Cyber Security Training from QA

Cyber Pulse: Edition 46

Read the latest edition of Cyber Pulse, our roundup of Cyber news.

21 December 2018

US and UK accuse China of sustained hacking campaign

Beijing has been accused of a worldwide campaign of cyber attacks against the US, Britain and their allies aimed at stealing trade secrets from governments and high-tech companies in one of the most wide-ranging cases of corporate espionage on record. The charges, made by US and British authorities, allege a Chinese hacking group known as APT-10 led the two-year effort against the west and allies such as Japan, which included targeting 45 American technology companies, more than 100,000 US navy personnel, and computers belonging to NASA. The US justice department charged two Chinese nationals — Zhu Hua and Zhang Shilong — with conducting the attacks on behalf of the Chinese Ministry of State Security, the country’s main intelligence service. In a co-ordinated offensive led by Washington, Rod Rosenstein, US deputy attorney-general, said the two Chinese defendants were part of a group that had targeted at least a dozen countries in an effort that “gave China’s intelligence service access to sensitive business information”. The Chinese hackers are accused of stealing technology related to a host of industries, including aviation, satellites, factory automation, finance and consumer electronics. On Friday, the Chinese government denied any involvement in the theft of commercial secrets, and said it had lodged “stern representations with the US”. It demanded that Washington stop slandering China over cyber security and urged that the charges against the two men be dropped. The charges come amid a dramatic escalation of tensions between China and the US, which recently filed criminal charges against the chief financial officer of one of China’s most successful tech companies, telecom equipment maker Huawei, alleging sanctions busting in Iran. 
The UK security official said the plan was to use the service providers as a “landing point for exfiltration of further information” and that it involved “very widespread targeting and in some cases deep penetration of globally significant companies”.

Gatwick airport restarts flights after drone disruptions

As the Christmas getaway starts, flights in and out of Gatwick were suspended after drones were spotted in the area. Police have identified “persons of interest” in the hunt for the drone operator, or operators, who caused Gatwick to close for 36 hours, as services at the airport resumed on Friday. Despite the runway re-opening briefly in the early hours, it was closed again after another drone sighting. Inbound flights are being diverted to other airports while passengers who are due to travel from the airport have been told to check with their airline before setting out. The airport's chief operating officer, Chris Woodroofe, says a drone is still on the airfield and 10,000 people were disrupted yesterday alone. Superintendent Justin Burtenshaw, who is in charge of policing at Gatwick, said: "I've got resources from Surrey and Sussex right the way across the outside of Gatwick trying to identify who's operating this drone and I'm absolutely certain this is a deliberate act to disrupt the airfield." Experts are now calling for a change in the law to try to prevent this sort of thing from happening again in future. But Dr Alan McKenna, who is based at the Kent Law School at the University of Kent, has suggested that electronic solutions will also most likely be required to stop other incidents from occurring.

Widespread Apple ID Phishing Attack Pretends to be App Store Receipts

A widespread and sneaky phishing campaign is underway that pretends to be a purchase confirmation from the Apple App Store. These emails contain a PDF attachment that pretends to be a receipt for an app that was purchased by your account and tells you to click a link if the transaction was unauthorized. Once a user clicks the link, down the rabbit hole they go. The campaign works by a victim receiving an email that pretends to be a receipt for a recent purchase from the Apple App Store. The email contains a PDF attachment that states it's a receipt for the purchase, but there is nothing telling you to open the attachment. Instead the attackers are relying on the victim saying "What the... ? I didn't purchase an app" and opening the PDF to see what's going on. When a user opens the PDF they will be shown what appears to be a receipt from Apple for an app that they purchased. Sprinkled throughout the PDF are links that the recipient can use to report a problem or to report that the purchase was unauthorized. All of these links are shortened URLs, so a recipient does not know the URL of the page they ultimately lead to. If a user has entered their information, the attackers will now have enough to perform a complete identity theft of the victim. This includes opening bank or credit card accounts, accessing other accounts with the information, or filing tax returns under the victim's name. As stated previously, the weakness of this campaign is its use of very suspicious URLs. An observant person will easily see that the URLs are not legitimate, look strange, and should be avoided. For this reason, it is very important that users do not open links from strange emails and instead go directly to a company's web site. If they do open links from emails, it is always important to analyze the URL of the landing page to make sure they are at a legitimate site.

