Cyber Security Training from QA

Cyber Pulse: Edition 65

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


23 May 2019

Another zero-day vulnerability discovered in Windows 10

A new zero-day vulnerability in Windows 10 has been revealed online. The vulnerability was disclosed by a bug hunter called ‘SandboxEscaper’, who had earlier exposed other Windows zero-day flaws. This recent one is a privilege escalation vulnerability, which upon successful exploitation, can allow attackers to take full control of Windows 10 systems. A proof-of-concept(PoC) exploit for this flaw was also published by the bug hunter on GitHub. Apparently, this exploit has been found to work against a fully-patched, latest version of Windows 10 (both 32-bit and 64-bit). It is also reported to affect Windows Server 2016 and 2019. The zero-day vulnerability exists in the Windows Task Scheduler process for Windows 10. The PoC exploit posted by SandboxEscaper abuses a Windows application called schtasks to import a legacy job file into Windows Task Scheduler. This job file is used to modify a system file ‘pci.sys’ in order to change access permissions for users. Therefore, it can lead to attackers have admin-level privileges of the vulnerable Windows system. The exploit was found to work on Windows 10 32-bit systems but has not been tested on 64-bit systems. As of now, there are no patches available to fix this vulnerability. SandboxEscaper mentions that there are four other bugs present in Windows systems, which have not been made public. “Oh and I have 4 more unpatched bugs where that one came from. 3 LPEs (all gaining code exec as system, not lame delete bugs or whatever), and one sandbox escape,” she said, in a blog.

New malware sample uploaded by Cyber Command still used in active attacks

A malware sample uploaded by the U.S. Cyber Command last week was discovered to be involved in ongoing cyber attacks. These attacks are believed to be targeting Central Asian countries along with diplomatic organizations. Security researchers from Kaspersky Labs and ZoneAlarm indicate that the malware in the Cyber Command’s sample was associated with the infamous APT28 a.k.a Fancy Bear group. Both, Kaspersky Labs and ZoneAlarm, suggest that the malware in the sample was XTunnel. This malware was deployed by APT28 to compromise the Democratic National Committee in 2016. Researchers observed that this malware variant had certain differences in code. It also has a file size of over 3MB compared to the below-25kb size. The malware also had some components common with XAgent spyware. As of now, 45 out of 70 antivirus software have flagged this malware. Even though Cyber Command uploaded the sample, it did not mention any specific details. “Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not announce when it uncovered this particular malware sample and did not attribute it to any group. When it was first posted to VirusToal, Kaspersky Lab and ZoneAlarm were the only anti-virus engines that flagged the file as malicious,” reported CyberScoop.

Personal details of TalkTalk’s 4,545 breached customers found online

In a major security lapse, TalkTalk has exposed the personal details of its 4,545 customers online. These customers are the ones whose data was compromised as a part of the company’s 2015 data breach. Some customers informed BBC Watchdog Live that their details had been breached by TalkTalk. Following this, the BBC consumer show investigated the matter. Upon investigation, it found that personal details of 4,545 customers were available online after a Google Search. The information is likely to have been online since the breach which affected nearly 157,000 customers. The data that was visible online included full names, addresses, email addresses, dates of birth, phone numbers, TalkTalk customer numbers, and bank details. When presented with the findings of the BBC investigation, TalkTalk said it was a ‘genuine error’ and that it has re-sent the apology letters to impacted customers. “A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize. 99.9% of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss,” said the company, BBC reported. In addition, the company has also claimed of offering free credit monitoring services to protect the impacted individuals against fraud.

Satan ransomware evolves to add three new exploits to its source code

A new variant of Satan ransomware has been found leveraging three new vulnerabilities to spread across public and private networks. The malware authors have expanded the codebase of the ransomware in order to add exploits for the Spring Web application framework, the Elasticsearch engine, and ThinkPHP Web application framework. According to a report from Fortinet, the new Satan ransomware variant carries leverages the EternalBlue exploit and the open-source application Mimikatz for propagation into both private and public networks. According to researchers, the new Satan variant implements IP address traversal and multi-threading technique for an effective propagation. “It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below. To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port,” Fortinet researchers said in a blog post. Depending on the targeted port, the malware variant implements EternalBlue exploit, Mimikatz, an SSH Brute-Force attack or other web exploits for propagation. “For the Windows component, if the port number is 445 (SMB/CIFS), it performs the EternalBlue exploit. If the port number is 22 (SSH), it performs SSH credential brute forcing using a hardcoded list of usernames and passwords. If the port number is not on the aforementioned ports, it attempts to execute its web application exploits,” researchers explained.

Google stored unhashed passwords due to an implementation error

Google accidentally stored unhashed passwords for some of its G suite users for almost 14 years due to an implementation error. Google has been storing passwords in plain text since at least 2005 due to an error in the implementation of a feature that allows users to manually set and recover passwords. Suzanne Frey, Vice President of engineering, Google said that the implementation error led to storing a copy of the unhashed password on Google's encrypted systems. “We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Frey said in a security notice. Google is currently working with G Suite administrators to ensure that their users' passwords are reset. It is also conducting a comprehensive investigation of the incident. Google has confirmed that there has been no evidence of any improper access to or misuse of the impacted G Suite passwords. However, the issue has been fixed. “We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better,” Frey concluded.

