CYBER PULSE: EDITION 140 | 4 JANUARY 2021

Cyber Security Training Courses In association with QA present the latest cyber security news stories.

Law enforcement takes down global cybercrime VPN services

Law enforcement agencies in Europe and the United States have successfully taken down Safe-Inet, a VPN service used by the world's top cybercriminals to spy on companies worldwide, target them with ransomware attacks, and evade detection by law enforcement agencies. The operation that resulted in the takedown of Safe-Inet was led by German police and assisted by Europol and law enforcement agencies from around the world. The operation led to the shutdown of Safe-Inet infrastructure in Germany, the Netherlands, Switzerland, France and the United States.

According to Europol, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the ransomware operators responsible for ransomware, e-skimming breaches and other forms of serious cybercrime. The VPN service was much sought after in the world of cybercrime and commanded a huge price tag as it offered up to five layers of anonymous VPN connections. The takedown of the Safe-Inet infrastructure took place at a time when Europol and law enforcement agencies have armed themselves with a new decryption platform to analyse legally obtained data and crack down on organised criminal and cyber-criminal gangs.

"Law enforcement were able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack. The service has now been rendered inaccessible," Europol said.

European Medicines Agency Covid-19 vaccine documents leaked


While the pandemic is spreading on a global scale, threat actors continue to target government organisations and entities in the pharmaceutical industry. Security experts from threat intelligence firm Cyble have found several documents relating to the Covid-19 vaccine allegedly stolen from the European Medicines Agency (EMA) and leaked on the Darkweb. The EMA, which plays a crucial role in the evaluation of Covid-19 vaccines across the EU, has access to sensitive and confidential information, including quality, safety, and effectivity data resulting from trials.

In early December, the European Medicines Agency (EMA) announced that it was targeted by a cyber-attack. The EMA did not provide technical details about the attack, nor whether it will have an impact on its operations while it is evaluating and approving Covid-19 vaccines. 

Recently, Cyble started tracking documents being shared on a Russian-language forum. The links to the documents have been shared by a newly created profile that was used only for the alleged data leak.

“During the assessment of data, our researchers noticed that multiple confidential files, including MoMs, assessment reports, confidential emails, login portal links and images of its internal pages were accessed and leaked,” reported Cyble in its analysis.  

The documents also include the alleged assessment report of a Covid-19 vaccine along with the summary report of drug release and stability.

Microsoft issued a zero-day fix six months ago but it didn’t work


Microsoft reportedly fixed a zero-day vulnerability in June 2020. Security researchers from Google’s Project Zero showed that attackers could still use the zero-day, despite the patch. Since zero-day exploits are a serious matter, most of the time, companies quickly release a patch. The June 2020 patch for Windows 8.1 and 10 covered the zero-day CVE-2020-0986 vulnerability, or at least that was the plan. An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, reads the vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

As results go, a quick fix for such a significant problem is the best possible outcome, but security researchers discovered that the fix wasn’t working. Not only that, but the vulnerability is still unpatched to this day, and the attackers already used the zero-day in at least one incident.

“The original issue was an arbitrary pointer dereference which allowed the attacker to control the source and destination pointers to a memcpy,” said Google’s Project Zero Maddie Stone. “The ‘fix’ simply changed the pointers to offsets, which still allows control of the arguments to the memcpy. There have been too many occurrences this year of 0-days known to be actively exploited being fixed incorrectly or incompletely. When 0-days aren’t fixed completely, attackers can reuse their knowledge of vulns and exploit methods to easily develop new 0-days,” she explained.

A new fix is in the works, and it should be available with the January patch. Until that’s out, many Windows machines will be vulnerable. Microsoft also announced that hackers had recently gained access to its source code but without evidence of any compromise to its services or customer data.

 

New malware strain abuses GitHub and Imgur

A new malware strain has been discovered that uses Word files with macros to download a PowerShell script hosted on GitHub. Further, the script downloads a legitimate image file from the image-sharing community, Imgur, which is used for decoding a Cobalt Strike script on Windows systems. The malware strain is linked to a state-backed (APT) group known as MuddyWater. The malware spreads with an embedded macro within a legacy Microsoft Word (*.doc) file.

