NEWS

Pulse Secure has alerted customers to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.

Cybersecurity sleuths Mandiant report that they are tracking “12 malware families associated with the exploitation of Pulse Secure VPN devices” operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.

The old vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:

• CVE-2019-11510 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We wrote about the apparent reluctance to patch for this vulnerability in 2019.
• CVE-2020-8243 a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.
• CVE-2020-8260 a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

The obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.

The new vulnerability

The new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10—the maximum—and a Critical rating. According to the Pulse advisory:

[The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

There is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don’t wait for the patch.

Mitigation requires a workaround

According to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company’s Security Advisory 44784. Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.

Targets

The Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations’ environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.

Threat analysis

FireEye’s Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are “applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so”. In their blogpost they discuss 4 variants. Interested parties can also find technical details and detections there.

Networking devices

State sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.

The post Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild appeared first on Malwarebytes Labs.

Facial recognition tech is in the news again after the FBI discovered the identify of one of the Capitol rioters by using facial recognition software on his girlfriend’s Instagram posts. It may sound scary and invasive, but in truth, what’s happening isn’t particularly new. In this case, we have what’s fast becoming a fairly standard tale of tracking people down via online imagery. Sometimes there’s cause for concern even without the latest tech providing some sort of flashpoint.

What’s happened?

After the Capitol riots following the US election, those responsible were slowly arrested over a period of weeks of searching and identifying. The Verge story mentions that in this effort, law enforcement made use of “facial recognition tools” to track down people associated with the event. The tool apparently brought researchers to the Instagram feed of a suspect’s girlfriend. It was a short step from there to matching his clothes with images from the Capitol riot.

Everything unravelled for the suspect quickly. Facebook accounts revealed his name. This brought investigators (via his state driving licence records) to his identity, workplace, and home.

Recognising recognition

We’ve covered facial recognition on the blog many times. Most concerns tend to focus on the potential for abuse from repressive Governments and law enforcement overreach. It’s such a concern that tech giants regularly dip in, and then quickly dip out when public opinion turns.

I don’t think many people will complain if facial recognition is used to help identify the people at the Capitol riots. Organisations find new ways to secure their sites with facial recognition and biometrics on a daily basis. You may or may not object to your bank combining facial recognition with AI software. These are potentially useful applications of this technology. Even so, we need to know what we’re dealing with for this story.

When pop culture and cold hard reality collide

Facial recognition is very much one of those technologies made a cliche for all time by film and television. The camera zooms in from orbit, it picks up the target in seconds, the operator is able to tell where the suspect bought his suit by enhancing the fibers on his jacket and so on.

The reality here is, “some people used a program to play mix and match with publicly available photographs”. The end result is still impressive, but CSI: Cyber this is not.

Impressive, but not CSI: Cyber

How does this work, then? Well, the article mentions “open source facial recognition tools”. The affidavit doesn’t say which tool, because law enforcement doesn’t want to give perpetrators clues for avoiding the long arm of the law. You can see some of the more popular tools available here, if you’re interested in learning more or giving them a go.

Otherwise, there are many other ways to match images with the raft of materials floating around online. TinEye is a dedicated online tool for matching images, and Google / Bing / Yandex search all offer their own versions of this functionality. A little bit of sleuthing and familiarity with OSINT practices can go a long way.

A sliding scale of “that’s impressive”

One of the best examples of this happened just recently, with a lost hiker pinpointed via a photograph. To me, this is significantly more impressive than digging a fairly distinctive individual out from a never-ending pile of selfies and readily available data on popular image sharing websites. As a result, I’d say this one is interesting, but definitely nothing new. Crowdsourcing also has a history of going horribly wrong, and the infamous Reddit Boston Bombing debacle is as good a place to drop this warning as any.

We’ll definitely see more of these stories in the near future, but I wouldn’t necessarily start panicking about this branch of open sourcing just yet.

The post FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram appeared first on Malwarebytes Labs.

CodeCov, a company that creates software auditing tools for developers, was recently breached (the company says it was breached on April 1, and reported it on the April 15). According to investigators, this incident, in turn, gave attackers access to an unknown number of CodeCov’s clients’ networks.

One cannot help but think that this knock-on breach effect is a supply-chain attack, similar to what happened to SolarWinds and their clients.

As you may recall, in the SolarWinds attack multiple companies reported being breached by state-sponsored adversaries, following an attack on the IT company SolarWinds that resulted in undetected modifications to its products. Those affected included FireEye, which resulted in the theft of their Red Team assessment tools; Microsoft; and departments in the US Treasury and Commerce.

Like SolarWinds, this seems like another attempt to add malicious code to products supplied to other organizations, so as to compromise those organizations, and potentially the software products they supply too.

