has been connected to attacks against the US Democratic National Committee (DNC) ahead of the US elections, the World Anti-Doping Agency (WADA), the International Association of Athletics Federations (IAAF), the German government and the Ukrainian military, among others.

New VPNFilter Modules Reveal Extensive Capabilities

The recently discovered VPNFilter malware has even more capabilities than previously thought, researchers at Cisco Talos determined after identifying seven new modules. VPNFilter's existence was brought to light in May after the malware was analyzed by several cybersecurity firms. It infected at least half a million routers and network-attached storage (NAS) devices across more than 50 countries and targets over 50 device models from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware, whose main target appears to be Ukraine, has been linked to Russia. Cybersecurity firms and authorities in the United States have taken steps to neutralize VPNFilter, but Cisco Talos, which has spearheaded the investigation, says it can still be difficult to detect the malware in the wild. The modules found initially allow VPNFilter to intercept data passing through the compromised device, monitor the network for communications over the Modbus SCADA protocol, and render an infected device unusable. Additional modules described later by Talos are designed for data exfiltration, JavaScript injection, and removing the malware from a device. Talos has now published its analysis of seven further modules that let attackers map networks and exploit endpoints connected to infected devices, obfuscate and encrypt data exfiltration and C&C communications, find new potential victims reachable from a compromised device, and build a distributed network of proxies that may be useful in other operations for hiding the source of attack traffic. The company has shared detailed technical information for each of the newly analyzed modules. Their discovery and analysis has answered most of the open questions about the malware itself, Talos said, but researchers have yet to determine exactly how it gains initial access to devices. While it has no definitive proof, Talos believes the most likely attack vector is the exploitation of known vulnerabilities in the devices, which makes keeping router and NAS firmware current the practical mitigation.

Bitcoin Core Software Patches a Critical DDoS Attack Vulnerability

The Bitcoin Core development team has released an important update to patch a denial-of-service vulnerability in its node software, a bug serious enough to have taken down much of the Bitcoin network, which is usually regarded as the most battle-tested and secure blockchain. The vulnerability, identified as CVE-2018-17144, affects Bitcoin Core versions 0.14.0 to 0.16.2 and could be exploited by anyone capable of mining a block: a miner who included a transaction that spends the same input twice would crash every vulnerable node that validated the block, holding up transaction confirmation for everyone else until operators restarted and patched. The bug had been present since March last year, when 0.14.0 was released, but the team says nobody noticed it, or nobody was willing to incur the expense of exploiting it: because a block containing such a transaction is invalid, the attacking miner forfeits the 12.5 BTC block reward, worth almost $80,000 (£60,000), for each attempt. The Bitcoin Core team has patched the vulnerability and is urging miners and node operators to update to Bitcoin Core 0.16.3 as soon as possible.
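To make the validation gap concrete, here is an added model in Python (not Bitcoin Core's code; the transaction and UTXO representation, the sample data and the exception and function names are simplifications made here). It reproduces the relevant shape of the bug: the duplicate-input rule is skipped during block connection, the duplicated outpoint passes the existence check because the coin is still unspent at that moment, and the second spend then hits the condition a vulnerable node treated as an assertion failure:

```python
"""Model of the block-validation gap behind CVE-2018-17144.
Added example, not Bitcoin Core code. Transactions are reduced to a txid, a list
of (prev_txid, vout) inputs and an output count; amounts, scripts and signatures
are left out. Error strings mirror Bitcoin Core's rejection reasons."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

OutPoint = Tuple[str, int]  # (txid, output index)


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]
    n_outputs: int


class InvalidBlock(Exception):
    """Graceful rejection: the node drops the block and stays up."""


class NodeCrash(Exception):
    """Stands in for the assertion failure that brought down vulnerable nodes."""


def has_duplicate_inputs(tx: Tx) -> bool:
    """The CheckTransaction rule that vulnerable releases skipped when
    validating a block (it was still applied to mempool transactions)."""
    seen: Set[OutPoint] = set()
    for op in tx.inputs:
        if op in seen:
            return True
        seen.add(op)
    return False


def connect_block(utxo: Dict[OutPoint, str], block: List[Tx],
                  check_duplicates: bool = True) -> Dict[OutPoint, str]:
    """Apply `block` to a copy of the UTXO set and return the new set.
    check_duplicates=False reproduces the 0.14.0 - 0.16.2 validation path."""
    view = dict(utxo)
    for tx in block:
        if check_duplicates and has_duplicate_inputs(tx):
            raise InvalidBlock("bad-txns-inputs-duplicate")
        # HaveInputs: every referenced coin must exist. A duplicated input
        # passes this check, because the coin is still unspent at this point.
        if any(op not in view for op in tx.inputs):
            raise InvalidBlock("bad-txns-inputs-missingorspent")
        # UpdateCoins: spend each input. The second spend of a duplicated
        # outpoint finds the coin already gone; vulnerable nodes asserted here.
        for op in tx.inputs:
            if op not in view:
                raise NodeCrash(f"assertion failed: coin {op} already spent")
            del view[op]
        for i in range(tx.n_outputs):
            view[(tx.txid, i)] = tx.txid
    return view


def sample_utxo() -> Dict[OutPoint, str]:
    """Constructed UTXO set: two unspent outputs from earlier transactions."""
    return {("a1" * 16, 0): "a1" * 16, ("b2" * 16, 1): "b2" * 16}


def honest_block() -> List[Tx]:
    """Constructed: one ordinary transaction spending one coin."""
    return [Tx("c3" * 16, [("a1" * 16, 0)], 2)]


def poisoned_block() -> List[Tx]:
    """Constructed: one transaction that spends the same outpoint twice."""
    return [Tx("d4" * 16, [("b2" * 16, 1), ("b2" * 16, 1)], 1)]


def outcome(block: List[Tx], check_duplicates: bool) -> str:
    """What a node does with `block`: 'accepted', 'rejected' or 'crashed'."""
    try:
        connect_block(sample_utxo(), block, check_duplicates)
        return "accepted"
    except InvalidBlock:
        return "rejected"
    except NodeCrash:
        return "crashed"
```

outcome() returns "rejected" for the poisoned block when the duplicate-input rule is enforced and "crashed" when it is skipped, while the honest block is "accepted" either way. The cost asymmetry in the article follows from the same model: the block that triggers the crash is invalid under the fixed rules, so patched nodes reject it and the attacker's 12.5 BTC reward is lost.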


Visit cyber.qa.com for more information on how QA can help close the cyber security skills gap.


Useful links

Cyber Pulse: Edition 33

Cyber Pulse: Edition 32

Cyber Pulse: Edition 31

Cyber Pulse: Edition 30

Cyber Pulse: Edition 29

Cyber Pulse: Edition 28

Cyber Pulse: Edition 27

Cyber Pulse: Edition 26

Cyber Pulse: Edition 25

Cyber Pulse: Edition 24


Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a cybersecurity researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a data consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a cybersecurity consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.