Cyber Round-up for 19th April
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.
In this week’s round-up:
- Easter Attack on Apple iOS
- EA’s Origin Client Exposes Gamers to Malicious Activity
- Microsoft-based Email Accounts Compromised
- Cisco Talos: Sea Turtle DNS Hijacking Campaign
- Facebook Grabs Email Contacts for 1.5million Users
Easter Attack on Apple iOS
An unpatched bug in the Google Chrome browser on iOS is being exploited by cybercriminals targeting Apple devices. The attack is being spread via a malvertising campaign timed for the Easter period, when iOS users are expected to be browsing more on their devices.
The exploit hijacks browser sessions by redirecting the user to another site, pop-up or landing page. If the user clicks on one of these redirected sites or pages, a malicious payload is downloaded to the device and compromise can occur.
The exploit also uses sandbox evasion techniques to ensure that these pop-ups are not blocked, bypassing the security mechanisms that are in place to prevent redirections.
According to ThreatPost, although the campaign has only been running for a few days, it is highly active in the US, with activity also seen across Europe, and could affect up to half a billion user sessions.
Apparently this threat is not confined to Google Chrome and may also affect the Safari browser, but information on this is limited.
Please stay vigilant this Easter Bank Holiday, as attackers take advantage of extended holiday periods, when fewer people are watching, to go undetected.
Be careful what you click, especially when presented with pop-ups and redirects to other sites.
EA’s Origin Client Exposes Gamers to Malicious Activity
Researchers at Underdog Security have identified a security flaw in Electronic Arts' Origin gaming client that could allow an attacker to launch malicious code on a gamer's computer.
The Origin client app is used to buy and download games from Electronic Arts and is in use by millions of gamers worldwide.
The researchers discovered that the Origin app, running on Windows PCs, could be tricked into running any other app on the victim's computer. They have provided proof-of-concept code and video footage showing the exploit launching the Windows Calculator app.
Their investigation shows that common attack techniques using PowerShell could be used to compromise a target machine, resulting in the download and installation of other malicious code, such as ransomware.
EA have issued a fix for this vulnerability and users are urged to update the client as soon as possible.
Microsoft-based Email Accounts Compromised
Earlier this week Microsoft confirmed they had discovered a breach of their web-based email platforms that resulted in the compromise of numerous customer email accounts.
Although the number of users impacted is said to be limited, the breach affected multiple services including MSN, Hotmail and Outlook.com, between 1st January 2019 and 28th March 2019.
Enterprise accounts using paid-for services were apparently not impacted by this breach.
The initial breach came down to one of Microsoft's support agents having their credentials stolen, which allowed a remote attacker to gain access to customer email accounts.
Upon detection, Microsoft notified the affected users, disabled the compromised credentials and put controls in place to prevent any further access by the attacker.
These types of account compromise are now all too common as more people and organisations move to web and cloud-based services. Never assume that just because you are moving to the cloud these services are fully secure. Always review and understand the security that is in place so you can fill any gaps that exist.
Email phishing attacks are the primary method used by attackers to steal user credentials (usernames and passwords). Always check emails thoroughly to ensure they are from a trusted source and never click on misspelt or suspicious links. If in doubt about an email, just delete it.
Cisco Talos: Sea Turtle DNS Hijacking Campaign
A new DNS hijacking campaign has been discovered by the Cisco Talos research team, which has been targeting national security, public and private sector organisations since early 2017.
The campaign, dubbed 'Sea Turtle' by Talos, has been primarily focused on countries in the Middle East and North Africa, and has so far impacted at least 40 organisations across 13 different countries. In addition, a secondary group of victims has also been targeted, including Internet Service Providers and domain registrars.
DNS hijacking is a technique that allows an actor to take control of an organisation's domain name space, giving them the ability to redirect that organisation's traffic to attacker-controlled servers.
Talos believe this is the work of a state-sponsored actor seeking persistent access to its targets' network environments, with the goal of gaining access to sensitive information and intelligence. These are highly capable actors, responsible for the first confirmed case of a domain name registry compromise.
Organisations typically forget about securing external services such as DNS, but these are an easy target if not included in your overall security strategy. Where available, implement Multi-Factor Authentication (also known as Two-Factor Authentication or Two-Step Verification) on your external DNS and registrar accounts. As per the Talos recommendations, you can also consider a registry lock service, which requires separate authentication or approval before changes to the domain's registration data, such as its nameservers, can be made.
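The hijacking described above shows up as a change in the records the world sees for your domains, so alongside MFA and a registry lock it is worth monitoring for drift against a known-good baseline. The following is an added example written for this round-up, not code from Ironshare or Cisco Talos. The zone names, baseline records and "observed" answers are constructed for illustration; in practice the observed set would come from live lookups (for example with dnspython) taken from several vantage points, since a hijacked registrar or registry changes what every resolver returns.

```python
"""DNS record drift check against a known-good baseline (added example)."""

# Severity reflects what an attacker gains: a changed NS delegation hands
# over the whole zone, a changed A or MX redirects a single service.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "TXT": "medium"}


def normalise(values):
    """Case- and order-insensitive set of record data, trailing dots stripped,
    so that legitimate cosmetic differences between resolvers do not alert."""
    return frozenset(v.strip().lower().rstrip(".") for v in values)


def check_zone(zone, baseline, observed):
    """Compare the observed records for one zone against its baseline.

    baseline / observed: {"NS": [...], "A": [...], "MX": [...], ...}
    Returns a list of finding dicts; an empty list means no drift.
    A record type missing from `observed` is reported as fully removed.
    """
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = normalise(baseline.get(rtype, []))
        seen = normalise(observed.get(rtype, []))
        if expected == seen:
            continue
        findings.append({
            "zone": zone,
            "type": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "added": sorted(seen - expected),
            "removed": sorted(expected - seen),
        })
    return findings


def check_all(baselines, observations):
    """Run check_zone over every zone in the baseline."""
    findings = []
    for zone, baseline in baselines.items():
        findings.extend(check_zone(zone, baseline, observations.get(zone, {})))
    return findings


# Constructed sample data (documentation names and 192.0.2.0/24 addresses).
BASELINE = {
    "example.com": {
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example.com."],
    },
    "corp.example.org": {
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "A": ["192.0.2.20"],
    },
}

OBSERVED = {
    # Delegation and mail host both point elsewhere: the signature of a
    # registrar-level hijack rather than a single mis-typed record.
    "example.com": {
        "NS": ["ns1.rogue.example.", "ns2.rogue.example."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.rogue.example."],
    },
    # Same data as the baseline in different case and order: must not alert.
    "corp.example.org": {
        "NS": ["NS2.EXAMPLE.NET", "ns1.example.net"],
        "A": ["192.0.2.20"],
    },
}


if __name__ == "__main__":
    for f in check_all(BASELINE, OBSERVED):
        print(f"[{f['severity'].upper()}] {f['zone']} {f['type']}: "
              f"+{f['added']} -{f['removed']}")
```

Running the script reports the changed MX and NS records for example.com and nothing for corp.example.org. The severity ordering is the point: an NS change means the registrar or registry account, not just a zone record, needs to be treated as compromised.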
Facebook Grabs Email Contacts for 1.5million Users
Well, it wouldn't seem a normal week without mentioning another Facebook privacy issue. This time the social media giant is being criticised for harvesting the email contact information of 1.5 million new users.
We mentioned in a previous issue that Facebook were requesting access to new users' email accounts in order to verify their identity. From this latest issue it seems that verification was not the only reason they wanted that access.
As part of this verification process, which appears to have run for almost 3 years, Facebook took copies of the contact lists from those email accounts without the explicit permission of the user.
Facebook have stated that they have now changed the way they process new users and that email contacts are no longer being uploaded to its platform.
What is evident is that users are no longer willing to tolerate the poor privacy and data handling practices of Facebook, with approximately 15 million users in the US alone closing their accounts in the last 2 years and looking for alternative social media platforms.
And that's it for this week's round-up. We hope you have a happy Easter and enjoy the bank holiday weekend. Please don't forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #37 – 19th April 2019
Ironshare – Security Simplified