Cyber Pulse: Edition 173 | 2 February 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

UK local authorities to receive £37.8 million to boost cyber resilience

UK local authorities are to receive £37.8 million from the government to boost cyber resilience in essential public services and data in sectors such as housing benefits, voter registration, electoral management, school grants and the provision of social care. The move is part of the UK's first government Cyber Security Strategy, which was announced as part of an over £2 billion program of government investment, detailed in this year’s spending review in cyber, retiring legacy IT systems and stepping up skills and coordination.

Last month, the UK National Cyber Security Strategy was introduced. It calls on all parts of society to play their part in reinforcing the UK’s economic strengths in cyberspace, through more diversity in the workforce, levelling up the cyber sector across all UK regions, expanding offensive and defensive cyber capabilities and prioritising cybersecurity in the workplace, boardrooms and digital supply chains.

A Government Cyber Coordination Center (GCCC) is also being established as part of the new strategy. Based in the Cabinet Office, the GCCC is tasked with rapidly identifying, investigating and coordinating the government’s response to attacks on public sector systems, and managing how data and cyber intelligence is shared by defenders.

In addition, a new cross-government vulnerability reporting service is intended to enable security researchers and members of the public to easily report any issues with public sector digital services. The new program will also work to understand the growing risk from the supply chains of commercially provided products in government systems.

While making the announcement, UK Cabinet Minister Steve Barclay, chancellor of the Duchy of Lancaster, highlighted the upsurge in attacks in recent years, which he said had made Britain third on the list of countries most targeted by hostile states in cyberspace. Barclay said that some 40% of the 777 incidents managed by the National Cyber Security Center between September 2020 and August 2021 were aimed at the public sector. For example, in 2020, both the Redcar and Cleveland and Hackney councils were hit by ransomware attacks affecting council tax, benefits and housing waiting lists, and the Gloucester City Council fell victim to a cyberattack in 2021.

UK organisations warned by NCSC to prepare for cyber attacks in light of Ukraine tension

The National Cyber Security Centre (NCSC) has warned UK organisations to prepare for Russian cyber attacks amid ongoing geopolitical tensions in Ukraine. The new guidance follows numerous malicious cyber incidents in Ukraine in the past month, which the NCSC said corresponds with past Russian behaviour. These include more than a dozen Ukrainian government websites getting taken offline in a cyber attack, while a major malware wiper campaign targeting government, IT and non-profit organisations across the country was recently detected by Microsoft.

The agency noted that such incidents resemble high-profile attacks like NotPetya in 2017 and cyber attacks against Georgia in 2019, which the UK government attributes to the Russian government. While no specific threats to the UK have currently been identified, the UK government’s support for Ukraine in the crisis is likely to make it a target of Russian threat actors. The dispute revolves around Russian concerns that Ukraine will join NATO, and it has built up a substantial force on the border, leading to fears of invasion.

To prepare for potential attacks, the NCSC has urged UK organisations to take action to secure their systems. These include patching systems, enabling multi-factor authentication, implementing an effective incident response plan and checking that backups and restore mechanisms are working. This guidance is primarily aimed at larger organisations. The NCSC has also advised any organisation that has fallen victim to a cyber attack to report the incident to the NCSC’s 24/7 Incident Management team.

Qubit Finance platform hacked for $80 million's cryptocurrency

A threat actor has used an exploit to steal approximately $80 million from Qubit Finance, a decentralised finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. The hack took place on 27 January, and was formally acknowledged by the platform within hours. According to an incident report of the hack, Qubit said the attacker was able to steal 206,809 Binance coins (BNB) from its wallet using a vulnerability in one of its Ethereum blockchain contracts, which the company uses to process transactions for its users. The attacker’s address was identified last night, and the funds are still in the attacker’s possession and haven’t been laundered yet.

Since Qubit can’t recover the funds on its own, the company has sent a message to the attacker using the “private note” feature of a blockchain transaction, offering to pay the hacker a bug bounty reward in the hopes of convincing the hacker to return the stolen funds. The company later followed this statement up with a full public message posted on its Twitter account, asking the hacker again to get in contact with its team to disclose the bug and receive a bounty reward.

