Cyber Pulse: Edition 150 | 23 April

Android malware Joker infects 500,000 Huawei users

Joker, the infamous Android-based malware family, has now infected more than 500,000 Huawei users and subscribed them to unwanted premium mobile services. A report from Doctor Web disclosed that these malicious apps retained their advertised functionality, however, their downloaded components are subscribing users to premium mobile services. To stay hidden, the infected apps requested access to notifications to intercept confirmation codes delivered on SMS via the subscription service without the victim’s knowledge. The malware-laden apps could subscribe an infected user to a maximum of five services. However, the attacker behind this malware could change this limitation at any time.

The list of malicious applications includes a launcher, a camera application, an online messenger, colouring programs, a sticker collection, virtual keyboards, and a game. These 10 malicious apps were downloaded by 538,000 Huawei users. Even though Google keeps introducing new policies and defence mechanisms to counter them, operators of Joker are regularly changing their tactics and exploiting any possible gap in Play Store's defences. Therefore, smartphone users are recommended to be extra cautious when downloading new applications even from trustworthy stores.

VPN appliance exploited within the Defence Industrial Base

Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is actively exploited in attacks against worldwide organisations and focused on US Defence Industrial base (DIB) networks. To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release. As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.
 
The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE- 2020- 8243) and Security Advisory SA44601 (CVE- 2020- 8260). Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted. The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. PCS will issue a software update in early May. At the moment, there is no evidence that these threat actors have introduced any backdoors through a supply chain compromise of Pulse Secure's network or software deployment process.

Smart meters breached at North American Utility

Researchers from the FireEye’s Mandiant team have breached the network of a North American utility and turned off one of its smart meters. The scope of the test was to demonstrate tactics, techniques and procedures used by threat actors to breach the protected perimeter between an IT network and an OT network. In the first phase of the attack, the Mandiant team adopted techniques used by TEMP.Veles to breach the OT network during the TRITON attack.

Mandiant’s red team initially targeted the external-facing IT network, then attempted to gain access to the OT network. Once they'd achieved control over the workstations in the enterprise environment, experts used a set of publicly available offensive security tools (OST) to escalate privileges and to obtain domain administrator-level access.

Below the list of tools used by the Mandiant’s team:

• ldapsearch to enumerate information in the enterprise domain
• PowerSploit to exploit common security misconfigurations in IT
• WMImplant to move laterally from one system to another in the internal network
• Mimikatz to extract credentials for local user and domain administrator accounts

Then Mandiant’s OT Red Team conducted an internal reconnaissance in the IT network to determine targets of interest (people, processes, or technology) and found a way to jump from the IT to the OT. Finally, once mapped the OT network, researchers were able to steal login credentials for a human-machine interface portal for the meter control infrastructure and issue a command to disconnect the smart meter.

Drinks giant C&C Group shuts down IT after security incident

Matthew Clark Bibendum (MCB), a distributor of alcoholic beverages and soft drinks in the UK and Ireland, says it’s working to restore IT systems following a cybersecurity incident. In a statement, constituent businesses Matthew Clark and Bibendum said they were “temporarily supporting customers and suppliers manually” having become aware of the incident.

“MCB responded quickly, enacting its cybersecurity response plan and shutting down all of its IT systems,” reads the statement.

MCB is owned by C&C Group, which manufactures and distributes two of its most well-known brands – Irish cider Bulmers and Scottish beer Tennent’s – to more than 40 countries. The company said it “is in the process of informing its customers and suppliers of the incident”, and “has notified the relevant authorities, including the Information Commissioner’s Office."

Bristol-based Matthew Clark supplies the UK and Irish hospitality sectors with alcoholic and non-alcoholic drinks from more than 4,000 product lines. Dublin-headquartered, FTSE 250 company C&C Group supplies over 35,000 UK and Ireland pubs, bars, restaurants and hotels with beer, cider, wine, spirits and soft drinks.

Infection Monkey: Open-source tool allows zero trust assessment of AWS environments

Guardicore unveiled new zero trust assessment capabilities in Infection Monkey, its open-source breach and attack simulation tool. Available immediately, security professionals will now be able to conduct zero trust assessments of AWS environments to help identify the potential gaps in an organization’s AWS security posture that can put data at risk. Infection Monkey helps IT security teams assess their organisation’s resiliency to unauthorised lateral movement both on-premises and in the cloud.

“The accelerated adoption of cloud workloads has elevated the risk of data being exposed either by external threat actors, or by internal vulnerabilities such as poor access control and misconfigurations. Securing this sensitive information requires a shared model of responsibility, where organisations are enforcing Zero Trust frameworks on their cloud workloads,” said Ofri Ziv, VP Research, Guardicore.

Despite patches being issued, organisations are still susceptible to powerful new vulnerabilities that threat actors continue to exploit. Infection Monkey is now able to test infrastructure resiliency to new remote code execution vulnerabilities, including CVE-2020-1472 (Zerologon) and CVE-2019-6340, which affects Drupal Core.

Industrial Control Systems (ICS) increased threat from ransomware

Kaspersky has published its report on the ICS Threat Landscape for H2 2020, revealing an increase in ransomware attacks on ICS computers. The report is based on statistical data gathered by the distributed antivirus Kaspersky Security Network. Around 33.4% of ICS computers were targeted by some cyberattack in the second half of 2020, a 0.85% increase compared to H1. Saudi Arabia recorded the maximum growth (8.2%) in the number of attacks. Globally, ICS computers targeted by ransomware dropped from 0.63% in H1 2020 to 0.49% in H2 2020. 

However, experts observed an increase in ransomware attacks in several countries including Western Europe (0.13%), Australia (0.23%), the US and Canada with a 0.25% increase. The recent attack trend indicates the reaction of cybercriminals toward the economic consequences of the pandemic. In countries where organisations were badly hit and unstable in running businesses, they faced fewer attacks than organisations with financial stability – mostly developed countries.

Coding issue for Facebook live video services

Security researcher Ahmad Talahmeh published an advisory explaining how the Facebook vulnerability worked, together with Proof-of-Concept (PoC) code able to trigger an attack. Facebook's live video allows users to broadcast and publish live streams, a feature that has been widely adopted not only by individuals but also by companies and organisations worldwide. Owners can publish live streams through a page, group and event. Once a broadcast has ended, users can implement video trimming to cut out unnecessary content from their streams, such as by scrubbing between to- and from- timestamps.

Talahmeh found an issue with this feature that allowed live video to be trimmed on behalf of owners to the point of deletion, an unexpected behaviour that could have ramifications for privacy and security.