CodeCov said that its Bash Uploader script, used by clients to find and upload code coverage reports to CodeCov, had been initially tampered with at the end of January this year. This wouldn’t have been found out if a client hadn’t raised concerns on April 1. According to the company, attackers were able to gain access to and alter the script by exploiting an error in CodeCov’s Docker image creation process.

A security update post by CodeCov states:

Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure,”

Because the script is allowed to search through users’ code it potentially has access to any credentials stored with that code. This could have given the attackers access to systems inside CodeCov’s clients’ networks, and in turn, the code that those companies are developing and supplying to others. And because it is expected to upload data outside of the clients’ networks, the upload script also offered an easy exfiltration route for the stolen data.

According to Reuters, the CodeCov attackers rapidly copied and pasted credentials from compromised customers, via an automated script, and used an automated way of searching for other resources (it’s not clear if these are references to the bash upload script, which seems to fit that description, or some other tools). “The hackers put extra effort into using CodeCov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” Reuters also revealed in an interview with one of the investigators.

Reuters reports that IBM, Atlassian, and other clients of CodeCov have claimed that their code has not been altered, while not address issues on credentials. Hewlett Packard Enterprise, another CodeCov client, has yet to determine if they or any of their clients have been affected by this breach according to the news service.

CodeCov says the modified Bash Uploader could affect:

– Any credentials, tokens, or keys that our customers were passing through their [Continuous Integration] runner that would be accessible when the Bash Uploader script was executed.

– Any services, data stores, and application code that could be accessed with these credentials, tokens, or keys.

– The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

CodeCov has a list of recommended actions to take. This includes “all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.” If you’re a CodeCov client, go here for more details. You will also find in there a list of actions they have taken in response to this breach.

The post CodeCov supply-chain compromise likened to SolarWinds attack appeared first on Malwarebytes Labs.

In 2018 three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe were arrested and taken into custody by US authorities. Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, were members of a prolific hacking group widely known as FIN7.

Hladyr is the systems administrator for the FIN7 hacking group, and is considered the mastermind behind the Carbanak campaign, a series of cyberattacks said to stolen as much as $900 million from banks in early part of the last decade. Last week Hladyr was sentenced in the Western District of Washington to 10 years in prison for his high-level role in FIN7.

The Carbanak campaign first made international headlines in 2015 as one of the first malware campaigns that specialized in remote ATM robberies. But FIN7 had already been active for a few years at that point and was involved in a lot more banking and financial malware than just the ATM machines manipulation.

The malware

Since 2013 FIN7 have attempted to attack banks, e-payment systems, and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. Carbanak is considered a further development of the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.

The campaigns all started with spear-phishing targeted at bank employees. When targets executed a malicious attachment the criminals were able to remotely control the victims’ infected machine. With access to a bank’s internal network, they were able to work their way internally until they gained control of the servers controlling ATMs.

A very detailed analysis of Anunak by Fox-IT and Group-IB can be found here (pdf).

By the following year, the same coders had improved the Anunak malware into a more sophisticated version, known as Carbanak. From then onwards, FIN7 focused its efforts on developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software, but Carbanak remained part of their toolset.

In the US alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Attribution

Many believe that the Carbanak malware was used by at least two separate entities. FIN7 and the Carbanak Group. This can be very confusing when trying to establish a timeline. Or when trying to solve any “whodunnit” mysteries. Once malware has been released and has proven to be successful you can count on other criminals trying to steal, copy, or rip off the code and techniques. So, if the Carbanak malware was used in a specific attack, it is not always clear which group was behind that attack, although it is clear that FIN7 was one of its users.

The arrest

The leader of the crime gang behind the Carbanak and Cobalt malware attacks was arrested in Alicante, Spain. The arrest was announced by Europol on 26 March 2018. According to Europol, the activities of the gang were believed to have resulted in losses of over EUR 1 billion for the financial industry.

Arresting the leader of that group did not stop the activities of the group though. The FIN7 campaigns appear to have continued, with the Hudson’s Bay Company breach using point-of-sale malware in April of 2018 being attributed to the group.

The arrest of Hladyr in August of 2018 at the request of the US Department of Justice, along with two other high-ranking members of the group did not have that effect either. In 2020 a cooperation between FIN7 and the Ryuk operators was suspected when the tools and techniques of FIN7, including the Carbanak Remote Administration Tool (RAT), were used to take over the network of an enterprise.

The conviction

After being extradited to the US in 2019, Hladyr pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking, in his role as the systems administrator of the FIN7 group.

According to acting US Attorney Tessa M. Gorman of the Western District of Washington:

This criminal organization had more than 70 people organized into business units and teams.  Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems. This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.

