Cyber Security Training from QA

Cyber Pulse: Edition 48

Read the latest edition of Cyber Pulse, our roundup of cyber security news.


11 January 2019

Student Held for Leaking Data of Almost 1,000 German Politicians

German police have identified a 20-year-old student as the person behind a massive leak that exposed the personal data of almost 1,000 German politicians and public figures online. The suspect used the pseudonyms 'G0T' and 'Orbit' and has been accused of spying on data, leaking data and the unauthorised publication of personal data. "During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases. The investigation has so far revealed no evidence of third-party participation. As to his motivation, the suspect stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned," Germany's Federal Criminal Police Office (BKA) said in a press release, as reported by Bank Info Security. Links to caches of the stolen data were posted from two Twitter accounts in December and went unnoticed until January, when major media outlets reported on them. The leaked material consisted mostly of contact details, including private email addresses and phone numbers. Around 50 to 60 individuals were hit harder, with Facebook messages, photos, home addresses and bank account details exposed. Those affected include journalists, elected officials and politicians; however, no information relating to the right-wing Alternative for Germany (AfD) was released. Investigators believe no malware or exploit kit was used. Instead, the suspect appears to have gained access by cracking or guessing account passwords, and weak passwords are suspected to be the primary reason the accounts could be taken over.

OXO International Data Breach Linked to Magecart Attack

Housewares manufacturer OXO International has disclosed a data breach that may have exposed customers' payment information. The compromise was not continuous: the company's breach notification lists three separate windows between June 2017 and October 2018, namely June 9, 2017 to November 28, 2017; June 8, 2018 to June 9, 2018; and July 20, 2018 to October 16, 2018. The information compromised includes customer names, billing and shipping addresses and credit card details. On December 17, 2018, OXO, working with forensic investigators, determined that certain personal information entered on its e-commerce site may have been compromised: unauthorised malicious code capable of collecting customer information from the order page had been inserted into OXO's website. Research by BleepingComputer indicates that the Magecart threat actor group is likely behind the attack. Over the past six months the group has actively compromised numerous e-commerce sites, and BleepingComputer reports that the malicious JavaScript loaded on the oxo.com checkout page matches a known Magecart skimmer script. The script is used to steal the payment information and contact information of oxo.com customers.

Advanced Automated Phishing Tool Can Bypass Two-Factor Authentication

A new tool has been released that targets two-factor authentication (2FA). Known as Modlishka, Polish for 'mantis', it automates phishing and defeats most 2FA schemes in the process. Piotr Duszynski, the researcher behind the tool, says it can bypass most current 2FA schemes; he built it to help red teams and penetration testers make their phishing engagements more realistic. Its defining feature is a reverse-proxy design. Rather than serving a cloned copy of the target site, Modlishka sits between the user and the real website (Gmail, for example) and relays the genuine pages in both directions, so every action the user takes, including entering a password and a 2FA code, passes through the attacker's server without the user noticing, and the captured credentials and authenticated session are immediately available to the attacker. Because the real site is proxied live, attackers no longer need to build and maintain time-consuming per-site phishing templates; all Modlishka needs is a domain name and a valid TLS certificate for the host it runs on. “At the time when I started this project (which was in early 2018), my main goal was to write an easy-to-use tool that would eliminate the need of preparing static web page templates for every phishing campaign that I was carrying out,” Duszynski told ZDNet. The tool is new, and how effective it proves in large automated campaigns remains to be seen. Notably, it fails against U2F hardware tokens: a U2F authenticator signs over the origin the browser was actually on when it was asked to authenticate, so a response captured while the user is on the attacker's domain is not valid for the real site. Whatever later releases add, a reverse proxy on a different domain cannot produce a valid U2F response, which is why origin-bound authenticators are the recommended defence against this class of tool.

IcePick-3PC Malware Steals Device IP Addresses via Compromised Third-Party Web Tools

Researchers have detected a new malware strain, dubbed 'IcePick-3PC', that harvests device IP addresses by compromising the third-party tools a website loads. The malware has affected several publishers and e-commerce businesses in industries including retail and healthcare. Researchers from The Media Trust spotted it when it was used to push a phishing campaign to device owners: the scam offered Amazon and Walmart gift cards and urged users to hand over personal information to claim their prize. Michael Bittner, Digital Security & Operations Manager at The Media Trust, explained in a blog post that IcePick-3PC steals device IP addresses by compromising third-party tools that are often pre-loaded onto client platforms by self-service agencies; the tools in question are designed to deliver HTML5 animation content. When a user visits a website that includes a compromised third-party library, the malware runs a series of checks on the user's device before executing its payload. “The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog post reads. Once the checks pass, the malware opens a WebRTC peer connection between the infected device and a remote peer, uses it to extract the device's IP address, and sends that address to the attacker. “The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings. If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future,” the blog post adds.

Vulnerability in Microsoft Office Exposes User and Local Machine Information

A vulnerability in Microsoft Office allowed documents with embedded ActiveX controls to leak local machine information and user information, including passwords. Mimecast Research Labs found the flaw in November 2018 and reported it to Microsoft on November 6. In its report, Mimecast explains that the vulnerability exists because MSO.DLL appears to improperly leak the contents of its process memory into saved Office files. An attacker who exploited this could obtain information held in that memory, such as passwords, HTTP requests, certificates, domain information and other user data, which could then be used to compromise systems further. “This memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data that could be useful to cybercriminals for executing a malware-enabled, remote execution attack and, at least as important, to steal sensitive information,” explained Matthew Gardiner, Director of Product Marketing at Mimecast, as reported by Softpedia. Microsoft explained that to exploit the vulnerability an attacker could craft a special document and trick the victim into opening it, and that the attacker must know the memory address at which the object was created. Microsoft has released patches for all affected Office products and rated the issue 'Important' (CVE-2019-0560); installing the January 2019 security updates resolves the vulnerability.

