Cyber Security Training from QA

Cyber Pulse: Edition 41

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


15 November 2018

British Airways data breach: Russian hackers sell 245,000 credit card details

Russian hackers may have made millions selling credit card details stolen from almost 245,000 British Airways customers during a major cyberattack in August, according to experts. Research by cybersecurity firms Flashpoint and Risk IQ found that the hackers were charging between $9 (£6.95) and $50 (£38.60) for each card’s worth of information, The Daily Telegraph reports. The stolen data was put up for sale on the dark web about a week after the BA breach, which occurred between 21 August and 5 September. The researchers estimate that Magecart, the Russia-linked group reportedly behind the attack, may have raked in up to $12.2m (£9.4m). Vitali Kremez, Flashpoint’s director of research, said the hackers charged varying amounts for the stolen cards because some European accounts are considered to be worth more than others. According to the Daily Mail, the breach affected 244,000 credit cards belonging to customers from European countries including France, Germany, Italy, Spain and the UK. Passengers from Argentina, Brazil, Canada, China, Korea, Mexico and the US were also hit. The newspaper says Magecart has targeted other major companies, including event ticket website Ticketmaster, which suffered a breach affecting tens of thousands of its customers in June. BA says it has not received reports of fraud resulting from the attack on its own systems. A spokesperson for the airline told The Daily Telegraph: “We contacted affected customers and their card companies at the time so that any necessary action could be taken.” British Airways says it will be contacting customers who made bookings between 10:58pm on 21 August and 9:45pm on 5 September, and will advise them to contact their bank and “follow their recommended advice”. BA has assured customers that they will be “fully reimbursed”.

63 New Flaws (Including 0-Days) Windows Users Need to Patch Now

This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important, one moderate and one low in severity. Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups. The zero-day vulnerability, tracked as CVE-2018-8589, which is being exploited in the wild by multiple advanced persistent threat groups, was first spotted and reported by security researchers from Kaspersky Labs. The flaw resides in the Win32k component (win32k.sys) and, if exploited successfully, could allow a malicious program to execute arbitrary code in kernel mode and elevate its privileges on an affected Windows 7, Server 2008 or Server 2008 R2 system to take control of it. The other two publicly known zero-day vulnerabilities, which were not listed as under active attack, reside in the Windows Advanced Local Procedure Call (ALPC) service and Microsoft's BitLocker Security Feature. The flaw related to ALPC, tracked as CVE-2018-8584, is a privilege escalation vulnerability that could be exploited by running a specially crafted application to execute arbitrary code in the security context of the local system and take control of an affected system. Advanced local procedure call (ALPC) facilitates high-speed and secure data transfer between one or more processes in user mode. The second publicly disclosed vulnerability, tracked as CVE-2018-8566, exists when Windows improperly suspends BitLocker Device Encryption, which could allow an attacker with physical access to a powered-off system to bypass security and gain access to encrypted data.

Government accidentally leaks counter-terrorism tools

Details about the inner workings of the UK government have been accidentally leaked online, thanks to insecure use of a web-based project management tool. Hundreds of confidential documents from the Cabinet Office and Home Office were reportedly available via a Google search, including details of government anti-terrorism tools and instructions for how to go about obtaining entry passes for government buildings. The calendar appointments of civil servants were also allegedly accessible, allowing hackers to potentially trace who government figures are meeting and what they are meeting about. The trove even included names, phone numbers and personal email addresses for top civil servants like the prime minister's head of cross-government business engagement, potentially leaving senior government figures open to phishing attacks like the one that allegedly allowed Russian hackers to sway the US elections. The alarming news was revealed by a Sunday Telegraph investigation, which found that the information - which may have been available for up to four years - was leaked via poor configuration and use of Trello, a cloud-based project management tool. Trello is commonly used to manage the workflows of individual teams within an organisation, using a system of kanban-style 'boards'. By default, these boards are set to 'private', so that only members of the relevant team can access them. They can, however, be set to 'public', which allows anyone with the correct link to access them. Crucially, it also allows those boards to be indexed by search engines like Google, which means that searching for certain keywords found within the boards - such as government departments, topic areas or civil servants - would result in the boards themselves (as well as specific files and task cards within them) showing up on a Google search. 
The use of Trello within government is part of a wider digital transformation drive, encouraging civil servants to use mobile, cloud-based collaboration and productivity tools, rather than relying on older, less agile methods like email.

Another Facebook Bug Could Have Exposed Your Private Information

Another security vulnerability has been reported in Facebook that could have allowed attackers to obtain certain personal information about users and their friends, potentially putting the privacy of users of the world's most popular social network at risk. Discovered by cybersecurity researchers from Imperva, the vulnerability resides in the way Facebook's search feature displays results for entered queries. According to Imperva researcher Ron Masas, the page that displays search results includes iFrame elements associated with each outcome, and the endpoint URLs of those iFrames did not have any mechanisms in place to protect against cross-site request forgery (CSRF) attacks. It should be noted that the newly reported vulnerability has already been patched and, unlike the previously disclosed flaw in Facebook that exposed personal information of 30 million users, it did not allow attackers to extract information from a mass of accounts at once. To exploit this vulnerability, all an attacker needs to do is trick users into visiting a malicious site in a web browser where they have already logged into their Facebook accounts. The malicious site contains JavaScript code that is executed in the background as soon as the victim clicks anywhere on that page.

Critical vulnerabilities in WordPress GDPR plugin let hackers seize control of websites

The flaws, present for at least four months, led attackers to change URL settings and add their own administrator accounts. Attackers have been exploiting a flaw in a GDPR-compliance plugin on WordPress to hijack vulnerable websites and achieve remote code execution. The privilege escalation flaw had been present in the 'GDPR Compliance' plugin developed by security provider Wordfence for at least four months, and allowed hackers to use an exploit to execute any action and update any database value. There are examples of live sites infected using this attack method, including instances of malicious actors installing several administrator accounts, according to WordPress threat analyst Mikey Veenstra. "The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites," Veenstra said. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible. The exploit resulted in malicious actors adding administrator accounts that are normally a variation on 't2trollherten' and 't3trollherten', as well as 'superuser', according to security blog Sucuri's Pedro Peixoto. The exploit has also been associated with the upload of a malicious webshell, named wp-cache.php, which allows attackers unauthorised access to sites. Peixoto added that a growing number of WordPress-based sites had their URL settings changed to hxxp://erealitatea[.]net, with a Google query returning more than 5,000 results for the malicious URL. A patch with three security fixes was released last week in the form of version 1.4.3, but the bug existed for at least four months since version 1.4.2 was released in July, and possibly prior to that. Users who have not upgraded to the latest version are still vulnerable.
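
The indicators named in this report (rogue administrator logins, the wp-cache.php webshell and the changed URL setting) can be checked against a site's user table, URL options and file listing. The Python below is an added example, not code from the article or the researchers it quotes; the triage function, the login pattern used for "variation", the WP Super Cache allow-list path and the sample data are assumptions, and file paths are taken as relative to the WordPress root.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Indicators quoted in the article; the domain stays defanged in the source.
# Assumption: "variation" means extra digits or suffix around the base name.
ROGUE_LOGIN = re.compile(r"^(t\d*trollherten\w*|superuser)$", re.IGNORECASE)
WEBSHELL_NAME = "wp-cache.php"
BAD_HOST = "erealitatea[.]net".replace("[.]", ".")
# Assumption: the WP Super Cache plugin ships a legitimate file of the same
# name in this directory, so a match there is not treated as a webshell.
KNOWN_GOOD_DIR = "wp-content/plugins/wp-super-cache"


def triage(users, options, files, expected_host):
    """Return a sorted list of (severity, finding) tuples for one site."""
    findings = []
    for login, role in users:
        if role == "administrator" and ROGUE_LOGIN.match(login):
            findings.append(("high", f"admin account matches reported name: {login}"))
    for key in ("siteurl", "home"):
        host = (urlparse(options.get(key, "")).hostname or "").lower()
        if host == BAD_HOST or host.endswith("." + BAD_HOST):
            findings.append(("high", f"{key} points at reported domain"))
        elif host != expected_host:
            findings.append(("medium", f"{key} host is {host!r}, expected {expected_host!r}"))
    for path in files:
        p = PurePosixPath(path)
        if p.name.lower() == WEBSHELL_NAME and str(p.parent) != KNOWN_GOOD_DIR:
            findings.append(("high", f"possible webshell: {path}"))
    return sorted(findings)


# Constructed sample data (not from a real site): (login, role) rows as exported
# from the user tables, two wp_options values, and a file listing.
SAMPLE_USERS = [("editor-jane", "editor"), ("t2trollherten", "administrator"),
                ("superuser", "subscriber")]
SAMPLE_OPTIONS = {"siteurl": "http://" + BAD_HOST + "/", "home": "https://shop.example"}
SAMPLE_FILES = ["wp-content/plugins/wp-super-cache/wp-cache.php",
                "wp-content/uploads/wp-cache.php", "index.php"]

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_USERS, SAMPLE_OPTIONS, SAMPLE_FILES, "shop.example"):
        print(severity, finding)
```

A clean result does not show that a site was never compromised; it only shows that these reported indicators are absent.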

Hackers Discover iPhone X Bug Exposing Files, Including Deleted Photos

Richard Zhu and Amat Cama compromised an iPhone X running iOS 12.1, which is the latest version of Apple’s mobile operating system, and extracted data from the device, including a photo that was previously deleted. The complex nature of the hack makes it highly unlikely to be used by other malicious actors out there, and the hackers have already reported the bug to Apple. A patch is already on its way, the Cupertino-based company explains, though an ETA hasn’t been provided just yet. But as reported by Forbes, the method used to break into the iPhone can expose not only the available and deleted photos, but also other content on the device. The JIT compiler was exploited with a crafted Wi-Fi access point, and the hackers were able to extract a file from the Recently Deleted folder, where iPhones store photos that were removed by the user within the last 30 days. After this period expires, images are automatically deleted forever. The two security researchers earned $50,000 for their finding, and according to the rules of the hacking contest, the bug was reported to Apple for patching. As we reported earlier this week, iPhones weren’t the only ones compromised during the event. Samsung’s Galaxy S9, which is actually one of the top iPhone X rivals, also fell victim to the hackers, and so did the Xiaomi Mi6. A potential fix for the iPhone X exploit may be included in the next beta build of iOS 12.1.1, which Apple is expected to release in the coming weeks.

 


Edited and compiled by

 

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.