Category Archives: Attacks

VPN Vulnerabilities

NSA Releases Advisory on Mitigating Recent VPN Vulnerabilities

The National Security Agency (NSA) has released an advisory on advanced persistent threat (APT) actors exploiting multiple vulnerabilities in Virtual Private Network (VPN) applications. A remote attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review NSA’s Cybersecurity Advisory and CISA’s Current Activity on Vulnerabilities in Multiple VPN Applications for more information and apply the necessary updates or mitigations.

Source

What are APTs?

APTs are stealthy cyber attacks in which a person or a group gains unauthorised access to a network and remains undetected.

In most cases, these attacks are conducted by nation-states or criminal organisations (see article there). Their purpose is to extract information, intellectual property and financial data, and they can be used to steal cash when banks are attacked.

The USB scam is back

Infected USB devices

This has reappeared recently in New Zealand. If, when checking your mail box, you find a brand new USB stick, just throw it in the bin immediately.

Scammers are placing these USBs in mailboxes pre-loaded with malicious software. They are even going to the trouble of repacking them so they look factory fresh. They are banking on the recipients being thankful for a free USB or being curious as to what might be on them.

If you receive one, it is part of a recurring scam and most likely not spearphishing. Spearphishing means that someone is targeting you as a member of an organisation.

If you make the mistake of connecting it to one of your devices, such as a phone or a computer, it is likely that viewing the content (on a computer) will lead to a malware infection. Usually it takes opening a file on the computer to activate the malware; it should not activate merely by connecting the device.

Simply throw the USB stick away without connecting it to any computer.

Be vigilant.

You can find more information on the Sophos blog (2016)

Magic Weapons: China’s political influence….

At a time when there is controversy about the rejection by various countries of Huawei equipment, it is interesting to find out more about hacks attributed to sources within China. It is also interesting to read the report by professor Anne-Marie Brady about the influence of that country in New Zealand. For the record, her office and home were burgled following the publication of the report, and the brakes on her car were sabotaged. Probably a coincidence, as the police found nothing to incriminate anyone.

The report is very interesting, and worth the effort to read to the end. It is available on the Wilson Center web site and can also be directly downloaded from here.

I do not believe that the attacks are one way in any case.

Opportunistic online scams and attacks : the scavengers are out!

There have been reports of opportunistic online scams and attacks after the terrorist attack in Christchurch last week. The vectors used are online donation fraud, malicious video files, defacement of NZ websites, and website disruption.

The scammers and attackers use the following:

  • Phishing emails containing links to fake online banking logins, as well as fraudulent bank accounts where people can make donations for the victims of the Christchurch tragedy.
    • A phishing email is an email sent to a wide range of people in the hope that a few will follow its instructions, making the exercise worth the effort. Such emails usually contain links to websites hosting malicious content.
  • Sharing malicious video files on compromised websites or on social media. A shared online video file containing footage related to the attack can have malware embedded in it.
  • Some attackers are changing New Zealand websites to spread political messages about the Christchurch tragedy.
  • Some New Zealand websites are receiving threats of denial-of-service attacks, which would take them offline.

There are official channels to donate money, please use them should you wish to make a donation.

What to do

If you receive a phishing email or have found a website hosting political messages, report it to CERT NZ.

If your website has been taken over with political content relating to the tragic events in Christchurch, report it to CERT NZ.

CERT NZ recommends that you consent to sharing your report with the NZ Police.

More information

This is not something new: online scams and attacks frequently use disasters and tragedies as opportunities for “business”.

If any of the terminology used is confusing you, feel free to comment and I will make the confusing part the subject of a subsequent posting.

Google Chrome Security Advisory

As reported by CERT New Zealand, attackers might be able to take control of your computer if you do not have the latest version of Chrome.
You need to check the version of Chrome you are using. Anything earlier than 72.0.3626.121 is vulnerable.

How do you check if you are at risk?

The instructions from CERT are:

“If you are on a laptop or desktop computer, open Chrome and visit chrome://settings/help. If you are not up-to-date, visiting the page should automatically update your browser.

If you are on a mobile device, like a mobile phone or tablet, open Chrome and visit chrome://version. If you are not up-to-date, visit your app store and download the update.”

Don’t take a chance. Check if you need to update, or use the latest version of Firefox.

As general advice, you always need to update promptly any software installed on any of your devices to minimise exposure. An attacker would try to identify what you are running, then exploit whatever unpatched vulnerability they encounter, as in this example.
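The advisory turns on one comparison: is the installed build older than 72.0.3626.121? The added example below (written for this post, not CERT NZ or Google tooling) shows how to make that comparison correctly across a constructed software inventory, since comparing version strings as text gets it wrong.

```python
# Added example for this post: flag Chrome builds older than the fixed
# version named in the advisory. Not CERT NZ or Google code; the version
# threshold is from the post, the inventory lines below are constructed.

FIXED_VERSION = "72.0.3626.121"


def parse_version(text):
    """Dotted version string -> tuple of ints.

    Plain string comparison is the classic mistake here: "72.0.3626.9"
    sorts after "72.0.3626.121" as text, yet it is the older build.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` is strictly older than `fixed`.

    Shorter tuples are zero-padded so "72.0" compares as 72.0.0.0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed inventory export (hostname,browser,version); not real hosts.
SAMPLE_INVENTORY = """\
ws-01,chrome,72.0.3626.109
ws-02,chrome,72.0.3626.121
ws-03,chrome,73.0.3683.75
ws-04,chrome,72.0.3626.9
ws-05,firefox,65.0.2
"""


def hosts_needing_update(inventory=SAMPLE_INVENTORY):
    """Hostnames whose Chrome build is older than FIXED_VERSION."""
    flagged = []
    for line in inventory.splitlines():
        host, browser, version = line.split(",")
        if browser == "chrome" and is_vulnerable(version):
            flagged.append(host)
    return flagged
```

Running `hosts_needing_update()` on the constructed inventory flags ws-01 and ws-04; ws-02 is exactly the fixed build and so passes.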

Live attack on GitHub

DDoS attack

A massive DDoS attack has been taking place on GitHub for the last 4 days.

From the status page, the administrators seem to be getting on top of it, and the page describes the sequence of events well.

More information on the background of the attack is available here.

Digital Attack Map

Interesting interactive map displaying in real time the Denial of Service attacks taking place worldwide. The map also allows access to historical records. DoS is only one type of attack, and it comes in multiple flavours. Source: http://www.digitalattackmap.com/

Cold Calling Scam

The PC Doctor Scam:

There has recently been an increase in the now classic scam by which so-called technicians target New Zealanders with phone calls informing them that their computer has been infected. The scale of the problem has become such that Microsoft New Zealand and NetSafe have issued an alert this week (Fraud Awareness Week).

– The caller, often from overseas, states they are from Microsoft
– indicates that:

  • your computer is infected and is harming other on-line users
  • your ISP has identified your system as a problem.

– cons the computer owner into giving the caller remote access using a genuine remote-access service.
– uses the ‘Event Viewer’ tool on the computer to highlight error messages which are supposedly signs of an infection.
– offers to clean up the infection and/or install security software and provide an ongoing support service costing anywhere up to $500.

That software, which looks like security software, could also be collecting your credentials for identity theft and financial fraud. The credit card number supplied can be used to purchase goods using your account. The remote technician could install ransomware on your device, which means that he or she could encrypt your data and demand payment to give you access to it back.

What you can do:

Several possibilities:

  • Ignore the call: hang up.
  • If you fell for it and gave access to your computer, disconnect the machine from the internet immediately, then consult a genuine local PC technician to check that nothing serious has been installed on your PC or laptop.
  • Report the call to NetSafe.
  • If you have paid money, discuss your options with your bank.

This article has been inspired by this post on Geekzone.

Another Chrome Security Concern

The Password Security Concern.

We already knew that storing any passwords in Google Chrome was dangerous, and the method to extract them is widely available, for example in this video.

The Microphone Concern.

It has now come to light that people can eavesdrop on you by accessing your microphone without you being aware of it. It is not a simple process, but Guya.net describes it very well. Chrome is using outdated technology, which can be abused to have a web site access your microphone without any warning.

The bug has been reported to Google, and let’s hope that a fix comes soon. Or maybe you might want to switch to another browser.

What browser are you using, and why?

New Attack Discovered on Monday

A zero-day attack affecting Microsoft Word has just been detected.

A zero-day attack is a type of attack that may have been in use for a while, unknown to users. “Zero day” indicates that it has just been discovered, and that the security industry is furiously trying to write a patch to stop it from being used. Expect a Microsoft update soon.

How does the attack work?

Microsoft Word 2003 to 2013 are all vulnerable. A text file with the .rtf extension can be modified to corrupt system memory in a way that causes code to be executed. When a user opens the file in Microsoft Word (the default setting in Windows), or previews a malicious .rtf file in Outlook, an attacker can gain the same privileges as the user, and this can lead to a remote takeover of the PC.

How can you protect your system from this attack?

3 easy ways come to mind:

  1. Stop using MS Word by default to open .rtf files. To do that, right-click on a .rtf file, select Open with, then Choose default program. Select WordPad, then tick Always use the selected program to open this kind of file.
  2. Ignore emails coming from people you do not know; links in them can point towards infected sites, and if there are files attached, they are likely to be malicious. In this case, even previewing the file is enough to trigger the attack.
  3. Do not use MS Word if you can. (LibreOffice is good.)

Let us know if you can think of another way of keeping the computer safe until the patch is issued.

The detailed technical information about this attack is described by Microsoft on their site.