A Wave of Cyber-Attacks on Singapore after the Trump-Kim Summit
An F5 Labs report claims that the number of cyber-attacks targeting Singapore climbed sharply from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean leader Kim Jong-un in a Singapore hotel, and that most of these attacks originated from Russia.
Russia has long been accused of keeping the United States under a continuous barrage of cyber-attacks, and it drew a series of sanctions over the hacking aimed at the 2016 presidential election, which has been attributed to state-sponsored Russian threat actors.
It is therefore no surprise that the Trump-Kim summit earlier this week was targeted as well, but the share of the assaults coming from Russia is striking: 88% of the observed cyber-attacks came from that country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.
“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.
During a period of 21 hours, from 11:00 p.m. on June 11 to 8:00 p.m. on June 12 local time, a total of 40,000 attacks were launched against Singapore. Of these, 92% were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.
“Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia,” F5 reveals.
During the period, Singapore became the top destination of cyber-attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Typically, Singapore is not a top attack destination, and the anomaly coincides with President Trump’s meeting with Kim Jong-un.
While Russia was the main source of attacks, accounting for 88% of them, Brazil was the second largest attacker, launching 8% of the assaults. Germany rounded out the top three attackers, with 2%.
“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however, it is common knowledge that the Russian government has many contractors within Russia doing their bidding and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 concludes.
Vulnerabilities in SCALANCE and Other Devices Patched by Siemens
Siemens published around five new security advisories describing several vulnerabilities discovered in its switches, routers, building automation products and medical devices. The severity varies; one of the advisories covers a high-severity flaw that allows an unprivileged attacker to execute arbitrary code with elevated privileges by sending a specially crafted DHCP response to an affected device's DHCP request. This requires the attacker to first gain access to the local network segment that hosts the targeted device.
SCALANCE X switches, SCALANCE X-204RNA access points, RUGGEDCOM WiMAX private wireless WAN devices, and RFID 181-EIP and SIMATIC RF182C RFID communication modules are affected by the security hole. Siemens has also informed its customers that SCALANCE M875 industrial routers are impacted by six vulnerabilities, three of which are high severity, including two command execution flaws that can be exploited by an authenticated attacker with admin privileges. The company said it was not aware of any of these flaws being exploited in the wild.
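The DHCP flaw above is triggered by a reply the device receives on its own network segment, so the attack surface is the device's parsing of attacker-controlled option bytes. The following is an added example, not Siemens' code and not a reproduction of the patched bug (its internals are not described here): a bounds-checked parser for the DHCP options field that refuses replies whose option lengths do not fit the buffer or the option's expected shape. The packets at the bottom are constructed for the demonstration.

```python
"""Bounds-checked parsing of the options field of a DHCP reply.

Added example; neither Siemens' code nor a reproduction of the patched
flaw. Each option is a code byte, a length byte and `length` value bytes;
the length must be validated against the remaining buffer (and the
option's expected shape) before any bytes are copied out.
"""
import ipaddress
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132: marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 53, 54
# Options carrying a list of IPv4 addresses: length must be a non-zero multiple of 4.
ADDRESS_LIST_OPTIONS = {OPT_ROUTER, OPT_DNS}
FIXED_LENGTH_OPTIONS = {OPT_SUBNET_MASK: 4, OPT_MSG_TYPE: 1, OPT_SERVER_ID: 4}


class MalformedDHCP(ValueError):
    """Raised for any reply that would require reading outside the buffer."""


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Return {option code: raw value} for a well-formed options field."""
    if not options.startswith(MAGIC_COOKIE):
        raise MalformedDHCP("options field does not start with the magic cookie")
    pos = len(MAGIC_COOKIE)
    parsed: Dict[int, bytes] = {}
    while pos < len(options):
        code = options[pos]
        pos += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            return parsed
        if pos >= len(options):
            raise MalformedDHCP(f"option {code} has no length byte")
        length = options[pos]
        pos += 1
        # The check an overflowing parser omits: the claimed length must fit
        # inside what is actually left of the packet.
        if pos + length > len(options):
            raise MalformedDHCP(f"option {code} claims {length} bytes, only {len(options) - pos} remain")
        expected = FIXED_LENGTH_OPTIONS.get(code)
        if expected is not None and length != expected:
            raise MalformedDHCP(f"option {code} must be {expected} bytes, got {length}")
        if code in ADDRESS_LIST_OPTIONS and (length == 0 or length % 4):
            raise MalformedDHCP(f"option {code} must hold whole IPv4 addresses, got {length} bytes")
        parsed[code] = options[pos:pos + length]
        pos += length
    raise MalformedDHCP("options field is not terminated by an END option")


def routers(parsed: Dict[int, bytes]) -> List[str]:
    """Decode the router option into dotted-quad strings (empty if absent)."""
    raw = parsed.get(OPT_ROUTER, b"")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def build_options(items: List[Tuple[int, bytes]], terminate: bool = True) -> bytes:
    """Assemble an options field; used here only to construct sample packets."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return MAGIC_COOKIE + body + (bytes([OPT_END]) if terminate else b"")


# Constructed packets: a normal DHCPOFFER, and one whose last option claims
# 255 bytes (length byte 0xFF) while only two bytes follow it.
GOOD_OFFER = build_options([
    (OPT_MSG_TYPE, b"\x02"),  # DHCPOFFER
    (OPT_SERVER_ID, bytes([192, 168, 0, 1])),
    (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
    (OPT_ROUTER, bytes([192, 168, 0, 1])),
])
TRUNCATED_OFFER = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 2, OPT_ROUTER, 0xFF, 0xAA, 0xBB])


def is_acceptable(options: bytes) -> bool:
    """True if the reply parses cleanly; a client should discard it otherwise."""
    try:
        parse_options(options)
        return True
    except MalformedDHCP:
        return False


if __name__ == "__main__":
    print("good offer routers:", routers(parse_options(GOOD_OFFER)))
    print("truncated offer accepted:", is_acceptable(TRUNCATED_OFFER))
```

The length check runs before any value is copied, which is the ordering that matters in a C implementation on the device: a parser that memcpy's `length` bytes first and validates afterwards has already overrun its stack or heap buffer.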
Malicious Programs Mine $175 Million in Monero: Palo Alto Report
Palo Alto’s Josh Grunzweig discovered information on around 630,000 malicious samples, 3,773 emails used to connect with mining pools, and 2,995 mining pool URLs while looking into the proliferation of crypto-mining malware.
Given the clear interest cybercriminals have in Monero, the researcher focused on this virtual coin as well. In addition to the 2,341 Monero wallets extracted from the analyzed sample set, he also determined the mining pools used and found that, of the top ten mining pools used by this malware, all but one allow anonymous viewing of statistics, using the wallet address as the identifier.
“By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources,” he notes.
While roughly half of the 2,341 wallets identified have been unable to generate a meaningful amount of Monero, the remaining wallets obtained over $140 million, the researcher estimates. According to Grunzweig, “a total of $175m has been found to be mined historically via the Monero currency.”
1,278 (55%) of the identified wallets earned 0.01 XMR (~$2.20) or more and only a small subset earned a significant (100 XMR or greater) amount of coins. Only 99 wallets (less than 2% of all wallets identified) have received over 1,000 XMR, and 16 wallets (0.68% of all wallets) have obtained over 10,000 XMR.
Looking at the total hashing power, the research revealed that the attackers accounted for only about 2% of the global hashing power of the Monero network. At around 19 MH/s, that hashrate would yield approximately $30,443 per day.
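The method described above (query pools by wallet address, sum what each wallet has been paid, then bucket the wallets by threshold and convert a hashrate into daily revenue) is straightforward to reproduce. The following is an added example, not code from the Palo Alto report. The payout records are constructed; the pool names and API paths are not given on the page, so none are assumed, and real use would replace SAMPLE_RECORDS with the results of the pool queries. The block reward, network hashrate and XMR price used in the usage section are assumptions as well.

```python
"""Aggregate Monero pool payout records per wallet and summarise them the
way the Palo Alto research does: per-wallet totals, the share of wallets
at or above each XMR threshold, and the daily revenue implied by a hashrate.

Added example, not code from the Palo Alto report. SAMPLE_RECORDS is
constructed data standing in for the per-pool stats responses.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample: (wallet address, pool, XMR paid out by that pool).
# A wallet that mines through several pools appears once per pool, so
# totals must be summed per wallet rather than per record.
SAMPLE_RECORDS = [
    ("wallet-A", "pool1", 0.004),
    ("wallet-B", "pool1", 12.5),
    ("wallet-B", "pool2", 95.0),
    ("wallet-C", "pool3", 1500.0),
    ("wallet-D", "pool1", 10500.0),
    ("wallet-D", "pool2", 2000.0),
    ("wallet-E", "pool2", 0.0),
]

# The cut-offs used in the report: "meaningful" (0.01 XMR), significant
# (100 XMR), 1,000 XMR and 10,000 XMR.
THRESHOLDS_XMR = (0.01, 100.0, 1000.0, 10000.0)
MONERO_BLOCK_TIME_S = 120  # Monero targets one block every two minutes


def totals_per_wallet(records: Iterable[Tuple[str, str, float]]) -> Dict[str, float]:
    """Sum payouts across pools for each wallet; rejects negative amounts."""
    totals: Dict[str, float] = defaultdict(float)
    for wallet, _pool, xmr in records:
        if xmr < 0:
            raise ValueError(f"negative payout for {wallet}")
        totals[wallet] += xmr
    return dict(totals)


def distribution(totals: Dict[str, float],
                 thresholds: Tuple[float, ...] = THRESHOLDS_XMR) -> Dict[float, Tuple[int, float]]:
    """Map each threshold to (wallets at or above it, percentage of all wallets)."""
    n = len(totals)
    result: Dict[float, Tuple[int, float]] = {}
    for threshold in thresholds:
        count = sum(1 for value in totals.values() if value >= threshold)
        result[threshold] = (count, round(100.0 * count / n, 2) if n else 0.0)
    return result


def daily_revenue_usd(attacker_hashrate_hs: float, network_hashrate_hs: float,
                      block_reward_xmr: float, xmr_price_usd: float) -> float:
    """Expected USD mined per day by a hashrate that is a share of the network.

    Expected blocks per day = hashrate share * blocks per day; reward and
    price are inputs because both change over time.
    """
    if network_hashrate_hs <= 0 or attacker_hashrate_hs < 0:
        raise ValueError("hashrates must be positive")
    share = attacker_hashrate_hs / network_hashrate_hs
    blocks_per_day = 86400 / MONERO_BLOCK_TIME_S
    return share * blocks_per_day * block_reward_xmr * xmr_price_usd


if __name__ == "__main__":
    totals = totals_per_wallet(SAMPLE_RECORDS)
    for threshold, (count, pct) in distribution(totals).items():
        print(f">= {threshold:>8} XMR: {count} wallets ({pct}%)")
    # Assumed inputs, not figures from the report: 19 MH/s that is 2% of a
    # 950 MH/s network, a 4.0 XMR block reward and a $120 XMR price.
    print(f"${daily_revenue_usd(19e6, 950e6, 4.0, 120.0):,.0f} per day")
```

Summing per wallet rather than per pool record is the step that keeps the "over 1,000 XMR" style counts honest: a wallet spread across several pools would otherwise be undercounted in every bucket.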
“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.
Atlanta’s Systems Hit by Ransomware, Police Evidence Destroyed
The Atlanta Police Department was one of five of the city’s 13 departments impacted by a ransomware infection. Erika Shields, chief of the department, said the department had lost years of dashcam footage as a result. She also reassured the public, saying, “The dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer. There will be other pieces of evidence.”
This all started in March, when the infection reportedly began spreading from a single infected server. Out of a total of 424 programs on Atlanta’s systems, around 150 were taken offline completely. By the end of April the cost of undoing the damage had surpassed $2.6 million; last month it jumped to $5 million, and officials have now requested that $9.5 million more be set aside for clean-up.
US Official Warns Russians Will Hack Phones, Computers During FIFA World Cup
A top US intelligence official warned football fans traveling to Russia for the World Cup that Moscow’s cyber spies could hack their phones and computers. William Evanina, Director of the National Counterintelligence and Security Center, said that in Russia, even people who believe they are too unimportant to be hacked can be targeted.
“Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved,” Evanina said in a statement. “If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.”
Evanina, in charge of the agency that assesses and counters the threat to the United States from foreign espionage, said that people attending the World Cup, which began on Thursday, should leave behind any devices they can do without. For devices they take with them, they should remove the battery when it is not in use.
“Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted,” he said.
Schneider Patches Critical Flaws in Its Building Automation Software
Schneider Electric has patched four vulnerabilities in its U.motion Builder software, including two critical command execution flaws, and published advisories for them. The vulnerabilities were found by a Chinese researcher who uses the online moniker “bigric3”. He discovered that U.motion Builder is affected by a critical stack-based buffer overflow vulnerability (CVE-2018-7784).
“This exploit occurs when the submitted data of an input string is evaluated as a command by the application,” Schneider said in an advisory. “In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application.” bigric3 discovered another flaw, CVE-2018-7785, which has been described as a remote command injection issue that can lead to authentication bypass. Schneider patched these vulnerabilities in version 1.3.4.
India Ranks 10th In Global Cyber-Security, Still Needs Improvement: McAfee
“Although India has become more active when it comes to cybersecurity, the country needs to put all the pieces together to protect businesses via a fool-proof ecosystem,” a top executive from cybersecurity firm McAfee has stressed. “India is interacting a lot with neighbours, coordinating with them via strategic MoUs on cybersecurity, but there are few things that need to be patched to be able to respond faster and better to cyber-attacks,” said Ian Yip, Chief Technology Officer, Asia Pacific at McAfee. In a recent report released by the Australian Strategic Policy Institute, India ranked 10th on cybersecurity globally.
“The 10th rank globally is not that bad and there is room for improvement. India is in a good place to make those improvements by collaborating with all the stakeholders including cyber security firms,” Yip added. India now has the National Cyber Coordination Centre, apart from a general Computer Emergency Response Team (CERT) and a separate CERT to protect the Banking, Financial services and Insurance (BFSI) sector.
According to Yip, there is now a full-fledged secondary market with cybercrime-as-a-service, helping cybercriminals leverage capabilities from fellow attackers and use advanced malware techniques to target enterprises. “Cyber attackers have the capability to use some of the more advanced techniques. There is a secondary market with cybercrime-as-a-service, where they can leverage the capability of other criminals into the attack mechanisms,” Yip noted.
Apart from rising ransomware attacks, cryptojacking is now a big threat to companies. Cryptocurrency mining is rising, said the executive, owing to the increase in the cryptocurrency value. “Cryptojacking is more harmful for businesses and individuals than ransomware because it increases the cost of ransom,” Yip added.
According to Yip, the next big wave of innovation in cybersecurity solutions is Machine Learning (ML) and Artificial Intelligence (AI). “There is urgent need to automate, orchestrate and integrate as much of security infrastructure as possible amid skill shortage. Cyber attackers are now also trying to leverage the potential of New-Age technologies,” he noted.
Geeks to be Hired to Combat Cybercrime in the Country, Indian Government Decides
To deal with increasing cybercrime and cybersecurity threats, the government has directed police forces across the country to raise an information technology cadre and open the doors of the police force to computer professionals. These new entrants, the tech geeks, will work as “undercover agents” to infiltrate black markets and identify their operators; they will act as hawks in cyberspace and probe cybercrimes. “Also, cyberspace is used by terrorists; to deal with them, the IT cadre will help its ground team understand what cyber terrorism is,” said an IPS officer.
“Terrorism holds an agenda often religious, cultural, social, economic and political. Also, terrorist organisations are promoting the use of computing expertise to radicalize and recruit members to carry out acts of violence and the job of the IT cadre would be to trace the recruiters,” he added.
According to the Indian Computer Emergency Response Team, under the Ministry of Electronics and Information Technology, a total of 69,539 cyber incidents were dealt with between April 2017 and February 2018. During this period, 55 security incidents and 23,282 Indian website defacements were tracked. These statistics have prompted the Centre to take swift action and involve geeks to catch criminals.
Flaw in Cortana – Allows Code Execution from Lock Screen
With the June 2018 security patch, Microsoft addressed a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen. The issue, discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee, is tracked as CVE-2018-8140. The bug can be abused to execute code on the impacted machine directly from the lock screen.
In an advisory, Microsoft explains that the vulnerability “exists when Cortana retrieves data from user input services without consideration for status.” The company confirms the possible exploitation to execute commands with elevated permissions. The vulnerability requires physical access to the impacted device and appears connected to a flaw independent researchers Amichai Shulman and Tal Be’ery detailed in March, and which could be abused to install malware on the affected computers.
In order to exploit the issue, an attacker with access to the impacted computer needs to have Cortana assistance enabled. A user can interact with the voice-based assistant even from the lock screen, by saying “Hey Cortana.” According to Cochin, because Windows indexes file content, including strings in documents, Cortana can be abused to leak sensitive information. Specifically, if the right search phrase is used when clicking on the “tap and say” button, Cortana could show the content of confidential files, such as those storing passwords.
“Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device,” the researcher notes.
“Live off the land” attacks that abuse existing tools for malicious purposes cannot be performed this way, because Cortana does not let the attacker pass parameters to the programs it launches. Other nefarious operations, however, such as uninstalling applications, are possible even with these restrictions in place.
To execute code from the lock screen using Cortana, one would need to make sure the code is indexed (appears in the contextual menu). To get results to show up in the index of an authenticated user, an attacker can abuse OneDrive, where the contents of all shared folders with “edit” rights are indexed.
Thus, an attacker can drop an executable in a shared OneDrive folder; it can then even be executed as an administrator by right-clicking on it and selecting the “Run as administrator” option. Although a User Account Control (UAC) prompt would be triggered, the attack might still succeed, as users rarely check the content of the prompt before clicking through it.
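Every step of the attack described above starts from Cortana being reachable on the lock screen, so a quick audit of that setting is worth having alongside patch verification. The following is an added example, neither McAfee's nor Microsoft's code. It assumes the Group Policy registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search with the DWORD values AllowCortana and AllowCortanaAboveLock (0 meaning blocked); an absent value means the policy is not configured and the feature stays at its default, which is the state the attack relies on. Disabling Cortana above the lock screen removes the entry point but does not replace the June 2018 update.

```python
"""Audit whether Cortana is reachable from the Windows lock screen.

Added example, neither McAfee's nor Microsoft's code. Assumes the policy
DWORDs AllowCortana and AllowCortanaAboveLock under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search; 0 blocks the
feature and an absent value leaves it allowed.
"""
from typing import Dict, Optional

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"
POLICY_VALUES = ("AllowCortana", "AllowCortanaAboveLock")


def cortana_above_lock_allowed(values: Dict[str, Optional[int]]) -> bool:
    """Decide from the policy values whether Cortana can be invoked above the lock screen.

    A missing key or a value of None means "not configured", which is allowed.
    """
    if values.get("AllowCortana") == 0:
        return False  # Cortana disabled entirely, so there is nothing to reach
    return values.get("AllowCortanaAboveLock") != 0


def read_policy_values() -> Dict[str, Optional[int]]:
    """Read the policy DWORDs from HKLM; on non-Windows hosts return an empty dict."""
    try:
        import winreg  # present only in Windows builds of Python
    except ImportError:
        return {}
    values: Dict[str, Optional[int]] = {name: None for name in POLICY_VALUES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in POLICY_VALUES:
                try:
                    data, _kind = winreg.QueryValueEx(key, name)
                    values[name] = int(data)
                except FileNotFoundError:
                    pass  # this value is not configured
    except FileNotFoundError:
        pass  # key absent: no Cortana policy configured at all
    return values


def audit_report(values: Dict[str, Optional[int]]) -> str:
    """One-line finding for a configuration audit."""
    if cortana_above_lock_allowed(values):
        return "FAIL: Cortana is usable from the lock screen (set AllowCortanaAboveLock=0)"
    return "PASS: Cortana is not reachable from the lock screen"


if __name__ == "__main__":
    print(audit_report(read_policy_values()))
```

The decision logic is separated from the registry read so the same rule can be applied to values collected by other means, for example from an exported policy or a fleet inventory.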
Irish Businesses Hit by Cybercrime, PwC Reports
The Irish Economic Crime and Fraud Report by PwC states that almost half of the 77 companies surveyed have been hit by some form of cybercrime over the last two years, an increase of 34 percent from 2016. Of these, more than 60 percent described the crimes as phishing and malware, and the rest described them as “asset misappropriation”.
Pat Moran of PwC Ireland said: “Actual crime could well be higher than reported crime, which makes the findings from this survey even more concerning. What the survey is clearly showing us is that there is a better understanding of what fraud is through risk assessments and where it is taking place through cybersecurity programmes. However, despite progress in understanding and reporting, the fact that just over half of businesses say they have not, or don’t know if they have experienced fraud in the past two years, suggests blind spots still exist in many organisations.”
Two thirds of the survey respondents said that the total cost of the crime reported against them was less than €810,000, one in 10 said they had been hit for more than €4 million, and a further fifth said the cost was immeasurable. The surveyed businesses also expect levels of cybercrime to increase further in the next two years.