Cyber Pulse: Edition 142 | 18 January 2021

Here is our cyber security news round-up of the week:

Threat Group Abuses Microsoft & Google Cloud Services

Security researchers are watching a threat group that takes advantage of Microsoft and Google cloud services with the goal of exfiltrating data across a broad range of target organizations. These attackers have a "wide set of interests," report researchers with NCC Group and Fox-IT, who note the group is referred to as Chimera. Their target data ranges from intellectual property belonging to victims in the semiconductor industry to passenger data from the airline industry. Attackers begin by obtaining usernames and passwords from victims of previous breaches. The credentials are used in credential stuffing or password-spray attacks against a victim's remote services; for example, Web mail or other online mail services. Once they have a valid account, they use it to access the victim's VPN, Citrix, or another remote service with network access. With a foothold in the network, the attackers check the account permissions and try to get a list of accounts with admin privileges. This list helps them launch another password-spraying attack until a valid admin account is compromised. They use this account to load a Cobalt Strike beacon into memory; this is can be used for remote access and command and control (C2). The researchers explain how the attackers use Microsoft and Google cloud services to achieve their goals. In one case, they collected data from Microsoft SharePoint Online in order to exfiltrate information. In other attacks, they changed their C2 domains: in 2019 they began using subdomains under the parent domain appspot.com, which is owned by Google, and azureedge.net, a domain owned by Microsoft and part of its Azure content delivery network. 

Dutch Energy Supplier Blames Cyber Intrusion on Data Breaches Suffered by Other Companies

 Dutch energy supplier Eneco has warned tens of thousands of clients, including business partners, to change their passwords amid a recent data breach. Eneco, a producer and supplier of natural gas, electricity and heat in the Netherlands, serves more than 2 million business and residential customers. In a recent statement, the company said that “cyber ​​criminals have used email addresses and passwords from previous thefts at other websites to gain access to approximately 1,700 private and small business My Eneco accounts, the online environment for Eneco customers.” It claims affected customers may have had their data “viewed and possibly changed by third parties,” but doesn’t go into detail about the nature of the data, nor does it mention that attackers may use it to conduct phishing campaigns or fraud – which is typically the case in such attacks. The company adds that “affected customers have been notified and must create a new account with a different password.” The attackers apparently used a classical credential stuffing technique leveraging stolen data from previous breaches, meaning such an attack could have been prevented as easily as by enforcing multi-factor authentication for customer accounts.

Microsoft command ‘bug’ can force Windows 10 to Blue Screen

Bug allows an unprivileged user or program to enter a single command that causes an NTFS volume to become marked as corrupted. While chkdsk resolved this issue in many tests, one of our tests showed that the command caused corruption on a hard drive that prevented Windows from starting. Today, we look at the second bug that causes Windows 10 to perform a BSOD crash by merely attempting to open an unusual path. Since October, Windows security researcher Jonas Lykkegaard has tweeted numerous times about a path that would immediately cause Windows 10 to crash and display a BSOD when entered into the Chrome address bar. When developers want to interact with Windows devices directly, they can pass a Win32 device namespace path as an argument to various Windows programming functions. For example, this allows an application to interact directly with a physical disk without going through the file system. Lykkegaard discovered the following Win32 device namespace path for the 'console multiplexer driver' that he believes is used for 'kernel / usermode ipc.'  When opening the path in various ways, even from low-privileged users, it would cause Windows 10 to crash. While it has not been determined if this bug could be exploited for remote code execution or elevation privilege, in its current form, it can be used as a denial of service attack on a computer.

New Zealand central bank governor apologises after cyberattack resulted in serious data breach

The head of the Reserve Bank of New Zealand apologised on Friday after a recent cyberattack led to a serious data breach at the central bank, and brought in an independent investigator to review the incident. The breach was first announced on Sunday and later in the week the RBNZ said a file sharing service provided by California-based Accellion was illegally accessed. The breach comes just months after New Zealand’s stock exchange operator was targeted in a series of distributed denial of service attacks that overwhelmed its website, preventing trading for several days.

“I own this issue and I am disappointed and sorry,” said Governor Adrian Orr, adding that the ongoing investigation showed the breach is “serious and has significant data implication. While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders.”

The bank has said the system that was breached has been secured and closed, and New Zealand’s financial system remains sound and open for business. Apart from the forensic cyber investigation underway, the bank also appointed an independent third party to undertake a review of the incident. Orr said he could not provide any further details as it could adversely affect the investigation and the steps being taken to mitigate the breach.

A Sophisticated Windows and Android Hacking Operation Using Zero-Day Exploits

Google has published a report, describing a sophisticated hacking operation that targeted owners of both Windows and Android devices. The attacks were using two exploit servers spreading different exploit chains via watering hole attacks. Both were using exploits as initial remote code execution. While one server targeted Windows, the other targeted Android users. The exploit servers included four renderer bugs in Google Chrome, one was zero-day at the time of its discovery. Two sandbox escape exploits utilized three zero-day vulnerabilities in the Windows OS. In addition, a privilege escalation kit was used that consisted of publicly known n-day exploits for older versions of the Android OS. The four zero-days discovered in these chains are CVE-2020-6418, CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027, which were fixed between February to April 2020. Recently, Microsoft patched a Defender antivirus zero-day vulnerability (CVE-2021-1647) that was being exploited in the wild. In addition, a patch was released to fix a zero-day LPE vulnerability in the Windows PsExec management tool. The recent attacks were well-engineered and had complex code with a mixture of novel exploitation methods. To avoid any risks from such threats, experts suggest organizations take proactive measures such as regularly patching up software, using reliable anti-malware, deploying a Host Intrusion Protection System (HIPS), and using only essential applications on business devices.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter Find out about QA's extensive cyber-security courses