Sunderland City Council library database suffered cyber attack compromising customer data

Attackers broke into Sunderland City Council’s library database and accessed customers’ personal information. The library database holds information of almost 145,000 customer accounts, out of which, 45 accounts were accessed by hackers. The compromised information includes names, phone numbers, and dates of birth. The external company which provides and hosts the database is unable to identify which 45 customers' details have been accessed, therefore all library users are requested to remain vigilant. Sunderland City Council is working with the external company that hosts and provides the database to determine the impact of the incident. It is also working with the Information Commissioner's Office to investigate the incident. The council is taking the necessary remedial measures to avoid such incidents from happening in the future. It has also taken steps to review and enhance its existing security measures. Further, the council has requested the library users to be extra cautious while providing any personal details online. Fiona Brown, the council's executive director of neighborhoods, said that they have extensive organizational and security measures in place to protect customers’ personal information. However, Brown urges all contractors to provide evidence that they also have the same measures in place. “We take the issue of cyber security extremely seriously and have robust procedures in place to guard against data loss including the use of encryption and other practical measures. That includes reviewing and reinforcing existing security measures, and liaising with the Information Commissioner’s Office and other regulatory authorities,” Brown said.

Over 49 Million Records Belonging to Instagram Influencers Exposed Due to Unprotected AWS bucket

An unprotected AWS bucket has exposed over 49 million records of Instagram influencers on the internet. The affected individuals include celebrities, food bloggers and brand accounts. Discovered by a security researcher Anurag Sen, the unprotected database was hosted by Amazon Web Services. The database contained public data scraped from Instagram accounts including their bio, profile picture and the number of followers. The database also leaked private contact information of some Instagram account owners such as their email addresses, locations, and phone numbers. Each record in the database contained a record that estimated the value of each account based on the various parameters. The parameters are the numbers of followers, engagements, reach, likes and shares of an influencer. Upon discovery, Anurag Sen informed TechCrunch in an effort to find the owner of the database. They traced the database back to an India-based social media marketing firm Chtrbox. TechCrunch contacted Chtrbox to inform them about the incident. Upon learning about the leak, the firm was quick to take remedial steps and secure the database. It is unclear as to how the company obtained the private Instagram account email addresses and phone numbers of celebrities.

Stack Overflow breach exposed user data

In a new revelation, Stack Overflow has acknowledged that attackers made efforts to compromise user data after illegally gaining access to its production systems. In an update, Mary Ferguson, VP of Engineering at Stack Overflow, told that the actors made ‘privileged web requests’ to retrieve data such as IP address, names, or emails of certain users of its owner site Stack Exchange. In the update, Ferguson mentions that a build meant for the development tier for the site had a bug which let attackers log into the tier and access the production version of stackoverflow.com. Attackers could also escalate their access due to this flaw. As a result, an attacker made a change to the production system to grant themselves privileged access. However, the Stack Overflow team took measures to prevent the attacker from spreading into their network. The attacker reportedly accessed the network on May 5 and carried out exploration activities till May 11. The privilege escalation was performed on May 11. Stack Overflow had earlier said that no customer data was accessed or impacted from the breach. Ferguson indicated that the attackers leveraged privilege escalation to obtain user data. “While our overall user database was not compromised, we have identified privileged web requests that the attacker made that could have returned IP address, names, or emails for a very small number of Stack Exchange users. Our team is currently reviewing these logs and will be providing appropriate notifications to any users who are impacted,” she said. As of now, around 250 public network users. Stack Overflow has told that it has taken countermeasures to curtail this incident.

TeamViewer reports it was the target of a cyber attack in 2016

TeamViewer recently disclosed that it had fallen victim to a cyber attack in 2016. The attack is believed to have been launched by Chinese-state sponsored hackers using the Winnti backdoor. The popular remote desktop software company, Teamviewer told German publication, Der Spiegel, that its systems detected the attack before the threat actors could do any massive damage. Due to its diligent action, the company had managed to prevent the hackers from compromising or stealing the source code. The company confirmed that there is no evidence of any data being stolen during the security incident. Furthermore, in a report to ZDNet, TeamViewer has also stated that no customer computer systems have been affected in the attack. "An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way, the company said in an email, ZDNet reported. In a conversation with the BleepingComputer, TeamViewer revealed that it had decided not to publish a security breach notification as there was no loss of data. The company had consulted several authorities and advisories before coming to a conclusion. “Together with the relevant authorities and our security advisors, we came to the joint conclusion that informing our users was not necessary and would have been counterproductive to the effective prosecution of the attackers. Against this backdrop, we decided not to disclose the incident publicly in the interest of the global fight against cybercrime and thus also in the interest of our users,” TeamViewer spokesperson told BleepingComputer.

 

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

 

Useful links

Cyber Pulse: Edition 64

Cyber Pulse: Edition 63

Cyber Pulse: Edition 62

Cyber Pulse: Edition 61

Cyber Pulse: Edition 60

Cyber Pulse: Edition 59

Cyber Pulse: Edition 58

Cyber Pulse: Edition 57

Cyber Pulse: Edition 56

Cyber Pulse: Edition 55

 

Edited and compiled by

 

James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.