Tuesday, January 15, 2019 - Jake Omann, CIC, CPCU

Exposed login credentials put other accounts at risk

Estimated to be the 95th largest website in the world with an average of 700 million visits per month, the question-and-answer website Quora, has suffered a data breach exposing account information of 100 million users. While no financial information was released, hackers gained access to personal account information, including usernames and encrypted passwords. As many people tend to use the same credentials for multiple accounts, including email and financial institutions, the hackers may be able to gain access to other accounts where Quora users have the same username and password.

• On December 3, Quora announced that one of its systems was hacked, exposing the account data of approximately 100 million users to an unauthorized third-party.
  
  
• The breach was discovered Friday, November 30, 2018 when Quora noted unauthorized third-party access to user data.
  
  
• Quora contacted law enforcement and hired a digital forensics and security consulting company to determine how this breach occurred and who may have conducted the attack.
  
  
• Data exposed includes:
  1. Account information (name, email address, encrypted password, and data imported from linked networks)
  2. Public content and actions (questions, answers, comments, and upvotes)
  3. Non-public content and actions (answer requests, downvotes, and direct messages)
     
     
• It is not currently known how the attacker gained access to their systems. Quora has notified users who were impacted by this breach.

Source: BleepingComputer.com

He went to Jared – and accessed someone else’s order information

Signet Jewelers, the parent company of retailers Jared and Kay Jewelers, has fixed a vulnerability found in the websites of both companies that could have potentially exposed the order information of their online customers. The vulnerability was caused by a common URL misconfiguration known as “insecure direct object references” where an altered URL address shows content not intended for the user.

• When modified and pasted into a web browser, the link in the confirmation receipt email revealed order information for another customer, including name, billing address, shipping address, phone number, email address, ordered items and purchased amount, delivery date, tracking link, and the last four digits of the customer’s credit card number.
  
  
• This vulnerability could have been exploited to track shipments for doorstop theft or for targeted phishing attacks requesting additional account or financial information.
  
  
• The vulnerability appears to have only affected online orders through jared.com and kay.com. The online retail sites for Signet Jeweler’s other brands, such as Zales and Piercing Pagoda, do not appear to have been impacted.
  
  
• Signet Jewelers had been made aware of the problem previously and fixed the bug for all orders going forward. It was only after a Jared customer contacted cybersecurity firm KrebsOnSecurity that Signet took the additional step of fixing the issue for previous orders.

Source: KrebsOnSecurity.com

Adobe released update closing Flash Player backdoor vulnerability

Adobe has released an update for its Flash Player app after a vulnerability exploit as part of an APT attack against a Russian medical services organization. A security bulletin issued by Adobe identifies Flash Player 31.0.0.153 and earlier as the versions affected by this vulnerability. Cybersecurity experts expected the vulnerability to be commoditized and added to existing exploit kits (see our previous Threat Intelligence article) in the weeks following the attack.

• The advanced threat response team at Qihoo 360 and Gigamon noted an attack against a Russian FSBI clinic, known as "Polyclinic #2,” was detected on November 29, 2018. The attack has since been referred to as "Operation Poison Needles."
  
  
• According to its website, Polyclinic #2 provides medical and cosmetic services to executive and higher level employees of the Russian Federation.
  
  
• Operation Poison Needles came in the form of a fake employee questionnaire that triggered an exploit of the Flash Player vulnerability when opened.
  
  
• When opened, Word displayed a “harmful to your computer” warning. Users who agreed to continue executed a command to extract a rar file and start the backup.exe executable contained within it.
  
  
• The backup.exe file acted as a backdoor by pretending to be the Nvidia Control Panel application, using a stolen certificate from "IKB SERVICE UK LTD," which has since been revoked.
  
  
• When executed, the program copied itself to the Nvidia Control Panel program located in the local app data on the user’s computer. The copied program then sent information about the computer and its applications to a remote host. The copied program also downloaded and executed shell code on the computer.
  
  
• The cyber experts at Qihoo 360 and Gigamon have reason to believe the attack was politically motivated, possibly in response to the Kerch Strait incident where the Russian coast guard captured three Ukrainian Navy vessels.

Source: BleepingComputer.com

Bomb threat email scam results in evacuations and searches, but no explosives

Schools, government agencies and private organizations were the target of bomb threat emails that struck nationwide in December 2018. The emails demanded a payment in the form of bitcoin in order to halt the detonation of the alleged bomb. Victims of the email scam included local Wisconsin businesses in Appleton and Fon Du Lac.