Facebook's New API Bug in its Photo-sharing System

Facebook's newest screw-up is a programming bug in the Facebook website which accidentally gave 1,500 third-party apps access to the unposted Facebook photos of as many as 6.8 million users. Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users' private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories. Facebook said, "When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories." The bug even exposed photos that people uploaded to Facebook but chose not to post or didn't finish posting for some reason. The flaw left users' private data exposed for 12 days, between September 13th and September 25th, until Facebook discovered and fixed the security blunder on the 25th September. The social media giant has started notifying impacted users of the flaw through an alert on their Facebook timeline that their photos may have been exposed, which will direct them to its Help Center page with more information. Facebook also says the social media network will soon be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug.

Obscure SEO injection in WordPress

Unfortunately, SEO spammers often target WordPress websites. A clever piece of malware built for SEO injection, where a hacker loads up a webpage with spam links, redirects and ad keywords, unbeknownst to the site owner, has been seen evading detection with an innovative approach that involves appending itself in an unusual place in the back-end code of a WordPress site. Sucuri researchers have seen the malware crop up in two unrelated sites recently, targeting both English and Korean speaking searchers who are looking for various “free” downloads. Upon analysis, the researchers discovered that the malware has two functions. First, it can add hidden links for indexing by search engines, and secondly, it can redirect site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered site users, and it redirects visitors to certain pages based on their profile. So, malefactors can inject SEO terms, hidden from site users, into the web page’s code, which will be indexed and move the site up in the search engine results. That improves the exposure for the true purpose of the campaign, which is to redirect visitors to sketchy external sites, which could be carrying out ad fraud or serving malware, among other things.

Malware that Retrieves Commands From Memes Posted on Twitter

You have probably seen dank memes that really speak to you, but research shows that memes can also be made to speak to malware that has infected a computer. Trend Micro researchers have found a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. Most malware relies on communication with its command-and-control server to receive instructions from attackers and perform various tasks on infected computers. Since security tools keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly using legitimate websites and servers as infrastructure in their attacks to make the malicious software more difficult to detect. In the recently spotted malicious scheme, which according to the researchers is in its early stage, the hackers apply steganography, a technique of hiding contents within a digital graphic image in such a way that they are invisible to an observer, to hide the malicious commands embedded in a meme posted on Twitter, which the malware then parses and executes. The malware can also be given a variety of other commands, such as to retrieve a list of running processes, grab the account name of the logged in user, get filenames from specific directories on an infected machine, and grab a dump of the user’s clipboard. The malware appears to be in the early stages of its development as the pastebin link points to a local, private IP address, which is possibly a temporary placeholder used by the attackers.

Microsoft issues a rare emergency fix as criminals exploit hole in Internet Explorer

Criminals are currently exploiting a newly found flaw in several popular versions of Microsoft’s Internet Explorer browser, according to the company, security researchers at Google and the Department of Homeland Security. Attackers can use the vulnerability to gain broad access to computer systems, according to the U.S. Computer Emergency Response Team (CERT). The flaw works by driving users to an infected website via a fraudulent “phishing” email, according to the CERT. Once there, you unknowingly download malware that grants the attacker rights to any system you are able to access, according to Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft said in an update on the vulnerability. The issue was discovered by Google’s Threat Analysis Team, Microsoft said. The flaw affects older Internet Explorer browser versions including Windows 7 and 10 and Windows Server 2012, 2016 and 2019 versions of Explorer 11, Explorer 10 for Windows Server 2012 and Explorer 9 for Windows Server 2008, according to Carnegie Mellon’s Software Engineering Institute. The issue is also significant because it comes as companies prepare for the weekend before Christmas, one of the busiest shopping days of the year. Once a victim clicks on a link to the fraudulent site, they can have their current session hijacked. Make sure you are always operating on the latest version of anything that is touching the internet. You should also be particularly mindful of phishing campaigns, especially those that may spoof popular retailers with holiday offers.

Police warn of new Netflix email phishing scam

Authorities are warning Netflix customers about a new scam that’s making the rounds, in which scammers attempt to extract users’ personal information via email. In the email, customers are told their account is on hold because the streaming service is “having some trouble with your current billing information.” The email begins, “Hi Dear,” instead of the recipient’s actual name and invites users to click on a link to update their payment method. “We’ll try again, but in the meantime you may want to update your payment details,” the email says. On its website, Netflix advises users never to enter their login or financial details after following a link in an email or text message. “If you're unsure if you're visiting our legitimate Netflix website, type directly into your web browser,” Netflix said. Users who receive a suspicious email or text message claiming to be from Netflix are advised to forward the message to for further review by the company.


Edited and compiled by


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.