Cyber Round-up for 22nd April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Russian Hackers Responsible for Energy Plant Cyber Attacks Named by FBI

Four Russian hackers have been named by the FBI for their involvement in attacks on energy companies around the world. Most recently, they have been linked to an attack on a petrochemical plant in Saudi Arabia which “had the capability to cause significant impact” and could potentially have resulted in many deaths. The four men are also accused of breaking into US infrastructure and targeting UK energy companies; while those intrusions were not as serious as the Saudi attack, they put the group firmly on the FBI’s radar.


Downing Street Systems Infected with Spyware

A Canadian investigative group has been looking into an incident in which the Pegasus spyware reportedly made its way onto Downing Street and Foreign Office computer systems. Pegasus is made by the NSO Group, which markets it to government agencies for investigating terrorism and serious crime. The Downing Street infection has been linked to operators in the UAE; the NSO Group denies the allegations and claims to have had no involvement.


iCloud Hackers Stole $650,000 from Victim’s Cryptocurrency Wallet

Users of MetaMask, a cryptocurrency wallet, are being warned about backing up to Apple’s iCloud after hackers stole $650,000 worth of cryptocurrency from one user. Domenic Lacovone disclosed that he was the victim of attackers impersonating Apple Support staff. He received multiple spoofed messages and phone calls asking him to reset his Apple ID password; after he did, a further call asked for the one-time verification code he had just received as part of the reset. That code gave the attackers access to his iCloud data, which included MetaMask app data containing his recovery phrase, passwords and private keys, and from there to his MetaMask account. This app data is included in iCloud backups by default, so MetaMask users are advised to check their iCloud backup settings, and to treat any unsolicited call asking for a verification code as an attack: no legitimate support process needs that code.


Beanstalk Cryptocurrency loses $182 million to hackers

Beanstalk is a decentralised finance project that balances the supply and demand of its cryptocurrency. Users deposit funds into a pool called “the silo” in return for tokens called “beans”. A governance mechanism lets users vote on changes to the code, with votes weighted in proportion to the tokens they hold. Flash loans allow users to borrow very large amounts of cryptocurrency for the duration of a single transaction, usually to provide liquidity or exploit price differences, but they are also used for attacks. The attackers took out flash loans of around $1 billion in cryptocurrency, bought enough beans to hold a super-majority, and voted through a proposal whose code transferred the protocol’s funds to their own wallet. They then repaid the loans and walked away with a net total of around $80 million. The root cause is that voting power was measured from current balances and the proposal could be executed immediately, so tokens held for the few seconds of a flash loan counted in full. The whole attack ran in a single transaction and took less than 13 seconds; Beanstalk’s founders have said a bailout is “highly unlikely”. Many users are understandably unhappy, having lost tens of thousands of dollars’ worth of deposited cryptocurrency.
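To make the mechanism concrete, here is an added toy model (not Beanstalk’s code; the holdings, treasury size and loan size are constructed) of token-weighted governance. It shows a flash loan buying a super-majority inside one transaction, and why two defences are needed together: a vote-weight snapshot taken when a proposal is created, and a delay between proposal and execution that a single transaction cannot span.

```python
"""Toy model of token-weighted governance showing how a flash loan can buy a
super-majority inside one transaction, and why both a vote-weight snapshot and an
execution delay are needed to stop it. Constructed example; it is not Beanstalk's
code and the balances are illustrative."""
import copy
from dataclasses import dataclass

# Constructed holdings: the attacker honestly owns 1% of the governance tokens.
HOLDINGS = {"attacker": 10, "alice": 500, "bob": 490}
TREASURY = 1_000_000                         # value the malicious proposal sends to the attacker
FLASH_LOAN = 10 * sum(HOLDINGS.values())     # tokens borrowed for the duration of one transaction
SUPERMAJORITY = 2 / 3                        # share of voting power needed to execute a proposal


class Reverted(Exception):
    """Stands in for an EVM revert: every state change in the transaction is discarded."""


@dataclass
class Proposal:
    snapshot: dict      # balances when the proposal was created
    created_at: int     # block number of creation
    votes_for: int = 0


class Governance:
    def __init__(self, snapshot_votes, delay_blocks):
        self.balances = dict(HOLDINGS)
        self.snapshot_votes = snapshot_votes   # weigh votes by the balance at proposal time?
        self.delay_blocks = delay_blocks       # blocks that must pass before execution
        self.treasury = TREASURY
        self.loot = 0                          # what the attacker has extracted
        self.block = 0
        self.proposals = {}

    def propose(self, pid):
        self.proposals[pid] = Proposal(dict(self.balances), self.block)

    def vote(self, pid, voter):
        p = self.proposals[pid]
        weights = p.snapshot if self.snapshot_votes else self.balances
        p.votes_for += weights.get(voter, 0)

    def execute(self, pid, payload):
        p = self.proposals[pid]
        weights = p.snapshot if self.snapshot_votes else self.balances
        if p.votes_for < SUPERMAJORITY * sum(weights.values()):
            raise Reverted("no super-majority")
        if self.block - p.created_at < self.delay_blocks:
            raise Reverted("execution delay not elapsed")
        payload(self)


def flash_loan(gov, borrower, amount, body):
    """Lend `amount` for the duration of `body`; revert everything if it fails or cannot repay."""
    state = copy.deepcopy(gov)
    state.balances[borrower] = state.balances.get(borrower, 0) + amount
    try:
        body(state)
        if state.balances[borrower] < amount:
            raise Reverted("loan not repaid")
        state.balances[borrower] -= amount
    except Reverted as why:
        return gov, str(why)        # transaction reverted: the original state stands
    return state, "ok"


def drain(state):
    """The malicious proposal: move the treasury to the attacker."""
    state.loot += state.treasury
    state.treasury = 0


def run_attack(snapshot_votes, delay_blocks, propose_inside_loan):
    """Return (attacker profit, outcome). The proposal is created either in an earlier block
    with the attacker's honest balance, or inside the flash-loan transaction itself."""
    gov = Governance(snapshot_votes, delay_blocks)
    if not propose_inside_loan:
        gov.propose("drain")
        gov.block += 1              # the loan happens in a later block

    def body(state):
        if propose_inside_loan:
            state.propose("drain")  # the snapshot now includes the borrowed tokens
        state.vote("drain", "attacker")
        state.execute("drain", drain)

    final, outcome = flash_loan(gov, "attacker", FLASH_LOAN, body)
    return final.loot, outcome


if __name__ == "__main__":
    for design in [(False, 0, False), (True, 0, True), (True, 1, True), (True, 1, False)]:
        print(design, run_attack(*design))
```

The four runs show the point: the naive design loses the treasury; a snapshot on its own still loses it if the attacker creates the proposal while holding the borrowed tokens; and only the snapshot combined with an execution delay leaves the attacker with nothing, whichever way the proposal is created, because the loan must be repaid before the delay can elapse.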


Funky Pigeon Reports “Cybersecurity Incident”

Funky Pigeon, an online business for creating and sending personalised greetings cards, was recently hit by a cyberattack. The company says customer banking details are safe, as payments are processed “via accredited third-parties and is securely encrypted”. It is still investigating whether other personal data, such as names, addresses, e-mail addresses and personalised card and gift designs, was accessed. Beyond this, Funky Pigeon has offered no further information on the attack, and cards remain unavailable for purchase until systems are restored and the breach has been investigated and remediated.


Vulnerabilities & Updates

Java Encryption Flaw Allows Credential Forging

A vulnerability was recently found in the Java JDK that could allow an attacker to easily forge counterfeit credentials. The flaw (CVE-2022-21449) is in ECDSA signature verification rather than encryption: the JDK’s rewritten elliptic-curve code never checked that the signature values r and s lie in the valid range, so a signature consisting of all zeros is accepted as valid for any message under any key. Anything that trusts ECDSA-signed data, such as JWTs, SAML assertions, WebAuthn responses or TLS handshakes, could therefore be forged. It affects JDK 15 through 18 before the fixed releases; a patch was made available on the 19th April, and we highly recommend applying the latest update for both Oracle Java and OpenJDK to ensure you are not at risk of exploitation.
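The following is an added toy ECDSA implementation over NIST P-256 in plain Python, not the JDK’s code, that reproduces the shape of the flaw: the same verifier is run with and without the range check on r and s, and the faulty arithmetic is mimicked by treating the inverse of 0 as 0 and the point at infinity as having x = 0. The private key, message and nonce derivation are constructed for the demonstration.

```python
"""Toy ECDSA over NIST P-256 showing why a missing range check on the
signature values (r, s) lets an all-zero signature verify. Constructed
example in plain Python, not the JDK source; it only mimics the faulty
arithmetic (inverse of 0 treated as 0, the point at infinity compared as x = 0)."""
import hashlib

# NIST P-256 domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + b; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, point):
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    # Nonce derived from key and message so the example is deterministic (not RFC 6979).
    k = hash_to_int(priv.to_bytes(32, "big") + msg) % N or 1
    r = scalar_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * priv) % N
    return (r, s)


def verify(pub, msg, sig, check_range):
    """check_range=False reproduces the flaw: r and s are never required to be in [1, N-1]."""
    r, s = sig
    if check_range and not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N) if s % N else 0           # flawed arithmetic: inverse of 0 yields 0
    u1 = hash_to_int(msg) * w % N
    u2 = r * w % N
    R = point_add(scalar_mul(u1, G), scalar_mul(u2, pub))
    x = 0 if R is None else R[0]                # infinity compared as if its x were 0
    return x % N == r % N


# Constructed key and message for the demonstration.
PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
PUB = scalar_mul(PRIV, G)
MESSAGE = b'constructed token payload: {"sub":"admin"}'
ZERO_SIG = (0, 0)                              # the all-zero "psychic" signature


def demo():
    genuine = sign(PRIV, MESSAGE)
    return {
        "genuine_ok": verify(PUB, MESSAGE, genuine, check_range=True),
        "tampered_rejected": not verify(PUB, b"other message", genuine, check_range=True),
        "zero_sig_flawed": verify(PUB, MESSAGE, ZERO_SIG, check_range=False),
        "zero_sig_fixed": verify(PUB, MESSAGE, ZERO_SIG, check_range=True),
    }


if __name__ == "__main__":
    print(demo())
```

With s = 0 the flawed path computes u1 = u2 = 0, so R is the point at infinity, whose “x” of 0 matches r = 0 for every message and key; the single range check at the top of verify is what the fix amounts to. Real ECDSA libraries also reject r or s of 0 for the same reason, and a quick way to test a deployed verifier is to feed it a zero signature and confirm it is rejected.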


Windows Print Spooler Flaw Being Actively Exploited

CISA’s list of actively exploited vulnerabilities recently gained three new additions, one of which is a privilege escalation bug in the Windows Print Spooler. Rated high severity, it affects all supported versions of Windows and was addressed in the February 2022 Patch Tuesday; proof-of-concept code has since been released, and exploitation is straightforward with no user interaction required. Where a system does not need to print, disabling the Print Spooler service removes this attack surface entirely; everywhere else, make sure the February (or later) cumulative update is installed. The other two additions to CISA’s list are a cross-site scripting flaw in the Zimbra Collaboration Suite and a stack buffer overflow in WhatsApp’s VOIP stack.

More details on these can be found in CISA’s Known Exploited Vulnerabilities catalogue and, as always, we recommend applying the latest updates available as soon as possible.


Log4Shell AWS Patch Vulnerable to Exploits

AWS recently released several hot-patch tools that look for vulnerable Java applications or containers and patch them automatically. These were designed in response to the Log4Shell flaw and can be used in any cloud or on-prem environment, not just AWS. While this sounds like a great idea, the hot patches have already run into problems, some of which were discovered by Unit 42. The patching service searched for Java processes and ran binaries from inside the containers as a privileged process on the host, without applying the containers’ namespaces or privilege restrictions. Unit 42 found that installing the patching service on a server or cluster therefore lets any container on it, including one running a malicious image, have its code executed as root on the host and take it over; installed on a Kubernetes cluster, every container is able to escape. Anyone who has installed one of these hot patches is advised to upgrade to the new fixed version to ensure you are not exposed to the issues detailed above.


And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #186 – 22nd April 2022

Ironshare – Security Simplified