Cyber Weekly Flash Briefing 17 July 2020: Major US Twitter accounts hacked, Malware in Chinese Tax Software, NK steals $2bn through cyber heists, Counterfeit Cisco kit, Windows DNS vulns, Citrix vuln
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Major US Twitter accounts hacked in Bitcoin scam
Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam.
The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.
"Everyone is asking me to give back," a tweet from Mr Gates' account said. "You send $1,000, I send you back $2,000."
The US Senate Commerce committee has demanded Twitter brief it about the incident next week.
Twitter said it was a "co-ordinated" attack targeting its employees "with access to internal systems and tools".
"We know they [the hackers] used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said in a series of tweets.
It added that "significant steps" had been taken to limit access to such internal systems and tools while the company's investigation was ongoing.
The firm has also blocked users from being able to tweet Bitcoin wallet addresses for the time being.
Read more here: https://www.bbc.co.uk/news/technology-53425822
More Malware Found Hidden in Chinese Tax Software
A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.
The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.
China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.
Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.
Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.
The malware, while functionally different to GoldenSpy, has a similar delivery mechanism and it utilises three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.
It also uses multiple techniques to hide its presence and activity, including randomization of name whilst in transit and of file system location, timestomping, IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.
Read more here: https://www.infosecurity-magazine.com/news/more-malware-hidden/
How North Korea’s army of hackers stole $2bn through cyber bank heists
Towards the end of last year, a series of seemingly innocuous LinkedIn messages were sent to employees of aerospace and military companies in the UK, Europe and the Middle East. Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more about the opportunities.
The file contained a list of available jobs and the salaries for each role. While recipients read through the list of highly paid positions, their computers were silently taken over by hackers who implanted software that allowed them to peer through all of their files and emails.
The lucrative jobs weren’t real, and neither were the recruiters. Instead the messages were sent by Lazarus, a notorious North Korean hacking group, which in 2014 had managed to break into the servers of Sony Pictures and in 2017 brought parts of the NHS to a standstill during the WannaCry ransomware attack.
Once the hackers had gained access to their target’s computer, the fake LinkedIn profiles vanished.
One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.
This cyber attack is a typical example of North Korea’s unique approach to hacking. As well as attacks to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.
A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funneled into the regime’s missile development programmes.
Cut off from almost all of the world’s financial systems, North Korea has for years relied on a series of illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also funded hundreds of its own digital bank heists.
Read more here: https://www.telegraph.co.uk/technology/2020/07/12/north-koreas-army-hackers-stole-2bn-cyber-bank-heists/
UK ‘on alert for China cyber attack’ in retaliation for Hong Kong
The government must be alert to potential cyber attacks from countries such as China, ministers have said as tensions increase between London and Beijing.
Last month relations between the UK and China soured after Boris Johnson pledged to offer refuge to millions of Hong Kong citizens if the country implements its planned national security law. The government is also reported to have ‘changed its view’ on plans for Chinese tech company Huawei to play a role in developing the UK’s 5G network due to growing unease over security risks.
Now senior sources claim the worsening ties could see Britain be targeted by Chinese-backed hackers in a so-called ‘cyber 9/11’. This could damage computer networks, cause power and phone blackouts and bring hospitals, government and businesses to a standstill.
Britain’s National Cyber Security Centre says it is not ‘expecting’ a rise in attacks. However, one senior minister said the threat was ‘obviously part of conversations’, but added that ‘all risk must be looked at in the round’.
Read more: https://metro.co.uk/2020/07/12/ministers-fear-cyber-attack-uk-relations-worsen-china-12978970/
Ransomware warning: Now attacks are stealing data as well as encrypting it
There's now an increasing chance of getting your data stolen, in addition to your network being encrypted, when you are hit with a ransomware attack – which means falling victim to this kind of malware is now even more dangerous.
The prospect of being locked out of the network by cyber criminals is damaging enough, but by leaking stolen data, hackers are creating additional problems. Crooks use the stolen data as leverage, effectively trying to bully organisations who've become infected with ransomware into paying up – rather than trying to restore the network themselves – on the basis that if no ransom is paid, private information will be leaked.
Ransomware groups like those behind Maze and Sodinokibi have already shown they'll go ahead and publish private information if they're not paid and now the tactic is becoming increasingly common, with over one in ten attacks now coming with blackmail in addition to extortion.
