Cyber Round-up for 28th June
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Hackers have gained near-complete control of mobile carrier networks after infiltrating more than a dozen carriers, in a campaign that appears to date back to 2012. The attackers have been using that access to steal sensitive data and monitor subscribers, whilst having the potential to do far more; they had enough control to shut down communications if they wanted. Despite this, it is believed that the hackers care little about disruption and are focused on espionage. The attack appears targeted, as only a small portion of the users they could monitor actually had data stolen (likely high-profile military and government figures).
It appears that the hackers exploited old, unpatched vulnerabilities to get into the carriers, then moved across each network by attempting logins against every machine they could reach until some succeeded. This allowed them to create their own user accounts with escalated privileges, which they used to blend in as legitimate company staff. Researchers recommended that mobile carriers closely monitor high-privilege accounts and servers; subscribers themselves can do little to protect against being monitored at the carrier level.
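The recommendation above is to watch high-privilege accounts closely. The following is an added example, not code from the original post or from the researchers, showing the kind of detection a SOC could run over account-management events: it flags a privileged group membership granted to an account that was only just created, or granted outside working hours. The event records are constructed for the example (modelled loosely on Windows Security event IDs 4720 and 4728); the group names, the one-hour window and the off-hours range are assumptions you would tune to your own environment.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from any real incident. Field names are
# assumed: "id" mirrors Windows Security event IDs 4720 (account created) and
# 4728 (member added to a security-enabled global group).
SAMPLE_EVENTS = [
    {"time": "2019-06-20T02:14:05", "id": 4720, "target": "svc_backup2", "actor": "admin01"},
    {"time": "2019-06-20T02:14:40", "id": 4728, "target": "svc_backup2", "group": "Domain Admins", "actor": "admin01"},
    {"time": "2019-06-20T09:01:00", "id": 4720, "target": "j.smith", "actor": "helpdesk03"},
    {"time": "2019-06-20T09:02:30", "id": 4728, "target": "j.smith", "group": "Sales", "actor": "helpdesk03"},
    {"time": "2019-06-21T23:58:12", "id": 4728, "target": "olduser", "group": "Domain Admins", "actor": "admin01"},
]

# Assumed list of groups that should never gain members without review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NEW_ACCOUNT_WINDOW = timedelta(hours=1)   # assumed: "brand new" means created within the last hour
WORK_START, WORK_END = 6, 22              # assumed working hours; anything else is "off-hours"


def find_suspicious_privilege_grants(events):
    """Return one alert per privileged-group grant that is either given to a
    freshly created account or happens outside working hours."""
    created_at = {}   # account name -> creation time seen so far
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        if event["id"] == 4720:
            created_at[event["target"]] = when
            continue
        if event["id"] != 4728 or event["group"] not in PRIVILEGED_GROUPS:
            continue

        reasons = []
        birth = created_at.get(event["target"])
        if birth is not None and when - birth <= NEW_ACCOUNT_WINDOW:
            reasons.append("account created %ds earlier" % (when - birth).seconds)
        if not WORK_START <= when.hour < WORK_END:
            reasons.append("off-hours")
        if reasons:
            alerts.append({
                "time": event["time"],
                "account": event["target"],
                "group": event["group"],
                "actor": event["actor"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_privilege_grants(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts: `svc_backup2` (created and promoted to Domain Admins within 35 seconds, at 02:14) and `olduser` (promoted at 23:58). The normal helpdesk workflow for `j.smith` is left alone because Sales is not a privileged group.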
NASA recently revealed that around 500 MB of data was stolen from its Jet Propulsion Laboratory (JPL) by an attacker who got onto the network using a Raspberry Pi. The stolen files included details of the transfer of military technology, as well as space technology related to the Mars Science Laboratory mission. Auditors found that users were able to reach applications on JPL's network that they should not have had access to, meaning the attacker could gain the same access once inside. Because the system administrators did not effectively track devices added to the network, the hacker went undiscovered for a long time.
Upon discovery, NASA officials were worried that the attacker would be able to disrupt mission systems and intercept messages, and so they disconnected the Johnson Space Center from the core gateway. The Johnson Space Center is responsible for the ISS (International Space Station) programme, which puts the scale of the breach into perspective. The hacker went 10 months before being discovered, and was not the first to target NASA. The massive amount of data on cutting-edge technology has made NASA a profitable target for malicious actors over the years.
The bad actors responsible for the Wipro phishing attack have been spotted targeting several other big companies, including Expedia, Rackspace and Western Union. The hacker group is also responsible for a large campaign of phishing attacks intended to obtain cash from vulnerable businesses. The group was described as 'reasonably sophisticated', and it is believed that they used obscure phishing templates to carry out the attacks. The templates used in these attacks are identical to those marketed by the pentesting firm Lucy Security, although Lucy deny that their software products were used in the Wipro attack.
A new method of phishing that attackers are taking advantage of has recently been discovered. Commonly referred to as Calendar Phishing, it abuses the default Google Calendar settings, which automatically add invitations and events to a user's calendar, complete with any links in the description, even when the user has not responded to the invite. Victims are typically caught off guard, and are likely to dismiss the possibility of a link being malicious when it appears inside a trusted Google app. This method of phishing, although effective, can be prevented very easily: changing your event settings in Google Calendar so that invitations are no longer added automatically resolves the issue; details on how to do this are included in the original post.
A recent security failure resulted in WeTransfer, a popular online file sharing service, sending file transfer links to the wrong recipients, which could lead to unauthorised parties accessing sensitive files. Despite acknowledging the incident, WeTransfer did not reveal how many users were affected or who the emails were sent to, and it is also unclear whether this was a malicious attack or a mistake made by the company. Users are recommended to encrypt sensitive files before using file sharing services, and to share the link (or the decryption key) over a medium other than email.
Vulnerabilities & Updates
RAMBleed is a side-channel attack that lets an attacker read bits of memory they cannot access directly, by exploiting the Rowhammer reliability issue in DRAM cells: bit flips induced in the attacker's own rows depend on the values stored in neighbouring rows belonging to other processes. The attack has its limits, as reads are probabilistic and the attacker has to work out where the target data sits in physical memory, but the authors of the RAMBleed paper still managed to read OpenSSH private keys out of memory without root privileges. In response, OpenSSH has added key-shielding code: private keys held in memory are now encrypted at rest with a symmetric key derived from a large block of random data (a 16 KB "prekey"), and are only decrypted for the short time they are actually in use. An attacker now has to recover the entire prekey with perfect accuracy before they can decrypt the shielded key, so the window in which a usable key is exposed shrinks to the moment of use, making RAM-sniffing attacks much harder. The functions for the key-shielding code are included in the original post.
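To make the key-shielding argument concrete, here is an added example written for this round-up; it is not OpenSSH's code and is not taken from the original post. It mirrors the shape of the defence (random 16 KB prekey, SHA-512 to derive the symmetric key, plaintext key only exists while an operation runs) and then simulates a RAMBleed-style attacker who reads the prekey with a single bit wrong. Two assumptions are labelled in the code: the sample private key is constructed placeholder bytes, and a SHA-512 counter-mode keystream stands in for the AES-256-CTR cipher OpenSSH actually uses, which keeps the example dependency-free without changing the point.

```python
import hashlib
import secrets

PREKEY_LEN = 16 * 1024  # OpenSSH's prekey is 16 KiB of random data
# Constructed placeholder key material for the example; not a real key.
SAMPLE_PRIVATE_KEY = b"constructed-sample-private-key-material-not-a-real-key-" * 4


def derive_shield_key(prekey: bytes) -> bytes:
    """Hash the whole prekey down to the symmetric key (SHA-512, as OpenSSH does).
    Every bit of the prekey feeds the digest, so one wrong bit gives an unrelated key."""
    return hashlib.sha512(prekey).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-512. Assumption: this stands in for
    the AES-256-CTR that OpenSSH uses; the shielding logic around it is the same."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha512(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ShieldedKey:
    """Holds a private key encrypted at rest; plaintext exists only inside use()."""

    def __init__(self, private_key: bytes):
        self.prekey = secrets.token_bytes(PREKEY_LEN)
        stream = keystream(derive_shield_key(self.prekey), len(private_key))
        self.ciphertext = xor_bytes(private_key, stream)

    def use(self, operation):
        """Unshield, run the operation on the plaintext key, then wipe the buffer.
        (OpenSSH does the same in C with explicit_bzero; Python cannot guarantee
        the copy handed to `operation` is wiped, so this is best effort.)"""
        stream = keystream(derive_shield_key(self.prekey), len(self.ciphertext))
        plaintext = bytearray(xor_bytes(self.ciphertext, stream))
        try:
            return operation(bytes(plaintext))
        finally:
            for i in range(len(plaintext)):
                plaintext[i] = 0


def attacker_recovers(shielded: ShieldedKey, wrong_bits: int) -> bytes:
    """Simulate an attacker who read the prekey and the ciphertext through a
    RAMBleed-style side channel but got `wrong_bits` bits of the prekey wrong."""
    leaked_prekey = bytearray(shielded.prekey)
    for i in range(wrong_bits):
        pos = (i * 8191) % len(leaked_prekey)  # spread the errors across the prekey
        leaked_prekey[pos] ^= 1
    stream = keystream(derive_shield_key(bytes(leaked_prekey)), len(shielded.ciphertext))
    return xor_bytes(shielded.ciphertext, stream)


def fingerprint(key: bytes) -> str:
    """Stand-in for 'do something with the key' (e.g. signing) that needs the plaintext."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    sk = ShieldedKey(SAMPLE_PRIVATE_KEY)
    print("key at rest is plaintext:", sk.ciphertext == SAMPLE_PRIVATE_KEY)
    print("legitimate use works:", sk.use(fingerprint) == fingerprint(SAMPLE_PRIVATE_KEY))
    print("attacker with perfect read:", attacker_recovers(sk, 0) == SAMPLE_PRIVATE_KEY)
    print("attacker with one wrong bit:", attacker_recovers(sk, 1) == SAMPLE_PRIVATE_KEY)
```

The last two lines are the point: a perfect read of all 131,072 prekey bits plus the ciphertext does recover the key, but a single wrong bit yields garbage, and a probabilistic bit-reading attack has to get every one of those bits right within the short window before the key is used and re-shielded.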
And that's it for this week's round-up; please don't forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #47 – 28th June 2019
Ironshare – Security Simplified