Cyber Security Training from QA

Cyber Pulse: Edition 56

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


7 March 2019

Facebook’s two-factor authentication violates privacy, reveals user profiles through phone numbers

Social networking site Facebook is again facing backlash for privacy matters. This time it was discovered to be coming from one of its security features. It appears that the company’s 2FA could be abused to reveal Facebook users. Jeremy Burge, the creator of Emojipedia, uncovered this issue believed to be lingering in the platform for a long time. Burge found out that the security feature was giving out identities of users when searched for their phone number. In one of his tweets, he also mentioned that the search feature cannot be disabled currently. Whenever users handed their phone numbers for 2FA, Facebook automatically puts up suggestions to connect with them if a person has his/her number. Burge explained in a series of tweets how contact numbers were likely availed by Facebook through its other platforms - Whatsapp and Messenger. Facebook had earlier removed a separate phone-number search feature in its platform in 2018. This was after the company was found using personally identifiable information (PII) such as phone numbers, for its advertising campaigns.

Google’s Project Zero publicly discloses zero-day vulnerability in macOS

Google’s Project Zero publicly discloses the zero-day vulnerability in Apple macOS after the 90-day deadline to fix the issue expired. It is a critical vulnerability marked as ‘High severity’ that allows creating copy-on-write copies of data between processes via a user-owned filesystem image. In Apple macOS, filesystem images can be mounted by users, and it is possible to mutate these files directly by calling pwrite() on the filesystem image without copy-on-write informing the subsystem. “This copy-on-write behavior works not only with anonymous memory but also with file mappings. This means that after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing Filesystem,” Project Zero said. The vulnerability is a local process escalation bug.

Newly discovered vulnerability could allow attackers to take full control of Windows IoT Core devices

A security researcher for SafeBreach, Dor Azouri discovered a new vulnerability that impacts the Windows IoT Core Operating System. Azouri noted that the vulnerability could allow attackers to take full control of the Windows IoT Core devices. The vulnerability affects only the Windows IoT Core and Windows IoT OS version devices that run in a single application such as smart devices, control boards, etc. It impacts the Sirep/WPCon communications protocol included with Windows IoT operating system. However, the vulnerability does not impact the Windows IoT Enterprise advanced version.The security researcher noted that the vulnerability works on a cable-connected Windows IoT Core devices running Microsoft’s official stock image and could allow an attacker to run commands with system privileges on Windows IoT Core devices.During his analysis, Azouri developed a Remote Access Trojan (RAT) dubbed SirepRAT which the security researcher plans to open-source on Github. The advantage of the SirepRAT is that it doesn’t work wirelessly as the testing environment is available only via an Ethernet connection. This implies that the attacker has to be physically present near the target or compromise another device on a company’s internal network and then attack the vulnerable Windows IoT Core devices. Azouri has presented his research paper at the WOPR Summit security conference in Atlantic City on March 2, 2019.

New Ransomware-as-a-Service ‘Jokeroo’ promoted on underground hacking forums

A security researcher named Damian noted that Jokeroo RaaS was first promoted as GandCrab Ransomware RaaS in underground hacking forum Exploit.in. Later, another security researcher named David Montenegro tweeted that the GandCrab Ransomware Rass name has been changed to ‘Jokeroo’. Since then, the service providers have been promoting their service ‘Jokeroo RaaS’ via Twitter. Jokeroo RaaS has been offered in multiple membership packages ranging from $90 to $300 and $600. In the basic package, a member earns 85% of the ransom payments. As members go up the package ladder, they get extra benefits such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options. The Jokeroo RaaS dashboard will display members the list of their victims, time of infection, the ransom amount, and the payment status. Members will also be able to see victims’ IP addresses, Windows OS version, and geographic location. Members will also be provided with an option to create their own ransom note depending on the membership package they have chosen.

Cryptojacking campaigns now target exposed Docker containers

Cybercriminals are now targeting vulnerable and exposed Docker containers to deploy cryptojacking campaigns. Research by security firm Imperva showed that attackers relied on the Docker's API to sneakily mine cryptocurrency. The exposed Docker ports were found through the Shodan search engine. Generally, these open ports are required for third-party platforms such as Portainer to manage Docker containers. According to Imperva, 3,822 Docker hosts with remote APIs were available publicly. Out of these IPs, around 400 IPs are accessible by anyone. These were found when connected on port 2735. When the Docker activity was observed, most of them were found to mine the well-known Monero cryptocurrency. Additionally, these ports could be used to perpetrate other malicious tasks such as hosting phishing campaigns, spoofing attacks and pivot attacks. Imperva also revealed how credentials and sensitive data can be stolen due to the Docker’s vulnerability. Imperva emphasized that many organizations fail to configure their Docker services regularly.It is suggested that Docker containers be protected against such attacks by taking the right measures. This can be done by enabling TLS verification and then directing the Docker container's 'tlscacert' flag to a trusted CA certificate. This way, the Docker will communicate securely.

 

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

 

Useful links

Cyber Pulse: Edition 55

Cyber Pulse: Edition 54

Cyber Pulse: Edition 53

Cyber Pulse: Edition 52

Cyber Pulse: Edition 51

Cyber Pulse: Edition 50

Cyber Pulse: Edition 49

Cyber Pulse: Edition 48

Cyber Pulse: Edition 47

Cyber Pulse: Edition 46

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.