Unprotected MongoDB Instance Containing Almost 200 Million CVs Exposed Online

An open, unauthenticated MongoDB instance containing 202,730,434 resumes of Chinese jobseekers was left publicly accessible for at least a week. The database held almost 854 GB of data. On 28 December 2018, Bob Diachenko, Director of Cyber Risk Research at Hacken and the bug bounty platform HackenProof, discovered the unsecured database while analysing the data stream of the BinaryEdge search engine. The exposed CVs contained personal information such as full names, dates of birth, addresses, phone numbers, email addresses, marital status, number of children, political affiliation, body measurements such as height and weight, literacy level, salary expectations, education, previous job experience and more, Diachenko explained in a blog post. Unable to identify the owner of the database, Diachenko took to Twitter to look for them: “Just came across a giant database with more than 202 Million Chinese CVs, with pretty much detailed info. - name, email, phones, genders, child counts, marriage status, politics stat (?) - and, of course, skills, work history etc. Any ideas where to report?” One of Diachenko’s followers pointed out a GitHub repository for an app named data-import containing the app's source code; its purpose was to scrape CVs from legitimate job-finding portals. “One of the primary sources from where the app appears to have scraped CVs is bj.58.com, a popular Chinese job portal, however other portals could have been scraped as well,” Diachenko told ZDNet. Diachenko contacted bj.58.com, and one of its representatives confirmed that the data came from a scraper rather than from the portal's own storage. “We have searched all over the database and investigated all the other storage, and concluded that the sample data is not leaked from us,” the representative said. “It seems that the data is leaked from a third party who scrapes data from many CV’s websites.” The database was secured about a week after its discovery.

DNS Hijacking Campaign Traced Back to Iran

A recent DNS hijacking campaign has successfully targeted organisations around the world, affecting commercial entities, government agencies, Internet infrastructure providers and telecommunications providers across North America, North Africa and the Middle East. Researchers believe a group operating out of Iran is responsible. FireEye researchers have been tracking the attacks for several months and published their analysis on January 9, 2019. “We have so far not been able to attribute the attacks to any particular threat group. However, available evidence including IP addresses and the machines used to intercept, record, and forward network traffic suggests the attacker is based in Iran,” the researchers said. The attackers manipulated DNS records using at least three different methods. In the first, they changed a victim domain's A records, which map hostnames to IP addresses, so that traffic for the domain was sent to an attacker-controlled host, which then forwarded it on to the legitimate server so that users noticed nothing. In the second, they changed the domain's NS records, pointing the organisation's nameserver delegation at attacker-controlled infrastructure, which gave them control over answers for the whole zone. The third method combined the previous two with an attacker-operated DNS redirector: queries for the targeted hostnames were answered with attacker-controlled IP addresses, while queries for anything else received legitimate answers, which kept the redirection narrow and harder to notice.

Privilege escalation flaws discovered in the IntelHD5000 kernel extension of Apple macOS 10.13

Researchers from Cisco Talos have discovered critical vulnerabilities in the IntelHD5000 kernel extension (KEXT) of Apple macOS 10.13 High Sierra that could allow an attacker to escalate privileges on a targeted machine. The bugs, tracked as CVE-2018-4456 and CVE-2018-4421, lie in the extension's handling of graphics resources. Describing the flaws, Tyler Bohan of Cisco Talos said, “A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.” The two vulnerabilities differ slightly in which values can be overwritten and what they can be overwritten with. “The issue itself arises in the IntelAccelerator user client type 6, IGAccelSharedUserClient. The kernel extension is responsible for resource delegation in regards to graphics processing. The data stored and returned here gets passed through into the GPU for rendering and processing. There are multiple methods for allocating and deleting resources as well as creating shared memory with userspace,” said Bohan. In Talos's testing the bugs were triggered by loading a library into the VLC media application, which then caused the out-of-bounds access inside the KEXT. “Apple kernel extension shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit,” Bohan added. Talos also reports a third issue for which no CVE has yet been assigned. The issues were confirmed on macOS 10.13.4 running on a MacBookPro11,4. Given the risk, Bohan advises users to apply the Apple security update released in early December 2018, which addresses these vulnerabilities.

 

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

 

Useful links

Cyber Pulse: Edition 47

Cyber Pulse: Edition 46

Cyber Pulse: Edition 45

Cyber Pulse: Edition 44

Cyber Pulse: Edition 43

Cyber Pulse: Edition 42

Cyber Pulse: Edition 41

Cyber Pulse: Edition 40

Cyber Pulse: Edition 39

Cyber Pulse: Edition 38

 

Edited and compiled by

 

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a cyber security researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. Previously, James worked as a data consultant advising high-profile clients on how to handle their data in civil litigation or criminal investigations, including the largest merger between two US conglomerates, a deal worth $87 billion. He has also served as a cyber security consultant responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.