Once the Word document is opened, it executes the embedded macro. Subsequently, the macro launches powershell[.]exe and adds the location of a PowerShell script that is hosted on GitHub. The single-line PowerShell script downloads a real PNG file from Imgur. In this image, downloaded image pixel values are used by the PowerShell script for calculating the next stage payload. Hiding payloads within an ordinary image is possible using the Invoke-PSImage. This tool can encode PowerShell script within the pixels of a PNG file, along with a one-line command for payload execution. The malicious payload communicates with the C2 server using the WinINet module to obtain further instructions. However, the C2 server is not accessible anymore.

Using legitimate services, such as GitHub and Imgur, allows cybercriminals to mask their footsteps without any major investments. Thus, experts suggest organisations be cautious against such attacks by providing training to their employees to identify phishing emails, disable macros if not needed, using reliable antivirus software, and frequently updating all software and patches.

Kawasaki Heavy Industries breached in cyber attack


Kawasaki Heavy Industries Ltd. has reported that some data may have been breached as a result of unauthorised access to a server in Japan. The hack may have targeted defence-related information held by Kawasaki Heavy, which produces aircraft and submarines for the Defence Ministry. Kawasaki Heavy said it found fraudulent server access via a company based in Thailand during a system audit on 11 June this year and confirmed the possibility of a data breach. The administrator identification and password of the company’s domestic system had been stolen, Kawasaki Heavy said.

Fraudulent access from outside the company started in September 2019, at the latest, according to the company. An investigation by Kawasaki Heavy also detected illegal access via company bases in Indonesia, the Philippines and the United States. Kawasaki Heavy said it has already strengthened its information security measures. No unauthorised access has been confirmed since August this year, according to the company.

“We deeply apologise for causing troubles and worries,” Kawasaki Heavy said in a statement. Tokyo-headquartered Kawasaki said that entry to its servers “had been carried out with advanced technology that did not leave a trace.”

 

Hackers knocked out one of Germany's biggest news organisations

One of the biggest media organisations in German-speaking territories has become the victim of a sustained cyberattack over the Christmas holiday, forcing several newspapers to cancel or offer severely curtailed "emergency" editions. The attack, which is still ongoing, began last Tuesday. The Funke Media Group, which publishes dozens of newspapers and magazines and runs several local radio stations and online news portals, said on Monday that some 6,000 of its computers had been "potentially infected" in the attack, which had affected several central computer systems at all its locations in Germany.

All IT systems had to be powered down to prevent further damage, which means that "all editorial systems and the entire technology for newspaper production had been switched off, and even remotely normal work is currently impossible," Tyrock wrote. "The newspaper pages are essentially built by hand, in many places from home." The group would not comment on media reports that the hackers had demanded a ransom to be paid in Bitcoin. State prosecutors and police are currently leading the investigation, while Funke scrambled a team of IT experts to build a "quarantine network" of untainted computers and a skeleton IT system to continue working.

Lithuania's National Centre for Public Health hit by Ransomware


The internal networks of Lithuania's National Centre for Public Health (NVSC) and several municipalities have been infected with Emotet malware following a large campaign targeting the country's state institutions. When infected recipients opened infected messages, the virus entered the internal networks of the institutions, NVSC officials said in a statement published today. The NVSC e-mail systems have been temporarily shut down on Tuesday to stop the further spread of the virus.

NVSC information technology specialists, together with experts from the Central State Telecommunications Center and the UK's National Cyber ​​Security Center, are currently working on cleaning affected systems of the Emotet infection, as well as recovering NVSC emails and restoring email access.

Rytis Rainys, Director of the Lithuanian National Cyber ​​Security Center (NKSC), warned that the Emotet emails sent as replies to previous conversations distributed malicious code using password-protected archives as attachments, with the password shared in the email body. This prevented anti-malware solutions from detecting the malicious emails which made it possible for the targeted individuals to open the attachment and infect themselves. Stealing reply-chain emails is a known Emotet tactic used to camouflage malicious emails as parts of existing conversations for higher credibility and better infection rates in future spam campaigns.

Edited and compiled by QA's Director of Cyber, Richard Beck.

QA