by Richard Beck

Our cyber security round-up of the week:

Hackers linked to Iran target Covid pharmaceuticals Gilead Sciences

In recent weeks, hackers linked to Iran have targeted pharmaceuticals giant Gilead Sciences, according to publicly available web archives reviewed by Reuters and three cybersecurity researchers, as the company races to deploy a treatment for the Covid-19 virus. In one case in April, a fake email login page designed to steal passwords was sent to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses. Reuters was not able to determine whether the attack was successful.

Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, who closely tracks Iranian hacking activity and has investigated the attacks, said the attempt was part of an effort by an Iranian group to compromise email accounts of staff at the company using messages that impersonated journalists.

The hacking attempts show how cyber spies around the world are focusing their intelligence-gathering efforts on information about Covid-19. A joint US-UK government advisory issued the same week warned of exactly this kind of targeting of healthcare and pharmaceutical organisations; it did not name any of the attacked organisations, but two people familiar with the matter said one of the targets was Gilead Sciences, whose antiviral drug remdesivir is the only treatment so far proven to help patients infected with Covid-19.

The hacking infrastructure used in the attempt to compromise the Gilead executive's email account has previously been used in cyberattacks by a group of suspected Iranian hackers known as Charming Kitten, said Priscilla Moriuchi, director of strategic threat development at U.S. cybersecurity firm Recorded Future, who reviewed the web archives identified by Reuters. There are 11,340 Gilead employees on LinkedIn, easily cross-referenced to personal social accounts that can provide the context used for tailored spear-phishing attacks. 

Microsoft investigates as hacker claims to access Microsoft's private GitHub

A hacker has gained access to a Microsoft employee's GitHub account and has downloaded some of the company's private GitHub repositories. The compromise is considered harmless as the hacker did not gain access to the source code of any major Microsoft apps. The intrusion is believed to have taken place in March, and came to light this week when the hacker announced plans to publish some of the stolen projects on a hacking forum. 

Researchers have confirmed with multiple Microsoft employees that at least a small portion of the stolen files are authentic, but the hacker is not believed to have gained access to the source code of any major Microsoft core project, such as Windows or Office. Around 1,200 private repositories are thought to have been acquired. Sources have confirmed that the files and directories on the list shared by the hacker do correspond to projects stored as private repositories in Microsoft's GitHub account; how the hacker obtained those repositories remains unclear.

Internal policy is that the Microsoft GitHub account is to be used to host and share open-source projects and documentation. The Microsoft GitHub account is also used to host private projects that are to be made available under an open-source license in the future. 

Malware jumps the air gap

Cybersecurity researcher Mordechai Guri, from Israel's Ben Gurion University of the Negev, recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems, using a novel acoustic quirk in power supply units that come with modern computing devices.

Dubbed POWER-SUPPLaY, the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal and optical covert channels, and even power cables to exfiltrate data from non-networked computers. The developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities.

Air-gapped systems are considered a necessity in environments where sensitive data is involved, in an attempt to reduce the risk of data leakage. Such devices typically have their audio hardware disabled so as to prevent adversaries from leveraging the built-in speakers and microphones to pilfer information via sonic and ultrasonic waves. POWER-SUPPLaY sidesteps that control: malware running on the PC uses the PSU itself as an out-of-band speaker, so no audio hardware is needed at all.

The air-gap malware regulates the workload of modern CPUs to control their power consumption and hence the switching frequency of the PSU, emitting an acoustic signal in the 0-24 kHz range and modulating binary data over it. According to the researcher, an attacker can exfiltrate data from an audio-gapped system to a nearby phone 2.5 metres away at a maximum rate of 50 bit/s. With air-gapped nuclear facilities in Iran and India having already been breached, the research is yet another reminder that isolation stops neither the delivery of malware to a system (typically via the supply chain or removable media) nor, once it is running, the slow leak of data over a covert channel.
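To make the channel described above concrete, here is an added simulation of the sender and receiver sides of such a covert acoustic link. It is not Guri's code and borrows nothing from the paper beyond the 50 bit/s figure: the PSU switching noise is replaced by a synthetic sine so it runs offline, the two tone frequencies (18 kHz and 20 kHz), the 48 kHz microphone sample rate and the noise level are assumptions, and the payload is a constructed sample. The receiver uses the Goertzel algorithm to measure energy at just the two tones, which is what a phone-side decoder would do rather than computing a full FFT per symbol.

```python
import math
import random

SAMPLE_RATE = 48_000   # Hz, a typical phone microphone rate (assumption)
BIT_RATE = 50          # bit/s, the rate reported for POWER-SUPPLaY
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE   # 960 samples per symbol
FREQ_ZERO = 18_000     # Hz tone for a 0 bit (assumed; the paper's tones are not on this page)
FREQ_ONE = 20_000      # Hz tone for a 1 bit (assumed)


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; any trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def modulate(bits, amplitude=1.0):
    """Binary FSK: each bit becomes SAMPLES_PER_BIT samples of one of two tones.
    In the real attack the tone is the PSU's switching noise, steered by CPU
    load; here it is a plain sine so the channel can be simulated offline."""
    samples = []
    for bit in bits:
        freq = FREQ_ONE if bit else FREQ_ZERO
        for n in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def add_noise(samples, sigma, seed=1):
    """Stand-in for the 2.5 m of air: additive Gaussian noise, seeded for repeatability."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def goertzel_power(samples, freq):
    """Energy of `samples` at a single frequency (Goertzel algorithm); cheaper
    than an FFT when only two bins matter."""
    n = len(samples)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Slice the recording into symbol windows and pick the louder of the two tones."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        one = goertzel_power(window, FREQ_ONE)
        zero = goertzel_power(window, FREQ_ZERO)
        bits.append(1 if one > zero else 0)
    return bits


def exfiltrate_and_recover(payload, noise_sigma=1.0):
    """Round trip: sender modulates, the air adds noise, the receiver demodulates.
    noise_sigma=1.0 against a unit-amplitude tone is 0 dB SNR per sample; the
    960-sample integration in goertzel_power is what makes decoding reliable."""
    signal = add_noise(modulate(bytes_to_bits(payload)), noise_sigma)
    return bits_to_bytes(demodulate(signal))


def airtime_seconds(payload):
    """How long the PSU has to 'sing' to leak this payload at BIT_RATE."""
    return len(payload) * 8 / BIT_RATE


if __name__ == "__main__":
    secret = b"flag{air-gap}"   # constructed sample payload
    print(exfiltrate_and_recover(secret))
    print(f"{len(secret)} bytes take {airtime_seconds(secret):.2f} s at {BIT_RATE} bit/s")
```

The airtime figure is the practical takeaway: at 50 bit/s a 13-byte string takes about two seconds, but a 2 KB private key would need over five minutes of sustained, patterned CPU load, which is both a window for a nearby microphone and a signature worth looking for in CPU telemetry on isolated hosts.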

Malware attacks Taiwanese energy companies 

Taiwan's state-owned oil and gas company CPC Corporation suffered a ransomware attack on Monday. The attack didn't impact production, but it temporarily took down the company's electronic payment system. Researchers revealed on Wednesday that the attack involved a new ransomware strain that bears similarities to the Freezing and EDA2 ransomware families, along with tenuous ties to LockerGoga.

The researchers call the new malware "ColdLock" and say it targets databases and email servers. They state that ColdLock infected several organisations in Taiwan, adding that "[t]here have been no indications that this attack has hit any other organisation outside of those targeted; we do not believe that this family is currently in widespread use."

Taiwan News notes that Formosa Petrochemical, a privately-owned Taiwanese refinery, also sustained a ransomware attack on Tuesday, but it's not clear which malware was involved and authorities are still investigating to determine if the incidents are related. Formosa said the incident caused its gas stations to lose track of their income for Tuesday, but production and customer service were unaffected. 

An anonymous official in Taiwan's national security community told Focus Taiwan that the attacks may have been motivated by President Tsai Ing-wen's upcoming inauguration on 20 May, although the official didn't say whether there was evidence to support this. Another official at the country's Ministry of National Defense said it's a "reasonable conclusion" to expect more attacks before the inauguration. So far no-one has ventured to attribute the attacks to any specific actor or nation-state. 

Ransomware gang steals legal documents from law firm to the stars

The Sodinokibi ransomware gang claims to have stolen 756 gigabytes of legal documents from the entertainment law firm Grubman Shire Meiselas & Sacks (GSMLaw), which counts dozens of international stars and celebrities among its clients. The client list includes Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert De Niro, Usher and U2. The firm claims its “ability to advise and service clients in all aspects of their careers and businesses is unparalleled.”

The Sodinokibi ransomware gang has published a screenshot of the folders they have stolen from the law firm and threatens to release the stolen documents if the firm will not pay the ransom. The huge trove of documents includes contracts, phone numbers, email addresses, personal correspondence, non-disclosure agreements, and social security numbers. The hackers also provided excerpts from legal agreements signed by artists, including Christina Aguilera. 

The Sodinokibi ransomware operators are considered a dangerous threat that has already hit several organisations worldwide, including the SeaChange video platform, the Kenneth Cole fashion firm and the UK-based currency exchange Travelex. Since April, the gang has started accepting Monero instead of Bitcoin, making payments harder for law enforcement agencies to trace. 

Samsung released a set of security updates for Android smartphones

The security updates include a patch for a critical vulnerability affecting all of its devices released since 2014. In addition to the fixes in the Android Security Bulletin – May 2020, the phone maker’s updates patch 19 vulnerabilities specific to Samsung smartphones.

The most important of these are two critical flaws: one in the secure bootloader and one in the Quram library's decoding of Qmage (.qmg) images. The first is a heap-based buffer overflow that could allow secure boot to be bypassed and potentially result in arbitrary code execution. Samsung says it addressed the bug with proper validation, but does not provide further details on the vulnerability. Google Project Zero researcher Mateusz Jurczyk, who reported the Qmage flaw, says that, since there are four major versions of Qmage, Samsung’s Android smartphones released since late 2014/early 2015 are affected to different degrees. The most recent devices are likely impacted by the largest number of issues, given that they support all versions of Qmage.

“The vulnerable codec executes in the context of the attacked app processing input images, so the attacker also gets the privileges of that app. In the case of my demo, that's Samsung Messages, which has access to a variety of personal user information: call logs, contacts, microphone, storage, SMS etc,” Jurczyk says. 

Only Samsung’s devices are affected, because the vulnerable codec ships only on the company’s devices. High-severity flaws the South Korean phone maker patched this month include arbitrary code execution via the Quram library's JPEG decoding, a possible brute-force attack against the Gatekeeper Trustlet, and possible spoofing in selected Broadcom Bluetooth chipsets (which use a PRNG with low entropy). 

Samsung did not provide information on all of the vulnerabilities addressed this month, but revealed that it patched five low-severity flaws: leak of clipboard information via USSD in the locked state; possible heap overflow in bootloader; unauthorised change of preferred SIM card in locked state; possible relative buffer write in S.LSI Wi-Fi drivers; and FRP bypass with SPEN. 

Malware sample uses code from the NSA and Chinese hackers 

According to new research from ESET, a code obfuscation tool that has been linked to a China-based hacker group has been used in tandem with an implant attributed to Equation Group, a hacking faction that is broadly believed to have ties to the National Security Agency. The packer is linked to the Winnti Group, while the implant, known as PeddleCheap, appeared in an April 2017 leak from the mysterious group known as the Shadow Brokers.

It’s unclear if the sample was used in a malicious campaign or if it’s the product of a security researcher experimenting with different tools, according to Marc-Étienne Léveillé, a malware researcher at ESET. It was uploaded to malware-sharing repository VirusTotal in 2017, according to Léveillé. The Winnti-linked packer was used in a series of intrusions at gaming organisations in 2018, which ESET has previously documented. 

Edited and compiled by QA's Director of Cyber, Richard Beck.
