Cyber Security Training from QA

Cyber Pulse: Edition 38

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


26 October 2018

Second hack attack on British Airways uncovered

More than 185,000 people may have had payment card details stolen in a hack attack on the British Airways website, according to BBC. BA only discovered the breach while investigating a breach of its website that took place in September 2018, which affected 380,000 transactions. The victims were caught out by a website compromise that had gone undetected for months. However, both attacks seemed to have been carried out by the same group or gang, and BA owner IAG announced it would contact the customers to let them know that their information had gone astray. IAG said two separate groups of customers were affected by the hack attack: 77,000 people had their name, address, email address and detailed payment information taken, while 108,000 people lost personal details apart from the CVV number for their payment cards. So far, few other details have been revealed about this attack, the online publication continues. BA and IAG could face huge fines because the breach took place after stringent European privacy and data rules such as the General Data Protection Regulation came into force.

Millions of Cathay passengers hit in worst airline data hack

CATHAY Pacific Airways Ltd became the target of the world's biggest airline data breach after a hacker accessed credit card, passport and personal details of some 9.4 million customers. The airline's shares slumped to the lowest intraday level in nine years, shaving as much as US$361 million off its market value, after the Hong Kong-based carrier said it discovered suspicious activity on its network in March and confirmed the unauthorised access in May. Flight safety wasn't compromised and there was no evidence any information has been misused, it added, without disclosing details of the origin of the attack. Impacting more people than the population of Cathay Pacific's home base of Hong Kong, the hack is in another league to breaches reported by British Airways plc (BA) and Delta Air Lines Inc this year. Those carriers boosted spending on cybersecurity after hacks, which saw personal and financial information of hundreds of thousands of customers illegally accessed.

Hacker Discloses New Windows Zero-Day Exploit On Twitter

A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability. SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll). The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code (deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges. Since the Microsoft Data Sharing service was introduced in Windows 10 and recent versions of Windows server editions, the vulnerability does not affect older versions of Windows operating systems including 7 or 8.1.

Russian Research Lab Aided the Development of TRITON Industrial Malware

Cybersecurity firm FireEye claims to have discovered evidence that proves the involvement of a Russian-owned research institute in the development of the TRITON malware that caused some industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia. TRITON is a piece of ICS malware designed to target the Triconex Safety Instrumented System (SIS) controllers which are often used in oil and gas facilities. Triconex Safety Instrumented System is an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically if a dangerous state is detected. Since malware of such capabilities can't be created by a computer hacker without possessing necessary knowledge of ICS, researchers believe with "high confidence" that Moscow-based lab Central Scientific Research Institute of Chemistry and Mechanics helped attackers, dubbed "TEMP.Veles," with institutional knowledge develop the TRITON framework and test its components in a targeted environment. An IP address [87.245.143.140] registered to Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.

Unusual Remote Execution Bug in Cisco WebEx Discovered by Researchers

An unusual remote execution bug has been discovered in Cisco's WebEx online and video collaboration software. Its alot different because users can remotely execute commands through a component of the WebEx client even when WebEx does not listen for remote connections. Remote code execution vulnerabilities are bugs that allow a users to remotely connect to a vulnerable application and cause commands to be executed on the remote computer. These are critical bugs because they commonly allow commands to run with elevated privileges. Researchers noticed that Cisco WebEx uses a service called "WebexService" that could be started and stopped by anyone and ran under System privileges. Even better, the service used the executable WebExService.exe that could be modified by anyone as the Everyone group had full permissions to it. As the executable could be accessed by anyone, including a standard user, they realized that they could replace the executable with another one of their choice in order to elevate their privileges. While they found the privilege elevation they were looking, this bug had already been discovered by other researchers and Cisco had released a new update for it in September. The researchers then decided to to take a deeper look at the WebexService.exe to determine what it does. Using debug information, trial-and-error, and reverse engineering, they were able to determine that even though this service is designed to update WebEx, it could also be used to launch other programs.

Hacker Tries to Blackmail Apple for $150,000 in BTC After Compromising 319 Million iCloud Accounts

A computer analyst named Kerem Albayrak, 21, reportedly attempted to blackmail Apple Inc, the California-based multinational technology firm, for £115,000 (appr. $150,000) in bitcoin (BTC) and £800 (appr. $1,045) worth of iTunes vouchers. According to the DailyMail, Albayrak had published a video on YouTube that showed him hacking into iCloud accounts. The analyst, who is a resident of Hornsey, North London, had allegedly demanded Apple a large payment in exchange for him not exploiting the private information of the accounts he claimed to have hacked. Shortly after, Albayrak was taken into police custody, after which he appeared at Westminster Magistrates’ court and was reportedly charged with “blackmail” and “unauthorized acts intending to hinder access to a computer”, the DailyMail wrote. During the court hearing, it was determined that Albayrak first demanded that £50,000 (appr. $65,000) in BTC be transferred to a bitcoin address he provided. However, he later increased the amount to £115,000 (appr. $150,000), in addition to £840 (appr. $1,100) in iTunes gift cards. The computer analyst had reportedly promised Apple that he would not sell the hacked personal information belonging to over 319 million Apple iCloud users if the giant tech firm paid the amount he had demanded.

 

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

 

Useful links

Cyber Pulse: Edition 37

Cyber Pulse: Edition 36

Cyber Pulse: Edition 35

Cyber Pulse: Edition 34

Cyber Pulse: Edition 33

Cyber Pulse: Edition 32

Cyber Pulse: Edition 31

Cyber Pulse: Edition 30

Cyber Pulse: Edition 29

Cyber Pulse: Edition 28

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.