Cyber Round-up for 5th July
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Following a recent security incident, Microsoft has announced the introduction of mandatory multi-factor authentication for Cloud Solution Providers. CSPs typically offer licences at a lower price than Microsoft does, as well as providing management services, making them appealing to most companies. For this reason, one company opted to partner with PCM Inc., the world’s sixth largest CSP, which managed the initial setup of Office 365 for them. One PCM employee retained full access to all of the company’s files in Office 365 after the initial setup, without the security team realising. This employee, who was not using multi-factor authentication, was later hacked, leaving the Office 365 documents exposed. By forcing CSPs to use MFA, Microsoft hopes to prevent these kinds of incidents from happening in the future.
Equifax suffered a massive data breach back in 2017 that allowed attackers to steal the names, addresses, social security numbers and dates of birth of over 150 million consumers. The Equifax IT team was aware of the vulnerability for around 5 months before the breach occurred but failed to patch it. The company kept the breach secret for 40 days before revealing it to the public. During this time, the man next in line to be global CIO of Equifax, Jun Ying, used the confidential information of the breach to sell his shares for almost US $1 million before the public learned of the incident. Ying was sentenced to four months in federal prison for insider trading and was fined accordingly.
Warnings have been issued by the Canadian Communications Security Establishment regarding the upcoming elections. The CSE believes that foreign actors have attempted to influence the country’s October election. The accusation was supported by the Canadian Security Intelligence Service (CSIS), which issued similar warnings. It was unclear from the reports which groups were attempting to tamper with the elections, but it was said that threat actors were seeking to influence the Canadian public ahead of the voting period.
The telecoms regulator, Ofcom, plans to introduce a new way to switch UK mobile operators; its new “text-to-switch” system does not require mobile users to speak with their existing provider, which makes the process much less painful. Instead, you text the word “PAC” to the number 65075 and receive a code that can be used to switch providers. Despite being a much easier alternative to the older methods, this process opens up the possibility of a significant increase in fraud for mobile users. It provides attackers with another easy route to SIM swapping, further threatening mobile and online account security, including the compromise of two-factor authentication services that rely on SMS text messages.
It isn’t a secret that ATMs aren’t very secure, which makes them easy, profitable targets for attackers. We have recently seen a rise in new ATM attacks that threaten users and potentially their bank cards. One of these attacks is jackpotting, which involves making a hole in the machine to plug a laptop into the ATM; this can then be used to force money out of the machine. Thanks to the ATMs’ minimal encryption, this is extremely easy for attackers to pull off. Another attack that is on the rise is shimming, which uses a thin insert in the card reader to steal data from chip-enabled cards. The equipment required makes this a more expensive attack, but its simplicity means anyone can carry it out. A common way to spot shimming is to feel for resistance in the card reader when inserting your card. Users are recommended to use contactless and smartphone payments, such as Apple Pay, to avoid the security issues of ATMs.
Attackers have built a new, complex loader that ensures antivirus systems do not detect their malicious payload. The loader uses the well-known “Heaven’s Gate” technique: a trick that allows 32-bit malware running on 64-bit systems to disguise its API calls by switching to a 64-bit environment. In this instance, the loader was used in a new campaign to hide and deliver the popular HawkEye Reborn malware. The malware is never saved to the hard disk of the target machine; it runs in memory to evade detection by standard anti-virus products, and can be adapted to deploy other malware payloads. Advanced endpoint protection such as Cisco AMP for Endpoints can help in defending against this type of fileless malware. An in-depth analysis of how this works is included in the original post by Talos Intelligence.
The two vulnerabilities, SACK Panic (CVE-2019-11477) and SACK Excess Resource Usage (CVE-2019-11478), affect over 30 different products. They exist because of a flaw in the Linux kernel’s implementation of TCP Selective Acknowledgement (SACK), which can be exploited by an attacker to carry out a denial of service attack against any of the affected products. The flaw was originally discovered by Netflix researchers, who then disclosed it to the public. A list of all affected products is included in the original post, as well as any patches currently available. Keep in mind that VMware is still working on patching these vulnerabilities and has not yet released patches for all of its products.
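As an added example (not code from the Ironshare post or from the Netflix advisory), the script below classifies a Linux host's exposure to SACK Panic from two inputs: the kernel release string and the value of the `net.ipv4.tcp_sack` sysctl, which the advisory's workaround sets to 0 to disable SACK processing entirely. The list of fixed upstream stable releases is an assumption built into the script; distribution kernels backport the fix without changing their version numbers, so a result of "vulnerable" or "unknown" means "check your distribution's advisory", not proof of exposure.

```shell
#!/bin/sh
# Added example, not code from the Ironshare post or from the Netflix advisory.
# Classifies a Linux host's exposure to SACK Panic (CVE-2019-11477) from the
# kernel release string and the value of net.ipv4.tcp_sack.
#
# Assumption: these are the first upstream stable releases in each series to
# carry the fix. Distro kernels backport fixes without bumping these numbers,
# so "vulnerable"/"unknown" means "consult your distro advisory".
FIXED_RELEASES="4.4.182 4.9.182 4.14.127 4.19.52 5.1.11"

# vfield VERSION N: numeric field N of a dotted version, 0 when absent.
vfield() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = $n; print v + 0 }'
}

# version_ge A B: succeeds when A >= B, comparing three numeric components.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# sack_panic_status KERNEL_RELEASE TCP_SACK
# Prints one of: mitigated | patched | vulnerable | unknown
sack_panic_status() {
    rel=${1%%-*}            # "4.19.52-1-amd64" -> "4.19.52"
    sack=$2
    # tcp_sack=0 is the advisory's workaround: the vulnerable SACK processing is
    # never reached, at the cost of slower loss recovery on lossy links.
    if [ "$sack" = "0" ]; then
        echo mitigated
        return 0
    fi
    series="$(vfield "$rel" 1).$(vfield "$rel" 2)"
    for fixed in $FIXED_RELEASES; do
        if [ "$(vfield "$fixed" 1).$(vfield "$fixed" 2)" = "$series" ]; then
            if version_ge "$rel" "$fixed"; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    # Series newer than the last listed fix (5.2 onwards) shipped with the fix;
    # anything else (e.g. a distro-maintained 4.15 series) needs the advisory.
    if version_ge "$rel" "5.2.0"; then echo patched; else echo unknown; fi
}

# Run against the local host when invoked as: sh sack_check.sh --self
if [ "${1:-}" = "--self" ]; then
    sack_panic_status "$(uname -r)" "$(sysctl -n net.ipv4.tcp_sack 2>/dev/null || echo 1)"
fi
```

Running the script with `--self` on a fleet gives a quick first pass before patching; the version check is deliberately conservative, so an Ubuntu `4.15.0-52-generic` kernel reports "unknown" rather than guessing, and the definitive answer for distro kernels is the vendor's own advisory for these two CVEs.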
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #48 – 5th July 2019
Ironshare – Security Simplified