STE WILLIAMS

TA505 Targets HR Departments with Poisoned CVs

Infamous cybercrime organization spotted in attacks that employ legitimate software — and Google Drive.

A newly discovered attack campaign by the notoriously prolific TA505 cybercrime organization now is targeting businesses in Germany via their human resources executives.

Researchers at Prevailion, a security monitoring firm, today detailed the cybercrime group’s latest campaign, a business email compromise–style phishing email with Trojanized curriculum vitae files. Once the rigged file is open, the attackers deploy commercial tools to mask their movements, including the NetSupport Manager remote control administration software for intel-gathering and data theft, Google Drive for hosting their hacking tools, and the GPG encryption tool as a ransomware weapon. According to Prevailion, the attack campaign has been operating since at least April 2018.

The attackers use malicious PowerShell scripts that steal login credentials from browsers and Outlook and grab payment card data. In one wave of attacks, the TA505 used GPG to encrypt the victim’s files and hold them for ransom. In a second wave of attacks, the group raised the bar a bit, using NetSupport to steal files, screen captures, and voice recordings — hiding the remote access Trojan in plain sight on a Google Drive account operated by the attacker.

TA505 also has been known for its use of Necurs, a sort of botnet of botnets; four of its sub-botnets were responsible for 95% of all malware infections, according to BitSight, which assisted Microsoft in its March 5, 2020, operation to derail the botnet by sinkholing Necurs’ US-based domains. While that disruption operation was significant, Necurs had been relatively quiet since around March 2019, while still leaving some 2 million infected machines ready and able to be called for duty once again.

But TA505’s recent attack campaign does not rely on any Necurs infrastructure components. “Based on what we’ve seen on Necurs … there is no overlapping C2 [command and control]. So you could completely take down Necurs, and this would be entirely” independent of it, says Danny Adamitis, director of intelligence analysis for Prevailion.

Adamitis says this set of attacks likely occurred in February or March, and the Google Drive links were still active as of last week. “It was super-targeted and directed this email to the HR director at this particular organization,” he says. “They were looking for Chrome, Firefox, Edge, and Outlook credentials” and credit card information stored in the Chrome browser in one attack, he says. “That also serves as an attack vector where they could use or sell [that data].”

Prevailion did not reveal the victim organizations targeted, but the researchers initially flagged the campaign after an online forum post by someone at an organization reporting a ransomware attack that appeared to be tied to TA505.

Like any security firm’s research team, Prevailion’s has a specific view into the attack via its own tools’ vantage point. Prevailion’s platform tracks network-based traffic, and also provides a view into binaries and C2, notes Adamitis. “We don’t have an endpoint tool or capability, so we don’t have the same level of insight to see how [a] file is downloaded,” for example, he explains. But he and his team can see things like “a hardcoded IP address hosting the CV’s .rar file, with a script stealing credentials and hosting that executable,” he says.

This isn’t TA505’s first rodeo abusing legitimate tools: In 2018, it targeted US-based retailers and organizations in the food and beverage industry using a spearphishing email in an infected Word document. When the victim opened it, the file urged them to download a copy of Remote Manipulator System (RMS) from Russian software vendor TektonIT.

G Drive
The attackers also have been hosting their tools on a Google Drive account to grab NetSupport to steal files, take screenshots, and remotely turn on the infected machine’s microphone to listen in.

The clue that connected the attacks to TA505: a digital signature associated with the loader used by the attackers in the German campaign. They were able to correlate one of the samples with that in a previous report by South Korea’s CERT, as well as previous research by Palo Alto Networks on the NetSupport tool.

“We’ve seen them take a more sophisticated approach [now], with a brand-new loader not seen anywhere else” and hosting their tools on Google Drive, Adamitis says. “If a network defender sees … Google Drive [activity], it’s more likely to get by” them and not be flagged as suspicious, he says.

Researchers at FireEye and Zscaler also have previously reported cases of the malicious use of NetSupport Manager.

The attackers were still active last week, Adamitis says, and still serving up the NetSupport tool.

Like most advanced cybercrime gangs, TA505’s M.O. has similarities to those of nation-state groups. “They’re not categorized as an APT [advanced persistent threat] but … there seems to be unique cross-pollination in some of the TTPs [tactics, techniques, and procedures],” says Karim Hijazi, founder and CEO of Prevailion.

The best bet for thwarting this latest campaign or similar attacks is deploying an email security solution, keeping anti-malware updated, requiring strong passwords, and segmenting the network so the attackers can’t easily move laterally, the researchers recommend.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Security Lessons We’ve Learned (So Far) from COVID-19.”


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/ta505-targets-hr-departments-with-poisoned-cvs-/d/d-id/1337355?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Study Calls Common Risk Figure into Question

Many risk models use a commonly quoted number — $150 per record — to estimate the cost of an incident. A new study from the Cyentia Institute says misusing that number means that estimates are almost never accurate.

It’s one thing to know your organization’s level of cyber-risk. It’s a step farther along the maturity path to be able to quantify that risk. But if you don’t know where your risk ranks in relation to the risks that other organizations face, you may still be operating in a partial information vacuum. That’s the premise of a new study that looked at the numbers behind industrywide risk and reached some conclusions that many may find provocative.

The Information Risk Insights Study (IRIS), conducted by the Cyentia Institute, is intended to help business risk managers build better models for risk, and to use those models to make better decisions for managing cyber-risk. David Severski, senior data scientist at Cyentia and the principal author of the IRIS report, says that the point isn’t to have more data, but to use available data more effectively. “We’re never going to have perfect information, but we can use information that we have available to make a better decision rather than just a finger-in-the-wind type of analysis there,” he says.

Severski says that one example of using information more effectively would be to use industry-scale information if risk data on a specific company isn’t available. “If I have very little information about my organization or about a vendor that I’m working with, for instance, I can use the information that’s in the IRIS study to start the risk conversation,” he explains. He says that knowing the market area of the company and its size can allow a starting point for conversations involving the frequency and size of loss.

With information in hand on industry averages, Severski says, discussions can continue about whether the particular organization is better or worse than average, and what any available data says about the possibility of changing risk levels.

Size Matters
The averages for companies of different sizes are among the report findings that surprised Wade Baker, partner at the Cyentia Institute. “I was surprised that the likelihood that a Fortune 1000 firm would have an incident is about 1 in 4, or 25% in a given year,” he says. He found that likelihood to be much higher than he expected. An equal surprise on the flip side came from their study of small and midsize businesses.

“We found a 2% likelihood of an incident in any given year among small and medium businesses,” Baker says. Those percentages don’t say anything, though, about the impact an incident can have on the organization.

“If you’re a really large organization, with high revenue, when you have a breach, you stand to lose more just on a sheer dollars standpoint than when a small business is compromised,” he says. But when Cyentia researchers analyzed the incident data as a proportion of revenues, they found that the incident cost was well under 1% of annual revenues for a typical breach for a large corporation.

The news is quite different for small companies. “It’s a quarter of annual revenues for the typical breach for a small and medium enterprise. And I mean, that’s just shocking,” Baker says. One of the reasons it’s shocking is not simply the high level of the loss, but because it indicates that a key number frequently used by risk managers and analysts may be quite wrong.

One Size Fits None
The “2019 Cost of a Data Breach Report” by IBM Security and the Ponemon Institute shows that data breaches cost, on average, $150 per record involved. That number is frequently used (and, Severski says, commonly misused) to estimate incident costs in risk analysis. In IRIS, Severski writes, “A single cost-per-record metric simply doesn’t work and shouldn’t be used. It underestimates the cost of smaller events and (vastly) overestimates large events.”

As an example, Severski mentions a group that published a figure of $5 trillion in losses from misconfigured clouds. It is, Severski says, a patently ridiculous number that comes from multiplying 33 billion exposed records by $150. And the effect of errors like that is, he explains, huge.

When Severski plotted the projected costs of historical breaches versus the known actual costs, he found that the projection matched reality far less often than statistical modeling would expect. And the total amount of the error was more than $1.7 trillion — an amount that exceeded the total amount of the actual losses.

As a result, Severski says that a table of probabilities, with number of records (from 10 to 1 billion) on the X axis and total loss amounts (from $10,000 to $1 billion) on the Y axis offers a far more accurate way to use available data to build risk models.

A Trusted Voice
Asked why cybersecurity professionals should care about the accuracy of historical numbers, Baker says the answer depends on the company those professionals serve. For those in large enterprises, he says, it’s all about being seen as a reliable source of information for the board of directors. “A wildly overestimated view of the potential impacts of these cyber events will lead to wildly overspending to mitigate them, which will lose the confidence of the board in the long run. And we’ll lose the ability to have a real discussion and be taken seriously,” Baker explains.

On the other hand, “if you’re a small organization, you can quickly look at this and say, OK, how worried should I be about this particular topic for publicly disclosed breaches for my organization, and maybe you stop there,” he says, because that level of information would allow the company to decide whether to spend money on mitigating risk or launching a new product.

The key, Baker says, is understanding that no matter how much we want simple answers, risk isn’t a one-size-fits-all matter. Putting that understanding into action will, he says, allow organizations of all sizes to make better decisions about how to address the risks they face.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Security Lessons We’ve Learned (So Far) from COVID-19.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/risk/new-study-calls-common-risk-figure-into-question/d/d-id/1337350?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VPN Usage Surges as More Nations Shut Down Offices

As social distancing becomes the norm, interest in virtual private networks has rocketed, with some providers already seeing a doubling in users and traffic since the beginning of the year.

The use of virtual private networks (VPNs), a staple technology for remote work, has more than doubled in some countries impacted by the Coronavirus pandemic, as offices close, governments mandate social distancing, and workers move to remote work.

One provider of VPN services, NordVPN, says it has seen 165% growth in the number of average daily users, up from an expansion of 40% just last week. Google has marked a six- to tenfold increase in searches for VPN-related queries since the beginning of the year. And other VPN providers, such as Atlas VPN, have seen a massive rise in the amount of data flowing through their networks, with Italian users more than doubling their use of that provider’s network.

So far, the surge has not taxed the networks, says Rachel Welch, chief operating officer of Atlas VPN.

“We did see an increase in users, but that number is not significant enough to affect the traffic to such an extent,” she says. “In short, people are starting to use VPNs a bit more, but users who were already using VPNs are the ones leaning toward a VPN more often day by day.”

For many workers, especially gig workers and freelancers, VPN services are the most secure way to work online. The increased use of VPNs appears in step with the rise in cases of the Coronavirus in many countries. Atlas VPN says it has seen increases in traffic of anywhere from 9% to 112% in the past week in the seven countries hardest hit outside of China: Italy, Iran, South Korea, Spain, Germany, France, and the United States.

Businesses in those countries are ordering up new service as well, says Daniel Markuson, digital privacy specialist at NordVPN Teams.

“We see the increase due to more and more companies encouraging their employees to work from home, [and] many countries are also starting a quarantine,” says Markuson. “Companies must provide their employees with appropriate tools, and one of those tools is a VPN.”

In the past, only about a third of knowledge workers in the United States have worked remotely to some degree, according to a survey conducted by enterprise software firm Citrix. The Coronavirus pandemic has — and will continue to — change that, says Akhilesh Dhawan, director of product marketing for Citrix’s Delivery Networks group.

“With increased calls and even government mandates to work from home, companies must quickly scale their VPN solutions to accommodate significantly greater demand for access from remote locations, and many are struggling to do so,” he says. “There is a complex supply chain of ordering, procuring, and configuring an appliance involved, especially if it is hardware, and in many cases reduced IT staff available in the office to manage it.”

While the increase could lead to bandwidth congestion in residential networks not used to midday traffic spikes, so far the increases have been manageable. 

The most significant issue for companies is whether employees’ devices have been secured before they connect to internal networks, as well as the security of the services themselves. A flaw in the Pulse Secure VPN appliance led to several companies hit by ransomware attacks last year. And NordVPN suffered a privacy breach when a provider of datacenter services added additional accounts to its infrastructure.

While patching and securing their infrastructure is important, companies also need to focus on educating their employees on the secure use of VPNs, according to Aaron Zander, head of information technology at vulnerability-program provider HackerOne.

“Without a doubt, in 9 months from now, we’ll be looking at news stories about two impacts resulting from COVID-19 — all the babies being born, and all the breaches that have happened because of negligent infrastructure,” he said in a statement. “A VPN breach is about as bad as you can get, the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy.”

Companies should make sure users know that VPNs are not enough to guarantee security, NordVPN said. 

“People should keep in mind that cybercriminals are well aware of the fact that many people are working from home. Attackers hope that these employees are leaving security gaps,” the company predicted. “Sadly, cybercrime doesn’t stop because of the quarantine. Therefore we encourage you to pay serious attention to proper cyber hygiene.”

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Security Lessons We’ve Learned (So Far) from COVID-19.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/operations/vpn-usage-surges-as-more-nations-shut-down-offices/d/d-id/1337356?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hong Kong makes wearable trackers mandatory for new arrivals, checks in with ‘surprise calls’ too

Hong Kong has made it mandatory for all new arrivals to wear an “electronic wristband” that links to a smartphone to provide location-tracking services, so that authorities can be sure they’re observing COVID-19 quarantine requirements. And the city-state insists its privacy commissioner has signed off on the idea because it “does not pose privacy concerns.”

As explained today by government CIO Victor Lam, “the app will not capture directly the location, but only capture the changes in the location, especially the telecommunication and communication signals around the confinee to ensure that he (or she) is staying at home.”

An earlier press release presaging the devices’ introduction said “The decision of technologies to be used in monitoring was made on a risk-based approach. During the quarantine period, various measures are used to ensure the compliance of quarantine order, including the sharing of real-time location via communications software (WhatsApp or WeChat) by those under quarantine.”

And here’s the fun part in the press release: “The staff at the communication centres set up by the Office of the Government Chief Information Officer will check the location of people under quarantine from time to time and make surprise video calls to ensure that they are staying at their dwelling places.”

Which is a whole new spin on the role of a CIO!

But we digress.

The device is tamper-proof. Government advice is that “If the wristband is broken or the smartphone is disconnected or taken away from the dwelling place, an alert will be sent to the Department of Health and Police.”

The app appears to come from a Hong Kong outfit named Compathnion that bills itself as “an award-winning team with a mission to deliver effective location based solutions to fulfill evolving business needs.”

The exact disposition of the wristband has not been revealed, but Lam’s video shows him wearing what looks like a Tyvek wristband with a loop that could conceivably conceal an RFID or other silicon. CNBC’s report on the device shows something more robust and akin to the MagicBand that Disney properties slap onto their visitors. CNBC also described an enrolment process that requires wearers to pace out the dimensions of their dwellings.

Hong Kong’s government says it has secured 60,000 of the wristbands, and has put in place severe fines for those that don’t wear them, leave their dwellings or try to game the system.

Hong Kong joins Israel and China in the using-tech-to-track-Corona club, with several others currently considering the idea.

What a time to be alive. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/19/hong_kong_makes_wearable_trackers_mandatory_to_enforce_covid_19_quarantine/

Android malware uses coronavirus for sextortion and ransomware combo

Late last week, researchers at network intelligence company DomainTools warned about an Android malware sample that caught our attention.

Like many other cyberthreats doing the rounds these days, the criminals have used the coronavirus pandemic as a lure, offering an intriguing if rather creepy app called COVID 19 TRACKER.

Catchy icon of the malware app

The app offers to “Track Real-Time Coronavirus Outbreak in your Street, City and State”, and says it will “Get Real-Time Statistics about Coronavirus outbreaks around you in over 100 countries.”

Main malware landing page when browsing from Android

To be precise, if you’re keeping your eye out for giveaway mistakes, it actually says outbreak aroud you, an error both of grammar and spelling that you can see below.

Sure, mainstream websites make spelling mistakes, too, but every clue helps, so keep your eyes open for errors that might be a telltale sign of crooks in a hurry.

As we’ve seen before in coronavirus-themed cybercrime, the criminals have added the logos of various legitimate and useful sources of information:

Left: Main malware landing page when browsing from Android
Right: Download button with fraudulent “certification” claims

This time, they’re claiming their app is “certified by” the US Department of Education, the World Health Organization (WHO), and the US Centers for Disease Control and Prevention (CDC).

(No, that’s not a typo above: the CDC runs its operations and research from numerous major locations, so its name is a plural.)

If you’re wondering why the feature to track coronavirus infections in more than 100 countries has what looks like a winner’s gold cup above it with the number “1” on it, it’s because the crooks have plundered various legitimate apps and brands to leech logos, layout ideas, icons and more to use in their code.

The marketing material that the crooks have crudely ripped off comes from the pages of an unrelated Google Play app that really does have a 4.4-star rating:

Left: ripped-off web site content repurposed by malware authors
Right: original marketing from unrelated Google Play app

What about the app?

As you can see from the screenshot above, the “tracker app” doesn’t come from Google Play, because it wouldn’t get in.

Instead, you have to go off-market by downloading it directly from the crooks’ website by clicking their own [DOWNLOAD APK] button.

When you run the app for the first time, it asks for various permissions that might make you suspicious, but that don’t seem too outrageous, given that it’s supposed to keep you alerted about coronavirus cases as you move around.

In particular, the app wants to run in the background, to have lockscreen access, and to use Android’s accessibility features, as you see here:

Left: background permission is requested immediately
Right: clicking the [SCAN] button on the app screen demands you to grant more permissions first

Although the malware claims to need lockscreen access to give you an “instant alert when a coronavirus patient is near you”, that’s bogus for two reasons.

Firstly, even if the app is using the latest coronavirus stats, downloaded in real time, it has no way of determining the infectious status of any individual passing by, so it is false (and, indeed, creepy) to claim this as a “feature” at all.

Secondly, you don’t need “lockscreen access” to send notifications to the lockscreen – that’s controlled by the user, who can choose from their phone’s settings what sort of notifications to show when the phone is locked.

In fact, the malware wants what’s called device admin rights, as you can see in the screenshot below.

This is a feature that Google describes in its own documentation as allowing “device administration features at the system level, [to] allow you to create security-aware apps that are useful in enterprise settings.”

Similarly, if this app were genuine, it wouldn’t need Accessibility permissions, as it claims.

Those features are intended for use by software such as screen readers (which obviously need to access the screen content of other apps), and they’re tolerated on Google Play for security apps that can justify looking out for data such as web links in order to look for malicious sites.

The app claims that it needs Accessibility permissions by mentioning “active stats monitoring”, but a legitimate program would get its data by downloading and processing it itself, not by “sneaking a peek” and stealing it from other apps.

Left: malware demands device admin powers, though they aren’t needed for lockscreen notifications
Right: malware uses Accessibility functions to track your app usage

What happens next?

The real reasons why this malware wants to run in the background, monitor the other apps you are running, and intervene as a device administrator…

…are probably rather obvious, given the headline of this article.

Amongst other things, it tracks which app you have in the foreground and takes over control as soon as you try to use your phone for most of its normal features, including making calls, getting and sending messages, and accessing the Settings page.

And the Settings page is probably exactly where you will want to go as soon as the malware kicks in, which it does within about a second of launching most apps:

The malware locks you out of most apps by quickly covering them entirely with a blackmail demand.
The demand mixes sextortion with ransomware.

As you can see, this one is a combination of sextortion and ransomware – you’re locked out of your device because of the persistent pop-over screen, but with a threat to leak personal videos and photos to your family as an added incentive to pay up.

Once you’re infected, you can’t access Settings (where you can, in fact, kill off and uninstall the malware), in an attack reminiscent of Reveton, one of the earliest mobile phone “screen locker” ransomware variants that was widespread back in 2012.
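The permission combination described above (device admin, an Accessibility service, and the ability to cover other apps) is something a defender can check for before an APK ever runs. The following is an added example, not code from the article or from Sophos: it parses a constructed AndroidManifest.xml resembling what such a screen locker would declare (hypothetical package and class names) and flags the risky combinations.

```python
"""Flag Android manifests that declare the screen-locker permission pattern:
device-admin receiver + Accessibility service + overlay/boot capability.
Added example; the manifest below is constructed, not the analysed sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest with a hypothetical package name. A device admin is
# declared as a receiver guarded by BIND_DEVICE_ADMIN; an Accessibility
# service as a service guarded by BIND_ACCESSIBILITY_SERVICE.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidtracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="COVID 19 TRACKER">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".StatsService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def manifest_capabilities(xml_text):
    """Return the set of capability tags a manifest declares."""
    root = ET.fromstring(xml_text)
    caps = set()
    # Plain uses-permission entries: overlay windows and boot persistence.
    for up in root.iter("uses-permission"):
        perm = up.get(NAME, "")
        if perm == "android.permission.SYSTEM_ALERT_WINDOW":
            caps.add("overlay")
        elif perm == "android.permission.RECEIVE_BOOT_COMPLETED":
            caps.add("boot_persist")
    # Components guarded by a system-only bind permission.
    for el in root.iter():
        guard = el.get(PERMISSION, "")
        if guard == "android.permission.BIND_DEVICE_ADMIN":
            caps.add("device_admin")
        elif guard == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility")
    return caps


def risk_findings(caps):
    """Translate capability combinations into the behaviours they enable."""
    findings = []
    if {"device_admin", "accessibility"} <= caps:
        findings.append("device admin + accessibility: can watch the foreground "
                        "app and resist normal uninstall")
    if {"overlay", "accessibility"} <= caps:
        findings.append("overlay + accessibility: can cover another app the "
                        "moment it is opened")
    if {"boot_persist", "device_admin"} <= caps:
        findings.append("boot persistence + device admin: relaunches after a "
                        "normal reboot (Safe Mode still blocks it)")
    return findings


def analyze(xml_text):
    """Convenience wrapper: capabilities and findings for one manifest."""
    caps = manifest_capabilities(xml_text)
    return caps, risk_findings(caps)


if __name__ == "__main__":
    caps, findings = analyze(SAMPLE_MANIFEST)
    print("capabilities:", sorted(caps))
    for f in findings:
        print("FINDING:", f)
```

A label such as “COVID 19 TRACKER” justifies none of these capabilities, which is the point made above about demanding permissions an app does not plausibly need.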

Ironically, the malware is careful not to block your browser, even though you could use it to go online and look for advice on how to clean up.

That’s because the malware itself relies on the browser to load its own “here is how it works” page, hosted on the free data-sharing site Pastebin:

Instructions for how much to pay and whom to contact

How to clean up

Fortunately, at least in our experiments with this sample, the malware was fairly easy to remove by hand.

Our files were left intact, with the malware relying on its rapid pop-over screen as its way of keeping you locked out of your device, and as far as we can tell, the threat to reveal your personal data to friends and family if you don’t pay is entirely empty.

In other words, if you can remove the app so it no longer interferes with your phone usage, then you’re essentially home free.

A quick fix is offered by the fact that the crooks were lazy, and hardcoded the unlock code into their app:

Hardcoded unlock PIN in the malware

When we typed in the 10-digit code 4865083501 where you see enter decryption code in the blackmail page shown above, the malware stopped blocking our access to other apps.

Note, however, that the unlock code doesn’t actually stop the malware and uninstall it!

(The crooks handily left logging code in their app, so we could use the Android development tool adb logcat to watch the app continuing to abuse its Accessibility permissions to track apps as we used them, even after we’d entered the unlock code.)

But after entering the unlock code, we were able to access the Settings page, remove the malware’s device admin rights and uninstall it.

We used Settings > Apps and notifications > See all N apps to reach the App info page, where we located the Coronavirus Tracker app:

Left: the top-level App info page
Right: the malware shows up as “Coronavirus Tracker”

We tapped on the malware entry to open up its own App info page, where we used the system’s Uninstall button to get to the Deactivate & uninstall option, by which the system will demote the app from its device admin role (which prevents regular uninstallation) and then remove it:

Left: the [Uninstall] button on the system App info page
Right: uninstalling from here lets you remove device admin and the app in one go

We also tried rebooting our phone in Safe Mode, where most background apps don’t run, to see if we could remove the malware without relying on the unlock code – even though we know the right code for this sample, it might be different in other variants of the malware.

Also, there is something unappealing about trying to remove the malware while it’s still active and keeping track of what you’re up to on the device.

On our phone, Safe Mode is activated by holding the power button until the reboot menu appears, then holding down the power off icon for a second or two until the Safe Mode menu appears.

After a reboot, the text Safe mode appeared at bottom left of the screen; the malware didn’t launch; and we could use the same procedure as we did above to locate, deactivate and uninstall the malware.

What to do?

Not all mobile malware is this easy to get rid of, and most ransomware these days no longer just locks your device but also scrambles your files so that they need decrypting, too.

And many crooks have learned not to take shortcuts with their passwords, so it’s unusual to find an unlock key right there in the malware code.

So, your best bet is not to let your Android get infected in the first place.

  • Stick to Google Play. It’s not perfect, but it would almost certainly never have admitted this app, not only because of its coronavirus theme, but also because of its blatant abuse of permissions.
  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it will not only block malware from running in the first place, wherever you download it from, but also keep you away from risky websites to start with.
  • Never believe an app’s own propaganda. In this case, the crooks simply stole a marketing history from an existing app and claimed it as their own, complete with a positive review rating. On-site reviews are largely meaningless – they could have come from anywhere, and probably did. If you need advice, ask someone you actually know and trust.
  • Don’t grant permissions to an app unless it genuinely needs them. Decently-behaved apps generally still work, albeit with limited features, even if you withhold some permissions, so this malware’s trick of demanding unreasonable permissions before it runs at all should be considered suspicious.

Oh, in case it makes you feel better, the total amount that the crooks have received into the Bitcoin address shown in the Pastebin page above…

…is zero.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s1Y-wWd2yNo/

Dear Adobe, Trend Micro users: Please vaccinate your software – at least some of these security holes were exploited in the wild

A little more than a week after forgoing March’s Patch Tuesday hullabaloo, Adobe has emitted fixes for dozens of security flaws in its applications.

The ever-vulnerable Reader and Acrobat on Windows and macOS require patching for 13 CVE-listed holes, nine of which can be exploited to gain malicious code execution on vulnerable machines. The others are privilege escalation and information leakage.

Viettel Cyber Security, Shearwater Solutions, STAR Labs, Tencent Security Xuanwu Lab, SEFCOM Lab, Arizona State University, Renmin University of China, and TCA/SKLCS Institute of Software Chinese Academy of Sciences were thanked for finding and reporting the programming blunders.

In addition to tackling the Reader and Acrobat bugs, Adobe pushed out patches for 22 bugs in Windows and macOS Photoshop – 16 of which allow for malicious code execution – and one privilege escalation hole in the aptly-named Adobe Genuine Integrity Service on Windows.

These discoveries were credited to infosec researchers working with the Trend Micro Zero Day Initiative (ZDI), 小鸡帮, and Fortinet.

There are also two code-execution holes in Adobe Bridge on Windows, an info-leak bug in Experience Manager, and two critical flaws in ColdFusion.

These discoveries were credited to Mikhail Egorov, the ZDI, and Venustech ADLab.

Thus far, there have been no reports of active exploitation of the bugs.

Trend Micro

Meanwhile, folks running Trend Micro Apex One and Office Scan security tools will want to make sure they have the latest updates for those apps.

Five CVE-listed bugs, two of which are being targeted in the wild, need to be patched. These bugs range from remote malicious code execution to giving attackers the ability to delete any file on a system, or overwrite any data. The two bugs exploited by hackers are described as:

CVE-2020-8467: CVSS 9.1 (CRITICAL) – A migration tool component of Trend Micro Apex One and OfficeScan contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An attempted attack requires user authentication.

CVE-2020-8468: CVSS 8.0 (HIGH) – Trend Micro Apex One and OfficeScan agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

The programming blunders were found by Trend Micro Research.

“Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine,” Trend said of the flaws.

“Customers are encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate.” And, also, don’t forget to patch as soon as possible. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/18/adobe_trend_micro_patches/

Forget James Bond’s super-gadgets, this chap spied for China using SD card dead drops. Now he’s behind bars

An American citizen will spend the next four or so years behind bars in the US for smuggling corporate secrets out of the states to his spymasters in China.

A federal district judge this week sentenced Xuehua Edward Peng, 56, of Hayward, California, after he admitted handing over the trade secrets to Beijing. Peng earlier confessed that SD cards loaded with information stolen from an unspecified US company were left for him to collect at hotels by a contact only known as Ed. Peng would also hide tens of thousands of dollars in hotel rooms for Ed to collect as payment. Lawyers said Peng spent years trafficking confidential info.

“Today Xuehua Peng suffers the consequences of acting in the United States at the direction of a foreign government,” said US attorney David Anderson.

“This day of reckoning comes from Peng’s decision to execute dead drops, deliver payments, and personally carry to Beijing, China, secure digital cards containing classified information related to the national security of the United States. Peng will now spend years in prison for compromising the security of the United States.”



Prosecution paperwork [PDF] stated that, from 2015 through 2019, Peng agreed to, under orders from the Chinese Ministry of State Security, collect SD cards filled with stolen corporate information, and fly to China to drop them off to government snoops. The nature of the data was seemingly too sensitive for the US government to disclose in court.

Uncle Sam’s investigators said Peng moved to the Land of the Free under a B-1 business visa at the turn of the millennium, armed with a degree in mechanical engineering and “training in traditional Chinese medicine.” We’re told “he became a permanent resident via marriage in 2006, and was working as a San Francisco tour guide during his nefarious activities.”

According to prosecutors, three years after his US naturalization in 2012, Peng began moving information from the US to China via hotel pickups after he was tapped up by a Beijing official. Here’s how it went down, we’re told:

On October 24, 2015, Peng goes to the hotel [in Newark, California] and retrieves a package that was left for him there. The package contains a secure digital (SD) memory card. The next day, Peng drives to San Francisco International Airport and flies directly to Beijing, China. In Beijing, Peng meets with agents of the Ministry of State Security (MSS), including the People’s Republic of China (PRC) official with whom Peng had been communicating, and delivers the SD card to MSS.

A PRC official uses coded language to tell Peng that another dead drop will occur on April 23, 2016. The official directs Peng to book a hotel room where he will conduct the exchange. The PRC official directed Peng to leave $20,000 cash in the hotel room and that Peng will be reimbursed for the payment. The PRC official instructs Peng to return to the PRC on April 24, and to fly directly to Beijing, Shanghai, or Guangdong. Peng is informed that the PRC official with whom he is communicating would meet Peng when he landed.

Peng complied with the instructions. On April 23, 2016, Peng drives to an Oakland hotel, reserves a room, and leaves a key to the room at the front desk. Peng leaves $20,000 concealed on the underside of a dresser in the room. Hours later, Peng returns, observes that the money had been retrieved and determines that a cigarette pack with an SD card inside of it has been left for him in place of the money. Peng travels on a direct flight from San Francisco to Beijing the next day where he meets with agents of the MSS, including the PRC official.

Rinse and repeat a few more times. At one point, we’re told, Peng taped $20,000 to the underside of a dresser in a hotel room and left a key to his room at the front desk for someone to collect. Returning to the hotel about 90 minutes later, Peng saw the money was taken, checked out of the hotel, and returned home.

Peng was cuffed at his home on September 27, 2019 before his seventh dead drop could be completed. We’re told the US government found out about the espionage after a contact informed on Peng for around $200,000 in reward money, and he was put under FBI surveillance.

“This case exposed one of the ways that Chinese intelligence officers work to collect classified information from the United States without having to step foot in this country,” said Assistant Attorney General Demers. “Peng acted as an agent of the Chinese Ministry of State Security in the United States, conducting numerous dead drops here on their behalf and delivering classified information to them in China.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/19/sd_card_spy_china/

Skimmer May Have Put NutriBullet Customers’ Card Data at Risk for Nearly a Month

Blender maker is the latest victim of Magecart.

Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products.

The move came about one month after security vendor RiskIQ first detected the malware on NutriBullet’s website and apparently informed the company about it shortly thereafter. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until today.

Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch — two malware-fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data. The effort resulted in the card skimmer being removed from NutriBullet’s website on March 1, only to be replaced with a new one on March 5.

RiskIQ once again worked to neutralize the attacker’s data-exfiltration domain and, in a repeat of the first time, the threat actors placed a new card skimmer on NutriBullet’s website a few days later. Over the past few weeks, the criminals had access to NutriBullet’s infrastructure and continued to be able to replace the skimmer domain in the code to make it work again, RiskIQ said in a report Wednesday. Customers who placed orders on NutriBullet’s website between February 20 and today are likely to have been affected, RiskIQ said.

In an emailed statement to Dark Reading, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet’s statement suggested the company first learned of the skimmer today, which is at odds with RiskIQ’s claims about the company having been notified previously about the issue. RiskIQ has continued to maintain that it made multiple previous attempts to reach NutriBullet.

“Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach,” NutriBullet said. “The company’s IT team promptly identified malicious code and removed it.” NutriBullet said it had launched a forensic investigation to determine how the attackers had managed to place the skimmers on its website. It has also updated its security policies to include multifactor authentication.

NutriBullet is the latest victim of Magecart, a collection of hacker groups that over the last few years has stolen data on hundreds of millions of credit and debit cards by placing card-skimming software on e-commerce sites. Though each of the multiple groups has slightly different tactics and techniques, the most common has been to place skimmers on online shopping cart software or on other third-party software components that websites commonly use.

The card skimmers are designed to steal card information that customers enter into websites when making a purchase. Over the last few years, groups operating under the Magecart umbrella have compromised tens of thousands of large organizations, including Ticketmaster, British Airways, and NewEgg.

Magecart Strategy Highlights Supply Chain Risks
Yonathan Klijnsma, threat researcher at RiskIQ, says the different tactics that Magecart groups use make response harder for organizations. “The end goal is always to get the skimmer functioning on a website’s checkout process, but how they place it varies widely — they do it however they can,” Klijnsma says. “The same goes for their initial breaching of websites, which can be exploitation of the website [content management system] to reuse of credentials and simply logging in as an administrator.”

Klijnsma says RiskIQ has been tracking Magecart activities since 2014 and therefore is able to spot attacks like the one on NutriBullet as they happen. RiskIQ has no visibility into how many purchasers on NutriBullet’s website may have had their credit card information stolen, he adds. But based on how Magecart operates, it is likely that customers who shopped at the blender maker’s website over the period the skimmers were on it were affected. “We didn’t expect radio silence from NutriBullet, but it was sadly the case.”

Lamar Bailey, senior director of security research at Tripwire, says most midsize to large companies have a formal process for reporting vulnerabilities and security issues and typically respond quickly when informed about an issue. But getting smaller companies to respond to information about a security threat on their websites can sometimes be a struggle. “I will add that it is worse for companies that develop products for the general public,” such as small Internet of Things manufacturers, Bailey says. “Many of them will deprecate the product or end-of-life it instead of fixing it. This leaves customers in a bad position.”

For organizations, attacks such as those involving Magecart groups highlight the importance of supply chain security because in most incidents, Magecart operators have placed card skimmers in third-party software such as shopping carts, content management systems, and visitor-tracking tools.

“With modern applications using a host of third-party libraries and services, there are ample locations to effectively poison the supply chain,” says Tim Mackey, principal security strategist at Synopsys CyRC.

Therefore, for organizations, the question increasingly is about whom they can trust. When software was sourced solely from commercial vendors, the trust was inherent in the contract between the vendor and purchaser, Mackey says. But when the provenance and authorship of software is unknown, website owners need to have a process for vetting trust.

“If developers can’t explain what changed in a given release, that’s a problem,” Mackey says. “If they can’t explain how the code they depend upon gets updated, that’s a problem. Both are in effect the equivalent of [saying] ‘if it’s on the Internet, it must be OK,'” Mackey says.
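Mackey’s point about knowing what changed in the code you depend on, together with the earlier description of skimmers being injected into checkout pages through third-party components, suggests a concrete control: keep a baseline of the scripts a checkout page is allowed to load and diff the live page against it. The following is an added example, not RiskIQ’s or NutriBullet’s code and not anything described in the article. It parses an HTML page, flags external scripts served from hosts outside an allowlist, flags allowed external scripts that carry no Subresource Integrity attribute, and reports inline scripts whose SRI-style sha384 hash is not in the baseline. The page, the host names (`cdn.shop.example`, `cdn-stat.example`) and the integrity value are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script sources (with any integrity attr) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, integrity or None)
        self.inline = []        # list of inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sri_sha384(body: str) -> str:
    """Compute an SRI-format hash ('sha384-<base64>') for a script body."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_checkout_page(html, allowed_hosts, baseline_inline_hashes):
    """Return findings as (kind, detail) tuples.

    kinds: 'unexpected-host'  external script from a host not in allowed_hosts
           'no-sri'           allowed external script without an integrity attribute
           'inline-changed'   inline script whose hash is not in the baseline
    """
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).netloc     # '' for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif host and integrity is None:
            findings.append(("no-sri", src))
    for body in p.inline:
        h = sri_sha384(body)
        if h not in baseline_inline_hashes:
            findings.append(("inline-changed", h))
    return findings


# --- constructed sample input ------------------------------------------------
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
TAMPERED_INLINE = KNOWN_INLINE + " dataLayer.push('constructed change');"

ALLOWED_HOSTS = {"cdn.shop.example"}                 # placeholder CDN
BASELINE = {sri_sha384(KNOWN_INLINE)}                 # recorded at last review

SAMPLE_PAGE = (
    "<html><head>\n"
    '<script src="https://cdn.shop.example/checkout.js" '
    'integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>\n'
    "<script>" + KNOWN_INLINE + "</script>\n"
    '<script src="/js/local.js"></script>\n'
    '<script src="https://cdn-stat.example/jquery.min.js"></script>\n'   # injected
    "</head><body>\n"
    "<script>" + TAMPERED_INLINE + "</script>\n"                         # modified
    "</body></html>\n"
)


def run_sample():
    return audit_checkout_page(SAMPLE_PAGE, ALLOWED_HOSTS, BASELINE)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

Run it against a fetch of the live checkout page on a schedule and page someone when the result is non-empty; a new host such as the injected one above is exactly the change the article says recurred on NutriBullet’s site for weeks. The check does not verify the external scripts’ integrity values itself (that requires fetching each resource), which is why it treats a missing `integrity` attribute on an allowed host as its own finding.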


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/skimmer-may-have-put-nutribullet-customers-card-data-at-risk-for-nearly-a-month/d/d-id/1337346?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TrickBot Module Takes Aim at Remote Desktops

The module, still in development, focuses on compromising Windows systems by brute-forcing accounts via the Remote Desktop Protocol.

Trickbot, a popular malware distribution framework often referred to simply as a Trojan, has gained a new trick: its developers have added a module that focuses on compromising Windows systems by brute-force guessing of usernames and passwords, security firm BitDefender said in an analysis published today.

The module, first discovered in January but only publicly analyzed this week, seems to mostly target systems in Hong Kong and the United States and relies on command-and-control (C2) servers based mainly in Russia and northern Europe. The module downloads a list of targets, usernames, and passwords from the C2 servers, can check that targeted domains are running the Remote Desktop Protocol (RDP) service, and can attempt a manually ordered attack on the list of domains.

Overall, the attack is not overly complex but shows the malware platform is still evolving, says Liviu Arsene, global cybersecurity researcher for security software firm BitDefender.

“It is not technically something that is sophisticated or advanced, but it continues to do interesting things,” he says. “It has all the traits of an advanced attack, but it’s not sophisticated at all. It’s just a targeted attack.”

First discovered in 2016, Trickbot is perhaps best known as one part of the frequently encountered malware chain of Emotet-Trickbot-Ryuk, which has systematically targeted companies, compromised them, and then installed a disruptive ransomware program. Trickbot has adopted a number of different attacks against Windows systems, most recently an ActiveX-based attack.

About three-quarters of the targeted organizations appear to be in telecommunications, education and research, or financial services, BitDefender said in its report.

“Based on the list of targets, whoever created this module seems to be focused on nation-state-type compromises, not financial stuff like in the past,” Arsene says.

The operators behind the Trickbot malware framework have continued to add features, such as password collection, better methods of evading detection, and the ability to download and run Ryuk ransomware. In December, security firm SentinelOne discovered the Trickbot operators had started selling access to compromised networks to nation-state groups and that North Korea had used the access in an attack.

Earlier this year, security researchers found Ryuk had targeted a variety of critical infrastructure, including industrial control systems and maritime facilities. The other component in the triad, Emotet, has increasingly shed its banking Trojan roots and is now attempting to use business email compromises to spread and cash out.

Trickbot currently has more than a dozen different modules, from software packages that enable worm-like spread, to reconnaissance software that collects information on systems, to remote administration programs that allow an attacker to access compromised systems. 

The group also has an extensive C2 infrastructure. Almost 3,000 servers are dedicated to managing compromised systems, while another 556 servers are used for downloading updates.

While the Trickbot infrastructure suggests a group connected to espionage work, attribution is complicated, says BitDefender’s Arsene.

“The command-and-control structure is mainly based in Russia. Then you have a module that mainly targets a list of verticals — telecommunications, education, and science and research — within two different countries, the US and in Hong Kong,” he says. “We cannot put our fingers on any piece and say, ‘This is the forensic evidence that indicates this is a nation-state attack.'”

Companies should make sure vulnerable software applications do not have ports that are exposed to the Internet, Arsene says. In addition, employees are often targeted by attackers, so educating the workforce can help harden an organization.

“The initial infection usually happens via spear-phishing emails, so that means that you need to train employees,” he says. 

Companies should also investigate different ways of obfuscating their remote-access infrastructure, especially with many more employees working from home. “You need to be able to see if something is going on on your network,” Arsene says.
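Arsene’s closing advice, being able to see when something is going on, translates for the module described above into watching the logon audit trail on RDP hosts. The following is an added example, not BitDefender’s code and not part of the Trickbot analysis: it runs a sliding-window detector over a constructed, simplified logon log (one event per line: timestamp, event ID, logon type, account, source address). Event IDs 4625 and 4624 and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows Security log values; the line format, the addresses, and the threshold are assumptions made for the example, since real events come from EVTX rather than plain text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
REMOTE_INTERACTIVE = 10          # logon type used by RDP sessions

THRESHOLD = 5                    # failures per source inside the window (assumed)
WINDOW = timedelta(minutes=2)

# Constructed sample, NOT real event log output:
# "<ISO timestamp> <event id> <logon type> <account> <source address>"
# 203.0.113.7 walks a username list and then lands a valid logon;
# 198.51.100.4 is an ordinary user with one typo and a later success.
SAMPLE_LOG = """\
2020-03-18T10:00:01 4625 10 administrator 203.0.113.7
2020-03-18T10:00:02 4625 10 admin 203.0.113.7
2020-03-18T10:00:03 4625 10 guest 203.0.113.7
2020-03-18T10:00:04 4625 10 user 203.0.113.7
2020-03-18T10:00:05 4625 10 test 203.0.113.7
2020-03-18T10:00:06 4625 10 root 203.0.113.7
2020-03-18T10:00:07 4625 10 sysadmin 203.0.113.7
2020-03-18T10:00:08 4625 10 support 203.0.113.7
2020-03-18T10:00:09 4624 10 backup 203.0.113.7
2020-03-18T10:05:00 4625 10 jsmith 198.51.100.4
2020-03-18T10:30:00 4624 10 jsmith 198.51.100.4
"""


def parse_event(line):
    """Split one constructed log line into typed fields."""
    ts, event_id, logon_type, account, source = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as tuples.

    ('bruteforce', source, [accounts tried])        when a source reaches
                                                    `threshold` RDP failures in `window`
    ('success-after-bruteforce', source, account)   when a source that is still over
                                                    threshold then logs on successfully
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, account) failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = parse_event(line)
        if logon_type != REMOTE_INTERACTIVE:
            continue
        failures = recent[source]
        # Drop failures that have aged out of the window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if event_id == FAILED_LOGON:
            failures.append((ts, account))
            if len(failures) == threshold:      # fire once per burst, not per event
                alerts.append(("bruteforce", source,
                               sorted({acct for _, acct in failures})))
        elif event_id == SUCCESS_LOGON and len(failures) >= threshold:
            alerts.append(("success-after-bruteforce", source, account))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by a success from the same source means a credential from the attacker’s list worked, which is precisely the outcome the module is built to produce. With real data, feed the detector from the Security channel (for instance via an export of event IDs 4624 and 4625 with their IpAddress and LogonType fields) and tune the threshold to the host’s normal failure rate.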


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/trickbot-module-takes-aim-at-remote-desktops/d/d-id/1337345?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trend Micro Patches Two Zero-Days Under Attack

Businesses are urged to update the Apex One and OfficeScan XG enterprise security products as soon as possible.

Trend Micro has issued critical patches for several vulnerabilities in its Apex One and OfficeScan XG enterprise security products. Attackers have tried to exploit at least two of these flaws.

CVE-2020-8467, one of the two zero-days, is a critical remote code execution vulnerability in a migration tool component in Apex One and OfficeScan. This could allow remote attackers to execute arbitrary code in affected installations. The second zero-day, CVE-2020-8468, is a content validation escape flaw that could let an attacker manipulate certain agent client components. Both of these require valid user credentials for exploitation, Trend Micro reports.

In addition to the zero-days, today’s updates address three additional vulnerabilities, all of which are critical and do not require user authentication. Trend Micro says it has not observed attempted exploits of CVE-2020-8470, CVE-2020-8598, or CVE-2020-8599 in the wild.

Patches have been deployed for software versions including Apex One (on premise) CP 2117 for Windows, OfficeScan XG SP1 CP 5474 for Windows, and OfficeScan XG CP 1988 for Windows. Businesses are urged to update to the latest version of each product if a new one is available.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple