Cyber Pulse: Edition 49

Read the latest edition of Cyber Pulse, our roundup of Cyber news.

18 January 2019

British Man Behind DDoS Attacks in Liberia Sentenced to 3 Years

Daniel Kaye, the person behind the DDoS attacks that knocked Liberia's internet offline, was sentenced by Blackfriars Crown Court on Saturday. The UK court imposed three years of imprisonment for his attacks on Lonestar MTN, which lost more than a million dollars of revenue as a result. In December 2018, Kaye pleaded guilty to using a Mirai botnet to conduct the attacks. It is also reported that the British perpetrator was paid $100,000 by rival company Cellcom, although the company states it was unaware of his actions. He was also the key player behind the Deutsche Telekom cyberattacks in 2016. Kaye was living in Cyprus when British authorities arrested him in 2017. Mike Hulett of the National Cyber Crime Unit told CNN of his notoriety: “Daniel Kaye was operating as a highly skilled and capable hacker-for-hire. His activities inflicted substantial damage on numerous businesses in countries around the world, demonstrating the borderless nature of cyber crime. The victims in this instance suffered losses of tens of millions of dollars and had to spend a large amount on mitigating action.” Kaye used Mirai as the means to conduct his DDoS attacks. Mirai, which means ‘the future’ in Japanese, is a botnet that primarily targets poorly secured devices and can self-propagate to many thousands of them to launch DDoS attacks. IoT devices with the fewest security features are the most vulnerable to Mirai. Mirai is also built to run on the different CPU architectures found in IoT devices, such as x86, ARM, SPARC, PowerPC and Motorola. In addition, Mirai comes in different versions, which makes it flexible enough to deploy in a wide range of attacks. A well-known example is the attack against Dyn in 2016: Dyn, a US-based DNS provider, was disrupted by a Mirai DDoS attack that left it unable to respond to DNS requests.

Suspicious vCards May Compromise Your Windows Computer

vCards, which are widely used for sharing contact details, have now become a medium for attackers to deliver malicious code. These malicious vCards rely on a Windows OS zero-day vulnerability. John Page, a cybersecurity researcher, identified the flaw six months ago. Despite the researcher informing Microsoft, the software giant has yet to release a security patch for the issue. Trend Micro’s Zero Day Initiative (ZDI) program has documented the whole issue. The ZDI advisory explains the flaw as follows: “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of VCard files.” According to the researcher, an attacker can fill the website field of a vCard contact with a URL pointing to a local malicious executable file. The local file could be delivered to the target user via a phishing email or through drive-by-download techniques. The researcher also published a video demonstrating how Windows runs the malicious executable without any warning when the user clicks the website URL in the vCard contact file.
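The detection angle for the story above, as an added defender-side example (this is not code from the newsletter, from the researcher or from ZDI): a small Python script that parses vCard text and flags URL properties that point at a local file or an executable, which is the pattern the flaw relies on. The sample vCards, the function names and the list of executable suffixes are all constructed for this example.

```python
"""Flag vCard URL properties that point at local files or executables.

Added example, not the newsletter's or the researcher's code. It unfolds
vCard continuation lines, splits the text into cards, and reports any URL
property whose value is a file:// URL, a drive-letter path, a UNC path, or
ends with a Windows-executable extension. Sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical blocklist of suffixes a defender would treat as executable.
EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".com", ".scr", ".hta",
                       ".js", ".vbs", ".ps1", ".lnk")

# Constructed sample: one benign card, three cards with suspicious URL fields.
SAMPLE_VCF = (
    "BEGIN:VCARD\nVERSION:3.0\nFN:Alice Example\n"
    "URL:https://example.com/contact\nEND:VCARD\n"
    "BEGIN:VCARD\nVERSION:3.0\nFN:Bob Example\n"
    "URL:file:///C:/Users/Public/setup.exe\nEND:VCARD\n"
    "BEGIN:VCARD\nVERSION:3.0\nFN:Carol Example\n"
    "URL;TYPE=HOME:C:\\Users\\Public\\update.scr\nEND:VCARD\n"
    "BEGIN:VCARD\nVERSION:3.0\nFN:Dave Example\n"
    "NOTE:A folded line spans\n  two physical lines\n"
    "URL:https://example.com/tool.exe\nEND:VCARD\n"
)


def parse_vcards(text):
    """Return a list of cards; each card is a list of (PROPERTY, value)."""
    # RFC 6350 line folding: a line break followed by a space or tab is a
    # continuation of the previous line, so join those first.
    text = re.sub(r"\r?\n[ \t]", "", text)
    cards, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper() == "BEGIN:VCARD":
            current = []
        elif line.upper() == "END:VCARD":
            if current is not None:
                cards.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            # Drop parameters such as ";TYPE=HOME" and normalise the name.
            current.append((name.split(";", 1)[0].upper(), value))
    return cards


def classify_url(value):
    """Return a reason string if the URL looks like a local/executable target."""
    v = value.strip()
    if re.match(r"^[A-Za-z]:[\\/]", v):       # C:\path or C:/path
        return "drive-path"
    if v.startswith("\\\\"):                   # \\server\share\file
        return "unc-path"
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file":        # file:///C:/...
        return "file-scheme"
    path = parsed.path if parsed.scheme else v
    if path.lower().endswith(EXECUTABLE_SUFFIXES):
        return "executable-extension"
    return None


def suspicious_urls(text):
    """Return (display name, URL value, reason) for every flagged URL field."""
    findings = []
    for card in parse_vcards(text):
        fn = next((val for prop, val in card if prop == "FN"), "<unnamed>")
        for prop, val in card:
            reason = classify_url(val) if prop == "URL" else None
            if reason:
                findings.append((fn, val, reason))
    return findings


if __name__ == "__main__":
    for fn, url, reason in suspicious_urls(SAMPLE_VCF):
        print(f"{reason:22s} {fn!r:18s} {url}")
```

Run against a mailbox or file-share export of .vcf attachments, the script gives a quick triage list; anything other than a plain web URL in a contact's website field deserves a look before the card is imported.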

Critical Flaw in Schneider Electric’s Vehicle Charging Station

A vulnerability in Schneider Electric’s EVLink Parking devices, a line of electric car charging stations, could have enabled hackers to gain access to the system. Schneider Electric said that the vulnerability is tied to a hard-coded credential bug within the EVLink Parking device; the energy management and automation giant confirmed that EVLink Parking devices are the affected products. The vulnerability is one of three fixes issued by Schneider last week. The firm also issued warnings and fixes for a code injection vulnerability and a SQL injection bug. “The code injection vulnerability is rated high and could enable access with maximum privileges when remote code execution is performed. The SQL Injection vulnerability is rated medium and could give access to the web interface with full privileges,” Schneider Electric said. Apart from the patch, the company also offers several ways to mitigate the risk, such as “set up a firewall to block remote/external access except by authorized users.” The EVLink Parking device is part of a full EVLink Parking networked solution that includes the charging station, the EVLink insights online portal, and vehicle maintenance and support services. These systems link to a central system via the cloud for remote management. All an attacker needs in order to conduct an attack is Wi-Fi access to the network the charger is connected to. Since the devices are made for domestic use, security on the wireless network is likely to be limited, meaning attackers could gain access easily, for example by brute-forcing the password. Researchers also found that EV communication protocols, EV payment systems, and the security of backend communications were vulnerable to attack.

Top Telecom Companies Spill Customer Location Data

A recent investigation by Motherboard has shed light on the sale of users’ location data to various entities. The data is purported to originate from major telephone companies such as T-Mobile, Sprint and AT&T. The investigation showed how easily a person’s phone can be located without any advanced tracking tools or techniques: location data was simply bought from a bounty hunter, who in turn obtained it from his own sources. In other words, the information travelled from the telcos down to the last buyer in the chain. Failures such as this show how broken data privacy is at the service providers’ end. Microbilt, a company which sells geolocation services to different entities, is under scrutiny after the investigation, because its clients (for example, bounty hunters or other parties) may have unknowingly exposed location data. To the relief of users, Microbilt has suspended these services since the incident. AT&T and T-Mobile, on the other hand, sharply deny that location data is sold to unauthorised entities; AT&T says doing so would violate its contracts and privacy policy. Even though these companies are members of CTIA, which has standard guidelines for location-data sharing, it is sometimes unclear how much data is being shared. Frederike Kaltheuner, an expert at Privacy International, told Motherboard that “it’s part of a bigger problem; the US has a completely unregulated data ecosystem.” Following this incident, telcos are expected to limit data sharing with third parties.

New Malware Removes Cloud Security Products From Systems

A new cryptomining malware uninstalls various cloud security protection and monitoring products. Research by Palo Alto Networks’ (PAN) Unit 42 division has revealed that this malware disrupts security services on Linux servers. The researchers identified the malware’s creators as the “Rocke” group and found that the coin-mining application affects five cloud security solutions. According to the firm’s research, the malware only removes the security products rather than defeating them: “In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” the report said. The Rocke group was previously reported by Cisco Talos in 2018, and the modus operandi remains the same: mining cryptocurrency on vulnerable Linux machines. Cloud security products from Tencent Cloud and Alibaba Cloud were the primary targets of this malware. PAN has informed Tencent Cloud and Alibaba Cloud of the issue and is working with them to address the threat. The cryptomining malware is also packed with evasion techniques to avoid detection. This variant from the Rocke group has specifically targeted public cloud infrastructure; a large-scale attack of this kind could wreak havoc on systems worldwide.

Data Protection and Brexit - ICO advice for organisations

The basis on which the UK will leave the EU has still to be decided. The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow. But organisations that rely on transfers of personal data between the UK and the European Economic Area (EEA) may be affected. The ICO has published guidance and practical tools to help organisations understand the implications and plan ahead. Many organisations have already been making preparations in case the UK leaves the EU without a withdrawal agreement in place, including those involved in transfers of personal data to and from the EEA. Organisations will need to carefully consider alternative transfer mechanisms to maintain data flows, and the guidance the ICO has produced will help you weigh the options and take action if this proves necessary. Many may decide that one potential solution is to put in place what are known as Standard Contractual Clauses between themselves and organisations outside the UK. The Government has also made clear its intention to seek adequacy decisions for the UK. An adequacy decision would recognise the UK’s data protection regime as essentially equivalent to that of the EU; it would allow data flows from the EEA and avoid the need for organisations to adopt any specific measures. The ICO has said it will provide further information to the small number of UK organisations that rely on approved Binding Corporate Rules for their transfers, to explain how they may be affected.

SEC Charges The Attackers Behind The EDGAR Hack in 2016

The US Securities and Exchange Commission (SEC) filed charges against ten people in connection with a major hack that happened in 2016. Ukrainian nationals Oleksandr Ieremenko and Artem Radchenko were the key people named in the attack. Authorities told media that the two attackers broke into the corporate filing system and stole confidential information belonging to many companies. “The defendants charged in the indictment announced today engaged in a sophisticated hacking and insider trading scheme to cheat the securities markets and the investing public,” said US Attorney Craig Carpenito. The stolen information was passed to traders who used it to trade stocks. The press release put out by the Department of Justice (DOJ) says that Radchenko, Ieremenko and others conspired to gain unauthorised access to the computer networks of the SEC’s EDGAR system. The SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system allows companies to make test filings in advance of a public filing, and these test filings often contain information that is the same as or similar to the information in the final filing. Radchenko and Ieremenko allegedly stole these test filings and distributed them to traders, who used them to make profitable trades. EDGAR reportedly had a software vulnerability which the attackers exploited to gain unauthorised access. A profit of around $270,000 is said to have been made on the first day alone, and subsequent transactions amounted to 4.1 million over the following year until the SEC discovered the hack. The SEC has said that EDGAR was patched after the attack. Radchenko and Ieremenko have yet to be brought to court, and the charges remain pending.

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations; notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.