Cyber Security Training from QA

Cyber Pulse: Edition 35

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


5 October 2018

Chinese ‘bugging’ chips found in US technology

Bloomberg has revealed in its recently published report that a nation-state has launched a significant supply chain attack. It is believed to be one of the largest corporate spying and hardware hacking campaigns ever launched by a nation-state. The espionage campaign is launched through a very small surveillance chip, which is only the size of a grain of rice. This chip is hidden in the servers currently in use by about 30 US firms including the bigwigs Apple, Amazon, and Elemental. According to Bloomberg, these chips weren’t part of the server motherboard originally. These have been designed by Super Micro, a US-based firm. Reportedly, the malicious chips were inserted when the server motherboards were undergoing manufacturing process, which was carried out in China by their subcontractors. Amazon notified the US authorities about the discovery, which sent shockwaves across the intelligence fraternity since these servers are also in use at the Department of Defense data centers, the Navy warships’ onboard networks, and the drone operations from the CIA. The probe has been active for over three years and investigators believe that the chips have been inserted to let the attackers get an entry to any network that is connected to the servers. This attack is a lot more serious and severe than other software-based attacks identified so far considering that hardware attacks are quite difficult to identify immediately, and by the time these are, a lot of information has been leaked. Spy agencies are the most important beneficiaries of such campaigns and are keen on investing into such a campaign.

Australia, UK accuse Russia of cyber attacks aimed at undermining Western democracies

In a British assessment based on work by its National Cyber Security Centre (NCSC), Russian military intelligence (GRU) was cast as a pernicious cyber aggressor which used a network of hackers to spread discord across the world. In a statement, Australian Prime Minister Scott Morrison said that Australian intelligence agencies in consultation with international allies had determined the GRU was responsible for a "pattern of malicious cyber activity". While Australia was not significantly impacted, this activity affected the ability of the public in other parts of the world to go about their daily lives. It caused significant, indiscriminate harm to civilian infrastructure and resulted in millions of dollars in economic damage. Britain said the GRU was associated with a host of hackers including APT 28, Fancy Bear, Sofacy, Pawnstorm, Sednit, CyberCaliphate, Cyber Berkut, Voodoo Bear and BlackEnergy Actors.

Bupa fined £175,000 after employee puts customers' data up for sale on the dark web

The UK’s Information Commissioner’s Office (ICO) has fined Bupa £175,000 after an investigation found the health insurer failed to have "effective security measures in place to protect customers' personal information" in the wake of an incident that saw an employee extract data of 547,000 global customers during January and March 2017 and put it up for sale on the dark web. The employee accessed the sensitive information through Bupa's customer relationship management system, SWAN, which stored at the time records relating to 1.5 million people and was used to manage claims under customers' international health insurance policies. According to the UK regulator, the employee sent "bulk data reports" to his personal email account, which included information on names, dates of birth, nationality and email addresses. An external partner spotted the records for sale on a popular dark web site reported to have had more than 400,000 users at the time, which was shut down by US authorities in July last year. The ICO found that Bupa was not "routinely" monitoring the activity log of the SWAN system and was unaware of an error that meant they were unable to spot unusual activity - such as extracting large amounts of data. The watchdog said its investigation uncovered "systemic failures in Bupa's technical and organisational measures".

Facebook security breach affects 50 million users

Facebook faced one of its biggest security breaches this week where over 50 million accounts were hacked. The breach was discovered on Tuesday and the company had informed the police. At a press conference that was also attended by CEO Mark Zuckerberg, Guy Rosen, the Vice-President of Product Management said that a feature was added to the software for a video function in July 2017. The vulnerability had already started affecting the system when the company discovered unusual activities such as a spike in the number of users. The company discovered a breach on September 25th and fixed it in two days. The current security breach is being looked into and as a precaution, all the affected accounts have been reset along with 40 million more, Rosen said according to BBC. The vulnerability impacted the Facebook's 'View as' feature which lets people see how their profile would appear to others. The attackers could access user accounts through digital tokens (equivalent to passwords or keys) by taking advantage of the vulnerabilities in the functions. Digital tokens keep the apps logged in the background. With this, users need not log into the app every time they open it. This breach will give the hackers user information as well as access to third-party sites like Instagram, Tinder, Airbnb.