The Department of Justice says that Hladyr joined FIN7 via a front company called Combi Security but soon learned that it was a fake cybersecurity company with a phony website and no legitimate customers. It asserts that Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the servers used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication.

The post FIN7 sysadmin behind “billions in damage” gets 10 years appeared first on Malwarebytes Labs.

Behind the scenes there are many people working in cyber-security that make the internet a safer place. Youssef Sammouda is one of these people. He has submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way. Generally speaking, people may refer to this work as being a bug bounty hunter, but there is more to it than that.

Q: Tell us a little bit about your background

A: I’m 21 years old. I grew up in Tunisia. I always loved everything about computers from an early age. I started programming when I was 12 and my curiosity eventually led me to hacking. First I learned about “hacking”, techniques to get access to systems, how to escalate privileges, and how to achieve persistence. A better name than hacking is penetration testing. After that, I focused on web application security and learned a lot from forums and IRC chat rooms. Later, I heard about bug bounty hunting by coincidence and started doing it.

I can’t say much about my educational background since I dropped out of university due to my engagements in web applications development and my security assessments. I’d say that everything I learned to this day was from online content or books and not from educational institutions.

Q: How did you get interested in bug bounties?

A: Before bug bounties, it was difficult to test what you learned or sharpen your skills without being worried about getting noticed or caught when targeting websites or servers, since after all you’re doing something without the owner’s permission even if your intention is not to cause damage. So, the first benefit of bug bounty programs was the ability to responsibly apply or test what you’d learned about security, without worrying about legal actions by the website owners. Then of course, some of the programs introduced financial rewards which made it even better. You could start earning money at the same time as learning and doing what you love.

I became interested in the Facebook bug bounty program because it was beginner friendly. The scope was huge and it had the biggest rewards. My first bug in Facebook was a critical one and I found it in less than an hour, which encouraged me to dig more and learn about their infrastructure. After some time, I found myself knowing all the techniques to best enumerate their websites.

Q: Are there other security fields you are interested in?

A: I’ve always been fascinated by browser security and Operating System (OS) security. Reading proof-of-concept exploits of vulnerabilities found in browsers or applications has always been fun and an enjoyable thing to do, and I hope one day I can achieve the level of the researchers in these fields.

Q: Can you tell us something about how you find new bugs? And why you focus on Facebook?

A: I believe Facebook is running one of the best bug bounty programs out there. Sure, it has some problems and sometimes you get misunderstood by the security team, but if you compare it to other bug bounty programs, you’ll notice that Facebook is way better. Also, Facebook is very serious about its security. With time you notice that it’s getting harder to find bugs, which motivates me more, since I know others might be quitting and leaving me with a big scoop to dig out.

Due to the large numbers of researchers/hunters nowadays, and the continuous competition between us, I always try to follow my own methodology—which is different from others’—to avoid duplicated reports, and also to find special bugs that others have missed. Of course, over time, I have to change my methodology to stay in the game: Other researchers discover similar methodologies to mine, the security team adapt and make enumeration harder, and so on.

Q: Do you get a ton of requests to hack people’s Facebook accounts?

A: Actually, I don’t remember receiving requests to hack someone’s Facebook account, but I get requests to verify profiles or pages. I always try to gently explain that I don’t work for Facebook. I redirect them to the right Facebook support or contact page for their needs.

Q: What is the most potentially dangerous discovery you have made?

A: I believe the most dangerous discovery I have found was a Facebook bug that allowed me to return data fragments of any object. This data extraction bug was similar to finding an SQL injection bug, which is rare to find in modern applications. This could have allowed a malicious actor to collect a large amount of data about Facebook infrastructure, users and more.

Q: What advice do you have for aspiring bug bounty hunters?

A: I have always believed that there’s no such thing as a “bug bounty hunter”. There are security experts or researchers. “Bug bounty hunter” tells newcomers, or other experts in the field, that it’s all about bounties for us: How to earn them and what’s the fastest route to do that. Which is clearly wrong, since one must first understand what cybersecurity is and what problems we’re trying to address and fix.

The best advice for people trying to start is to first master a programming language. Then learn about security in a field you like (web, OS, mobile …) and how to write secure code. When learning about security, try to write vulnerable applications that you can exploit, so you can test what you learned against them. If you can understand how a vulnerability occurs in your application, you might try to apply what you learned against real applications, like the ones run by websites with a bug bounty program.

Do not care about bounties to begin with, just about finding bugs. You might report them without even waiting for the security team to reply. At some point, you’ll reach a certain level, with skills and experience gained over years, that will enable you to start making money from it, or by starting a professional career.

We would like to thank Youssef for his cooperation. You can follow Youssef Sammouda on Twitter.

The post Interview with a bug bounty hunter: Youssef Sammouda appeared first on Malwarebytes Labs.