Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Microsoft Accounts Locked Out of Win 11
A recent Microsoft patch for Windows 11, KB5016691, has the unintended effect of locking out newly-added Microsoft user accounts after the first reboot or log out. The company has addressed the issue by issuing a Known Issue Rollback, which will revert known buggy patches distributed via Windows Update.
However, in enterprises, administrators will have to install and configure a Known Issue Rollback Group Policy in order to fix the problem. That said, this is unlikely to be a common problem, since enterprises generally use Active Directory accounts rather than Microsoft accounts.
Microsoft Support, Unable to sign in after adding a new Microsoft Account user in Windows, Windows 11 status page, 7 September 2022. Available online at https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#unable-to-sign-in-after-adding-a-new-microsoft-account-user-in-windows.
Medical Infusion Pumps Vulnerable
Security firm Rapid7 has discovered vulnerabilities in medical equipment produced by Baxter Healthcare, specifically infusion pumps which are used in clinical settings to deliver medication and nutrition directly into the bloodstream of patients. 
The devices, which connect via wi-fi in order to provide data for patient monitoring, store the wi-fi credentials of the hospital network in their batteries, so that after disposal anyone with access can retrieve them. The devices also have two format string vulnerabilities, as well as other vulnerabilities which give access to wi-fi configuration data.
Heiland, Deral, Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED), 8 September 2022. Available online at https://www.rapid7.com/blog/post/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/.
140,000 WordPress Sites Vulnerable Via Backup Utility
WordPress sites which use the BackupBuddy utility are being warned to update the plugin, following reports of 0day exploitation of an arbitrary file read and download vulnerability. The vulnerability is due to an insecure implementation of the mechanism for downloading files from the server, allowing unauthenticated users to download any file on the server.
The plugin's download function does not validate its parameters, and can be triggered from any admin page, including some that do not require authentication. From there, the URL arguments can use directory traversal to escape the backup files directory and access any file on the server. The appearance of the classic "/../../" string in logs is a sure sign of exploitation.
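As an added example (not code from the Daily Swig article or from the plugin), here is a small log scanner for the traversal indicator just described. It parses Apache-style access log lines, URL-decodes every query parameter repeatedly so that single- and double-encoded forms of "../" are caught as well as the literal string, and reports the source IP and decoded value. The log lines and the `local-download` parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access log lines (not real traffic): one benign
# backup download, three traversal attempts in plain, encoded and
# double-encoded form, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin.php?page=pb_backupbuddy_backup&local-download=backup-2022.zip HTTP/1.1" 200 5120
203.0.113.9 - - [08/Sep/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?page=pb_backupbuddy_backup&local-download=/../../wp-config.php HTTP/1.1" 200 3322
203.0.113.9 - - [08/Sep/2022:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?page=pb_backupbuddy_backup&local-download=%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1894
203.0.113.9 - - [08/Sep/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?page=pb_backupbuddy_backup&local-download=..%252F..%252Fwp-config.php HTTP/1.1" 200 3322
198.51.100.2 - - [08/Sep/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8891
"""

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A ".." path segment bounded by a slash, backslash, or the start/end of the value.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %252e%252e%252f is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(line: str):
    """Return details of the first traversal-looking query parameter, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand; skip rather than guess
    query = urlsplit(m.group('target')).query
    # parse_qsl performs one round of decoding; fully_decode handles the rest.
    for key, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TRAVERSAL_RE.search(decoded):
            status = int(m.group('status'))
            return {
                'ip': m.group('ip'),
                'timestamp': m.group('ts'),
                'param': key,
                'decoded': decoded,
                'status': status,
                # A 200 with a body strongly suggests the file was actually served.
                'likely_success': status == 200 and m.group('size') not in ('-', '0'),
            }
    return None


def scan_log(text: str) -> list:
    """Scan every line and collect the traversal hits in order."""
    return [h for h in (find_traversal(l) for l in text.splitlines()) if h]


def summarise(hits: list) -> dict:
    """Count hits per source IP, the natural unit for blocking or investigation."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['timestamp']} {hit['param']}={hit['decoded']} "
              f"status={hit['status']} served={hit['likely_success']}")
    print(summarise(scan_log(SAMPLE_LOG)))
```

Matching only on the literal "/../../" would have missed two of the three constructed attempts above, which is why the scanner decodes before it compares.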
Bannister, Adam, WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation, The Daily Swig, 8 September 2022. Available online at https://portswigger.net/daily-swig/wordpress-warning-140k-backupbuddy-installations-on-alert-over-file-read-exploitation.
Iranian State-Sponsored Group Lives Off The (Windows) Land
Microsoft reports that it has been tracking ransomware campaigns conducted by DEV-0270, also known as Nemesis Kitten, and has laid out its TTP's and some IOC's in a detailed profile article. Although the group seems to operate on behalf of the Iranian government, it also funds itself via ransomware.
Interestingly, although the group does make use of an open-source disk encryption utility called DiskCryptor, it also encrypts Windows 10, Windows 11 and Windows Server 2016 systems using the systems' own built-in BitLocker encryption. This use of a system's code and features against itself is known as living-off-the-land, and the programs are referred to as LOLBIN's.
The profile provides a detailed insight into the group's operations.
Microsoft Security Threat Intelligence, Profiling DEV-0270: PHOSPHORUS' ransomware operations, blog article, 7 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
Cyberespionage Group Worok Target SE Asia Companies, Governments
A previously-unknown threat group, named Worok by the ESET researchers who discovered and investigated them, has been targeting high-profile companies and government, mostly in Asia. Analysis of previously-obtained telemetry data suggests the group was active in late 2020 but then went quiet until February 2022; they seem to be engaged in cyberespionage, stealing information rather than deploying ransomware or attempting extortion, and their targets are quite diverse, including a telecom, a bank, a maritime company, a government entity in the Middle East and even a company in southern Africa.
The group gains initial access via the ProxyShell vulnerability, which allows them to install web shells in order to persist in the victim's network. From there, a variety of implants are used. The group's reconnaissance tools include Mimikatz, Earthwork, ReGeorg and NBTscan, and from there they use a first-stage loader to pull down a .NET loader called PNGLoad, which extracts a steganographically-hidden PowerShell script from a PNG image.
The loaders are all heavily obfuscated, with multiple stages of decryption and unpacking before they execute, and analysis indicates that the Worok group develops its own tools, although it may share some with an earlier APT called TA428.
Passilly, Thibaut, Worok: The big picture, ESET WeLiveSecurity blog, 6 September 2022. Available online at https://www.welivesecurity.com/2022/09/06/worok-big-picture/.
Shikitega Stealth Malware Targets Linux
A new piece of malware, targeting Linux computers, including IoT devices, has been discovered by AT&T Alien Labs and christened 'Shikitega'. What is interesting about this particular malware is the stealthy way it downloads and installs in multiple stages; each stage is quite small - typically only a few hundred bytes - and performs some small task, then downloads and runs the next stage. At the culmination of the process, Shikitega installs a Monero cryptominer, but retains full control of the victim.
Along the way, the malware downloads and uses the Metasploit 'Mettle' meterpreter, and uses multiple cycles of XOR decoding to deobfuscate its final payload shellcode, which uses the execve() syscall to execute (you guessed it) /bin/sh, passing it commands received from its C2 server. To persist in the system, it also downloads five shell scripts, setting four crontab entries - two for the currently logged in user and two for root. If necessary, it will install crond and start it.
Caspi, Ofer, Shikitega - New stealthy malware targeting Linux, AT&T blog, 6 September 2022. Available online at https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux.
Control Panel Manages ServHelper Back Doors
The days when hackers used IRC (Internet Relay Chat) as their command and control channel, with simple text commands, are long gone; these days, the bad guys use sophisticated dashboards and control panels to manage their assets (actually, your assets).
The Evil Corp ransomware gang (also known as TA505) has long used a piece of backdoor malware called ServHelper, which it uses to deploy a variety of payloads such as cryptominers and ransomware, mainly against the US finance sector, although other industries and countries are also targeted. As this and similar groups have scaled up their operations, managing multiple campaigns became increasingly difficult, especially when a single phishing campaign can target thousands of victims. Evil Corp's solution to this problem is a sophisticated control panel called 'TeslaGun'.
A single instance of TeslaGun can manage multiple campaigns with different delivery methods and attack data. Generally the payloads require no interaction, but the control panel does allow remote control via RDP and VNC connections, and other software can be dropped on the victims' machines. The C2 servers for the control panel are mainly located in a single data center in Moldova, although they keep changing IP addresses to evade detection.
PTI Team, TA505 Group's TeslaGun In-Depth Analysis, Prodaft, 5 September 2022. Available online at https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis.
Maine Privacy Law Survives Legal Challenge
In 202, the US state of Maine introduced one of the tightest privacy laws in the US for internet service providers, in the form of an 'opt in' web privacy standard. This stops ISP's from using, disclosing, selling or providing access to customers' personal information without permission.
Almost immediately, industry associations sued, claiming that the new law violated their First Amendment rights. A federal judge rejected this argument, but industry groups hired a veritable "army of industry lawyers" to challenge the law. However, the groups have now dropped their suit and agreed to pay the state's costs of $US55,000 (which seem quite low, to this writer).
Whittle, Patrick, Internet service providers drop challenge of privacy law, AP News, 6 September 2022. Available online at https://apnews.com/article/technology-lawsuits-united-states-maine-data-privacy-9b2a40a18839c16df732368ee04ea856.
Mirai Variant Targets D-Link Routers
While D-Link products are rarely used in the enterprise, they are popular with home users, and the trend to hybrid work and telecommuting means that compromised devices belonging to employees can represent an exposure for the employer. Now a derivative of the notorious Mirai botnet, called Moobot, is targeting vulnerable D-Link routers with a combination of old and new exploits.
First discovered by Fortinet in December 2021, Moobot was then targeting Hikvision CCTV cameras to recruit into its DDoS botnet. However, it has now switched to targeting D-Link devices via a range of RCE vulnerabilities. Although D-Link has released patches for these vulnerabilities, home users are notoriously lax about patching their devices. Although Moobot simply uses the RCE capability to install its DDoS malware, it obviously has the capability to do a lot more, and so enterprise security personnel may have to encourage employees to install the relevant patches.
Zhang, Chao Zhibin, Cecilia Hu and Aveek Das, Mirai Variant MooBot Targeting D-Link Devices, Palo Alto Networks, 6 September 2022. Available online at https://unit42.paloaltonetworks.com/moobot-d-link-devices/.
HP Laptop Utility Hosts CVSS 8.2 Vulnerability
Major supplier Hewlett-Packard has disclosed a serious vulnerability in the HP Support Assistant which is preloaded on its laptops. CVE-2022-38395 is a DLL search path vulnerability in Fusion, which the utility uses to launch its HP Performance Tune-up function. The function requires admin privileges, and by placing a DLL in the right directory, an attacker is able to achieve a privilege escalation attack.
Users are advised to update to HP Support Assistant version 9.11 or later and Fusion version 1.38.2601.0 or later.
HP Customer Support, Privilege escalation in HP Support Assistant, Knowledge Base article, 6 September 2022. Available online at https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809.
News Stories
Privilege Escalation Vuln in Squiz Matrix CMS
Squiz Matrix is a popular website content management system in the UK, Australia & New Zealand region, especially among universities and some government agencies. However, the product was revealed to have a nasty insecure direct object reference vulnerability which would allow an attacker to edit the email address in the contact details of any user.
Once the attacker has changed the email address of an admin user to one they control, they can trigger a password reset, which sends a confirmation link email to that address, resulting in a privilege escalation exploit. Since the account ID numbers are allocated sequentially, and the lower numbers are more likely to be allocated to the earliest - therefore admin - users, it won't take many attempts before an attacker will get lucky.
Squiz released a fix back in mid-June; hopefully all those bureaucracies have applied the patches.
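As an added illustration (not code from Squiz or from the Daily Swig article), here is the pattern in miniature: a contact-details service that lets any logged-in caller edit any user's email address by numeric ID (the insecure direct object reference), beside a hardened version that checks the caller owns the target account and stages the change until the new address confirms it. Class, field and address names are invented.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int        # sequential IDs make guessing the admin's ID cheap
    email: str
    is_admin: bool = False


class AuthorizationError(Exception):
    """Raised when a caller tries to act on an account that is not theirs."""


class VulnerableContactService:
    """Mirrors the flaw: the target is chosen by ID, and ownership is never checked."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def update_email(self, caller_id: int, target_id: int, new_email: str) -> bool:
        # No check that caller_id == target_id; the change takes effect at once.
        self.users[target_id].email = new_email
        return True

    def request_password_reset(self, target_id: int):
        # The reset link goes to whatever address is now on file, so whoever
        # rewrote the address receives it: the escalation described above.
        return self.users[target_id].email, secrets.token_urlsafe(16)


class HardenedContactService:
    """Same API, but with an ownership check and a confirm-before-commit step."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.pending = {}  # confirmation token -> (user_id, new_email)

    def update_email(self, caller_id: int, target_id: int, new_email: str) -> str:
        caller = self.users[caller_id]
        # Authorization is the real fix; unguessable IDs alone would only slow guessing.
        if caller_id != target_id and not caller.is_admin:
            raise AuthorizationError(f"user {caller_id} may not edit user {target_id}")
        # Stage the change. The token is sent only to new_email, so an address
        # the requester cannot read never becomes the address of record.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (target_id, new_email)
        return token

    def confirm_email_change(self, token: str) -> str:
        target_id, new_email = self.pending.pop(token)  # KeyError on bad/reused token
        self.users[target_id].email = new_email
        return new_email


def make_users():
    """Constructed sample accounts: an early (admin) account and a later ordinary one."""
    return [User(1, "admin@example.org", is_admin=True), User(42, "mallory@example.org")]


if __name__ == "__main__":
    vuln = VulnerableContactService(make_users())
    vuln.update_email(caller_id=42, target_id=1, new_email="attacker@example.net")
    print("vulnerable: reset mail now goes to", vuln.request_password_reset(1)[0])

    hard = HardenedContactService(make_users())
    try:
        hard.update_email(caller_id=42, target_id=1, new_email="attacker@example.net")
    except AuthorizationError as e:
        print("hardened: refused,", e)
```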
Bannister, Adam, Squiz Matrix CMS squashes admin account takeover bug, The Daily Swig, 5 September 2022. Available online at https://portswigger.net/daily-swig/squiz-matrix-cms-squashes-admin-account-takeover-bug.
Phishing for Dummies: EvilProxy
Simple phishing attacks are easily defeated by the deployment of multi-factor authentication, but sophisticated attackers have evolved a man-in-the-middle attack, using a reverse proxy to display a copy of the legitimate website's login screen, and then relaying credentials, including TOTP token values, to the site. Once the user has authenticated, the site will return a session cookie, which contains an authentication token, and the reverse proxy is able to steal this - the attackers can then use the session cookie to access the site, with no need to repeat the authentication process.
At first, only the most sophisticated groups were able to develop their own reverse proxies, but then toolkits like Modlishka, Necrobrowser and Evilginx2 made it easier for less sophisticated threat actors. This process has continued with the release of the EvilProxy/Moloch Phishing-as-a-Service platform, which is highly polished, with detailed instructional videos and tutorials, a user-friendly GUI, and a selection of off-the-shelf cloned phishing pages for popular sites including Apple, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, Yandex and many others.
Resecurity staff, EvilProxy Phishing-as-a-Service With MFA Bypass Emerged In Dark Web, Resecurity blog, 5 September 2022. Available online at https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web.
12 Arrested in SE Asian Sextortion Ring Takedown
Interpol warned in June of a dramatic increase in extortion campaigns, including DDoS attacks, quadruple extortion ransomware and sextortion. Now the agency's cybercrime division, operating in collaboration with the police forces of Hong Kong and Singapore, has uncovered a transnational sextortion ring which had extracted at least $US47,000 from 34 victims. The victims had been lured into downloading a malicious mobile app in order to engage in 'naked chats' - only to discover that the app had stolen the contact lists from their phones and the criminals were threatening to circulate their nude videos to all their relatives and friends if a blackmail demand was not met.
Fortunately, some of the victims contacted police, who were able to (presumably) use warrants to obtain IP addresses and other data which identified 12 core members of the sextortion ring, who were then arrested during July and August.
Uncredited, Asia: Sextortion ring dismantled by police, Interpol news, September 2022. Available online at https://www.interpol.int/News-and-Events/News/2022/Asia-Sextortion-ring-dismantled-by-police.
PII of 2.5 million Students Exposed in Loan Provider Breach
A data breach affecting US student loan providers EdFinancial and the Oklahoma Student Loan Authority has exposed the personally identifiable information of 2.5 million students. The breach occurred in the systems of a service provider in Lincoln, Nebraska, called Nelnet Servicing.
The information disclosed includes name, address, email address, phone number and social security number - all very useful in identity theft and social engineering attacks, especially since the Biden administration's recently-announced student loan relief plan will lead the victims to expect correspondence relating to their student loans.
BÎZGĂ, Alina, Data Breach at Student Loan Service Provider Exposes Personal Info of 2.5 Million Borrowers, BitDefender HotForSecurity blog, 5 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-student-loan-service-provider-exposes-personal-info-of-2-5-million-borrowers/.
US Education Sector Under Attack
Beginnings are perilous times, and the beginning of the school year is no exception. The Los Angeles Unified School District, the second-largest in the US, has disclosed that it was the victim of a ransomware attack over the weekend, and is still working to recover its systems. The main student portal login page was down, and a voicemail to parents instructed them to reset their students' passwords in person or via a phone number - which inevitably had long hold times.
This comes as the Cybersecurity & Infrastructure Security Agency, FBI and Multi-State Information Sharing and Analysis Center released a joint advisory detailing TTP's and IOC's for Vice Society, a ransomware group which is known to target the education sector.
Staff, As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks, Dark Reading, 7 September 2022. Available online at https://www.darkreading.com/attacks-breaches/la-unified-ransomware-cisa-warns-back-to-school-attacks.
CISA, #StopRansomware: Vice Society, Alert AA22-249A, 6 September 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-249a.
News Stories
QNAP Fixes Photo App Vuln
NAS vendor QNAP has issued a patch to fix a vulnerability in its Photo Station application. The vulnerability is being actively exploited as a zero-day in ransomware attacks by the DeadBolt threat actor, starting on Saturday and continuing this week.
The attack is only a problem for users whose NAS servers are open to the Internet - something of a no-no around here. If you want to share photos, use a cloud service: they're free and perfectly set up for sharing via the web. NAS devices work best for sharing on the LAN, and QNAP has had several problems with their devices being exploited when exposed to the Internet.
Toulas, Bill, QNAP patches zero-day used in new Deadbolt ransomware attacks, Bleeping Computer, 5 September 2022. Available online at https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/.
Android Banking Trojan Poses as Antivirus and Cleaner Apps
As Google has restricted apps in its Play Store from using management API's and Accessibility permissions, the operators of the SharkbotDropper trojan have produced a new version which manages to evade detection and remains in the Play Store. The trojan poses as an antivirus called "Kyhavy Mobile Security" and a cleaner app called "Mister Phone Cleaner", with over 50 thousand and 10 thousand installs respectively.
While the previous versions of the dropper used the Accessibility permissions to fake on-screen button clicks to automatically install Sharkbot with no user interaction, the new version can no longer do this - so it downloads an APK package and then asks the user to install what it claims is an update for the fake antivirus. While an alert user might not fall for this, enough apparently do to make it worthwhile, and this approach allows the app to evade detection in the Play Store.
Once installed, Sharkbot will perform credential stealing by displaying a phishing site in front of a banking application, keylogging, remote control via Accessibility permissions, SMS message interception and other functions. It also uses new C2 infrastructure to target users in Spain, Australia, Poland, Germany, the USA and Austria.
Segura, Alberto and Mike Stokkel, Sharkbot is back in Google Play, Fox It blog, 2 September 2022. Available online at https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/.
IRS Blunder Releases Confidential Data of 120,000 Taxpayers
A bureaucratic blunder by somebody at the US Internal Revenue Service has seen the Form 990-T confidential data on 120,000 taxpayers made available for download via the Tax Exempt Organization Search function. This form is used to report business income, claim an income tax refund, request a credit for certain federal excises and a few other purposes. While the IRS is required to publish the information filed by non-profit tax-exempt organizations, the same information filed by individuals should be kept private.
The files which contained this information have been removed from the IRS site, and the agency will be contacting organizations which routinely use the files in an attempt to have them replace them with the updated versions as they become available. Reading between the lines, it sounds as though people who do not routinely use the files but have downloaded them would not be known to the IRS.
Uncredited, IRS statement on Forms 990-T, Internal Revenue Service, 2 September 2022. Available online at https://www.irs.gov/newsroom/irs-statement-on-forms-990-t.
Quantum Computing Overhyped, Says Oxford Quantum Physicist
Oxford University physicist Nikita Gourianov has ripped into the quantum computing industry, daring to point out the elephant in the room: the industry has not yet developed one single product that can solve practical problems. As he points out, quantum computing firms are obtaining vastly more funding from investors than they are able to earn in real revenue, and such revenue as they do obtain "most comes from consulting missions aimed at teaching other companies about 'how quantum computers will help their business, as opposed to genuinely harnessing any advantages that quantum computers have over classical computers'".
This places security pros in a bind; while the prudent course for us is to assume that sooner or later quantum cryptanalysis will break public-key crypto, Gourianov argues that these fears are overblown. The original article is behind a paywall, but the link below provides an overview.
Tangermann, Victor, Oxford Physicist Unloads on Quantum Computing Industry, Says It's Basically a Scam, The Byte, 2 September 2022. Available online at https://futurism.com/the-byte/oxford-physicist-unloads-quantum-computing.
News Stories
Windows Defender Detects MS Edge As Malware
An error in a Microsoft Defender database update is causing the built-in anti-virus to report Microsoft Edge, Google Chrome and other Chromium-based browsers, as well as Electron-based applications, as malware, specifically Behavior:Win32/Hive.ZY. Users can choose to ignore the warning, but it will keep popping up, as frequently as every 20 seconds, in an endless cycle.
Microsoft is reported to be investigating - obviously! - and a patch should be forthcoming soon.
Rubino, Daniel, Windows Defender is reporting a false-positive threat 'Behavior:Win32/Hive.ZY'; it's nothing to be worried about, Windows Central, 5 September 2022. Available online at https://www.windowscentral.com/software-apps/windows-11/windows-defender-is-reporting-a-false-positive-threat-behaviorwin32hivezy-its-nothing-to-be-worried-about.
Linux No Longer Securely Obscure
Just as the Mac soon fell prey to the early viruses that plagued Windows users, so Linux has now become a prime target for threat actors. Although Linux has historically benefited from a simpler security model than Windows (where security seemed to be an afterthought) the fact that Linux now powers the vast majority of cloud-hosted infrastructure has led to a 75% increase in attacks detected on the platform over the last year, according to Trend Micro researchers.
As an example, in October 2021, a new variant of the Lockbit ransomware emerged, this one targeting and encrypting VMware Linux ESXi servers. This was soon followed by another, called Cheerscrypt. This is all part of a trend: attackers are both broadening the targets of their attacks and also using more sophisticated techniques.
Trend Micro Staff, Midyear Cybersecurity Report, Trend Micro, 31 August 2022. Available online at https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/defending-the-expanding-attack-surface-trend-micro-2022-midyear-cybersecurity-report.
Ransomware Hits Portugal's Flag Airline
The Portuguese flag airline, TAP, has been hit with a ransomware attack by the Ragnar Locker group. While TAP has admitted to an attack in an announcement, it denies that there was any improper access to customer data.
The Ragnar Locker group say otherwise, claiming the TAP scalp on their name-and-shame list, along with images that appear to show compromised TAP customer information, including names, dates of birth, emails and addresses. The gang claims to be sitting on hundreds of gigabytes of exfiltrated data.
Trutja, Filip, Ragnar Locker Names and Shames Portugal's Flag Airline after Hitting It with Ransomware, Bitdefender HotForSecurity blog, 2 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/ragnar-locker-names-and-shames-portugals-flag-airline-after-hitting-it-with-ransomware/.
No Honour Among Thieves . . .
The popular (among cybercriminals) infostealer Prynt Stealer, which rents to criminals for rates between $100 a month and $700 per annum, is an unusual combination of code from the AsyncRAT remote access trojan and the StormKitty infostealer. It compresses credentials it obtains from browsers as well as messaging and gaming applications, and exfiltrates them via a Telegram channel to its operator.
However, according to a report from Zscaler ThreatLabz, Prynt Stealer has one more feature - a back door which uses a second Telegram channel to exfiltrate the same data to the program's author. While this behaviour has sometimes been observed in the past, it was on freely-shared malware - in this case, the Prynt Stealer developer is engaging in a bit of double dipping.
Honestly, what is the world coming to, when a hard-working cybercriminal gets ripped off like this?
Singh, Atinderpal and Brett Stone-Gross, No Honor Among Thieves - Prynt Stealer's Backdoor Exposed, Zscaler ThreatLabz, 1 September 2022. Available online at https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed.
New Guide to Securing the Software Supply Chain
The Software Supply Chain Working Panel of the Enduring Security Framework (ESF) - a cross-sector working group operating under the auspices of the Critical Infrastructure Partnership Advisory Council - issued a 64-page guide to securing the software supply chain. This provides detailed guidance for developers and project managers on secure development, including verification of third-party components.
Enduring Security Framework, Securing the Software Supply Chain: Recommended Practices Guide for Developers, Enduring Security Framework Software Supply Chain Working Panel, August 2022. Available online at https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF.
News Stories
WatchGuard Fixes Medium and Critical Severity Vulns
Firewall vendor WatchGuard has released patches for several vulnerabilities in its Firebox and XTM appliances. Security engineer Charles Fol investigated the boxes as part of a red team engagement, coming up with several exploitable bugs - two of which, an RCE vulnerability and a privilege escalation, would allow attackers remote root access.
This follows a series of breaches by the Russian state-sponsored group Sandworm, which used a privilege escalation vulnerability in these appliances to build a botnet called Cyclops Blink. Thanks to all of the publicity surrounding that campaign, network administrators have hardened their WatchGuard configurations, with far fewer exposing admin interfaces on the Internet.
Woollacott, Emma, WatchGuard firewall exploit threatens appliance takeover, The Daily Swig, 1 September 2022. Available online at https://portswigger.net/daily-swig/watchguard-firewall-exploit-threatens-appliance-takeover.
No-touch Activation of Touchscreens
Researchers at Zhejiang University and TU Darmstadt have shown that capacitive touchscreens can be fooled using electromagnetic interference to inject fake touch points without actually touching them. In a presentation at the 31st USENIX Security Symposium, they related how they were able to successfully run their GhostTouch attack against nine different smartphone models, injecting targeted taps continuously with a standard deviation as low as 14.6 x 19.2 pixels from the target area, a delay of less than half a second and at a distance of up to 40mm.
The researchers came up with various adversarial scenarios for this capability, including implanting malware without the owner's knowledge, establishing a malicious connection and answering an eavesdropping phone call.
The required setup is quite complex, involving an arbitrary waveform generator, RF amplifier, an antenna array and a ChipSHOUTER device. However, it is quite within the capabilities of a moderately sophisticated adversary and a dedicated device could probably be made substantially smaller. The lesson: keep your phone close to your chest, and don't lay it down on any untrusted desks or boardroom tables.
Wang, Kai, et al., GhostTouch: Targeted Attacks on Touchscreens without Physical Touch, 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1543–1559. Available online at https://www.usenix.org/conference/usenixsecurity22/presentation/wang-kai.
Hackers Create Large Traffic Jam in Moscow
According to Twitter user @runews, somebody hacked the largest taxi service in Russia, Yandex Taxi, and booked every available cab to pick up at an address on Kutuzovsky Prospekt. The result was a massive traffic jam which reportedly held up drivers for 40 minutes while police tried to deal with the confusion. News site South Front blamed the hack on the usual suspects: the criminal Kiev (Kyiv) regime and their Yankee neocolonial imperialist puppetmasters.
Russian Market (@runews), Someone hacked #YandexTaxi, tweet, 1 September 2022. Available online at https://twitter.com/runews/status/1565319649683804160.
Doubts Arise Over International Contributors to Open Source
The nature of most open source projects makes it possible for anyone, anywhere, to contribute, provided they establish their competence - open source projects are a meritocracy, and there are usually gatekeepers who review commits (Linus Torvalds is legendary for his scathing critiques of Linux kernel commits). With the growth of supply-chain attacks, you can bet your bottom dollar that foreign governments (for all values of 'foreign') are looking at this as a vector for injecting back doors into popular FLOSS projects.
A study by Dan Geer and his colleagues examined two popular open-source code repositories which have recently suffered supply-chain attack problems - the Python Package Index (PyPI) and Node Package Manager (npm) - to see where the major contributors are. Reassuringly, only a small fraction are in China or Russia. Less reassuringly, a growing proportion of developers provide no location information whatsoever - in 2020 21.7% of the top 100 contributors to PyPI and 9.6% of npm's top 100 had no profile information whatsoever on their GitHub profiles.
Previous research by the same group found no examples in which knowing the geographic location of a developer would have prevented a software supply chain compromise. The question therefore becomes less one of knowing where a developer is, so much as using a number of other identity-related signifiers of trustworthiness. Of course, it is in the nature of trust that a 'sleeper' can behave well in order to establish trust, until such time as they are willing to sacrifice this in order to gain an advantage. But then, that's true for all links in the software supply chain.
Geer, Dan, John Speed Meyers, Jacqueline Kazil and Tom Pike, Should Uncle Sam Worry About 'Foreign' Open-Source Software? Geographic Known Unknowns and Open-Source Software Security, Lawfare blog, 25 August 2022. Available online at https://www.lawfareblog.com/should-uncle-sam-worry-about-foreign-open-source-software-geographic-known-unknowns-and-open-source.
Royal Australian Mint Puts Ciphertext on 50c Coin
2022 sees the 75th anniversary of the Australian Signals Directorate (formerly Defence Signals Directorate), the down-under equivalent to the NSA and GCHQ. To celebrate this, the Royal Australian Mint has produced fifty thousand 50c coins.
These are no ordinary coins bearing anodyne statements in Latin. Rather, the coins carry a hidden message which will be revealed once four layers of encryption have been broken. Although some layers appear to be based on classical ciphers which can be broken with paper and pencil (as well as a heaping dollop of persistence), the presence of a long hexadecimal string on one side of the coin suggests a computer will be necessary at some point. There are some curious patterns on the heads side, too.
The coin also functions as a recruitment advertisement - those who think they have cracked the message are invited to fill out a form, answering four (plus bonus) questions. The Royal Australian Mint site says the coins are "unavailable" (sold out already, at $A12.50 a pop?), but the high-res images on the ASD and Mint sites should provide enough for amateur cryptanalysts to work on.
ASD, 75th Anniversary Commemorative Coin, Australian Signals Directorate, 1 September 2022. Available online at https://www.asd.gov.au/75th-anniversary/events/2022-09-01-75th-anniversary-commemorative-coin.
Royal Australian Mint, 75th anniversary of the Australian Signals Directorate - 50c Uncirculated coin 2022, product page, September 2022. Available online at https://eshop.ramint.gov.au/2022-aluminium-bronze-uncirculated-75-anniversary-australian-signals-directorate.
Update
Well, that didn't take long. Just over one hour after the coin was launched, a 14-year-old from Tasmania broke all four levels of encryption.
Smith, Dan, Australian Signals Directorate 50-cent coin code cracked by Tasmanian 14yo in 'just over an hour', ABC News, 2 September 2022. Available online at https://www.abc.net.au/news/2022-09-02/asd-50-cent-code-cracked-by-14yo-tasmanian-boy/101401978.
Epic RickRoll Hack
This goes back to April 2021, but it's still an entertaining and moderately educational read. A group of four students in the Cook County, Illinois school district were able to gradually - over several years - gain access to the school district's internal systems, including a classroom management system, which they used to run scans and exploit computers, and the school district's IP TV system, which ran all projectors and TVs across the district. The final part of the puzzle was to crack the public address system; while default passwords did not work, they found the default had been changed to the example given in the user manual, which was available online.
Having gained access to the TV system, the group cleverly decided against compromising the servers, but instead stealthily inserted scripts into all the TVs and projectors, which triggered at 10:55 am on 30 April 2021. Just what happened - well, you'll have to read the article, but it was certainly highly noticeable and memorable.
The hack was ultimately quite sophisticated, but the students managed to escape disciplinary action by the expedient of submitting a 26-page report, including security suggestions, which they sent to the school district's IT admins immediately after the incident. In fact, the school district confirms the events and views them as a penetration test, claiming "the incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students".
Burgess, Matt, Inside the World's Biggest Hacker Rickroll, Wired, 22 August 2022. Available online at https://www.wired.com/story/biggest-hacker-rickroll-high-school-prank/.
News Stories
FIDO Passkeys Bid to Replace Passwords
Passwords have been the bane of life for most security professionals ever since . . . well, since passwords were invented. We have shored them up with length and - wrongly - complexity requirements, password safes and various kinds of second factors. Now, the FIDO Alliance and W3C are making ground on a promise to replace passwords altogether.
The FIDO2 passwordless authentication scheme, also known as FIDO Authentication, encompasses the W3C's Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP), wrapping them all up in the user-friendly moniker, passkeys. A passkey is a cryptographic keypair established between a client device and a web site or application: the private key stays on the device (a phone, a computer, or a security key) and only the public key is registered with the site. Microsoft, Google and Apple have all signed up to the standard, which will allow users to authenticate using just a username or email address and the passkey on an unlocked device.
This finally dispenses with passwords entirely - for some time we have known that the security of multi-factor authentication using crypto techniques like security keys is provided primarily by the key and not the password. Latest to sign on to the passkey and WebAuthn approach is Dashlane, which has announced that it will integrate passkeys into its cross-platform password manager, which runs on most platforms and integrates with most browsers.
Pierce, David, Dashlane is ready to replace all your passwords with passkeys, The Verge, 31 August 2022. Available online at https://www.theverge.com/2022/8/31/23329373/dashlane-passkeys-password-manager.
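As an added illustration (not code from the FIDO Alliance, Dashlane or this blog), the following Go sketch shows the WebAuthn login ceremony in miniature: the authenticator signs a server-issued challenge together with the origin the browser actually saw, and the relying party checks origin, challenge, rpID hash and signature counter before the signature itself, which is why a password never enters the picture and why an assertion collected by a look-alike site is useless to it. The rpID `example.com`, the origin and the challenge values are constructed, and the client-data encoding is simplified; a real deployment uses a WebAuthn library for its platform.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party identity; a real server uses its own domain.
const RPID, RPOrigin = "example.com", "https://example.com"

var (
	rpIDHash = sha256.Sum256([]byte(RPID))          // what the passkey is bound to
	b64      = base64.RawURLEncoding.EncodeToString // WebAuthn's challenge encoding
)

// Assertion is what the authenticator returns for one login ceremony.
type Assertion struct {
	AuthData       []byte // SHA256(rpID) || flags || 32-bit signature counter
	ClientDataJSON []byte // {"challenge","origin"} as built by the browser
	Signature      []byte // ES256 over authData || SHA256(clientDataJSON)
}

// Authenticator holds the passkey; the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty (the web site) keeps only the public key and the last counter seen.
type RelyingParty struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// Enrol creates a passkey and the relying party's view of it: only the public key crosses to the server.
func Enrol() (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{PubKey: &priv.PublicKey}, nil
}

// signedMessage is the ES256 input: SHA256(authData || SHA256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign answers a challenge; origin is whatever the browser saw in the address bar.
func (a *Authenticator) Sign(challenge []byte, origin string) (Assertion, error) {
	a.counter++
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x05 // flags: user present (UP) and user verified (UV)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cd, _ := json.Marshal(map[string]string{"challenge": b64(challenge), "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify runs the relying-party checks in order: origin, challenge, rpID, counter, signature.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["origin"] != RPOrigin { // a phishing site's origin is baked into the signed data
		return fmt.Errorf("origin %q is not %q: assertion made for another site", cd["origin"], RPOrigin)
	}
	if cd["challenge"] != b64(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpIDHash[:]) {
		return errors.New("authenticator data malformed or bound to another rpID")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.Counter {
		return errors.New("counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature verification failed")
	}
	rp.Counter = counter
	return nil
}
```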
Meanwhile, Back In Password Hell
Since passwords aren't going to immediately disappear, we still have to grapple with users who will use their corporate emails to register on external websites, possibly re-using passwords and thereby enabling credential-stuffing attacks. Specialist in shadow IT discovery, Scirge (from the Old English word for sheriff) has developed a browser plugin and related tools which can discover external web accounts, track who has accessed them and regulate which corporate email addresses may be used for online registration.
The plugin can also enforce password strength (and - gaak! - complexity) rules, detect compromised and shared accounts, and also deliver individually tailored security awareness messages.
Hacker News Staff, Stop Worrying About Passwords Forever, The Hacker News, 1 September 2022. Available online at https://thehackernews.com/2022/09/stop-worrying-about-passwords-forever.html.
Chilean Government Under Novel Ransomware Attack
At least one Chilean Government agency has suffered a ransomware attack by what appears to be yet another, previously-unseen, offshoot of the fragmented Conti gang. The attack has targeted Microsoft and VMware ESXi servers, encrypting files with the NTRU encryption algorithm. 
Curiously, the malware delivers its ransom note before commencing the file-encryption process, perhaps as an anti-forensic technique, and although a Tor site for ransom payment has been established, there is as yet no sign of data exfiltration.
Toulas, Bill, New ransomware hits Windows, Linux servers of Chile govt agency, Bleeping Computer, 1 September 2022. Available online at https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/.
BianLian Malware Targets Exchange Servers, SonicWall VPN Devices
Yet another piece of malware written in the Go programming language has emerged, in this case using its cross-platform capabilities to exploit Microsoft Exchange servers via the ProxyShell vulnerability and also targeting SonicWall VPN devices as a mechanism for pivoting within victim networks. BianLian also deploys a trojan dropper, which can fetch arbitrary plugins from a C2 server, as a back door for persistence.
The malware uses a number of techniques to evade discovery, waiting for up to six weeks after initial infection before it activates, deleting shadow copies, purging backups and rebooting servers in safe mode to perform its file encryption safe from observation by security software.
Armstrong, Ben, et al., BianLian Ransomware Gang Gives It a Go!, [Redacted] blog, 1 September 2022. Available online at https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/.
News Stories
Steganography for Fun and Profit
A malware campaign called GO#WEBBFUSCATOR is distributing malware payloads in what seems to be an image of the Deep Space Field captured by the James Webb Space Telescope. Of course, malware embedded in a JPEG won't do anything by itself unless it can exploit a buffer overflow vulnerability in an image viewer, but in this case the file is downloaded by an obfuscated VBA macro delivered in a malicious email.
The downloaded image file is actually a base64-encoded 64-bit Windows executable written in the Go programming language and further obfuscated using a technique called gobfuscation. This makes reverse-engineering and analysis of the malware very difficult. Fortunately, since Microsoft has disabled macros by default, fewer and fewer systems are likely to be vulnerable to this particular attack.
Lakshmanan, Ravie, Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope, The Hacker News, 31 August 2022. Available online at https://thehackernews.com/2022/08/hackers-hide-malware-in-stunning-images.html.
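An added example in Go (not code from the researchers who analysed GO#WEBBFUSCATOR, nor from this blog): a defender-side check that looks past a download's claimed type at its actual bytes, recognising a genuine JPEG, a raw Windows PE image, or base64 text that decodes to a PE, which is the shape of the payload described above. The verdict names are this example's own, and `FakePE` builds a constructed header purely for testing.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"regexp"
)

// Verdicts returned by Classify (names are this example's own).
const (
	VerdictJPEG     = "jpeg"
	VerdictPE       = "pe-executable"
	VerdictBase64PE = "base64-encoded-pe"
	VerdictUnknown  = "unknown"
)

var (
	jpegMagic  = []byte{0xFF, 0xD8, 0xFF}                  // JPEG SOI marker
	base64Body = regexp.MustCompile(`^[A-Za-z0-9+/=\s]+$`) // base64 text, possibly line-wrapped
	whitespace = regexp.MustCompile(`\s+`)
)

// isPE checks the MZ stub and follows e_lfanew (offset 0x3C) to the "PE\0\0" signature.
func isPE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(b[0x3C:0x40]))
	return off+4 <= uint64(len(b)) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// Classify looks past a file's claimed type (an "image" download) at its actual bytes.
func Classify(b []byte) string {
	switch {
	case bytes.HasPrefix(b, jpegMagic):
		return VerdictJPEG
	case isPE(b):
		return VerdictPE
	}
	// The trick described above: the body is base64 text whose decoding is a PE.
	body := bytes.TrimSpace(b)
	if len(body) > 0 && base64Body.Match(body) {
		clean := string(whitespace.ReplaceAll(body, nil))
		for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.RawStdEncoding} {
			if dec, err := enc.DecodeString(clean); err == nil && isPE(dec) {
				return VerdictBase64PE
			}
		}
	}
	return VerdictUnknown
}

// FakePE builds a constructed minimal PE header for testing; it is not a runnable binary.
func FakePE() []byte {
	b := make([]byte, 0x80)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3C:], 0x40) // e_lfanew points at offset 0x40
	copy(b[0x40:], "PE\x00\x00")
	return b
}
```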
Chrome Vulnerability Allows Clipboard Access
A vulnerability introduced in Chrome version 104 allows malicious web sites to write to the clipboard without asking user permission - a requirement that was present in previous versions of the browser.
This could allow a range of attacks, e.g. altering strings which a user copies and pastes from a web page, such as phone numbers, digest values, cryptocurrency wallet addresses, etc. No fix has yet been released for the vulnerability.
Johnson, Jeff, Web pages can overwrite your system clipboard without your knowledge, blog article. Available online at https://lapcatsoftware.com/articles/clipboard.html.
Pros and Cons of Managed Firewall Services
An interesting piece in Dark Reading lays out the pros and cons of managed firewalls, which offer services such as firewall monitoring, service and incident management, automatic updates and patching, security policy implementation, reporting, analysis and remediation and more. The author concludes that managed firewalls are generally a good option, but may not suit smaller enterprises with simple networks and small budgets, those with highly complex environments or organizations who want to avoid giving third party service providers privileged access to their systems.
Anderson, Eric, The Pros and Cons of Managed Firewalls, Dark Reading, 1 September 2022. Available online at https://www.darkreading.com/attacks-breaches/the-pros-and-cons-of-managed-firewalls.
Apple Releases Security Updates for Older iPhones and iPads
Apple has released patches for a buffer overflow vulnerability (CVE-2022-3289) in the WebKit browser engine which underpins the Safari browser. An earlier fix was released for macOS and newer handheld devices; this fix applies to iOS 12.5.6, which supports devices back to the iPhone 5s. The company says the update is necessary because they are receiving reports of active exploitation, although no details have been released.
Gatlan, Sergiu, Apple backports fix for actively exploited iOS zero-day to older iPhones, Bleeping Computer, 31 August 2022. Available online at https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-actively-exploited-ios-zero-day-to-older-iphones/.
News Stories
Chinese APT Targets Australia With Malmail Campaign
A Chinese threat actor identified as APT 40 (TA423, Red Ladon, GADOLINIUM, Leviathan) has been targeting both Australian and international government and energy companies, especially those with interests in the South China Sea, with a malmail campaign based around a fake Australian news media site. The campaign, which ran from April through June, was uncovered by Proofpoint in conjunction with PwC Threat Intelligence.
Victims of the targeted phishing campaign received an email promoting a site called "Australian Morning News" and enticing the recipient to click on an individualized link. Following the link would download the main module of the JavaScript malware ScanBox, which can report back on the configuration of the victim's browser to a C2 server and then load further plugin modules which can perform keylogging, browser fingerprinting, establish peer connections and other functions.
Earlier campaigns by the same threat actor used different TTPs - for example, the payload was Meterpreter rather than ScanBox, and it was delivered in a macro-laden RTF document template rather than by URL fetch. The same technique of registering a domain to promote a fake news site was also used in a previous campaign preceding the 2018 elections in Cambodia.
Raggi, Michael and Sveva Scenarelli, Rising Tide: Chasing the Currents of Espionage in the South China Sea, Proofpoint blog, 30 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea.
Google Launches Open Source Vulnerability Rewards Program
Reflecting its status as a major contributor to (and beneficiary of) open source software projects, Google has launched a new vulnerability rewards program focused on FLOSS. The new program joins existing programs targeting Android, Chrome and Google devices. Some of Google's open source projects, such as the Go programming language and the Angular JavaScript framework, are likely targets of threat actors looking for a way to leverage supply chain attacks, and the new program will help to mitigate that risk.
The program will offer rewards ranging from $US100 to $US31,337 for submissions of vulnerabilities, design issues or insecure installations.
Perron, Francis, Announcing Google's Open Source Software Vulnerability Rewards Program, Google Security blog, 30 August 2022. Available online at https://security.googleblog.com/2023/08/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html.
Malicious Chrome Extensions Installed by Over 1.4 Million Users
Security vendor McAfee has identified five cookie-stuffing Chrome extensions which track user activity and insert code into e-commerce sites. This modifies cookies on the sites, adding affiliate program information so that the extension authors will receive an affiliate commission for any purchases. 
The five extensions are:
- Netflix Party
- Netflix Party 2
- FlipShope - Price Tracker Extension
- Full Page Screenshot Capture - Screenshotting
- Autobuy Flash Sales
Collectively, the extensions have been installed by over 1.4 million users, doubtless making them a nice little earner for the operators. Like the Turkish coin miner discussed in yesterday's Security News, these extensions deliberately wait for a couple of weeks after installation before starting their malicious behaviour in an attempt to evade detection.
Devane, Oliver and Vallabh Chole, Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users, McAfee blog, 29 August 2022. Available online at https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/.
Chinese PII Database Leaked Online
A major drawback of the surveillance state operated by China came to light today, when a database belonging to a company which operates access control systems based on facial recognition and vehicle data was left exposed on the Internet for several months. The database, which contained over 800 million records, was left open to the public on an Alibaba-hosted server in China until a security researcher discovered it and reported it to the owner, Hangzhou-based Xinai Electronics - whereupon the database promptly disappeared.
The database included links to high-resolution photographs of the faces of construction workers, office visitors and others, each associated with name, age, sex and resident ID numbers, which uniquely identify the individuals. Neither the database nor the linked image files were protected by access control of any kind.
The security researcher who disclosed the breach was not the only one to discover it - a ransom note left by a would-be extortionist indicated that they had also stolen the database, although no payment was made to the related cryptocurrency wallet.
Whittaker, Zack, A huge Chinese database of faces and vehicle license plates spilled online, TechCrunch, 31 August 2022. Available online at https://techcrunch.com/2022/08/30/china-database-face-recognition/.
Privacy Breach Affects Millions of Russian Streaming Service Customers
China is not the only country to suffer large privacy breaches, although in this case the issue is not surveillance. The 2021 customer database of Russian streaming service, START (start.ru) was stolen and is now being sold online. Fortunately, it seems nothing of great value was stolen - the database does not contain credit card or other financial information, although it does contain usernames, phone numbers and email addresses and - despite START's denials - MD5 password hashes, IP addresses and other data.
The stolen data seems to constitute a 72 GB JSON dump of a MongoDB database. Much of the data is redundant, but it boils down to almost 7.5 million unique email addresses. The breach is timely, as the Russian Ministry of Digital Development is proposing to introduce fines of up to 3% of a breached company's annual turnover, but this has not yet passed into law.
Toulas, Bill, Russian streaming platform confirms data breach affecting 7.5M users, Bleeping Computer, 30 August 2022. Available online at https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/.
News Stories
AI-generated Deepfake Used to Scam Crypto Project Teams
An unidentified cybercrime group has run an extremely sophisticated operation against crypto asset developers. The group contacted multiple development teams, offering an online meeting with the Chief Communications Officer of Binance, Patrick Hillman, to discuss opportunities to list their crypto assets on the crypto trading platform.
Hillman discovered the scam when he started to receive messages thanking him for taking the time to participate in the meetings. It seems that the scammers had used recordings of TV appearances and interviews to create a deepfake which was able to interact convincingly during the online meetings. For the record, Hillman has no role related to listing of crypto assets on Binance.
Constantinescu, Vlad, Crypto Projects Scammed with Deepfake AI Video of Binance Executive, Bitdefender Hot for Security blog, 29 August 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/crypto-projects-scammed-with-deepfake-ai-video-of-binance-executive/.
RCE 0Day Sells for €8 Million
Three screenshots posted to Twitter suggest that an Israeli spyware company called Intellexa has sold an iOS and Android zero-day exploit toolkit to somebody for the sum of €8 million. The price includes a complete turnkey suite for data analysis, a project plan for delivery to the customer, and a one-year warranty. The key exploit offers remote command execution, delivered with one click via a web link.
vx-underground, Leaked documents online show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day exploit, Twitter thread, 26 August 2022. Available online at https://twitter.com/vxunderground/status/1562550443712352256.
Turkish Coin Miner Hides in Free Software
A cryptocurrency miner called Nitrokod has infected over 100,000 users around the world by hiding itself in what appears to be a desktop application front end for Google Translate, downloaded from popular sites like Softpedia. The program installer, a file called GoogleTranslateDesktop2.5.exe, checks for the existence of a file called C:\ProgramData\Nitrokod\update.exe, and if it does not exist or is an old version, puts that program in place.
It then waits for at least four reboots on four different days before contacting a C2 server in order to download and install the next stage of the infection, in an attempt to evade sandbox malware detection. It then uses multiple scheduled tasks to stealthily download and install the subsequent stages, deleting all evidence of the previous stages as it does so, before finally - in stage 6 - downloading and installing the XMRig crypto miner. The process is so long, stealthy and involved that a victim is unlikely to detect it, and even if they do, unlikely to be able to figure out the original source of the infection.
Check Point has written up a case study on the malware as a showcase for their upcoming Infinity XDR (Extended Detection and Response) product.
Marelus, Moshe, Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications, Check Point Research blog, 29 August 2022. Available online at https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/.
Highly-Targetable Ransomware Written in Golang
Trend Micro has discovered a neat example of targeted ransomware written in the Go programming language. As their researchers point out, Golang is increasingly popular with malware authors, possibly because Go statically compiles any necessary libraries into the produced executable rather than dynamically linking them at load or run time. Dynamic linking requires the imported library and function names to be visible in the malware; by avoiding it, the malware authors have made reverse-engineering and analysis significantly harder.
The malware, called Agenda, is currently being used to target healthcare and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand, and all the samples collected were highly customized, containing customer passwords, account and company IDs which are used as the filename extensions for encrypted files. The malware will also attempt to kill various services, change Windows passwords and reboot in safe mode. It shares some characteristics with the earlier REvil, Black Basta and Black Matter ransomware.
Fahmy, Mohamed, et al., New Golang Ransomware Agenda Customizes Attacks, Trend Micro Research, 25 August 2022. Available online at https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html.