Organisations in the legal, healthcare and financial sectors are among the most targeted by these campaigns, based on the assumption that they hold the most sensitive data.
Read more here: https://www.zdnet.com/article/ransomware-warning-now-attacks-are-stealing-data-as-well-as-encrypting-it/
Stop Ignoring Two-Factor Authentication Just Because You’re Lazy
A large number of people and businesses are missing out on a simple, effective online security solution by ignoring two-factor authentication (2FA), also called multi-factor authentication (MFA). The only requirement is to enter a code or press a button on a separate device from the one being used, yet for many, that effort seems too great. Laziness literally becomes the weakest point in their data protection systems.
If this sounds familiar, it’s time to change, as 2FA strengthens the security of all-important apps, including those where you share financial details such as banking and shopping apps – but to work, it has to be used.
Read more here: https://www.infosecurity-magazine.com/opinions/authentication-lazy/
Russian hackers ‘try to steal vaccine research’ in cyber attack on labs
Hackers linked to Russian intelligence agencies are targeting British scientists seeking to develop a coronavirus vaccine, spooks in the US, UK and Canada have warned.
In a joint statement Britain’s National Cyber Security Centre (NCSC), the US National Security Agency and the Canadian Communication Security Establishment, said that the APT29 hacking group, also known as the ‘Dukes’ or ‘Cozy Bear’ has been hitting medical organisations and universities with cyber attacks which they believe have had the Kremlin’s blessing.
These attacks are part of a global campaign to steal research secrets of research. While the institutions targeted have not been revealed, the UK is home to two of the world’s leading coronavirus vaccine development programmes based at Oxford University and Imperial College London.
Read more: https://metro.co.uk/2020/07/16/russian-hackers-launch-cyber-attack-uk-vaccine-researchers-12998769/
Counterfeit Cisco switches raise network security alarms
In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report.
researcher say their investigators found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.
Vulnerability in Windows DNS servers
Microsoft has reported a critical vulnerability in Windows DNS server under CVE-2020-1350.
Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cyber criminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already released patches and a workaround.
The vulnerability lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the RCE class. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.
Installing the Microsoft patch modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004.
Read more here: https://www.kaspersky.com/blog/cve-2020-1350-dns-rce/36366/
Threat actors are scanning the Internet for Citrix systems affected by the recently disclosed vulnerabilities.
This week Citrix has addressed 11 vulnerabilities affecting the ADC, Gateway, and SD-WAN WANOP networking products. The vulnerabilities could be exploited by attackers for local privilege escalation, to trigger a DoS condition, to bypass authorization, to get code injection, and to launch XSS attacks.
Some of the addressed flaws could be exploited only if the attackers have access to the targeted system and request user interaction, or other conditions must be verified. For this reason, Citrix believes the flaws are less likely to be exploited.
Now, hackers are scanning the web for systems affected by the recently disclosed Citrix vulnerabilities.
Read more here: https://securityaffairs.co/wordpress/105776/hacking/vulnerable-citrix-systems-scan.html
Iranian Spies Accidentally Leaked Videos of Themselves Hacking
A security team obtained five hours of Iranian state actor group APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.
Normally security researchers need to painstakingly piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and upload the video to an unprotected server on the open internet. Which is precisely what a group of Iranian hackers may have unwittingly done.
Read more here: https://www.wired.com/story/iran-apt35-hacking-video/
Amazon-Themed Phishing Campaigns Swim Past Security Checks
A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.
Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.
Researchers recently spotted a pair of savvy campaigns leveraging Amazon: A credential-phishing attempt using a purported Amazon delivery order failure notice; and a voice phishing (vishing) attempt also using Amazon delivery order. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters that are aimed at gaming traditional email security efforts, researchers said.
Read more here: https://threatpost.com/amazon-phishing-campaigns-security-checks/157495/
Malicious Router Log-Ins Soar Tenfold in Botnet Battle
Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.
According to the latest research from Trend Micro “Worm War: The Botnet Battle for IoT Territory”, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible, to conscript into botnets.
The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.
The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.
Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to the data.
The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.
Read more here: https://www.infosecurity-magazine.com/news/malicious-router-logins-soar/