The FBI and Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) both issued releases concerning the threats.

• The email has been classified along the same lines as sextortion scams designed to scare people into paying in order to keep a supposed embarrassing video from being posted online.
  
  
• The email informs the recipient that a “recruited mercenary” has placed an explosive device inside the recipient’s building which the sender plans to detonate unless the recipient makes a $20,000 payment to an enclosed Bitcoin address.
  
  
• While the emails have triggered evacuations and searches by local law enforcement, no explosive devices have been found in connection to these threats. The FBI and local police agencies are reporting that they do not consider the threats credible.

Source: SC Magazine

Microsoft urges users to install updates preventing Internet Explorer vulnerability

On December 19, 2018, Microsoft released an out-of-band update for the web browser, Internet Explorer, patching a zero-day vulnerability, identified by Google’s Threat Analysis Group, that had been exploited in targeted attacks.

• According to Microsoft, attackers exploit the vulnerability by directing the user, often through social engineering tactics, to a malicious website using Internet Explorer.
  
  
• The vulnerability has been described as a remote code execution, related to how Internet Explorer handles objects in memory.
  
  
• Affected versions include Internet Explorer 9 on Windows Server 2008, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 11 on Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows Server 2012 R2, Windows 7, and Windows 8.1.
  
  
• Users are advised to install the Microsoft updates as soon as possible.
  
  
• Microsoft patched a significant number of similar vulnerabilities in 2018, resolving at least one a month since August.

Source: SecurityWeek.com

Sophisticated malware used Twitter to go undetected

Researchers at Trend Micro have identified a new type of malware hidden in memes posted to the social media site, Twitter. The tweets alone were not enough to cause an infection, serving only as a conduit to activate devices that had already been infected.

• Trend Micro discovered it was the same old malware – a remote access trojan (RAT) – but up to new tricks. The first step in the attack is infecting a targeted PC with the RAT, identified as TROJAN.MSIL.BERBOMTHUM.AA. Once installed, the malware listens for commands from a single Twitter account, controlled by the malware operator.
  
  
• Memes sent from the Twitter account contained an embedded command enacted by the malware after being downloaded onto the infected device.
  
  
• Only two malicious tweets were observed, posted to Twitter on October 25 and 26, 2018. Twitter has since disabled the account in question.
  
  
• Infected tweets were found to contain memes with five executable commands, such as “/clip” to view text copied to the device’s clipboard, or “/processes” to find out what programs were actively running on the computer. The code also included a “/print” command which enabled the malware to capture screenshots from the infected device.
  
  
• While the use of Twitter as a means to spread malicious code is nothing new, what sets this attack apart is its use of steganography to send commands to the malware program and its use of Twitter as a way to communicate undetected.

Source: ThreatPost.com

Malware targets online shoppers with "convincing" Amazon emails

Online shoppers are warned to be on the lookout for order confirmation emails appearing to come from Amazon.

• Email security company, EdgeWave, discovered a “malspam” campaign had been sending very convincing, but fake, Amazon order confirmation emails.
  
  
• The email shows an order confirmation stating an item has shipped, but does not provide any order information or tracking details. The email directs the recipient to click on an Order Details button to view more information, but instead of directing you to your order information, the button downloads a Word document named order_details.doc.
  
  
• When opened, the Word document directs the user to Enable Content to properly view the information. Clicking Enable Content button triggers macros that execute a PowerShell command, which then downloads and installs a trojan virus onto the user’s computer.
  
  
• Once installed, the virus performs a number of unwanted activities such as logging key strokes and stealing sensitive account information.
  
  
• Compromised servers associated with this campaign have been located in Columbia, Indonesia, and even in the U.S.

Source: BleepingComputer.com

Employer resources

Associated Benefits and Risk Consulting offers several tools to help clients assess their cyber risk:

• Cyber Risk Scorecard survey — this new online tool can assess your company’s cybersecurity standing, addressing the major drivers of cyber risks to organizations.

• Cyber risk webinar — register for our webinar "Unforeseen Cyber Risks: How to protect your employees and your company" on Wednesday, February 13.

For more information about protecting your organization from cyber threats or risk management strategies in general, please contact us.