Cyber Pulse: Edition 55

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


1 March 2019

Momo challenge branded as a hoax by cyber expert

A cyber expert has branded the recent online craze, the "Momo Challenge", a hoax. The infamous challenge, which reportedly culminates in self-harm or suicide by the player, is said to be appearing inside children's programmes on the Google-owned video-sharing platform YouTube. Videos of popular kids' shows such as Peppa Pig on YouTube have allegedly shown the "Momo" character popping up in the middle of episodes, asking children to hurt others and themselves, the Manchester Evening News reported on Tuesday. Screenshots of YouTube videos suddenly interrupted by the game have been going viral on social networking platforms. A form of cyberbullying that spreads through social media and smartphones, the "Momo Challenge", much like the "Blue Whale Challenge", entices users to contact an account named "Momo", after which they receive graphic threats from that account and are instructed to perform a series of dangerous tasks. The report comes just days after YouTube was accused of not being careful enough about exposing minors to objectionable content on its platform. The platform faced a backlash from users as well as advertisers, leading several major companies, including Nestle, to pull their commercials from the video app. The "Momo Challenge" first circulated widely around the web in 2018. Earlier in 2018, the "Blue Whale" challenge was alleged to be the reason many young people worldwide attempted or carried out self-harm and even suicide. Police forces around the UK have released statements acknowledging that they know of the existence of this challenge and giving worried parents advice on how best to protect their children.

British Airways Entertainment System on Boeing 777-36N found to be affected by a privilege escalation issue

A critical vulnerability has been discovered in the British Airways Entertainment System. The flaw in question is a privilege escalation vulnerability that resides in the USB handler component of the Entertainment System. Tracked as CVE-2019-9019, the security flaw affects all British Airways Entertainment Systems installed on Boeing 777-36N(ER) aircraft and possibly other aircraft. According to the entry in the CVE database maintained by MITRE, the British Airways Entertainment System does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices. This, in turn, can allow attackers with physical proximity to conduct unwanted attacks against the Entertainment applications. The flaw can trigger a chat buffer overflow or possibly have other, unknown impacts. Apart from triggering a buffer overflow, the flaw can also cause the application to crash. While a remedy for the issue is yet to be released, researchers have described how attackers could take the flaw further. Explaining it further, Hector Marco Gisbert, an Associate Professor in Cybersecurity and Networks at the University of the West of Scotland, said, “Performing this attack using only the mouse it would have taken quite some time and much more to create a working payload to execute code. Note that we are limited to use ASCII printable characters in our byte-for-byte attack, which introduces a challenge to guess the next byte and to create a working ROP attack.”

Phishing campaign uses fake Office 365 page with live chat support

Cybercriminals have now resorted to fake customer support services to lure victims into disclosing their credentials. In a new finding, security researcher Michael Gillespie has discovered a phishing page that offers live chat support. The website poses as an official Office 365 support resource. It all starts with an email containing a fake Microsoft alert asking victims to renew their Office subscription. When the link in the message is clicked, it redirects to a genuine-looking Microsoft support site. Here, a live-chat support section is visible, of the kind users would normally turn to if they encountered a problem. If users provide their login credentials while conversing with the scammer in the chat, their accounts could be compromised. In addition, if remote access to the computer is granted, the scammers can take away much more than the credentials. To learn more about the scam, Michael Gillespie interacted with the fake Microsoft support staff member. The fake support agent asked him whether he saw any error on the screen, to which Gillespie replied in the affirmative, stating that it was a phishing scam. That was the end of the conversation, as the scammers closed the chat. The researcher reported the scammer to the Tawk.to chat service, which then banned their account.

