Cyber Security Training from QA

Cyber Pulse: Edition 36

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


12 October 2018

WhatsApp fixes video call security bug that enabled hackers to take over phones

The Facebook-owned messaging service WhatsApp was found to have had a serious vulnerability in its video-calling code. According to Natalie Silvanovich, a security researcher at Google Project Zero, WhatsApp's video calls gave attackers the opportunity to take control of a user's smartphone. The vulnerability arose due to a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation", she explained in a tweet. “Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet,” Silvanovich said in a vulnerability report. “This issue can occur when a WhatsApp user accepts a call from a malicious peer.” In other words, an attacker could hijack a victim's phone if the victim simply answered a call, with no further interaction required, and potentially gain remote access to the device's contents and WhatsApp conversations. WhatsApp has already patched the vulnerability, so users should update the app to make sure they are running a fixed version.
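The bug class behind this report, a media parser that trusts the length fields inside an RTP packet it received from the network, is easiest to see in code. The following is an added example written for this roundup; it is not WhatsApp's code and does not reproduce the specific flaw Project Zero found. It is a minimal RFC 3550 RTP header parser in C in which every count the packet supplies about itself (CSRC count, header-extension length, padding count) is checked against the real buffer length before it is used, fed with three constructed packets: one well-formed, one that claims 15 CSRC entries but is 14 bytes long, and one whose extension header claims a 262,140-byte body. The struct, function and packet names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an RFC 3550 RTP packet. Illustrative type, not WhatsApp's. */
struct rtp_view {
    uint8_t version, padding, has_ext, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    uint32_t csrc[15];          /* CC is a 4-bit field, so 15 is the true maximum */
    const uint8_t *ext;         /* extension body, or NULL */
    size_t ext_len;             /* extension body length in bytes */
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the packet is malformed. Every length the packet
 * claims about itself is checked against the real buffer length before use. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_view *v)
{
    memset(v, 0, sizeof *v);
    if (len < 12) return -1;                        /* fixed header is 12 bytes */
    v->version = pkt[0] >> 6;
    if (v->version != 2) return -1;
    v->padding      = (pkt[0] >> 5) & 1;
    v->has_ext      = (pkt[0] >> 4) & 1;
    v->csrc_count   = pkt[0] & 0x0f;
    v->marker       = pkt[1] >> 7;
    v->payload_type = pkt[1] & 0x7f;
    v->seq          = rd16(pkt + 2);
    v->timestamp    = rd32(pkt + 4);
    v->ssrc         = rd32(pkt + 8);

    size_t off = 12;
    /* CC is attacker-controlled: CC=15 means 60 more bytes of CSRC list. A parser
     * that loops over CC without this check reads past the end of a short packet. */
    if (len - off < (size_t)v->csrc_count * 4) return -1;
    for (unsigned i = 0; i < v->csrc_count; i++, off += 4) v->csrc[i] = rd32(pkt + off);

    if (v->has_ext) {
        if (len - off < 4) return -1;               /* profile (2) + length (2) */
        size_t ext_words = rd16(pkt + off + 2);     /* length in 32-bit words */
        off += 4;
        /* ext_words*4 can be 262140 bytes. Copying that many bytes into a buffer
         * sized from the real packet is the textbook heap overflow; reject it. */
        if (len - off < ext_words * 4) return -1;
        v->ext = pkt + off;
        v->ext_len = ext_words * 4;
        off += v->ext_len;
    }

    size_t pad = 0;
    if (v->padding) {
        if (off == len) return -1;                  /* no byte left to hold the pad count */
        pad = pkt[len - 1];
        if (pad == 0 || pad > len - off) return -1; /* pad count must fit what remains */
    }
    v->payload = pkt + off;
    v->payload_len = len - off - pad;
    return 0;
}

/* Constructed sample packets for the demo; these are not captured traffic. */
static const uint8_t good_pkt[] = {
    0x80, 0x60, 0x00, 0x01,                         /* V=2 P=0 X=0 CC=0 | M=0 PT=96 | seq=1 */
    0x00, 0x00, 0x00, 0xa0,                         /* timestamp */
    0xde, 0xad, 0xbe, 0xef,                         /* SSRC */
    0x01, 0x02, 0x03, 0x04                          /* 4 payload bytes */
};
/* Claims CC=15 (60 bytes of CSRCs) but the whole packet is 14 bytes long. */
static const uint8_t short_csrc_pkt[] = {
    0x8f, 0x60, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa0, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02
};
/* X=1 with an extension header claiming 0xffff words (262140 bytes) of body. */
static const uint8_t huge_ext_pkt[] = {
    0x90, 0x60, 0x00, 0x03, 0x00, 0x00, 0x00, 0xa0, 0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0xff, 0xff
};

/* Each demo returns the parser's verdict so it can be checked, not just printed. */
int demo_good(void)       { struct rtp_view v; return rtp_parse(good_pkt, sizeof good_pkt, &v) == 0 && v.payload_len == 4 && v.ssrc == 0xdeadbeefu && v.payload_type == 96; }
int demo_short_csrc(void) { struct rtp_view v; return rtp_parse(short_csrc_pkt, sizeof short_csrc_pkt, &v); }
int demo_huge_ext(void)   { struct rtp_view v; return rtp_parse(huge_ext_pkt, sizeof huge_ext_pkt, &v); }

int main(void)
{
    printf("well-formed packet parsed: %s\n", demo_good() ? "yes" : "no");
    printf("short CSRC packet rejected: %s\n", demo_short_csrc() == -1 ? "yes" : "no");
    printf("oversized extension rejected: %s\n", demo_huge_ext() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the example is where the checks sit: each one is made on the remaining bytes (len - off) before the packet's own count is trusted, which is exactly the step a fuzzer-found "malformed RTP packet" exercises. Compile with -fsanitize=address and delete one of the checks to see the over-read that the check prevents.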

Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users' Data

Google is shutting down its social network Google+ after disclosing a bug that exposed the private profile data of hundreds of thousands of Google+ users to third-party developers. According to the company, a flaw in one of the Google+ People APIs allowed third-party apps to read profile fields that users had not shared publicly, covering more than 500,000 accounts and including names, email addresses, occupation, date of birth, profile photos and gender. Because Google+ servers keep API logs for only two weeks, Google cannot confirm the exact number of users affected. It said it found no evidence that any developer was aware of the bug or misused profile data, and that up to 438 applications could have used the affected API. The bug had existed since 2015 and was fixed after Google discovered it in March 2018, but the company chose not to disclose it publicly at the time, when Facebook was being roasted for the Cambridge Analytica scandal.

Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

Microsoft has released its Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities across its products. This month's updates address flaws in Microsoft Windows, the Edge browser, Internet Explorer, Microsoft Office, Office Services and Web Apps, ChakraCore, SQL Server Management Studio and Exchange Server. Of the 49 flaws, 12 are rated critical, 35 important, one moderate and one low in severity. Three were listed as publicly known at the time of release, and one is being actively exploited in the wild. According to Microsoft's advisory, an undisclosed group of attackers is exploiting an important-rated elevation-of-privilege vulnerability (CVE-2018-8453) in Windows to take full control of targeted systems. The flaw exists because the Win32k kernel-mode driver fails to handle objects in memory properly; an attacker who can already run a specially crafted application on the machine can use it to execute arbitrary code in kernel mode. Because it is a local privilege-escalation bug, it appears as a second step after an initial foothold rather than as the entry point, as in the FruityArmor campaign described below.

FruityArmor APT Exploits Yet Another Windows Graphics Kernel Flaw

A recent campaign uncovered by Kaspersky Lab led researchers to the zero-day (CVE-2018-8453), a local privilege-escalation flaw in Win32k that Microsoft fixed in this month's Patch Tuesday release. The FruityArmor APT group was seen using a high-quality exploit for the bug to run the first stage of a malware installer, with the purpose of gaining the privileges needed for persistence on the victim's system. Following successful exploitation, the payload (bundled with the installer) is a sophisticated implant used for stealing token information and acting as a backdoor. “The second stage of the payload is a PowerShell backdoor that leads to a final malware payload we called ‘SoleDragon’ for one of the strings found in the sample,” Kaspersky Lab's Stolyarov said. “It is an advanced backdoor that allows an attacker to gain full remote control of an infected machine – to execute shellcode, commands, download subsequent stages of the malware, etc.” The binary also uses the Microsoft Background Intelligent Transfer Service (BITS) to communicate with its C2 servers, an unusual technique. Because BITS jobs are queued by a trusted system service and survive reboots, defenders hunting for this kind of channel can enumerate all users' jobs with bitsadmin /list /allusers /verbose or PowerShell's Get-BitsTransfer -AllUsers and look for transfers to unfamiliar hosts.

Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices

Heathrow Airport Limited (HAL) has been fined £120,000 by the Information Commissioner's Office (ICO) for failing to ensure that the personal data held on its network was properly secured. On 16 October 2017 a member of the public found a USB memory stick that had been lost by a HAL employee. The stick, which contained 76 folders and over 1,000 files, was neither encrypted nor password protected, and the member of the public was able to view its contents on a computer at a local library. Although personal and sensitive personal data made up only a small fraction of the files, of particular concern was a training video which exposed ten individuals' details, including names, dates of birth and passport numbers, and the details of up to 50 HAL aviation security personnel. The stick was passed to a national newspaper, which took copies of the data before returning the stick to HAL. Because the incident pre-dated the GDPR, the fine was issued under the Data Protection Act 1998, whose maximum penalty was £500,000.

Tens of thousands of credit cards must be reissued after Ticketmaster data breach

Tens of thousands of Lloyds Bank, Halifax and Bank of Scotland customers are being issued with new credit cards after their details were compromised in the Ticketmaster data breach. Customer data was stolen from the ticketing website earlier this year, when attackers planted card-skimming code in a third-party customer-support chat widget that was loaded on Ticketmaster's payment pages, exposing personal details and payment information. As a result, tens of thousands of Lloyds Banking Group customers will have their credit cards blocked and replaced. Affected customers are being notified by letter; existing cards are blocked from 15 October and a replacement is issued within five working days, so customers may be without a credit card for up to a week. Customers with debit cards will not be issued new cards, the bank confirmed. Lloyds is not the only provider to react to the Ticketmaster breach in this way: Barclaycard also confirmed that it had issued new cards to customers as a result of the attack.

'Hidden Cobra' hackers swindled hundreds of millions from banks

FireEye raised the alarm on Wednesday over a North Korean group that it says has stolen hundreds of millions of dollars by infiltrating the computer systems of banks around the world since 2014, through sophisticated and destructive attacks spanning at least 11 countries. The group has links to previous attacks on SWIFT, the interbank messaging network which connects more than 10,000 banks, and poses an active global threat. Hidden Cobra is the US government's name for North Korean state cyber activity rather than a single piece of malware; capabilities attributed to it include DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware. North Korea, which bars virtually all of its population from the world wide web, has previously denied involvement in cyberattacks, and attribution for such attacks is rarely made with absolute certainty. It typically rests on technical indicators such as the IP addresses of the infrastructure used in an attack and on characteristics of the code in the malware involved.


Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap.


Useful links

Cyber Pulse: Edition 35

Cyber Pulse: Edition 34

Cyber Pulse: Edition 33

Cyber Pulse: Edition 32

Cyber Pulse: Edition 31

Cyber Pulse: Edition 30

Cyber Pulse: Edition 29

Cyber Pulse: Edition 28

Cyber Pulse: Edition 27

Cyber Pulse: Edition 26


Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a cybersecurity researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a data consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US conglomerates, a deal worth $87 billion. He has also served as a cybersecurity consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.