Internet threat news

Much of the world, particularly those living in the Middle East, are collectively holding their breaths hoping a storm may pass. One May 8 US President Donald Trump announced his country would be withdrawing from the Iranian nuclear deal. The president claimed that there is Israeli intelligence proving Iran is not in compliance with the agreement thus providing the reason to withdraw without alliance partner’s support. The move by President Trump sparked fears that the region would further be destabilized. As if to prove the point news broke early on May 10 about Iran using missiles to strike Israeli positions in the Golan Heights and with Israel responding in kind. While there appear to be legitimate fears of a further destabilized geopolitical landscape, there are also many fears regarding a cyber retaliation from Iran.

The battle between the Russian Government and Telegram, a popular instant messaging service, continues to be a long drawn out affair. Russia’s telecommunications watchdog Roskomnadzor seems to be determined to stamp out the offending app once and for all. At the center of the battle between the government and the company is due to Telegram declining  to provide customer encryption keys to Russian intelligence agency FSB so that investigators could decrypt encrypted conversations during investigations. The latest news coming out of Russia is that Roskomnadzor, blocked last week on May 3, 2018, access to over 50 VPN and proxy services. This according to Russian news agency TASS who initially published the story.

According to Russian authorities, the banning of approximately 50 VPN and proxy servers was done because users were utilizing these tools to skirt a nation-wide ban on Telegram. The nationwide ban occurred on April 13, when the Russian courts ruled in the Governments favor to ban the popular messaging service. The court hearing lasted a total of 18 minutes ensuring that justice was indeed swift in this case if you believe the action of banning Telegram is in the interests of justice. Prior to the court ruling which confirmed the government’s permission the company had been fined approximately 14,000 USD for failing to comply with a government order that required the company to provide access to encrypted conversations to Russian intelligence agency FSB. Since these events Telegram has lodged an appeal with the European Court of Human Rights (ECHR) against the 14,000 USD fine.

Malware designed to mine cryptocurrency using a victim’s server or computer is an ever increasing popular choice. Often called crypto jackers or simply miners, many malware authors have seen their potential to make more than a quick buck and are often included in other types of malware packages. Researchers at AlienVault have discovered a new miner, which they have dubbed MassMiner. In a report published by the company, it was revealed that MassMiner employs a who’s who of recent exploits that led to many sleepless nights and loss of earnings in 2017.

As mentioned above MassMiner uses a number of exploits to infect systems in order to mine the cryptocurrency Monero. Those exploits include the following: CVE-2017-10271 (https://nvd.nist.gov/vuln/detail/CVE-2017-10271) (Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-5638 (Apache Struts). Each one of the above-mentioned vulnerabilities has become the equivalent of cyber celebrities in their own right and have become infamous for different reasons.

Following from Microsoft’s announcement that it will be looking to build better partnerships with other industry-leading companies to prevent tech support scams the Redmond giant has made another important announcement. While much of the tech industry was looking at the release of the new Windows 10 update, at the Hannover Messe 2018, an industrial trade show, Microsoft announced plans to secure both IoT (Internet of Things) devices and ICS (Industrial Control Systems) operations. The new project has been codenamed Trusted Cyber-Physical Systems or TCPS for short.

According to Microsoft, TCPS systems are designed to utilize three elements to catch and block intrusions. The first being is a hardware-level Trusted Execution Environments (TEEs). Simply put a TEE is a secure area of the main processor. It guarantees code and data loaded inside to be protected from attacks. Such systems were designed to process highly-sensitive information, information hackers are always trying to get at. The reason for this is that many low-level IoT or ICS systems lack a hardware level TEE making them incredibly vulnerable to attack. For such systems Microsoft will be able to provide what they term is a “brownfield gateway,” which operates as an intermediary point that funnels all commands from upstream equipment to IoT devices, sensors, actuators, or safety control systems through one server/host thus supporting a TEE.

In the realm of cybersecurity, good news or even slightly positive news is rare. The community as a whole moves from crisis to crisis, malware variant to malware variant. There was perhaps more than a little surprise within the community when Microsoft published a veritable call to arms for teaming up with key players to put an end to the problem of tech support scams. All too often the Redmond tech giant is criticised for putting profit ahead of security, however, in recent months Microsoft has been working hard to correct this reputation. The latest article can be seen as a step in the right direction for the often criticised company.

A sizable botnet made up of servers and numerous smart devices have begun the mass exploitation of a severe Drupal CMS vulnerability. Drupal is an open source Content Management System (CMS) often used in the creation and modification of digital content. Drupal is often used in the creation and management of web pages and is a popular tool used by web developers. What makes this new botnet campaign interesting, although becoming increasingly less novel, is the way it searches for and infects new machines. Such behavior is generally a characteristic of worms rather than traditional botnet campaigns.

The botnet is currently exploiting CVE-2018-7600, often referred to as Drupalgeddon 2 by the Drupal community after the Drupalgeddon security bug, CVE-2014-3704 disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward. CVE-2018-7600 if exploited correctly allows an attacker to run any code he desires against the CMS' core component, effectively taking over the site. What made the above-mentioned vulnerability deserving of more attention was that to exploit it the attacker does not need to be registered or authenticated on the targeted site, and all the attacker must do is simply access a URL.

