1-A Cyber Attack on Sony’s PlayStation Network
PlayStation Network was hacked and the personal details of 77m users accessed. It was the largest security breach of its kind to ever hit console gamers, and an event with huge repercussions for PlayStation – both in the short term for its users, left for weeks without access to online services, and longer term as Sony sought to win back customer trust.

It began with Anonymous, the umbrella-term hacktivist group which had been bombarding Sony’s servers with distributed denial of service (DDoS) attacks. Anonymous had brought PSN to its knees several times in April 2011 in the run-up to the actual privacy breach. But the greater damage was from all the confidential information that got leaked to the public. The hackers posted five Sony movies (four unreleased) to file-sharing networks. And they also leaked thousands of confidential documents — everything from private correspondence among Sony executives to salary and performance data about Sony employees. Those documents were password protected, and whoever is behind the hack provided said password only to journalists.

Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS) attacks. This type of attack takes advantage of the specific capacity limits that apply to any network resource – such as the infrastructure that serves a company’s website. A DDoS attack sends a flood of requests to the targeted web resource, with the aim of exceeding the site’s capacity to handle them and preventing it from functioning correctly.
Typical targets for DDoS attacks include:
- Internet shopping sites
- Online casinos
- Any business or organisation that depends on providing online services
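The capacity-exhaustion idea above can be watched for on the server side by counting requests per client inside a sliding time window. The following is an added illustration, not code from the original post: it parses constructed common-log-format lines (sample traffic, not real PSN logs) and flags any client whose peak request rate in a 10-second window exceeds an assumed capacity threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def peak_rates(lines, window_seconds=10):
    """Per client IP, the largest number of requests seen inside any single window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    peak = defaultdict(int)
    for line in lines:            # lines only need to be in time order per client
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window: drop timestamps that aged out
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def flag_floods(lines, window_seconds=10, threshold=50):
    """IPs whose peak rate exceeds the (assumed) capacity the service is sized for."""
    rates = peak_rates(lines, window_seconds)
    return sorted(ip for ip, n in rates.items() if n > threshold)

def build_sample_log():
    """Constructed sample traffic: one client hammering /login, one browsing normally."""
    base = datetime(2011, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):          # 120 requests from one address within 8 seconds
        ts = (base + timedelta(milliseconds=i * 66)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /login HTTP/1.1" 200 512')
    for i in range(6):            # 6 requests from another address spread over a minute
        ts = (base + timedelta(seconds=i * 10)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /store HTTP/1.1" 200 2048')
    return lines

if __name__ == "__main__":
    print(flag_floods(build_sample_log()))
```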
2-Hackers Cause World’s First Power Outage with Malware
SCADA systems have always been an interesting target for cyber crooks, given the success of the Stuxnet malware, developed jointly by the US and Israel to sabotage the Iranian nuclear facilities a few years ago, and “Havex”, which previously targeted organizations in the energy sector.
Now once again, hackers have used highly destructive malware and infected at least three regional power authorities in Ukraine, causing blackouts across the Ivano-Frankivsk region of Ukraine on 23rd December.
The energy ministry confirmed it was investigating claims that a cyber attack disrupted local energy provider Prykarpattyaoblenergo, causing the power outage that left half of the homes in Ivano-Frankivsk without electricity just before Christmas.
First Malware to Cause Power Outage
On Monday, researchers from antivirus provider ESET confirmed that multiple power authorities in Ukraine were infected by the “BlackEnergy” trojan.
BlackEnergy Trojan was first discovered in 2007 as a relatively simple tool to conduct Distributed Denial of Service (DDoS) attacks but was updated two years ago to add a host of new features, including the ability to render infected computers unbootable.

The malware was launched by “Russian security services” and used against industrial control systems and politically sensitive targets, the SBU state intelligence service said in a statement on Monday.
According to ESET, the malware was recently updated again to add a new component called KillDisk and a backdoored secure shell (SSH) utility that gives hackers permanent access to infected computers.
How Did Hackers Cause Blackouts?
Researchers said hackers had used backdoors to spread the KillDisk wiper module through booby-trapped macro functions embedded in Microsoft Office documents across the Ukrainian power authorities.
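A first-line defensive check for the delivery vector described above is to flag Office documents that carry a VBA macro project before they reach users. The following is an added example, not code from the original post or from ESET: it inspects an OOXML archive (docx/docm/xlsm/pptm) for a vbaProject.bin part and for the VBA content type declared in [Content_Types].xml, and builds minimal constructed sample archives to exercise both paths.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project part
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def macro_indicators(doc_bytes):
    """Return the macro indicators found in an OOXML document given as bytes.

    Two independent signals are checked: a vbaProject.bin part anywhere in the
    archive, and the VBA content type declared in [Content_Types].xml. Either
    one alone is enough to treat the file as macro-bearing.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    findings.append("part:" + name)
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    findings.append("content-type:" + VBA_CONTENT_TYPE)
    except zipfile.BadZipFile:
        # Legacy OLE2 .doc/.xls or a corrupted file: needs a different parser,
        # so report it rather than silently treating it as clean.
        findings.append("not-ooxml")
    return findings

def build_sample(with_macro):
    """Constructed minimal OOXML archive for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder project")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(macro_indicators(build_sample(True)))
    print(macro_indicators(build_sample(False)))
```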
3-Cybersecurity Firm FireEye Got Hacked; Red-Team Pentest Tools Stolen
FireEye, one of the largest cybersecurity firms in the world, became a victim of a state-sponsored attack by a “highly sophisticated threat actor” that stole the arsenal of Red Team penetration testing tools it uses to test the defenses of its customers.
The company said it’s actively investigating the breach in coordination with the US Federal Bureau of Investigation (FBI) and other key partners, including Microsoft.
However, The New York Times and The Washington Post reported that the FBI has turned over the investigation to its Russian specialists and that the attack is likely the work of APT29 (or Cozy Bear) — state-sponsored hackers affiliated with Russia’s SVR Foreign Intelligence Service — citing unnamed sources.

As of writing, the hacking tools have not been exploited in the wild, nor do they contain zero-day exploits, although malicious actors in possession of these tools could abuse them to subvert security barriers and take control of targeted systems.

Red Team tools are often used by cybersecurity organizations to mimic those used in real-world attacks with the goal of assessing a company’s detection and response capabilities and evaluating the security posture of enterprise systems.

The accessed Red Team tools run the gamut from scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. A few others are modified versions of publicly available tools designed to evade basic security detection mechanisms, while the rest are proprietary attack
4-US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department’s National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign. The motive and the full scope of what intelligence was compromised remain unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly sophisticated supply chain attack.
SolarWinds’ networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.
It also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

An Evasive Campaign to Distribute SUNBURST Backdoor
FireEye, which is tracking the ongoing intrusion campaign under the moniker “UNC2452,” said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.
This rogue version of the SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program (OIP) protocol, is said to communicate via HTTP with remote servers so as to retrieve and execute malicious commands (“Jobs”) that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.
Orion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.
What’s more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.
5-Researcher Discloses 4 Zero-Day Bugs in IBM’s Enterprise Security Software
A cybersecurity researcher publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.
The affected premium product in question is IBM Data Risk Manager (IDRM), which is designed to analyze an organization’s sensitive business information assets and determine the associated risks.
IBM Data Risk Manager contains three critical severity vulnerabilities and a high impact bug, all listed below, which can be exploited by an unauthenticated attacker with network access to the appliance, and which when chained together could also lead to remote code execution as root.
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download

Critical Zero-Day Vulnerabilities in IBM Data Risk Manager
In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.
The command injection flaw resides in the way IBM’s enterprise security software lets users perform network scans using Nmap scripts, which apparently can be equipped with malicious commands when supplied by attackers.
According to the vulnerability disclosure, the IDRM virtual appliance also has a built-in administrative user, with username “a3user” and default password “idrm,” that can log in over SSH and run sudo commands; if left unchanged, this could let remote attackers take complete control over the targeted systems.
The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. However, according to the researcher, one of the parameters to this endpoint suffers from a directory traversal flaw that could let malicious users download any file from the system.
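The directory traversal flaw class described above comes from joining a user-supplied file name onto the log directory without checking where the result lands. The following is an added, hypothetical illustration of that bug class and its fix in Python, not IBM’s code and not the researcher’s PoC: `vulnerable_log_path` shows the unchecked join, and `safe_log_path` resolves the candidate path and refuses anything outside the log directory; the directory layout is constructed in a temporary folder.

```python
import os
import tempfile
from pathlib import Path

class InvalidLogName(ValueError):
    """Requested log name does not resolve to a file inside the log directory."""

def vulnerable_log_path(log_dir, requested):
    # The flaw class: the request parameter is joined straight onto the
    # directory, so "../" segments (or an absolute path) walk out of it.
    return os.path.join(log_dir, requested)

def safe_log_path(log_dir, requested):
    """Resolve the request and refuse anything that escapes log_dir."""
    if not requested or "\x00" in requested:
        raise InvalidLogName(requested)
    base = Path(log_dir).resolve()
    # resolve() follows symlinks and collapses "..", so the containment
    # check below is made on the real filesystem path, not the raw string.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise InvalidLogName(requested)
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return str(candidate)

def demo():
    """Constructed layout: logs/app.log inside the log dir, secret.txt one level up."""
    root = Path(tempfile.mkdtemp()).resolve()
    log_dir = root / "logs"
    log_dir.mkdir()
    (log_dir / "app.log").write_text("ok\n")
    (root / "secret.txt").write_text("outside the log directory\n")
    results = {}
    escaped = Path(vulnerable_log_path(log_dir, "../secret.txt")).resolve()
    results["vuln_escapes"] = escaped == root / "secret.txt"
    results["safe_allows"] = safe_log_path(log_dir, "app.log") == str(log_dir / "app.log")
    try:
        safe_log_path(log_dir, "../secret.txt")
        results["safe_blocks"] = False
    except InvalidLogName:
        results["safe_blocks"] = True
    return results

if __name__ == "__main__":
    print(demo())
```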
Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.