If the hacker refuses to return the funds, the Qubit hack will rank as one of the Top 10 largest hacks of a DeFi platform ever recorded. Besides Qubit’s own report, blockchain security firm CertiK has also published an alternative analysis of the Qubit Finance exploit – if readers are looking to learn more about the technical side of the attack.

New European Cyber Incident Coordination Framework

The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to coordinate better when responding to major cross-border cyber incidents impacting the Union's financial sector. ESRB is an independent EU body established in 2010 that oversees the European Union's financial system to prevent and mitigate systemic risk.

"The three European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) published today a statement welcoming the European Systemic Risk Board's (ESRB) Recommendation on systemic cyber risk, which calls on the ESAs to prepare for the gradual development of a Pan-European systemic cyber incident coordination framework (EU-SCICF)," a press release published Thursday reads. "The ESRB highlights the need for authorities to coordinate and communicate swiftly in the event of a major cyber incident, to rapidly assess its impact and to support confidence in the financial sector," the ESRB said [PDF].

ESRB's recommendation comes in the context of an increased risk to the EU's financial stability from an increasing number of continuously evolving cyber threats.

Fake job phishing campaign using GitHub for Command and Control

Threat actors are using Windows Update to spray malware in a campaign powered by a GitHub command-and-control (C2) server. Researchers at Malwarebytes Threat Intelligence reported that they discovered the North Korean state advanced persistent threat (APT) group’s latest living-off-the-land technique while analysing a spear-phishing campaign.

The focus of the campaign – in which the APT masqueraded as American global security and aerospace giant Lockheed Martin – is in keeping with their taste for infiltrating the military. According to Malwarebytes’ Thursday report, the 18 January spear-phishing campaign was weaponised with malicious documents that tried to lure targets into clicking by using the same “job-opportunities” baloney that the group has dangled before. Malware authors often create files with virus scripts and name them after wuauclt.exe. In fact, in October 2020, wuauclt.exe was added to the list of living-off-the-land binaries (LOLBins): executables signed by Microsoft that attackers use to execute malicious code on Windows systems while evading detection.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” the threat-intelligence team noted. “With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL.”

Use of GitHub as a C2 is rare, the researchers observed, and this is the first time they’ve seen Lazarus doing so. But it’s an apt choice for the task at hand, using GitHub as a C2 has its own drawbacks but it is a clever choice for targeted and short-term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections.

US water utility operators to use new 100-day cyber plan

The White House, Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) are rolling out a 100-day plan to improve the cybersecurity of the country's water systems, which have faced a variety of attacks. "The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan" includes several measures that officials believe can be taken in the next few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing and provide technical support to water systems in need of help. 

EPA Administrator Michael Regan said cyberattacks represent an "increasing threat to water systems and thereby the safety and security of our communities."

"As cyber threats become more sophisticated, we need a more coordinated and modernised approach to protecting the water systems that support access to clean and safe water in America," Regan said. "EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber incidents."

The White House said the plan will offer owners and operators with technology that will provide "near real-time situational awareness and warnings." The Washington Post noted that over 150,000 water utilities are serving the US population. National Cyber Director Chris Inglis explained that the plan will provide owners and operators of water utilities with a roadmap for high-impact actions to improve their operations' cybersecurity. The 100-day plan is part of President Joe Biden's Industrial Control Systems (ICS) Initiative that aims to help critical infrastructure organisations with tools that provide greater visibility, indicators, detections, and warnings about cyber threats. 

17 critical bugs that need immediate patching

The Known Exploited Vulnerabilities catalogue shows around 341 vulnerabilities that include the new 17 vulnerabilities, along with the date by which agencies have to fix or apply security updates to mitigate the flaw. The listed vulnerabilities allow attackers to carry out different types of attacks, such as stealing credentials/information, remotely executing commands, gaining access to networks, and downloading/executing malware.

The vulnerabilities with required action by 1 February include CVE-2021-32648 (October CMS), CVE-2021-21315 (node.js), CVE-2021-21975 (vRealize Operations Manager), CVE-2021-22991 (BIG-IP Traffic Microkernel), CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 (Nagios XI OS), CVE-2021-33766 (Microsoft Exchange Server), and CVE-2021-40870 (Aviatrix Controller). Additional vulnerabilities with extended dates include CVE-2021-35247, CVE-2020-11978, CVE-2020-13671, CVE-2020-13927, CVE-2020-14864, CVE-2006-1547, CVE-2012-0391, and CVE-2018-8453.