Given the recent Facebook and Cambridge Analytica scandal users of social media platforms, not just Facebook, should be considering what information they are allowing corporations access to. If those self-same users are still wondering about what information is left online the article that follows may help in their decision.

In an article published by ZDNet it was revealed that information concerning 48 million users was left publicly accessible. The information was publicly accessible via an Amazon Web Services (AWS) S3 bucket, according to an UpGuard security researcher who discovered the data on February 28. The company responsible for the potential oversight is LocalBlox, a company that scrapes data from public web profiles. The company quickly corrected the oversight once contacted by the UpGuard researcher.

In a collaborative effort between researchers working at Abuse.ch, BrillantIT, and Proofpoint have managed to sinkhole the command and control infrastructure behind EITest. What has been referred to as the “King of Traffic Distribution” EITest is a network of hacked servers abused by cyber-criminals to redirect users to malware, exploits kits, and tech support scams. This collection of compromised servers is used by cybercriminals to siphon off legitimate traffic from these sites and redirect users to malicious web pages. This is done by hackers installing backdoors on the servers. This type of malicious activity is called “traffic distribution” within the infosec community. It has become a major source of income for cybercriminals and those involved have gone so far as to build such botnets of hacked sites and then rent them out as a service to fellow crooks. They then do with them as they please.

Security firm Lookout has released a report which shows an alarming increase in the rate at which users are receiving and clicking on phishing URLs on their mobile devices. The firm witnessed an average rate of 85% per year increase since 2011. What is perhaps more worrying is that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.

The security company set out with the aim of analyzing the mobile phishing threat landscape, the company found that attackers are successfully circumventing existing phishing protections to target the mobile devices. This circumvention of existing protections allows the attacker to expose sensitive data and personal information relatively easily. With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing campaign, unprotected emails on a mobile device are becoming the chosen attack vector for many such campaigns.

Late on April 7, reports began emerging that a significant number of Cisco switches located in Iran and Russia were being hijacked. The attack appears to have been done by a hacktivist group calling themselves “JHT” and may be in response to and in protest to election-related hacking. Cisco switches are network switches sold by the company. A network switch connects computers, printers, phones, cameras, lights, and servers in an office building or campus for example. A switch serves as a controller, enabling networked devices to talk to each other efficiently as opposed to a router which allows for connection to a particular network. The attack targeted internet service providers, data centers, and in turn some websites within Iran and Russia. It is yet unclear on how exactly the attack was carried out but it is believed the attacks involve a recently disclosed vulnerability (CVE-2018-0171).

While the Facebook and Cambridge Analytica saga still dominates most infosec headlines with an estimated 87 million user’s data exploited rather than the initial 50 million, those behind cyber attacks are still active. On April 4, Bloomberg reported that at least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down over the last few days. Three of those companies report that the shutdown was as a result of a cyber attack.  On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyber attack.” Previously, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29.

Based on several reports from research firms it would appear that AutoHotKey is been used in the creation of malware. AutoHotKey, often simply referred to as AHK, is an open-source scripting language developed for the Microsoft Windows operating system back in 2003. AHK was born when its creator tried and failed to add support for keyboard shortcuts (hotkeys) in AutoIt, a similar Windows scripting language. Since its creation, it has become a major Windows scripting language. Besides original support for remapping keyboard shortcuts, AutoHotKey is now a powerful system that can now interact with the local file system, monitor or close programs, set up scheduled tasks, but also important for the novice hacker it can automate repetitive operations inside third-party software packages. Added to that obvious advantage for the novice, AHK scripting language uses a simple syntax that even non-technical users can understand.

Based on the languages ease of use, ease of understanding, and the ability to automate repetitive operations AHK historically has been used by gamers to create aimbots, an auto-aim cheating tool used in first-person shooters. While being abused by gamers to try and get an edge a few have been at work subverting the language for hacking purposes. Researchers believe this may be the start of a new trend in malware development. This would certainly be the case when considering the recently published reports by Ixia and Cybereason.

Readers would be forgiven for thinking this an old news story from last year. However, as of Wednesday, March 28, 2018, the Seattle Times reported that Boeing, a world leader in aircraft design and their sales, was experiencing a WannaCry attack. The same WannaCry ransomware that made international headlines the year before.In May 2017 reports began surfacing of a ransomware worm that spread rapidly across numerous networks. The ransomware was dubbed WannaCry and once it infected a Windows-based system it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them. Based on that one would think it was just a run of the mill ransomware. There were, however, a few factors that made the new ransomware strain noteworthy. It struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government. All this combined made the attack a perfect cybercrime storm.

Since news broke surrounding the whole scandal involving Cambridge Analytica and their misuse of data provided by Facebook the story has evolved somewhat. The excellent work of investigative journalists who published the initial shocking report on the matter has now come to head with many vocal voices demanding the truth and eventually, justice for the betrayal of what they hoped was private. It is also felt that such abuse of the democratic principles held dear by many western governments needs to be bolstered to prevent such abuse in future. The article which follows details events in line with the public demanding answers to such questions as well as further details on how Facebook manages your data.