New security flaw patched by Drupal last week exploited by cybercriminals

Within days of Drupal patching a remote code execution (RCE) vulnerability in its platform, attackers carried out numerous cryptomining attacks on Drupal-based sites, likely using proof-of-concept (PoC) exploits released by researchers. The big picture: in exclusive research, the security firm Imperva identified more than 100 exploit attempts against Drupal sites. The vulnerability, CVE-2019-6340, allowed arbitrary code execution in the REST module in specific versions of the open-source content management platform. After Drupal released a patch for the vulnerability, other security firms published PoC exploit code that could still exploit unpatched sites. Usually, PoCs are meant to highlight flaws and, in some cases, provide temporary measures to block attacks. In this case, attackers took advantage of the opportunity to target vulnerable Drupal sites, likely using the information gained from the PoCs. The first PoC detailed an attack aimed at Drupal 8 that exploited the RCE vulnerability in a different way. “The RCE is triggerable through a GET request, and without any kind of authentication, even if POST/PATCH requests are disabled in the REST configuration,” the researchers wrote, explaining their approach. The other PoC was created by a developer at Tencent and was similar to the one mentioned above, with minor variations in the code. This vulnerability mainly affects Drupal 8, which forms a small fraction of the total number of Drupal-based sites. Drupal is expected to release another update in the coming days to fix this vulnerability.

Google Chrome zero-day vulnerability could allow attackers to collect user information via PDF files

Researchers from EdgeSpot detected malicious PDF files that exploit a Google Chrome zero-day vulnerability. The vulnerability could allow the sender of the PDF files to collect users’ information when the files were opened in Google Chrome’s built-in PDF viewer. The collected information included system details such as the user's IP address, OS version, Chrome version and the path of the PDF file on the user's machine. The PDF files did not perform any malicious activity when opened in Adobe Reader; the malicious behaviour was observed only in Google Chrome. EdgeSpot researchers noted that they observed two distinct sets of malicious PDF files exploiting the Chrome zero-day. The first set collects user information and sends it to the readnotify[.]com domain. The second set sends the collected information to zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator[.]net. EdgeSpot notified Google about the issue in December 2018, but researchers detected more samples in February 2019. Google acknowledged the Chrome zero-day exploit and promised a fix in late April. EdgeSpot made the public disclosure on February 26, 2019. “We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” EdgeSpot said.

Vulnerability could allow attackers to implant backdoor in the BMC firmware

Researchers detected a new vulnerability, dubbed ‘Cloudborne’, that could allow attackers to implant a backdoor in the firmware or BMC of bare-metal cloud servers, enabling a variety of attacks. The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstallation and troubleshooting. By exploiting this vulnerability an attacker could perform a permanent denial-of-service (PDoS) attack, steal data from the application running on the cloud service, or execute a ransomware attack by disabling the application. IBM published details of the vulnerability and assigned it a low severity rating. However, Eclypsium disputed that a low severity rating is appropriate, stating that they would classify the vulnerability as critical, with a 9.3 severity rating.

4G and 5G protocols prone to privacy attacks, new study reveals

A new research study has uncovered serious privacy risks associated with 4G as well as the latest 5G protocols. The researchers found that attackers could target devices running on these protocols to conduct denial-of-service attacks. The study, carried out by scholars from Purdue University and the University of Iowa, analysed cellular paging in 4G and 5G devices. The paging protocol balances the device’s energy consumption across the different processes (for example, phone calls) running on the device. Attackers can inject malicious paging messages into this protocol to perpetrate denial-of-service attacks. Information such as device location, phone number and Twitter handles could be compromised on 4G and 5G devices. ToRPEDO, short for Tracking via Paging Message Distribution, is the method the researchers propose for compromising privacy in this way; IMSI-Cracking and PIERCER are the other two methods devised in the study. The development of 5G, the soon-to-be norm for mobile network protocols, will be heavily affected by this privacy issue: the identities of 4G and 5G phone users could be exposed, and sensitive information such as users' payment data could also be at risk. Though the paper details loopholes in the telecommunication protocols, it also delineates the limitations of the attack methods it describes.

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.


Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this included the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.