Tag Archives: exploits

AVIATION-RELATED PHISHING PASSWORDS


A wave of email-based phishing campaigns is targeting airline consumers with messages that contain malware that infects systems or links to spoofed airline websites that are personalized to trick victims into handing over personal or business credentials.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” said Asaf Cidon, vice president, content security services at Barracuda Networks. Attachments, he said, are documents rigged with malware or are designed to download it from a command and control server.

Cidon said other aviation-themed phishing attacks contain links to spoofed airline sites. In these types of attacks, adversaries go to great lengths to spoof the airline’s site. In addition, attackers personalize the landing page with the target’s personal information in hopes of coaxing them to log in with either their company or airline username and password.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon said.

Recent phishing campaigns, he said, are targeting logistic, shipping and manufacturing industries.

Barracuda’s warning comes a week after the U.S. Computer Emergency Readiness Team issued an alert about similar attacks targeting airline consumers. It warned that those email-based phishing campaigns were also attempting to obtain credentials.

“Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information,” according to the US-CERT warning.

The US-CERT warning was based on concerns Delta Air Lines had over a rash of fake websites designed to confuse consumers.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” according to the Delta Air Lines warning.

Delta said some victims were sent emails that claimed to contain invoices or receipts inside attached documents. Attachments contained either dangerous viruses or links to websites that downloaded malware onto a victim’s computer.

When asked about the warning, Delta declined to comment.

More troubling to Barracuda researchers was the success rate adversaries are having with phishing campaigns it is tracking.

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” Cidon wrote in a research note posted Thursday. “This is one of the highest success rates for phishing attacks.”

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. Researchers say crooks attempting to install malware and perpetrate credential-harvesting attacks are more likely to use social engineering to trick people into installing malware than to exploit vulnerabilities with tools such as exploit kits.


OPENSSL UPDATE FIXES HIGH-SEVERITY DOS VULNERABILITY


The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Response Team also alerted system admins of the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.

OpenSSL is ubiquitous, in tens of thousands of commercial and homespun software projects. The open source project provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The technology is credited for keeping communications secure between endpoints by ensuring the identity of both parties.

According to OpenSSL, the issue does not impact OpenSSL version 1.0.2. However, additional versions of OpenSSL, such as versions 1.0.0 and 0.9.8, which are no longer supported, will also need updates. The bug, CVE-2017-3733, was reported by Red Hat’s Joe Orton on Jan. 31. The fix was developed by the OpenSSL team’s Matt Caswell.

OpenSSL deployments continue to be plagued by the Heartbleed vulnerability. The flaw persists today and can be found on almost 200,000 servers and devices, according to a recent report by the operators of the Shodan search engine.

Earlier this month Ubuntu users were urged to update their operating system to address a handful of patched OpenSSL vulnerabilities (CVE-2016-7056 and CVE-2016-7055) which affect Ubuntu and its derivatives.

The OpenSSL toolkit is licensed under an Apache-style license and has the financial backing of firms such as The Linux Foundation, Microsoft, Facebook, Amazon, Dell and Google.


HACKED: PUB CHAIN JD WETHERSPOON; 500,000+ CUSTOMERS’ RECORDS BREACHED


Pub company JD Wetherspoon has confirmed that its database was the target of a cyberattack. The data breach could potentially affect over half a million customer records from the database.

A database of over 650,000 customers of UK pub chain JD Wetherspoon has been breached by unknown malicious hackers. According to a statement put out by the company, a “very limited” number of customers have had their credit and debit card details stolen, although they are unlikely to be used for fraudulent transactions.

While the card data was not encrypted, only the last four digits of payment card details were stored in the database to begin with, according to CEO John Hutson.

The statement read:

These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.

In a BBC report, it is revealed that the database also held details of 656,723 customers such as:

  • Names
  • Dates of birth
  • Email addresses
  • Phone numbers

The breach is significant despite the lack of financial information stolen, as it is entirely within the realm of possibility that expert malicious hackers could use the breached personal data for identity theft or phishing campaigns.

In a letter to customers, Hutson stressed there was no evidence of any fraudulent activity resulting from the breached data. Customers are also advised to stay vigilant against any emails or messages that ask them to click a link, download a file, or provide financial or personal data.

An excerpt from the statement read:

We apologize wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread.

The cyberattack struck the company’s old website between June 15 and June 17. The website has since been replaced. Wetherspoon was only made aware of the possible breach on December 1 and confirmed it soon after.

The United Kingdom has weathered a blitz of cyberattacks lately, with the TalkTalk hack proving to be the most prominent data breach in recent times. Over 4 million users’ personal details may have been compromised, and the telecom and broadband provider noted that the incident might cost the company upwards of $50 million as a one-time financial hit.



CRITICAL INFRASTRUCTURE AT RISK


Critical infrastructure at risk from remotely exploitable NTP flaws

Remotely exploitable Network Time Protocol (NTP) vulnerabilities are leaving critical infrastructure firms open to attack, according to the Industrial Control Systems Computer Emergency Response Team (ICS-CERT).

ICS-CERT issued an advisory on the flaws, confirming it is working with over 20 vendors, including Google, to create fixes.

“As NTP is widely used within operational industrial control systems deployments, ICS-CERT is providing this information for US critical infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” read the advisory.

“These vulnerabilities could be exploited remotely.”

The multitude of flaws exist in all NTP Version 4 releases prior to Version 4.2.8p1 and are the result of “insufficient entropy”, the use of a cryptographically weak pseudorandom number generator (PRNG), a section of code missing a return statement, and a stack buffer weakness, according to ICS-CERT.

The emergency response team said it is yet to see any evidence any of the flaws are being exploited, but warned:

“An attacker with a low skill and an exploit script would be able to exploit these vulnerabilities. However, a higher level of skill would be necessary to craft usable exploit scripts.”

It added that assessing the full scale of the flaws’ impact is difficult as it will depend on the individual company’s wider system.

“Impact to individual organisations depends on many factors that are unique to each organisation,” read the advisory.

“ICS-CERT recommends that organisations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

ICS-CERT recommends firms update to new unaffected NTP versions and take a variety of other protective measures.

“Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” read the advisory.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

“[Finally] when remote access is required, use secure methods, such as virtual private networks (VPNs).”
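Both this advisory and the OpenSSL advisory above give an affected range by version string only (NTP 4 before 4.2.8p1; OpenSSL 1.1.0 before 1.1.0e, with 1.0.2 unaffected and 1.0.0/0.9.8 out of support). The following added example, which is not from ICS-CERT, OpenSSL or the articles, turns those statements into a triage check over version banners; the hostnames, banners and build identifiers in the inventory are constructed for illustration.

```python
import re

# Banner formats as printed by "openssl version" and by ntpd/ntpq, e.g.
#   "OpenSSL 1.1.0c  10 Nov 2016"  -> (1, 1, 0, "c")
#   "ntpd 4.2.6p5@1.2349-o"         -> (4, 2, 6, 5); no "pN" means patch level 0
_OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
_NTPD_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def openssl_status(banner):
    """CVE-2017-3733 triage as the advisory is quoted on this page: 1.1.0 before
    1.1.0e is affected, 1.0.2 is not affected, and anything older than 1.0.2
    (1.0.0, 0.9.8) is unsupported and needs a move to a supported release."""
    m = _OPENSSL_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)  # "" for the initial release, then "a", "b", ...
    if base == (1, 1, 0):
        return "affected" if letter < "e" else "fixed"
    if base == (1, 0, 2):
        return "not-affected"
    if base < (1, 0, 2):
        return "unsupported"
    return "outside-advisory"  # release lines the quoted advisory does not cover


def ntpd_is_affected(banner):
    """ICS-CERT range as stated on this page: all NTP version 4 releases prior
    to 4.2.8p1. A bare 4.2.8 precedes 4.2.8p1 and so counts as affected, as do
    development builds such as 4.2.7p482."""
    m = _NTPD_RE.search(banner)
    if not m:
        raise ValueError("not an ntpd version banner: %r" % banner)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    level = int(m.group(4) or 0)
    if major != 4:
        return False  # the advisory scopes itself to NTP version 4
    return (major, minor, patch, level) < (4, 2, 8, 1)


def triage(inventory):
    """Return the hosts (sorted) whose banner puts them in either update range."""
    needs_update = []
    for host, banner in inventory.items():
        if banner.startswith("OpenSSL"):
            if openssl_status(banner) in ("affected", "unsupported"):
                needs_update.append(host)
        elif banner.startswith("ntpd") and ntpd_is_affected(banner):
            needs_update.append(host)
    return sorted(needs_update)


# Constructed inventory: hostnames and build identifiers are illustrative only.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.0c", "web-02": "OpenSSL 1.1.0e", "web-03": "OpenSSL 1.0.2k",
    "legacy-01": "OpenSSL 0.9.8zh", "plc-gw-01": "ntpd 4.2.6p5@1.2349-o",
    "plc-gw-02": "ntpd 4.2.8@1.3265-o", "plc-gw-03": "ntpd 4.2.8p1@1.3265-o",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, "->", SAMPLE_INVENTORY[host])
```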

The ICS-CERT advisory follows widespread warnings that firms involved in critical infrastructure are dangerously vulnerable to cyber attacks.

US president Barack Obama pledged to bolster the nation’s cyber security and intelligence-gathering powers in a bid to protect critical infrastructure and industry from terrorists during his State of the Union speech in January.