An exploitable flaw is a weak link for a network and may endanger the security. While hackers continue to exploit critical vulnerabilities, security professionals should review the known exploited vulnerability catalogue and patch any discovered flaw immediately.

Hackers are taking over CEO accounts with rogue OAuth apps

Threat analysts have observed a new campaign named ‘OiVaVoii’, targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts. According to a report from Proofpoint, the campaign is still ongoing, though Microsoft is monitoring the activity and has already blocked most of the apps. The impact of executive account takeovers ranges from lateral movement on the network and insider phishing to deploying ransomware and business email compromise incidents.

OAuth is a standard for token-based authentication and authorisation, removing the need to enter account passwords. Apps that use OAuth require specific permissions such as file read and write permissions, access to calendar and email, and email send authorisation. The purpose of this system is to offer increased usability and convenience while maintaining a high security level within trustworthy environments by reducing credential exposure.

The threat actors then used the apps to send out authorisation requests to high-ranking executives in the targeted organisations. In many cases, the recipients accepted the requests, seeing nothing suspicious in them. When victims hit the Accept button, the threat actors used the token to send emails from their accounts to other employees within the same organisation. If they clicked on Cancel, a manipulation in the Reply URL redirected them back to the consent screen, locking them on the same page until they accept the permission request.

Universal Plug and Play (UPnP) router vulnerability

A malicious campaign known as 'Eternal Silence' is abusing Universal Plug and Play (UPnP) and turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors. UPnP is a connectivity protocol optionally available in most modern routers that allows other devices on a network to create port forwarding rules on a router automatically. This allows remote devices to access a particular software feature or device as necessary, with little configuration required by a user. Researchers from Akamai have spotted actors abusing this vulnerability to create proxies that hide their malicious operations, calling the attack UPnProxy. Out of 3,5 milliom UPnP routers found online, 277,000 are vulnerable to UPnProxy, and 45,113 of them have already been infected by hackers.

Akamai's analysts speculate that the actors attempt to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. Leveraging these flaws can lead to an array of potential problems, including resource-consuming cryptominer infections, devastating worm-like attacks that quickly spread to entire corporate networks, or initial access to corporate networks.

The best way to determine if your devices have been captured is by scanning all endpoints and auditing the NAT table entries. There are many ways to do this, but Akamai has conveniently provided this bash script (screenshot below), which can be run against a potentially vulnerable URL. If you've located a device compromised with Eternal Silence, disabling UPnP won't clear the existing NAT injections. Instead, users will need to reset or flash the device. Also, applying the latest firmware update should be a priority as the device vendor may have addressed any UPnP implementation flaws via a security update.

Unique fingerprints for web tracking via your GPU

A team of researchers from French Israeli, and Australian universities has explored the possibility of using people's GPUs to create unique fingerprints and use them for persistent web tracking. The results of their large-scale experiment, involving 2,550 devices with 1,605 distinct CPU configurations, show that their technique, named 'DrawnApart,' can boost the median tracking duration to 67% compared to current state-of-the-art methods.

This is a severe problem for user privacy, which is currently protected by laws that focus on acquiring consent to activate website cookies.

The researchers considered the possibility of creating distinctive fingerprints based on the GPU (graphics processing unit) of the tracked systems with the help of WebGL (Web Graphics Library). The researchers also tried swapping other hardware parts on the machines to see if the traces would remain distinguishable and found that the fingerprints solely depended on the GPU. When the researchers tested compute shaders in the now-abandoned WebGL 2.0, they found that DrawnApart delivered 98% classification accuracy in just 150 milliseconds, much faster than the 8 seconds used to collect fingerprinting data through the WebGL API.

"We believe that a similar method can also be found for the WebGPU API once it becomes generally available. The effects of accelerated compute APIs on user privacy should be considered before they are enabled globally," concludes the research paper.

Potential countermeasures to this fingerprinting method include attribute value changes, parallel execution prevention, script blocking, API blocking, and time measurement prevention.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.