'Customised, uniquely tailored' malware not seen elsewhere used in SingHealth cyberattack

Phishing was likely used as a tool to gain access to a front-end computer at Singapore General Hospital, the Committee of Inquiry (COI) into the SingHealth cyberattack heard on Friday (Oct 5). The attacker then installed customised malware before laying dormant to execute their plan months later. Forensic investigations found signs of call-backs to an overseas command and control server, said Solicitor-General Kwek Mean Luck as he presented a report by the Cyber Security Agency of Singapore (CSA) on the "modus operandi" of the cyber attackers. Such servers are used by attackers to talk to compromised computers within a target network. The malware was “customised, uniquely tailored to the targeted systems, and had not been observed elsewhere”, the report said. The “skilful and technically advanced” attacker also used modified open-source tools that evaded anti-virus software, it added. CSA said that the tools, techniques and procedures, as well as some of the malware that the attacker used fit the profile of an Advanced Persistent Threat (APT) group that it has previously encountered in other investigations. The cyberattack, which was Singapore’s most serious breach of public data to date, saw a total of 1.5 million patient records accessed and 160,000 records of outpatient dispensed medicine taken. Database administrators from the Integrated Health Information Systems (IHiS) - the central IT agency for the healthcare sector - discovered the breach on Jul 4 and acted immediately to stop it. It also saw the personal particulars of Prime Minister Lee Hsien Loong, as well as information on his outpatient dispensed medicines, being “specifically and repeatedly” targeted.

GRU Officers Allegedly Hacked Wi-Fi Networks Worldwide

Russian military intelligence officers allegedly travelled in person to the offices of targeted organizations in Switzerland, Brazil, Malaysia and the Netherlands to compromise Wi-Fi networks in a wide-ranging cyber-espionage campaign, it has emerged. The allegations were made by the US Department of Justice (DoJ) as it indicted seven GRU officers yesterday for computer hacking, wire fraud, aggravated identity theft, and money laundering. When the officers couldn’t obtain targeted users' log-ins or the hacked accounts didn’t give them the necessary privileged access, they allegedly travelled physically to hack them via Wi-Fi connections, including hotel Wi-Fi networks. Anti-doping agency WADA, and the Organisation for the Prohibition of Chemical Weapons (OPCW) — which was investigating the Salisbury poisoning and use of chemical weapons in Syria — are said to have been among the targets. Reports suggest four GRU officers set up hacking equipment in the boot of a car parked in the OPCW’s offices in The Hague. They are said to have been disrupted by Dutch intelligence officers, who confirmed the equipment had also been used at the Swiss hotel used by the Canadian Centre for Ethics in Sport (CCES) and a hotel in Kuala Lumpar, where investigations were underway into the downing of Malaysia Airlines flight MH17 over Ukraine.

Zoho Heavily Used by Keyloggers to Transmit Stolen Data

CRM software and free mail provider Zoho was taken offline by their domain registrar for alleged Phishing violations. This week, new research was released that states Zoho is being heavily used by keylogger distributors as a way to transmit their stolen data. Keyloggers are malware that silently monitor a victim's computer and collect account credentials, trade secrets, or spy on a user's behaviour. When stealing information, it can be done through monitoring and logging what is typed on the keyboard, recording webcams and microphones, taking screenshots of active windows, and performing other malicious activity. This information is then collected and either transmitted directly to a server under the attackers control or compiled into an email and sent to the attackers. If sending the stolen data by email, attackers typically rely on free throw-away email accounts to transmit their emails. According to research by mail security provider Cofense, 40% of the keyloggers that they have analysed were using Zoho to email stolen information from a victim's machine. Cofense told BleepingComputer via email that the most common keyloggers that they see abusing Zoho have been Hawkeye and Agent Tesla. Both of these keyloggers will compile the data they steal and then use a mail provider like Zoho to transmit it back to the attackers. Zoho is attractive to attackers for several reasons. First, they're a SaaS solution. Cloud-based organizations are a major target for threat actors because of the sheer number of, and variance in, their end-user demographics. For example: If a platform has 30M+ users, even if a tiny fraction of a percent have their accounts compromised, it generates a huge command and control footprint for the threat actors. Additionally, by not enforcing strict security features such as multifactor authentication, and with loose controls around account creation, it creates additional risk exposure. A somewhat simple script, for example, could potentially provide an attacker the ability to fully automate account creation in this type of scenario."

