Category Archives: cyber attack

Cyber Security headlines of the week

Windows malware opens RDP ports on PCs for future remote access

Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.

THE SARWENT MALWARE

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers. Read more in

Easyjet Hack: it wasn’t just a few credit cards: Entire travel itineraries were stolen by hackers

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.

As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.

Read more in: https://www.theregister.co.uk/2020/05/22/easyjet_hack_victim_notification/

Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine.

According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual machine running a variant of Windows XP, called MicroXP. Then, once the crooks have infiltrated a victim’s network and gained administrative access – typically via a weak RDP box or through a compromised managed services provider – they download the VM, along with Oracle’s VirtualBox hypervisor to run it, on each machine they can get into.

Read more in https://www.theregister.co.uk/2020/05/22/byovm_ransomware_in_virtualbox/
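A SOC-side check for the bring-your-own-VM technique described above, added here as an example and not taken from Sophos or the article: it scans process-creation telemetry for VirtualBox binaries on hosts outside an assumed allowlist and raises confidence when the hypervisor installer and a headless VM launch both appear on the same host. The record format, host names, user names and allowlist are constructed; adapt the parser to your EDR or Sysmon export.

```python
import re

# Assumed inventory: the only hosts approved to run VirtualBox (constructed).
VBOX_ALLOWLIST = {"dev-ws-07"}

# VirtualBox binaries an attacker must drop on each victim to run a bring-your-own VM.
VBOX_IMAGE = re.compile(
    r"(?:^|\\)(virtualbox-[\d.]+-win|vboxheadless|vboxmanage|vboxsvc|virtualbox)\.exe$",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real logs): host|user|image|command_line
SAMPLE_LOG = r"""
fileserver-01|CORP\admin-svc|C:\Users\admin-svc\AppData\Local\Temp\VirtualBox-6.1.10-win.exe|VirtualBox-6.1.10-win.exe --silent
fileserver-01|CORP\admin-svc|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|VBoxManage.exe registervm C:\Temp\micro.vbox
fileserver-01|CORP\admin-svc|C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe|VBoxHeadless.exe --startvm micro
dev-ws-07|CORP\jsmith|C:\Program Files\Oracle\VirtualBox\VirtualBox.exe|VirtualBox.exe
hr-ws-22|CORP\mlee|C:\Windows\System32\notepad.exe|notepad.exe
"""

def parse_event(line):
    """Split one record into a dict, or return None for blank/malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("host", "user", "image", "cmd"), parts))

def detect_unexpected_vbox(log_text, allowlist=VBOX_ALLOWLIST):
    """Return {host: set of deployment stages} for VirtualBox use outside the allowlist."""
    stages = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        m = VBOX_IMAGE.search(ev["image"])
        if m is None or ev["host"].lower() in allowlist:
            continue
        name = m.group(1).lower()
        # install: hypervisor installer executed; run_vm: VM booted without a window
        stage = ("install" if name.startswith("virtualbox-")
                 else "run_vm" if name == "vboxheadless"
                 else "manage")  # VM registered/configured, or GUI launched
        stages.setdefault(ev["host"].lower(), set()).add(stage)
    return stages

def high_confidence_hosts(stages):
    """Hosts where the hypervisor was installed and then used to boot a VM."""
    return sorted(h for h, s in stages.items() if {"install", "run_vm"} <= s)
```

Hosts returned by `high_confidence_hosts` match the install-then-run sequence the article describes and merit an immediate isolation decision; a single `manage` hit is a lower-priority triage item.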

Twitter Bots: Roughly half the Twitter accounts pushing to ‘reopen America’ are bots.

As parts of the US have lifted shutdown orders during the COVID-19 pandemic, there’s been a fierce argument online about the risks and benefits of reopening. New research suggests that bots have been dominating that debate.

Read more in https://www.businessinsider.com/nearly-half-of-reopen-america-twitter-accounts-are-bots-report-2020-5?r=US&IR=T

Working from home: Cybersecurity tips for remote workers

One of the key measures to reduce the spread of Covid-19 is social distancing, which for many organisations means encouraging – or instructing – staff to work from home.

But moving at short notice from a trusted office environment to working remotely can create security risks. On top of this, nasty opportunist crooks are already using the coronavirus as subject matter for their phishing scams, hoping that the unwary will click through and hand over passwords or other data.

With the rapid increase in remote working in mind, European cybersecurity agency ENISA has set out a series of recommendations.

ENISA’s other security advice for home working for employees also includes:

  • Ensure your Wi-Fi connection is secure. While most Wi-Fi is correctly secured, some older installations might not be, which means people in the near vicinity can snoop on your traffic.
  • Ensure anti-virus is in place and fully updated.
  • Check all security software is up to date: Privacy tools, add-ons for browsers and other patches need to be checked regularly.
  • Have a back-up strategy and remember to follow it: All important files should be backed up regularly. In a worst-case scenario, staff could fall foul of ransomware, for instance, and without a backup all is lost.
  • Lock your screen if you work in a shared space: ENISA said workers should really avoid co-working or shared spaces at this moment and that social distancing is extremely important to slow down the spread of the virus.
  • Make sure you are using a secure connection to your work environment.
  • Check if you have encryption tools installed.

ENISA said employers should:

  • Provide initial and then regular feedback to staff on how to react in case of problems. That means info on who to call, hours of service and emergency procedures.
  • Give suitable priority to the support of remote access solutions. Employers should provide at least authentication and secure session capabilities (essentially encryption).
  • Provide virtual solutions. For example, the use of electronic signatures and virtual approval workflows to ensure continuous functionality.
  • Ensure adequate support in case of problems. This may require setting up special rotas for staff.
  • Define a clear procedure to follow in case of a security incident.
  • Consider restricting access to sensitive systems where it makes sense.

Siri and Google Assistant hacked in new ultrasonic attack

Abstract

Voice assistants – the demo targeted Siri, Google Assistant, and Bixby – are designed to respond when they detect the owner’s voice after noticing a trigger phrase such as ‘Ok, Google’.

Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves that humans can’t hear, provided the attacker has a line of sight to the device and the distance is short.

What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone is sitting, using a circular piezoelectric disc attached to the table’s underside.

Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

As explained in a video showcasing the method, a remote laptop uses a text-to-speech (TTS) module to produce simulated voice commands, which are then transmitted to the disc over Wi-Fi or Bluetooth.

The researchers tested the method on 17 different smartphone models from Apple, Google, Samsung, Motorola, Xiaomi, and Huawei, successfully deploying SurfingAttack against 15 of them.

Read more in

Russia Targeting US Energy and Other Critical Infrastructure Sectors

The Department of Homeland Security and the FBI issued a joint alert last week:

“Russian government cyber actors” have been targeting U.S. critical infrastructure sectors, including energy, nuclear and commercial facilities, since at least March 2016.

This alert is not about an ordinary data breach: it describes nation-state-sponsored cyber warfare, now aimed at the energy sector (e.g. the power grid), the lifeline of every citizen. Russia has done this before in Ukraine, and it is well documented. Recently, North Korea came close to succeeding in targeting an Indian nuclear plant. This looks like the beginning of a new norm in the complex information era.

The following techniques are being used:

  • spear-phishing emails (from compromised legitimate accounts),
  • watering-hole domains,
  • credential gathering,
  • open-source and network reconnaissance,
  • host-based exploitation, and
  • targeting industrial control system (ICS) infrastructure.

Systems Affected

  • Domain Controllers
  • File Servers
  • Email Servers
  • Power Grids

Read more in the document below, which also describes how the cyber activity unfolds in different stages.

https://www.us-cert.gov/ncas/alerts/TA18-074A

Read the alert’s General Best Practices Applicable to this Campaign section.

https://www.us-cert.gov/ncas/alerts/TA18-074A

NotPetya: Story of a Cyberwar

“Somehow the vulnerability of this Ukrainian accounting software affects the US national security supply of vaccines and global shipping?” asks Joshua Corman, a cybersecurity fellow at the Atlantic Council, as if still puzzling out the shape of the wormhole that made that cause-and-effect possible. “The physics of cyberspace are wholly different from every other war domain.”

In those physics, NotPetya reminds us, distance is no defense. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past 25 years, can, over a few hours on a summer day, bring it to a crashing halt.

The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. “To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyze Not­Petya. “By the second you saw it, your data center was already gone.”

——

On a national scale, NotPetya was eating Ukraine’s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a massive bombing of all our systems,” Omelyan says.

Read the extraordinary full story here:

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/