Cyber Security Training from QA

Cyber Pulse: Edition 39

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


2 November 2018

Eurostar data breach: what happened and are you affected?

Eurostar has been forced to reset the passwords of some customers’ online accounts after becoming the latest company to be hit by hackers. A spokesperson for the cross-Channel rail service told the BBC that an “unauthorised automated attempt to access customer accounts” occurred between 15 and 19 October. Once the hack was identified, the company “blocked access and asked customers to reset their passwords as a precautionary measure”, the spokesperson added. It also claims that no credit card details were exposed during the attack, as Eurostar “deliberately” never stores card information. However, Alphr says the company has yet to confirm “whether any data has actually been taken” and how many customers were affected. Eurostar alerted the Information Commissioner’s Office (ICO), an independent body that handles data protection enquiries, after the breach was discovered “as required by law”, according to the tech site. The ICO has confirmed that it has received a “breach report from Eurostar and are making enquiries”. Given that Eurostar has not disclosed any specific details about the hack, it’s difficult to pinpoint whether any customers have been affected by the breach. One Twitter user, though, has posted an email they received from Eurostar to explain why it reset customer passwords. The company wrote: “We’ve since carried out an investigation which shows that your account was logged into between the 15 and 19 October. If you didn’t log in during this period, there’s a possibility your account was accessed by this unauthorised attempt.”

FIFA says information gained ‘illegally’ in cyberattack

FIFA president Gianni Infantino is braced for a release of private information gained by hackers after world football's governing body said its computer network was subject to another cyberattack. The disclosure comes in the same month the US Department of Justice and the FBI said Russia's military intelligence body was responsible for a hack on FIFA in 2016, which led to evidence from anti-doping investigations and lab results being published. FIFA did not provide details about the data gained in the latest attack this year on e-mail systems, but it has been contacted by media outlets about internal information contained in private exchanges. UEFA has also been subject to phishing attempts to gain access to its email accounts, but said it could find no evidence of a hack. Still, UEFA has received dozens of questions about cases going back several years and the contents of private exchanges. In a separate statement, FIFA said it 'condemns any attempts to compromise the confidentiality, integrity and availability of data in any organization using unlawful practices.' Through the European Investigative Collaborations (EIC), a leaks group has released details on the financial arrangements of top footballers, which have led to tax evasion convictions. The same leaks group also obtained a 2010 non-disclosure agreement that saw five-time world player of the year Cristiano Ronaldo accused of rape, an allegation he denies. The EIC did not respond to emails in the last week about the potential release of information from FIFA and UEFA. Cybersecurity is under constant review at FIFA, which organizes the World Cup.

Outlaw threat actor uses Shellbot variant to form new botnet

An unknown threat actor has been targeting organizations with botnet malware that communicates with its command-and-control server via the Internet Relay Chat (IRC) application-layer protocol. Nicknamed Outlaw, the hacking group developed the botnet as a Perl-based variant of Shellbot, according to a Nov. 1 blog post from Trend Micro, whose researchers uncovered the threat. Shellbot is trojan malware that is typically installed on computers via the Shellshock Unix Bash shell vulnerability found back in 2014. In this case, however, the Perl Shellbot attackers are instead infecting victims via a command injection vulnerability that is commonly found on IoT devices and Linux servers, but can also affect Windows environments and Android devices. They are also distributing the malware through previously brute-forced or compromised hosts, Trend Micro notes. Trend Micro theorizes that the botnet has been built with “cybercriminal purposes” in mind, adding that Outlaw has “looked into targeting big companies,” even though its attacks have not been widespread. As part of this operation, the threat actors have already compromised an unspecified Japanese art institution’s FTP server, as well as a Bangladeshi government website via a Dovecot mail server vulnerability. “They then used two compromised servers and linked them to a high availability cluster to host an IRC bouncer, which was used to command and control the emerging botnet,” the Trend Micro blog post explains. Upon infection, the Perl Shellbot allows the attackers to send commands to the victimized machine via the IRC channel, including commands to conduct a port scan, execute a distributed denial of service attack, download a file, and more. “The Outlaw group here used an IRC bot, which isn’t a novel threat,” the blog post reports. “The code used is available online, making it possible to build such a bot (with a fully undetectable toolset) and operate it under the radar of common network security solutions.”
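The defensive angle on the item above is that IRC command-and-control is noisy on the wire: the protocol's verbs (NICK, JOIN, PRIVMSG) are plain text, and a server that suddenly starts talking IRC, on the standard ports or through a bouncer on an unusual port, stands out in flow or proxy logs. The following script is an added example, not code from Trend Micro or the original newsletter. It runs a simple IRC-beacon detector over a few constructed, pipe-delimited log lines (timestamp, source, destination, destination port, protocol, first payload bytes); the log format, the hosts and the payload snippets are all invented for illustration.

```python
"""Flag hosts that appear to be talking IRC, a common botnet C2 channel (added example)."""
import re
from collections import defaultdict

# Ports conventionally used by IRC servers (plain and TLS).
IRC_PORTS = {6667, 6697, 7000}

# IRC client/server verbs that appear at the start of a message line.
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE)\b")

# Constructed sample log lines: ts|src|dst|dport|proto|payload_prefix (not real traffic).
SAMPLE_LOG = [
    "2018-11-01T10:00:01Z|10.0.5.21|203.0.113.7|6667|tcp|NICK [x86]-4531",
    "2018-11-01T10:00:02Z|10.0.5.21|203.0.113.7|6667|tcp|JOIN #ops",
    "2018-11-01T10:00:10Z|10.0.5.22|198.51.100.9|443|tcp|",
    "2018-11-01T10:05:03Z|10.0.5.21|203.0.113.7|6667|tcp|PRIVMSG #ops :status",
    "2018-11-01T10:06:00Z|10.0.5.30|203.0.113.50|8080|tcp|PRIVMSG #x :hello",
    "2018-11-01T10:07:00Z|10.0.5.22|198.51.100.9|80|tcp|GET / HTTP/1.1",
]


def parse_line(line):
    """Split one pipe-delimited record into a dict; payload may be empty."""
    ts, src, dst, dport, proto, payload = line.rstrip("\n").split("|", 5)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "payload": payload}


def classify(rec):
    """Return the list of reasons a record looks like IRC, or [] if it does not."""
    reasons = []
    on_irc_port = rec["dport"] in IRC_PORTS
    if on_irc_port:
        reasons.append("irc-port")
    if IRC_VERB.match(rec["payload"]):
        # IRC verbs on a non-IRC port suggest a bouncer or a relocated server.
        reasons.append("irc-verb" if on_irc_port else "irc-verb-nonstandard-port")
    return reasons


def find_irc_talkers(lines):
    """Aggregate IRC-looking records per source host.

    Returns {src: {"count": n, "peers": set(dst:port), "reasons": set(...)}}.
    """
    hits = defaultdict(lambda: {"count": 0, "peers": set(), "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if not reasons:
            continue
        entry = hits[rec["src"]]
        entry["count"] += 1
        entry["peers"].add(f'{rec["dst"]}:{rec["dport"]}')
        entry["reasons"].update(reasons)
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(find_irc_talkers(SAMPLE_LOG).items()):
        print(host, info["count"], sorted(info["peers"]), sorted(info["reasons"]))
```

The "irc-verb-nonstandard-port" reason is the one worth alerting on first: a legitimate IRC client is rare enough on a server estate, and IRC verbs on port 8080 are rarer still. In practice the payload prefix would come from a proxy, IDS or packet-capture source rather than a flat file, and the per-host counts would feed a threshold rather than a print loop.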

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks

Security researchers have unveiled details of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. Dubbed BleedingBit, the pair of vulnerabilities could allow remote attackers to execute arbitrary code and take full control of vulnerable devices without authentication, including medical devices such as insulin pumps and pacemakers, as well as point-of-sale and IoT devices. Discovered by researchers at Israeli security firm Armis, the vulnerabilities exist in BLE stack chips made by Texas Instruments (TI) that are used by Cisco, Meraki, and Aruba in their enterprise product lines. Armis is the same security firm that last year discovered BlueBorne, a set of nine zero-day Bluetooth-related flaws in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, laptops, TVs, watches and automobile audio systems. The first vulnerability, identified as CVE-2018-16986, exists in TI chips CC2640 and CC2650 and affects many Cisco and Meraki Wi-Fi access points. The bug lies in the way the Bluetooth chips parse incoming data. According to the researchers, sending more traffic to a BLE chip than it is designed to handle causes memory corruption, commonly known as a buffer overflow, which could allow an attacker to run malicious code on an affected device. The second vulnerability, identified as CVE-2018-7080, resides in CC2642R2, CC2640R2, CC2640, CC2650, CC2540, and CC2541 TI chips, and affects Aruba's Series 300 Wi-Fi access points. This vulnerability stems from an issue with Texas Instruments' firmware update feature in BLE chips called Over the Air firmware Download (OAD).

Advanced Malware Protection Affected by Bug That Can Inhibit Intrusion Detection

Cisco announced in a security advisory that a DLL preloading vulnerability in the DLL loading component of Advanced Malware Protection (AMP) for Endpoints allows authenticated local attackers to block Windows from detecting future intrusions on the system. "The vulnerability is due to the improper validation of resources loaded by a system process at run time. An attacker could exploit this vulnerability by crafting a malicious DLL file and placing it in a specific location on the targeted system," as described in Cisco's advisory. "A successful exploit could allow the attacker to disable the targeted system's scanning services and ultimately prevent the system from being protected from further intrusion." The medium-risk CVE-2018-15452 issue allows local attackers with administrative privileges to block the Windows built-in intrusion detection mechanisms from detecting and reporting future infiltration attempts. As Cisco also points out, "To exploit this vulnerability, the attacker would need to have administrative credentials on the Windows system." There are no workarounds available at the moment for this DLL preloading bug, and users can find further information on the Cisco Advanced Malware Protection (AMP) for Endpoints versions affected by this vulnerability via the Cisco bug ID at the top of the advisory. The bug was detected during the resolution of a Cisco Technical Assistance Center support case, and the Cisco Product Security Incident Response Team (PSIRT) has not observed any instances of this security issue being exploited in the wild.

Windows 10 Bug Let UWP Apps Access All Files Without Users' Consent

Microsoft silently patched a bug in its Windows 10 operating system with the October 2018 Update (version 1809) that allowed Microsoft Store apps with an extensive file system permission to access all files on users' computers without their consent. With Windows 10, Microsoft introduced a common platform, called the Universal Windows Platform (UWP), that allows apps to run on any device running Windows 10, including desktop PCs, Xbox, IoT, Surface Hub, and mixed-reality headsets. UWP apps gain access to certain APIs, to files such as pictures or music, and to devices such as the camera and microphone by declaring the required permissions in their package manifest (configuration) file. By default, UWP apps have access only to the directory where the app is installed on the user’s system and to the directories where the app can store data (local, roaming and temporary folders). To access other files on a system, including sensitive resources, Microsoft offers several types of capabilities that an application can use by declaring them in the manifest file. One such extensive capability, called broadFileSystemAccess (Broad Filesystem Access), allows an application to access the file system at the same level as the user who launched the app. According to Microsoft, this is a restricted capability that, if used, triggers a user-consent prompt when the user first launches the app, asking them to grant or deny the permission. According to Windows app developer Sébastien Lachance, Windows 10 versions prior to the October 2018 Update failed to display the prompt for permission to access the file system due to a bug, apparently leaving users' sensitive data exposed to apps downloaded from the Windows Store. In other words, until version 1809, such apps could access the entire file system without prompting users for the permission. Lachance learned about the bug when one of his applications that uses the broadFileSystemAccess permission started crashing after he installed the Windows 10 October 2018 Update.
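Because the consent prompt failed silently on affected builds, the only reliable place to see that an app wanted broad file system access was its package manifest. The script below is an added example, not code from Microsoft, from Sébastien Lachance or from the newsletter: it parses a constructed AppxManifest.xml fragment and separates ordinary capabilities from restricted ones (those declared in the rescap namespace), flagging broadFileSystemAccess specifically. The sample manifest, its package identity and the capability mix are invented for illustration; the three namespace URIs are the ones UWP manifests use.

```python
"""Audit a UWP package manifest for restricted capabilities (added example)."""
import xml.etree.ElementTree as ET

# Namespaces used in UWP manifests; restricted capabilities live in "rescap".
NS = {
    "m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10",
    "uap": "http://schemas.microsoft.com/appx/manifest/uap/windows10",
    "rescap": "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities",
}

# The capability the article is about: file access at the launching user's level.
BROAD_FS = "broadFileSystemAccess"

# Constructed sample manifest; the app, publisher and capability set are not real.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
         IgnorableNamespaces="uap rescap">
  <Identity Name="Example.PhotoTool" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>
"""


def audit_capabilities(manifest_xml):
    """Return {"general": [...], "restricted": [...], "broad_fs": bool} for a manifest.

    Capabilities are classified by the XML namespace of their element: anything in
    the rescap namespace is a restricted capability that Store review and the
    runtime consent prompt are supposed to gate.
    """
    root = ET.fromstring(manifest_xml)
    result = {"general": [], "restricted": [], "broad_fs": False}
    caps = root.find("m:Capabilities", NS)
    if caps is None:
        return result
    rescap_prefix = "{" + NS["rescap"] + "}"
    for element in caps:
        name = element.get("Name")
        if name is None:
            continue  # e.g. DeviceCapability variants without a Name we care about
        if element.tag.startswith(rescap_prefix):
            result["restricted"].append(name)
        else:
            result["general"].append(name)
    result["broad_fs"] = BROAD_FS in result["restricted"]
    return result


def findings(manifest_xml):
    """Human-readable review notes for the manifest, highest impact first."""
    audit = audit_capabilities(manifest_xml)
    notes = []
    if audit["broad_fs"]:
        notes.append(f"HIGH: declares {BROAD_FS}; app can read/write everything the user can")
    for name in audit["restricted"]:
        if name != BROAD_FS:
            notes.append(f"REVIEW: restricted capability {name}")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_MANIFEST):
        print(note)
```

A manifest audit of this kind belongs in an enterprise's app-vetting step for sideloaded or Store-distributed packages: the declaration is static and cannot be hidden, whereas the runtime prompt, as the Lachance case shows, depended on a platform behaviour that was broken until version 1809.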


Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.



Edited and compiled by


James Aguilan


Cyber Security Specialist

James Aguilan currently works as a cybersecurity researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulations and forensic investigation workshops. In the past, James worked as a data consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a cybersecurity consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.