Malicious remote admin tool seemingly linked to KONNI malware

Palo Alto Networks’ Unit 42 threat research team, which uncovered the malware, refers to it as NOKKI because it shares overlapping code and infrastructure with KONNI, another RAT that for the last four years has been spread through phishing documents. NOKKI is most like KONNI in the manner it collects information from an infected machine, including its IP address, host name, user name, driver information, operating system and installed programs. “Based on the similarities witnessed, we think it is highly probable there is some amount of code sharing and likely a single adversary group involved,” stated researchers and blog post co-authors Josh Grunzweig and Bryan Lee in the first of two reports. The malware, which can also drop and execute payloads and produce decoy documents, is also distributed similarly to KONNI — via email phishing campaigns. However, NOKKI differs from its predecessor in that it is highly modular in nature, its infection chain involves more steps, and it and relies on compromised legitimate servers for its command-and-control communications. Researchers say the NOKKI attacks can be divided into two waves of attacks — the first beginning in January 2018 and the second running through at least July. The attacks from January through May relied on the FTP protocol for C2 communications, while later attacks used a separate NOKKI variant that relies on HTTP. But it’s the July attacks that are perhaps the most interested, due to their use of an unusual string obfuscation routine that researchers observed in a previous phishing scheme targeting fans of the World Cup in Russia. This phishing campaign infected users with ROKRAT malware, which is associated solely with Reaper/Group 123 threat group. The earlier wave of NOKKI phishing attacks attempted to trick victims into opening a malicious Microsoft Windows executable file disguised as PDF file, using lures featuring a Cambodian political theme, written in Cambodian. Later, the perpetrators switched gears to target Russian interests, distributing malicious emails written in Cyrillic. Further investigation turned up an additional dropper malware family called Final1stspy that delivers a payload in the ROKRAT/DOGCALL family that has various spyware capabilities, including taking screenshots, keylogging, capturing microphone data, collecting files and user information, and downloading more payloads.

Betabot trojan packed with anti-malware evasion tools

A banking trojan packing anti-malware evasion techniques that features an exhaustive blacklist of security software. Cybereason researchers have spotted multiple Betabot, aka Neurevt, infections over the past few weeks and have noted the malware has now been packed with features that allow its operators to practically take over a victim’s machine to steal sensitive information, according to an Oct. 3 blog post. “Other programs remove malware and bots that are already on a person’s machine, eliminating the competition with heuristic approaches that would put many security products to shame,” researchers said in the post. “Betabot stands out because it implements all of these self-defence features and has an exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualization companies.” The malware has been active since late 2012and began as just a banking trojan but the most recent version include browsers form grabber, FTP and mail client stealer, banker modules, and running DDoS attacks. The trojan also uses a USB infection module, Robust Userland Rootkit (x86/x64), arbitrary command execution via shell, the ability to download additional malware, persistence, and a crypto-currency miner module. Betabot spreads by exploiting an 18-year-old zero-day vulnerability in the Equation Editor tool in Microsoft Office that wasn’t discovered and patched by Microsoft until 2017. Infections are spread via phishing campaigns which leverage social engineering to convince victims to download what appears to be a Word document email attachment. The malware also uses interesting persistence techniques one of which was implemented via Windows Task Scheduler and was observed in some infections. Researchers also noted infections which used a simple registry Autorun.

 

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

 

Useful links

Cyber Pulse: Edition 34

Cyber Pulse: Edition 33

Cyber Pulse: Edition 32

Cyber Pulse: Edition 31

Cyber Pulse: Edition 30

Cyber Pulse: Edition 29

Cyber Pulse: Edition 28

Cyber Pulse: Edition 27

Cyber Pulse: Edition 26

Cyber Pulse: Edition 25

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.