Cyber Security Training from QA

Cyber Pulse: Edition 51

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


1 February 2019

Malware Written in Go Spotted in the Wild

These days, malware authors turn to every possible trick to come up with new threats. One good example is a new strain discovered by the security firm Malwarebytes. Reportedly, this malware is written in Golang/Go, which is a relatively new language as compared to other programming languages typically used for by malware authors. It appears that this malware targets cryptocurrency wallets on the infected systems which is why the researchers named it as Trojan.CryptoStealer.Go. Malwarebytes researchers who conducted an extensive analysis of this malware, pointed out that the malware specifically gathers information on online activity. The malware searches for data from web browsers under various file system paths. As Go uses WindowsAPI to perform searchers, the researchers could detect the paths searched by the malware using tools like PIN tracers. “We can see that the browser’s cookie database is queried in search data related to online transactions: credit card numbers, expiration dates, as well as personal data such as names and email addresses. The paths to all the files being searched are stored as base64 strings. Many of them are related to cryptocurrency wallets, but we can also find references to the Telegram messenger,” explained the researchers in a blog.

DailyMotion Hit by a Credential Stuffing Attack

DailyMotion is a video sharing platform which is available worldwide in 18 languages. It is one of the most visited sites on the internet with a rank of #134 on the Alexa traffic ranking. The video sharing platform announced on January 25, 2019, that it has been hit by a credential stuffing attack. Credential stuffing attack is a type of cyber attack where attackers use a combination of usernames and passwords that have been stolen from other online sites where the credentials have been exposed. Attackers use the stolen credentials to gain unauthorized access on users accounts. DailyMotion learned the incident from its security team who discovered the attack. Upon learning the incident, DailyMotion took necessary measures to stop the attack. The company has notified the CNIL on the incident as per the new GDPR legislation. The Video-sharing platform has been logging off user accounts and resetting passwords of those users who have been potentially affected by the attack. The company has also notified the potentially affected users via email and have requested them to reset their passwords.

WordPress Zero-day Vulnerability in ‘Total Donations’ Plugin

WordPress site owners are being alerted about an unpatched vulnerability discovered in ‘Total Donations’ plugin. The vulnerability, identified as CVE-2019-6703, could allow attackers to take over affected sites. Security expert Mikey Veenstra from Defiant observed that attackers have been using this zero-day vulnerability to infect several WordPress sites over the past week. The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations from the respective user bases. Giving more details, Veenstra explained that the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site as a whole to external manipulation. “Searching the site’s codebase for the strings migla_getme and miglaA_update_me revealed the installed Total Donations plugin, and we quickly identified the exploited vulnerabilities as well as the attacker’s workflow,” said Veenstra in a blog post. The plugin in question contains an AJAX endpoint that can be queried by any unauthorized person. “Total Donations registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint. We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely,” Veenstra added.

Airbus Hit by Data Breach Compromising Employees’ Private Data

Aerospace corporation Airbus announced on January 30, 2019, that it detected a cyber attack on Airbus' Commercial Aircraft business information systems resulting in attackers gaining unauthorized access to data. However, the European company confirmed that the data breach did not impact its commercial operations. Airbus disclosed that some private data of some of its employees in Europe was compromised in the incident. The compromised private data included employees’ professional contact details and IT identification details. “Investigations are ongoing to understand if any specific data was targeted, however, we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe,” Airbus said in a statement. Upon learning about the incident, Airbus’ experts carried out investigations on the incident to determine its origins. Airbus experts investigated the incident and took immediate actions to reinforce existing security measures. The Aerospace Corporation also took appropriate actions to mitigate the potential impact of the incident. The company is also working closely with the regulatory authorities and data protection authorities. Furthermore, the company advised its employees to take all necessary precautions to avoid such incidents from happening in the future.

A Critical Bug in Apple iOS Facetime

Researchers uncovered a critical bug in Apple iOS devices that could allow Facetime users to access the microphone and front camera of who they are calling even if the call recipient does not answer the call. The bug was first reported by 9to5Mac which stated that the bug could allow Facetime users to listen to the audio of the person they are calling even before the recipient accept the call. Later, Buzzfeed reported that this bug allows Facetime users to access the front camera as well. To use this bug an iOS user should call a person via Facetime and should add themselves as an additional contact to Group Facetime before the recipient answers the call. By doing so, the microphone of the call recipient will be turned on and the caller can listen to what's happening in the room. Furthermore, if the recipient presses the power button to mute the Facetime call, the front camera will be enabled. This means that the Facetime caller could listen and watch the recipient without their knowledge. BleepingComputer tested this bug and confirmed that this bug exists in iOS 12.1.2 version. However, when the researchers tested this bug against Apple Watch, they were not able to get the microphone working. A Google Project Zero security researcher Natalie Silvanovich explained the theory behind this bug in a tweet, “Theory: FaceTime stores call participants in a list that doesn't allow duplicates, and uses the indexes for signaling. When the caller is added a second time, the entry at index 1 is set to answer, with the expectation that it is the caller.” Researchers suggest iOS users disable Facetime until Apple releases a fix to the issue as this bug could allow people to take compromising videos and audio without your knowledge. Once Facetime is disabled, Facetime users will not be able to abuse this bug to listen and watch users without permission. However, Apple stated that they were aware of this issue and are working on the fix which will be released in a security update later this week.

Unsecured B&Q Database Spills Shoplifter Data

British retail firm B&Q was subject to a data breach last week. However, instead of sensitive data getting leaked out in the open, a surprising list of shoplifters was revealed. Furthermore, the database exposed additional details such as product codes of the products being stolen, store locations with shoplifting instances and financial losses. Cybersecurity expert Lee Johnstone who ascertained the details of this breach explained that the B&Q subsidiary Trade Point used an Elasticsearch instance for indexing data which was found to be exposed. Shockingly enough, the database was not found to have any authentication at all. Interestingly enough, the database contained the information on around 70,000 shoplifters and the products they stole. Meanwhile, Johnstone immediately contacted B&Q regarding this issue but the company is still yet to respond to fix this issue. However, their Elasticsearch server has since gone offline. Recently Elasticsearch databases have witnessed more breaches due to use of poor security measures by database owners. Even worse, some of them have been found with basic authentication missing. Just few days ago, the data breach of 24 million loan documents in the US was the result of an unprotected Elasticsearch database too.

 

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

 

Useful links

Cyber Pulse: Edition 50

Cyber Pulse: Edition 49

Cyber Pulse: Edition 48

Cyber Pulse: Edition 47

Cyber Pulse: Edition 46

Cyber Pulse: Edition 45

Cyber Pulse: Edition 44

Cyber Pulse: Edition 43

Cyber Pulse: Edition 42

Cyber Pulse: Edition 41

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.