Cyber Round-up for 11th March
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The NCSC and the CPNI have come together for the first time to provide guidance on how to secure data centres. The document is designed to help users and operators of data centres understand threats that they might face and even includes mitigation techniques for them to use. This security strategy will allow data centres across the country to be more aware of the dangers and consequences of hackers and provide suitable protective measures that go beyond the current legislation.
In December, Gloucester City Council was a victim of a cyber-attack where a system breach affected online services. The hack, which has been linked to Russian hackers, gained the attention of the NCSC and the NCA, who are helping the council bring its core systems back online and identify the perpetrators. The council’s reserve of £380,000 and an additional £250,000 from a government grant are thought not to be enough to cover the cost of repairing the damage from the attack. Jeremy Hilton, leader of the Liberal Democratic group, has said “I suspect the £630,000 already put aside is not nearly enough. I expect many council services to continue to suffer.” It is important to understand the need for cyber security and the potential financial losses a cyber-attack of this nature can cause.
A recent string of cyber-attacks against Ukrainian government agencies has been reported. The attacks have reportedly been targeting government agency devices using the MicroBackdoor malware, a piece of software that utilises command and control capabilities to steal information, initiate a ransomware attack, or even move across the network and infect other devices.
Other reports from across eastern Europe describe sightings of a new data-wiper malware called HermeticWiper infecting machines and destroying information. These kinds of cyber-attacks are expected to become more frequent and damaging as tension between Russia and Ukraine continues to escalate.
Samsung recently announced that a group of cybercriminals, known as Lapsus$, had successfully breached their systems, and were able to steal 190GB of confidential code. According to the attackers, the stolen data contains “Galaxy biometric authentication algorithms and bootloader source code”. We do not currently have an exact timeline of the breach, but it was initially discovered on 4th March after Lapsus$ revealed its plans to leak Samsung’s data. The breach was later confirmed by Samsung on 7th March. Not much more is known about the attack or the group behind it at this point in time, but we will provide updates when more information is made publicly available.
Vulnerabilities & Updates
Firefox has recently patched two vulnerabilities that are known to be actively exploited in the wild. The out-of-band patch was pushed to users in order to protect their machines from hackers utilising the use-after-free vulnerabilities. These two vulnerabilities are:
• CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free
• CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape
We recommend that any Firefox users update immediately to be protected from these actively exploited vulnerabilities.
A critical vulnerability in Azure Automation Service has been discovered by Orca Security. The vulnerability, known as AutoWarp, allows an attacker to gain unauthorised access to the accounts of other Azure customers who also use Azure Automation Service. The flaw allowed interaction with an internal server that manages other customers; through this, authentication tokens could be stolen and used to authenticate to another account, potentially allowing for full control over the resources and data belonging to it. If you have used Azure Automation Service before and have the managed identity feature enabled (enabled by default), then you were likely vulnerable to this exploit. Microsoft have since worked with Orca to swiftly fix the issue.
Researchers have found multiple flaws with Amazon’s Echo devices. The Bluetooth speakers integrated within the device can be connected to and used to command Alexa to carry out instructions such as purchasing products or unlocking doors.
When the wake-up word is said, the device turns down its volume. However, researchers have found a flaw, which they are calling the “full volume vulnerability”, that allowed them to bypass this feature and issue commands. Verbal confirmation is required after a sensitive request, but it was found that making the device say “yes” 6 seconds after the command would bypass this, allowing an attacker to send much longer commands.
The one limitation of this attack is that the Amazon Echo would need to be readied in advance, or an attacker would need to be near the device and connect to it through Bluetooth.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #181 – 11th March 2022
Ironshare – Security Simplified