Latest Cyber-Attack Threats – October 2019

Avast Breached – Abiss

Major cyber security firm Avast recently suffered an intrusion that may have been aimed at CCleaner in order to initiate a supply chain attack. This may have been a repeat attempt of the 2017 CCleaner breach, in which 2.27 million users downloaded a tainted version via the official update channel. The intrusion took advantage of VPN credentials that had erroneously been left enabled and were compromised.

Avast stated the following: “On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”

Read the full blog post here:

https://blog.avast.com/ccleaner-fights-off-cyberespionage-attempt-abiss

Nord VPN Data Centre Breach

NordVPN found itself in a similar situation to Avast when one of its datacentres was breached, yet again through forgotten VPN credentials that had been compromised. In its blog, Nord stated: “The breach was made possible by poor configuration on a third-party datacentre’s part that we were never notified of. Evidence suggests that when the datacentre became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service.”

NordVPN has since reassured its clients that no user credentials were affected and that there were no signs of a man-in-the-middle attack. “The incident effectively showed that the affected server did not contain any user activity logs. To prevent any similar incidents, among other means, we encrypt the hard disk of each new server we build. The security of our customers is the highest priority to us and we will continue to raise our standards further and further.”

Read the full blog post here:

https://nordvpn.com/blog/official-response-datacenter-breach/

 

Call centre security scam claims R75500

Retired businessman Doug Varey reportedly fell victim to a security scam which cost him R75500 (£4000). Mr Varey had signed up through a computer security protection pop-up offering 12 years of protection for R10500 (£556), or R875 (£46) per year, which led to him being contacted by the associated call centre a few months later. The ‘security firm’s’ call centre agents tricked Mr Varey into believing that he needed to pay the £4000 for an advanced level of security to stop a Russian hacker, who they claimed had taken over his computer, from buying guns, ammunition and hand grenades.

Unfortunately, this happens more often than most people realise and is a good example of an offer that is too good to be true. The computer security software was fake and allowed the threat actors to take control of Mr Varey’s computer via remote access. This incident also shows how easily cyber criminals use information to manipulate people. Social engineering and phishing-based attacks typically use similar methods.

See the full article here:

https://www.bbc.com/news/technology-50117796

 

Skip-2.0, Microsoft SQL Server 11 and 12 Nightmare

Chinese hackers have reportedly been identified as the operators of new malware, dubbed skip-2.0, recently used to gain backdoor access to Microsoft SQL Server (MSSQL) 11 and 12 servers. The malware installs a ‘magic password’ that grants access to any account on the server and lets the attackers hide their activity from the security logs. MSSQL 11 and 12 are not exactly new, having been released in 2012 and 2014 respectively, but they can still be found in many environments.

Skip-2.0 is reported to affect only MSSQL versions 11 and 12. At the time of writing, there are no known security patches that remediate this vulnerability, so it may be time to upgrade to a later version.

See more details in the following:

https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-malware-to-backdoor-microsoft-sql-servers/

 

Phishing Spam

Cyber security experts recently got wind of another email phishing campaign doing the rounds. This particular scheme is well crafted, and it is easy to see how an unsuspecting victim might fall for it.

The scam’s breakdown:

  1. A recipient receives a POP (proof of purchase) email from a known sender.
  2. The email looks legitimate and even contains all the content usually seen from a known sender (privacy statement, disclaimer, proper email address, etc.).
  3. A web link is provided to the POP stored on a cloud drive.
  4. On navigation, the recipient is presented with login options asking for their email and password or company credentials.
  5. The website still looks legitimate with working links to ‘forgot password’, ‘privacy policy’ and ‘cookie preferences’.
  6. The recipient enters their credentials and their account is then compromised. Everyone in their contacts and recent list receives the same email, formatted according to the newly compromised account’s email template.
  7. The whole process then repeats itself.

One of the tell-tale signs that the sending account has been compromised is that the ‘from’ and ‘to’ addresses are exactly the same, with the other recipients included alongside.
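The tell-tale sign above can be checked mechanically at the mail gateway or in a mailbox export. The following Python script is an added illustration, not code from the original newsletter: it parses constructed sample messages (not real mail) and flags any message whose sender address also appears in its own To/Cc list alongside other recipients. As an assumed extra signal that goes beyond the text, it also lists link hosts that point away from the sender’s own domain, since the campaign above lures victims to a ‘cloud drive’ rather than the sender’s site.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages for the demonstration (not real mail).
# The first reproduces the indicator described above: the sender is also
# a recipient, with other contacts included alongside.
SUSPICIOUS_MSG = """\
From: Alice Smith <alice.smith@example-supplier.com>
To: Alice Smith <alice.smith@example-supplier.com>, bob@example-customer.com, carol@example-customer.com
Subject: Proof of purchase - invoice 4471
Content-Type: text/plain

Hi,

Please find the proof of purchase on our cloud drive:
https://docs-share.example-cloud.net/view/pop-4471

Regards,
Alice
This email and any attachments are confidential.
"""

# An ordinary message from the same sender for comparison.
NORMAL_MSG = """\
From: Alice Smith <alice.smith@example-supplier.com>
To: bob@example-customer.com
Subject: Invoice 4471
Content-Type: text/plain

Hi Bob, invoice attached. Portal: https://portal.example-supplier.com/invoices/4471
"""

# Captures the host part of http(s) links found in the message body.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def addr_set(msg, header):
    """Lower-cased e-mail addresses from a header, handling multiple values."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def analyse(raw):
    """Return a dict of indicators for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = addr_set(msg, "To") | addr_set(msg, "Cc")
    sender_domain = sender.rsplit("@", 1)[-1]

    # Only plain single-part bodies are inspected in this illustration.
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = {h.lower() for h in URL_RE.findall(body)}
    external = {
        h for h in link_hosts
        if not (h == sender_domain or h.endswith("." + sender_domain))
    }

    indicators = {
        # The sign the newsletter calls out: sender appears in its own recipient list.
        "sender_in_recipients": sender in recipients,
        "multiple_recipients": len(recipients) > 1,
        # Assumed extra signal (not from the newsletter): links leaving the sender's domain.
        "external_link_hosts": sorted(external),
        "subject": msg.get("Subject", ""),
    }
    indicators["flag"] = indicators["sender_in_recipients"] and indicators["multiple_recipients"]
    return indicators


def triage(raw_messages):
    """Return the subjects of messages that match the compromised-sender pattern."""
    return [r["subject"] for r in map(analyse, raw_messages) if r["flag"]]


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MSG, NORMAL_MSG):
        result = analyse(raw)
        print(f"{result['subject']!r}: flag={result['flag']}, "
              f"external links={result['external_link_hosts']}")
```

The sender-in-recipients check is a heuristic, not proof of compromise: legitimate users do occasionally copy themselves on outgoing mail, so in practice it is best used to raise a message for review together with the other signs in the list above rather than to block on its own.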

Email:

 

“Cloud Drive” website Login: