IT NEWS

Criminals socially engineer their way to bank details with fake arrest warrants

When an organization experiences a massive data breach, it knows (at least) that it needs to inform the federal government about the cybersecurity incident, get law enforcement involved, and then inform its clients and affiliates. Seems simple enough, but this process, which Western countries have largely adopted, is the result of countless past breaches, followed by a myriad of digital crimes that took advantage of the leaked and stolen data.

Unfortunately, not all governments handle incidents of compromised data the same way, even though every country, and every country's victims, is by now familiar with them. And while some governments continue to deny the real-life impact of such online incidents and lawmakers are still figuring out what to do, consumers are left to fend for themselves with no real help in sight from law enforcement.

Such was the case of @TheVenusDarling, a Twitter user in Malaysia. She was targeted by online scammers who used her personal details gleaned from an April 2022 data leak that affected 22.5 million people.

Note that Venus’s case is just one of many. After she shared her experiences on Twitter, some came forward to tell a similar tale that, more than losing money, left them feeling traumatized for a long time. Without Venus’s quick thinking and help from a cybersecurity pro, she would’ve been left in a far more difficult situation.

Scammers put victims in a swirl of “too much”

It began with a phone call.

The caller, a woman purportedly working for the Inland Revenue Board of Malaysia (IRBM), the agency responsible for collecting taxes, said that “Venus” owed at least RM50,000 ($11,000) in arrears for a business created under her name.

“The caller seemed authoritative and convincing and even supplied a reference number,” said Munira Mustaffa, the expert who helped Venus in her case. It didn’t stop there. In further attempts to sell the legitimacy of the call and the integrity of the person on the other end of the line, the caller connected Venus to a “police inspector” (PI), who then instructed her to hang up and Google the number of the local police headquarters. She then received a call from a number matching the number she had just searched. Caller ID is trivially spoofed, so a matching number proves nothing: a call you receive is never verification, only a call you place yourself to a number you looked up is.

Mustaffa, who founded the Chasseur Group and serves as its executive director and principal analyst, is known in counter-terrorism and organized crime circles. In her post, she broke down the scam into four phases, reflecting the scammers’ intent in each stage: Dismay, Isolate, Overwhelm, and Intimidate.

The so-called PI proceeded to inform Venus that there was an arrest warrant for her because her ATM card was linked to money laundering and fraud activities [Dismay]. He then passed the call to a “high-ranking officer” (HRO), who instructed her to move to a quieter place to ensure the call’s privacy [Isolate]. The HRO then sent Venus a copy of the purported arrest warrant, containing her legitimate details, via WhatsApp [Overwhelm]. He also told her to download and install an APK file he sent via the messaging app to aid them in their investigation.


The fake arrest warrant the supposed “high-ranking officer” sent to the victim. It contains the official emblem of the country’s law enforcement body and contains legitimate details of the victim gleaned from the April 2022 leak. (Source: Chasseur Group)

Venus did what she was instructed, including filling out the form in the app. When she was about to enter her bank account PIN, she remembered she wasn’t supposed to share it with anyone. She then realized she was about to be scammed. Sensing her hesitation, the HRO began shouting to further freak her out into giving up the PIN [Intimidate].

She then ended the call, uninstalled the app, and sought Mustaffa’s help.

“Unfortunately, in this instance, uninstalling the app is not sufficient,” Mustaffa said. “Even with the application deleted, we had to assume that the device remained infected with malware. Hitting reset would have been the recommended option; however, that would result in data loss—an outcome not many are willing to go for.”

Scammers know what people don’t

If this scam is not spotlighted and people are not educated, many more will continue to fall for this campaign. Scammers succeed not only because they have the tools to take advantage of anything bad that happens to people, but because they know what people know and, more importantly, what they don't.

In this case, they know that citizens are largely unaware of government processes. And while the IRBM and law enforcement have social media presence and do inform their followers of scams, it’s not enough.

“[T]he general populace must be properly informed about the government’s procedures and standards,” Mustaffa said. “And in order to do this, it is vital to enhance the accessibility, clarity, and transparency of information that is already widely available.”

Getting familiar with the scam is also a big way to prevent it.

A scam is a scam, regardless of origin. If it proves lucrative, many will copy it. It's only a matter of time before online criminals elsewhere adopt this tactic and begin their own social engineering campaigns against unwary citizens.

Cryptojackers growing in numbers and sophistication

With rising energy costs and increased volatility in the value of cryptocurrencies, we were bound to see a rise in malicious cryptomining, aka cryptojacking. If you don't know whether you will ever see a return on your investment in mining equipment, you will look for other opportunities. A threat actor, however, can use other people's resources to mine cryptocurrency: no investment, and if the number of mining bots is high enough, there might be some worthwhile profit.

Detection

Keeping up the number of bots that are secretly being used for mining means cybercriminals have to maintain a low profile on the affected machines. Rendering a device useless for its owner will prompt that user to investigate, which could result in the sneaky miner being removed from the machine.

File detections, whether based on running executables or browser extensions, will have the same effect. Once a miner is detected by one or more popular anti-malware programs, a cyberthief will quickly see their army of miners diminish. Looking at our top 10 malware of last month, you will notice that RiskWare.BitCoinMiner and Trojan.BitCoinMiner are regulars in the top 10 of (Windows) malware that we blocked.

Fileless

The workaround that some cybercriminals find for avoiding file detection is to make their malware fileless. Unlike traditional malware, which relies on a file being written to disk, fileless malware is intended to be memory-resident only. In a recent blog post, Microsoft differentiates between crypto miners that use legitimate tools and those that use LOLBins.

LOLBins is the abbreviated term for Living Off the Land Binaries. Living Off the Land Binaries are binaries of a non-malicious nature, local to the operating system, that are utilized and exploited by cybercriminals to camouflage their malicious activity.

Notepad

One of the most abused tools for cryptomining is notepad.exe. Using techniques like process hollowing to inject malicious code into legitimate processes like notepad.exe, the cryptomining malware tries to stay below the radar. The malware will create a scheduled task or use other recurring events to start the process hollowing routine. The legitimate Notepad has no reason to run at high CPU for minutes on end or to open outbound network connections, so either of those coming from a notepad.exe process is worth a closer look.


Detecting fileless malware

There are several ways to detect fileless malware. In their blog post, Microsoft proposes using a hardware-based threat defense, which applies machine learning to low-level CPU telemetry to detect threats. Cryptojackers will typically cause sustained spikes in CPU usage, which slow the system down and so tend to prompt the user to start investigating.

Using behavioral detection methods certainly makes sense, especially in the case of cryptojacking where the behavior of the malware is predictable based on its end goal. But other typical malware behavior like code injection, process hollowing, and creating scheduled tasks will raise warning flags as well.

Other warning signs can be found in the connections that certain processes make, like reaching out to known C2 servers and mining pools. And we can block the connection to websites that use their visitor’s systems for cryptomining without their explicit consent.
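The behavioral signals listed above (sustained CPU, code injection into a LOLBin, scheduled tasks, and connections to mining pools) can be combined into a simple triage rule set. The script below is an added example, not Malwarebytes' or Microsoft's detection logic: the event shape, the thresholds, the port list and the telemetry lines are all constructed assumptions standing in for what an EDR agent or Sysmon would actually emit. It walks a small batch of events for three hosts and shows why high CPU on its own is a weak signal while the combination of signals is not.

```python
"""Behavioral triage of endpoint telemetry for cryptojacking.

Added example: the rules, thresholds and events below are constructed for illustration and
are not Malwarebytes' or Microsoft's detection logic. The event shape is an assumption
standing in for whatever your EDR agent or Sysmon configuration actually emits.
"""
import re
from collections import defaultdict

# LOLBins that never need an outbound socket (assumption; extend for your estate).
LOLBINS_NO_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}
# Parents from which a user-launched notepad.exe is expected (assumption).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Ports commonly seen in Stratum mining-pool configurations (assumption; not exhaustive).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Method names from the Stratum protocol and the XMRig login handshake.
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", '"method":"login"')
# Scheduled-task actions rooted in user-writable directories deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
CPU_THRESHOLD = 80   # percent
CPU_SUSTAINED = 3    # consecutive samples at or above the threshold

# Constructed telemetry, not real data. On a "task" event, pid is the creating process.
EVENTS = [
    # ws-01: a task in %AppData% starts a loader that hollows notepad.exe, which then mines
    {"host": "ws-01", "type": "task", "pid": 3980, "name": "SvcHostUpdate",
     "action": r"C:\Users\alice\AppData\Roaming\svc\run.exe"},
    {"host": "ws-01", "type": "proc", "pid": 4120, "image": "notepad.exe", "parent": "run.exe"},
    {"host": "ws-01", "type": "cpu", "pid": 4120, "pct": 96},
    {"host": "ws-01", "type": "cpu", "pid": 4120, "pct": 98},
    {"host": "ws-01", "type": "cpu", "pid": 4120, "pct": 97},
    {"host": "ws-01", "type": "net", "pid": 4120, "dst": "pool.example.invalid", "port": 3333,
     "payload": '{"id":1,"method":"login","params":{"login":"44AAAA","agent":"XMRig/6.0"}}'},
    # ws-02: a user opening a large file in Notepad; one CPU burst, no network
    {"host": "ws-02", "type": "proc", "pid": 2210, "image": "notepad.exe", "parent": "explorer.exe"},
    {"host": "ws-02", "type": "cpu", "pid": 2210, "pct": 85},
    {"host": "ws-02", "type": "cpu", "pid": 2210, "pct": 3},
    {"host": "ws-02", "type": "cpu", "pid": 2210, "pct": 1},
    # ws-03: a browser in a video call; sustained CPU but nothing else suspicious
    {"host": "ws-03", "type": "proc", "pid": 880, "image": "msedge.exe", "parent": "explorer.exe"},
    {"host": "ws-03", "type": "cpu", "pid": 880, "pct": 90},
    {"host": "ws-03", "type": "cpu", "pid": 880, "pct": 92},
    {"host": "ws-03", "type": "cpu", "pid": 880, "pct": 91},
    {"host": "ws-03", "type": "net", "pid": 880, "dst": "meet.example.invalid", "port": 443,
     "payload": ""},
]


def analyze(events):
    """Walk the events in order and collect, per (host, pid), the rule names that fired."""
    image_of = {}                    # (host, pid) -> image name seen at process start
    cpu_run = defaultdict(int)       # (host, pid) -> consecutive high-CPU samples
    findings = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["pid"])
        kind = ev["type"]
        if kind == "proc":
            image_of[key] = ev["image"]
            if ev["image"] in LOLBINS_NO_NETWORK and ev["parent"] not in EXPECTED_PARENTS:
                findings[key].add("unexpected_parent")
        elif kind == "cpu":
            if ev["pct"] >= CPU_THRESHOLD:
                cpu_run[key] += 1
                if cpu_run[key] >= CPU_SUSTAINED:
                    findings[key].add("sustained_high_cpu")
            else:
                cpu_run[key] = 0     # a short burst is normal; only a sustained run counts
        elif kind == "net":
            if image_of.get(key) in LOLBINS_NO_NETWORK:
                findings[key].add("lolbin_network_egress")
            if ev["port"] in MINING_POOL_PORTS:
                findings[key].add("mining_pool_port")
            if any(method in ev.get("payload", "") for method in STRATUM_METHODS):
                findings[key].add("stratum_handshake")
        elif kind == "task" and USER_WRITABLE.search(ev["action"]):
            findings[key].add("task_launches_user_writable_binary")
    return {key: sorted(rules) for key, rules in findings.items()}


def verdicts(findings, min_rules=2):
    """High CPU on its own is weak evidence; require at least two independent rules."""
    return {key: rules for key, rules in findings.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for key, rules in verdicts(analyze(EVENTS)).items():
        print(f"{key[0]} pid {key[1]}: likely cryptojacking ({', '.join(rules)})")
```

Run as-is it reports only ws-01 pid 4120, with all five rules. The browser on ws-03 trips the CPU rule alone and is ignored by verdicts(), which is the point: the hardware telemetry approach Microsoft describes is valuable precisely because it adds a signal that does not depend on CPU load, and the scheduled task on ws-01 is the persistence you should remove along with the hollowed process.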

Mitigation

Noticing that something is amiss is an important step. Don't dismiss constantly high CPU usage as a mere nuisance: it can do costly damage to hardware that was not built to run at peak load around the clock.

Cryptojacking can be done locally on the system or in the browser. Knowing the difference can help you remediate the problem, as both methods require different forms of protection.

Any decent anti-malware solution, like Malwarebytes, will provide protection against both methods. You will need to use active protection though. Just scanning your computer’s file system can miss the fileless variants.

A week in security (August 15 – August 21)

Last week on Malwarebytes Labs:

Stay safe!

Explained: Steganography

Steganography is the prime example of effectively hiding something in plain sight. The word steganography comes from the Greek “steganos”, meaning “covered” or “concealed”, and “graphia”, meaning “writing”. Steganography, then, is “covered writing”.

In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion.

In this article we will focus on steganography in digital images.

Methods

Hiding a message inside an image without changing its visible properties too much requires some work, but if the work is automated it can be done quickly and effectively.

Least significant bits

In the 24-bit RGB color scheme, each pixel’s color is defined by 24 bits: the first 8 bits encode the amount of red in the pixel, the next 8 bits the amount of green, and the last 8 bits the amount of blue.

This method of steganography uses the bits of each pixel in the image and makes hardly noticeable changes to the color by overwriting the least significant bit of each RGB value. The resulting change to any channel is at most one step out of 256, too small to be recognized by the human eye.

For example, if a pixel has the color defined by RGB values (124, 5, 78) and I changed that to (123, 6, 79) in order to hide some message, the difference in colors will be minimal.


 Images courtesy of rgbtohex.net

You can barely see the difference between the two color swatches, let alone when such a change is spread across individual pixels of a larger image.

Masking

The methods that use these techniques are effectively similar to paper watermarks, creating markings in an image. This can be achieved, for example, by modifying the luminance of parts of the image. Luminance is the measure of how bright a given area of the image appears.

In a grayscale image, luminance is the only value there is, so it is simply the image's brightness. And without the original available for comparison, these changes will hardly be noticeable. Masking and filtering techniques are mostly used on 24-bit and grayscale images. Masking an image entails changing the luminance of the masked area.

Palette-based technique

Senders embed their message in palette-based images such as GIF or indexed-color PNG files. The structure of palette-based images is what makes them interesting: a color lookup table holds every color used in the image, each pixel is stored as a single byte, and that byte is an index into the palette (so the image has at most 256 colors).

There are two approaches to hiding messages in palette-based images:

  • Embedding messages into the palette. The capacity does not depend on the image and is limited by the palette size.
  • Embedding into the image data. Provides a higher capacity, but it is generally harder to design a secure scheme.

Compression and cropping

There are some possible hurdles that can remove or distort the hidden message between being created and reaching its destination. To escape those pitfalls the choice of the format and the method is important. And you will have to know which hurdles you can expect on the chosen route.

A steganographic system has three elements, and each of them is a place where data can be lost:

  • the message, which travels from the sender to the receiver
  • the carrier, in our case the image in which the message is hidden
  • the key, the information the receiver needs to find the message

The most common worry will be whether any operations that are performed on the carrier on its way from the sender to the receiver have an impact on the message. A much-researched topic in this field is resisting JPEG compression. Lossy compression removes redundancies that are too small for the human eye to differentiate, which makes the compressed file a close approximation, but not an exact duplicate, of the original. The best-known file format that uses lossy compression is JPEG.

Due to the development of mobile communication technology, social media platforms such as Facebook, Twitter, and Instagram transmit enormous numbers of images. They routinely re-encode uploaded images with JPEG compression to save bandwidth and traffic, and this kind of lossy operation often destroys a message hidden with traditional steganography techniques.

Cropping is an operation that can be used to make an image smaller (in pixels) and/or to change the aspect ratio (length to width) of the image. One approach to resist cropping is to copy the steganographic mark several times in different positions of the image.

Since masking techniques embed information in significant areas, the hidden message is more integral to the cover image than it is when you hide the information at the noise level, as you do with LSB techniques. The least significant bits are exactly what lossy compression treats as discardable noise, so LSB methods need a lossless carrier format such as PNG or BMP, and a single JPEG re-encode will wipe the message.

Steganography vs encryption

Why would we hide our secret message in an image rather than encrypt it? After all, an encrypted message cannot reveal its contents if it's intercepted, unless the interceptor has the decryption key.

However, sending encrypted messages might imply that there is something we want to hide.

So, what to do if you want to send a secret message to someone without anyone else knowing that there is a secret in the message? Steganography is a possible answer to that problem.

Other hurdles

To find the hidden message the receiver needs some information, and to prevent the message from being found and read by just anyone, that information has to be hard to guess.

In top secret communications you will see a combination of steganography and encryption, where the hidden message must be decrypted before it reveals anything meaningful. Steganography alone provides no confidentiality: anyone who suspects the carrier and knows the method can extract the payload. One of the problems is the security of transferring the key used for steganography between sender and receiver.

Again, there has been a lot of research into this matter. It can be as simple as using matching encode and decode routines. But whichever method you choose, it is imperative to have clear and unambiguous agreements in place if you want to rely on steganography for your secret communications.

Example

Let’s hide a message in the image we used as a header for this post. We used the Python script which is available on geeksforgeeks.org.

Original image, and the same image with a hidden message:

The elegant part of this script is that the receiver does not need a copy of the original image or some cipher to decode with. The receiver just needs to use the same script to decode the message. The flip side is that so does anyone else: the secrecy rests entirely on nobody suspecting the image, not on any key.


As you can see from the example images above, though there is no perceptible difference between the two images, we have, indeed, hidden a message within (Malwarebytes rocks). 
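The LSB technique from the “Least significant bits” section, implemented here as an added example in Python; this is not the geeksforgeeks script used for the images above and not Malwarebytes' code. It works on an in-memory list of (r, g, b) tuples so it runs without an image library, stores a length header so the receiver needs nothing but the same routine (the property the previous paragraph describes), and includes a crude stand-in for lossy recompression to show the compression caveat from the “Compression and cropping” section. The carrier pixels, the message and the quantization step are constructed assumptions.

```python
"""LSB steganography on an in-memory 24-bit RGB pixel buffer.

Added example, not the geeksforgeeks script used for the post's images. The "image" is a
constructed list of (r, g, b) tuples; no image library or file is needed, and the same
functions work unchanged on pixel data read from a lossless format such as PNG or BMP.
"""
import random


def make_carrier(width=64, height=64, seed=7):
    """Constructed stand-in for a photo: deterministic pseudo-random RGB pixels."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def capacity_bytes(pixels):
    """Payload bytes the carrier can hold: one bit per channel, minus the 4-byte length header."""
    return len(pixels) * 3 // 8 - 4


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, message):
    """Hide `message` (bytes) in the LSB of each channel, R then G then B, pixel by pixel.

    A 4-byte big-endian length header tells the receiver where the payload ends, so no
    copy of the original image is needed to extract it."""
    if len(message) > capacity_bytes(pixels):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity of "
                         f"{capacity_bytes(pixels)} bytes")
    payload = len(message).to_bytes(4, "big") + message
    out = [list(p) for p in pixels]
    for index, bit in enumerate(_bits(payload)):
        pixel, channel = divmod(index, 3)
        out[pixel][channel] = (out[pixel][channel] & 0xFE) | bit   # changes the value by at most 1
    return [tuple(p) for p in out]


def extract(pixels):
    """Read the LSBs back in the same order and stop once the header's length is reached."""
    length = None
    buf = bytearray()
    acc = nbits = 0
    for pixel in pixels:
        for value in pixel:
            acc = (acc << 1) | (value & 1)
            nbits += 1
            if nbits < 8:
                continue
            buf.append(acc)
            acc = nbits = 0
            if length is None and len(buf) == 4:
                length = int.from_bytes(buf, "big")   # header read; payload follows
                buf = bytearray()
            if length is not None and len(buf) == length:
                return bytes(buf)
    raise ValueError("carrier ended before a complete message was read")


def max_channel_delta(original, stego):
    """Largest per-channel change the embedding made; LSB changes are 0 or 1."""
    return max(abs(a - b) for p, q in zip(original, stego) for a, b in zip(p, q))


def quantize(pixels, step=4):
    """Crude stand-in for lossy recompression: truncate every channel to a multiple of `step`.

    Real JPEG encoding is far more involved, but it equally treats the LSBs as discardable."""
    return [tuple(v - v % step for v in p) for p in pixels]


def survives(pixels, message):
    """True if `message` can still be extracted from `pixels`."""
    try:
        return extract(pixels) == message
    except ValueError:
        return False
```

Swap make_carrier() for pixel data loaded from a PNG or BMP and the rest is unchanged. Save the result in a lossless format: quantize() shows what happens to the payload the moment the least significant bits are rounded away, which is exactly what a social media upload does to it.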

Tech support scammers target Microsoft users with fake Office 365 USB sticks

Microsoft is a hot target for scammers and acts of fraud. For example, tech support scam websites cover themselves in Windows branding and messages. Phone scammers claim to be calling directly from Microsoft. If it’s not a Bill Gates themed lottery spam mail in your mailbox, it’s a fake Excel spreadsheet laden with dangerous macros.

Well, Microsoft is now issuing a warning related to a recent scam riding on the coat-tails of their branding. Criminals are producing very slickly designed physical boxes made to look like Microsoft products. The boxes say “Microsoft Office Professional Plus” on the front, along with “product key inside – no disc” at the bottom.

Opening the box reveals a solitary USB stick and a product key. This is about to go as horribly wrong as you’d expect.

Why mysterious USB sticks are probably not your friend

We’ve warned at length about the dangers of plugging random USB sticks into your device. Whether a stranger has given it to you in the street as part of a giveaway, you found it on the floor, or you received it at an event, there’s an element of risk involved.

You simply do not know what lurks on the stick if someone else has handled it first, and a stick does not even need to carry files to be dangerous: a device that presents itself to the operating system as a keyboard can type commands the moment it is connected. Of course, some fancy Microsoft branding and a large box will work wonders on the “please trust my fancy Microsoft box” front. Some sort of promotional copy of an otherwise expensive document editing tool? Even better.

What happens if someone is unfortunate enough to plug it in?

What’s in the box?

Sadly, people expecting a freebie Office Professional Plus do not receive what they were expecting. What actually happens is victims see a popup for a fake tech support line. Phoning the number is a short step to handing over remote control to the scammers.

Based on the typical tactics, the scammers will install a form of remote access software onto the target PC. At this point, they can pretty much do what they want. Do you have bank details stored on a notepad on your desktop? They can just open it up and take it. Will they install some dubious software or even malware to get up to who knows what? They might, and the victim would probably be none the wiser.

If they stick to the whole “here’s a product of some sort” angle, they may well just ask the victim to make a payment of some sort over the phone. Whatever the end-game, it’s not going to benefit the person sitting in front of their computer.

It’s pretend virus time

In this particular instance, the fake Microsoft outfit went with the “You have a virus, call us” approach. They did indeed attempt to install remote access software. Once the non-existent problem was “solved”, the victim was passed over to a phony Office 365 subscription team.

Microsoft has pointed out that this isn’t a very common tactic. While it has happened in the past, you shouldn’t start living in fear of novelty oversized Microsoft boxes landing on your doorstep to ruin your day.

Should you receive a novelty oversized Microsoft box, don’t panic. Check out Microsoft’s list of tips for staying safe where Microsoft-centric tech support scams are concerned. Report the box directly to Microsoft’s technical support scam reporting page. If there’s anything suspicious, you’ll have some steps to follow and hopefully a safe and timely resolution to follow. Either way: do not plug the USB stick into your computer and you’ll be fine.

Spying on the spies. See what JavaScript commands get injected by in-app browsers

Developer and privacy expert Felix Krause aka KrauseFx announced this week that he had introduced a simple tool to list the JavaScript commands executed by iOS apps when they deployed an in-app web browser to render webpages. He already shared some eye-opening results on his Twitter feed.

Opening Krause’s tool, the new website inappbrowser.com, inside a given app makes the page check for one of many possible attack vectors: JavaScript injected into the page by the app itself. Disclaimer: a green checkmark is no guarantee that there is no JavaScript injection going on.

The reason

According to his announcement, the development of the tool was triggered by his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the device’s default browser, many apps render those links inside their own app. More importantly, those apps rarely offer an option to use a standard browser instead of the in-app browser. Since it would be easier for a developer to hand the link to the browser that is already present, there must be a reason they want you to open links inside their own app.

Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online. 

How to use

If you would like to check on some of the apps you are using, here’s how. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands. Below you can find some results for apps that Krause tested.

Meta

Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.

One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.

TikTok

This should not come as a surprise, given that an FCC commissioner already called TikTok an unacceptable security risk. When you open any link in the TikTok iOS app, it’s opened inside their in-app browser. There is no alternative. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you tap. There is no way to know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” said spokesperson Maureen Shanahan in a statement offered to Forbes.

Legitimate reasons

There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first party content. In which case the publisher still should offer the user the option to open the content in another browser or an explanation as to why that is not possible. Such reasons do not exist when it concerns third-party content and such content should always be opened in the browser that the user prefers to use.

Incomplete

The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.

  • With iOS 14.3 (December 2020), Apple introduced support for running JavaScript in the context of a specified frame and content world. JavaScript executed this way can still fully access the third-party website, but the website’s own scripts, InAppBrowser.com included, cannot see it.
  • The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.

The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.

Business Services industry targeted across the country for backdoor access

The presence of so many hacking tools in the detections for the Business Services industry tells a story about these organizations being targeted not only for infection, but also to establish backdoors and, likely, to reach the organizations’ customers through the victim’s network.

Just like everyone else, the Business Services industry dealt with heavy detections of exploit attempts using the CVE-2021-21551 Dell driver vulnerability. The trend line followed by these exploit blocks also follows the trend of our heuristic engine detecting never-before-seen malware, likely a result of successful exploit attempts during the same period. At the same time we observed this spike, the insurance company CNA Financial was breached in a ransomware attack.

A subsequent spike of this threat in August 2021 coincides with three major attacks: the Kaseya breach (early July 2021), which spread REvil to hundreds of networks; the LockBit ransomware attack on consulting firm Accenture, which came with a $50 million demand; and the T-Mobile data breach, which exposed the information of roughly 50 million people. Whether CVE-2021-21551 played a part in any of them has not been publicly established.


Tools meant to compromise or hack an endpoint were discovered in numerous places throughout the year. This includes PortScanner slowly gaining traction through 2021, then spiking during January and February of 2022. Around this same period, the tire maker Bridgestone was attacked by the LockBit ransomware gang. Our telemetry reveals these attacks focused on organizations in Georgia and Arizona.

Next, OpenPort is a hacking tool that had most of its traction in May and August of 2021 against companies in California and New Jersey, matching up with spikes in detections of the Dell driver exploit.

In addition, the RemoteAdmin tool was detected primarily in Tucson, Arizona and saw a spike in November 2021, which never let up through the rest of the period, meaning that there are likely existing infections of this threat that have yet to be caught.

Wrapping up hacking tools, Business Services in Massachusetts fought off multiple attempts to launch malicious PowerShell scripts on their systems. This was observed throughout the entire period but spiked in December of 2021, coinciding with the hack against the business scheduling provider FlexBooker.

Folks in California and Ohio have been dealing with increasing detections of the notorious Emotet trojan. A massive increase was observed in October 2021 and has continued until the end of the period.

Recommendations to the Business Services industry

Our recommendation is to ensure security staff can push updates and force regular scans on all endpoints, ideally remotely. Regular scanning goes beyond just checking for malware though. We recommend utilizing a traffic monitoring tool to identify any malicious or suspicious traffic coming both in and out of the network. Also, take the time to do regular audits of open ports on all endpoints, looking for possible backdoors.

Considering that attackers want to use these tools from inside the network, ensure that individual user rights don’t extend to being able to scan the entire network, open ports, or establish remote connections without IT’s permission. This effort will reduce the success these actors have and make their lives a lot harder.

How IT teams can prevent phishing attacks with Malwarebytes DNS filtering

Phishing attacks are a persistent threat to businesses globally. 

According to Verizon, 82 percent of data breaches in 2021 involved the human element, with phishing attacks making up over 60 percent of those. And if it ain’t broke, don’t fix it: threat actors have only continued to use phishing to attack businesses in 2022, with the Anti-Phishing Working Group (APWG) recording a 15 percent increase in phishing attacks in Q1 2022 compared to Q4 2021.

With Malwarebytes DNS filtering, however, you can prevent a large swath of phishing attacks. Our DNS filtering module extends our Nebula platform to help prevent risks introduced from nefarious websites and downloadable web content.

In this post, we’ll walk through what it looks like to block phishing attacks with Malwarebytes DNS filtering.

How to block phishing domains with DNS filtering 

Let’s say one of your employees gets an email like the one below. 


Photo credits: Phishing.org

Without some kind of phishing protection in place, after clicking on a link in the email there’s a chance the employee might give up some sensitive information or be tricked into downloading a malicious program.

Obviously, we want to prevent that. 

Let’s press pause here and go back in time to set up our DNS filter in Nebula.

Above, you’ll see the dashboard for the DNS Filtering module in Nebula.

Let’s navigate to the “Rules” section and hit “New”.


Here, we’re prompted to name the rule and also select a policy to which the rule should be applied. 

I’m naming mine “Phishing block” and applying it to four of my endpoints.

Heading over to the “Categories” page, we see that “Use preconfigured settings” is enabled by default. This automatically blocks each subcategory in the “Security” category.

For demonstration purposes, we’ll switch this off. Just know that each of these security subcategories is available (and recommended)!

Let’s scroll down to the “Phishing” option and toggle it.


Under allow lists you can add domains to exclude from this DNS rule. We’ll leave it blank: we don’t want to allow any phishing sites!


Under block lists you can add specific domains to block. We’ll also leave this blank!


Let’s flash forward in time to our employee who received the phishing email. Unfortunately, they clicked a URL in it—but no need to worry. 

Our DNS filtering kicked in and blocked the site, the outcome of which you can see below.

This is the default page, but you can customize it to your liking by going to the “Global Settings” tab.

How does it work?

It works because Malwarebytes DNS filtering is powered by Cloudflare, which has a massive database of known phishing sites to which we can instantly block access using the intuitive Nebula UI.
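To make the decision logic behind that concrete, here is an added example of the policy evaluation a filtering resolver performs before answering a query; it is not Malwarebytes’ or Cloudflare’s code. The category feed, the block-page address and the precedence order (allow list, then block list, then categories) are assumptions made for illustration. It goes slightly beyond the walkthrough above by showing why matching must be done on whole domain labels rather than substrings, which is where home-grown filters usually go wrong.

```python
"""Domain policy evaluation of the kind a filtering resolver performs before answering a query.

Added example with a constructed category feed and a constructed block-page address; it is
not Malwarebytes' or Cloudflare's code. The precedence (allow list, then block list, then
category feed) is an assumption made for illustration.
"""

# Constructed feed: a real one has millions of entries and is refreshed continuously.
CATEGORY_FEED = {
    "login-verify.example": "phishing",
    "cdn.minerpool.example": "cryptomining",
    "tunnel.exfil.example": "dns_tunneling",
}
BLOCKED_CATEGORIES = {"phishing", "cryptomining", "dns_tunneling"}
BLOCK_PAGE_IP = "192.0.2.1"   # RFC 5737 TEST-NET-1 placeholder for the block page


def _labels(name):
    """Normalise a name: case-insensitive, trailing dot ignored, split into labels."""
    return name.rstrip(".").lower().split(".")


def matches(qname, entry):
    """True if qname is entry or a subdomain of it, compared on whole labels.

    A substring test would wrongly catch "notlogin-verify.example" and wrongly let
    "login-verify.example.evil.test" through an allow-list entry for example.com."""
    q, e = _labels(qname), _labels(entry)
    return len(q) >= len(e) and q[-len(e):] == e


def evaluate(qname, allow_list=(), block_list=()):
    """Return (verdict, reason): the allow list wins over everything, explicit blocks come
    next, then the category feed, and the default is to allow the query."""
    for entry in allow_list:
        if matches(qname, entry):
            return "ALLOW", f"allow-list:{entry}"
    for entry in block_list:
        if matches(qname, entry):
            return "BLOCK", f"block-list:{entry}"
    for entry, category in CATEGORY_FEED.items():
        if category in BLOCKED_CATEGORIES and matches(qname, entry):
            return "BLOCK", f"category:{category}"
    return "ALLOW", "no-match"


def resolve(qname, upstream, **policy):
    """Answer a blocked name with the block page; otherwise ask `upstream` (a callable)."""
    verdict, reason = evaluate(qname, **policy)
    if verdict == "BLOCK":
        return BLOCK_PAGE_IP, reason
    return upstream(qname), reason
```

Because the allow list is evaluated first, an entry added there for a legitimate domain whitelists every subdomain of it, which is why the walkthrough above leaves it empty for a phishing rule.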

But what happens if a phishing website somehow gets through and a malicious program (ransomware, for example) is installed on an endpoint? 

The answer is part of what makes our DNS filtering solution so holistic: because it is an add-on to our Endpoint Detection and Response product, a threat that gets through can be detected and mitigated using our EDR’s isolation and remediation capabilities.

In other words, DNS filtering helps you filter the easily-blocked known threats, giving time back to your organization to focus on remediating the threats that do get through with our EDR.

Block threats from infiltrating browsers and web-based apps

Malwarebytes DNS Filtering module for Nebula helps block access to malicious websites and limit threats introduced by suspicious content. 

While we focused on preventing phishing threats in this post, the story doesn’t end there. You can also block access to spyware, DNS tunneling, crypto mining sites, and many other websites and domains that pose a security risk. 

Interested in learning more? Read the Malwarebytes DNS filtering datasheet. 

Further reading

What is DNS filtering?

3 ways DNS filtering can save SMBs from cyberattacks

DNS security for your small business

Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

Attackers waited until holidays to hit US government

The government industry in the United States dealt with heavy hitting breaches against local, federal, and state government networks, primarily during the first quarter of 2021.

Our telemetry revealed a small spike in a generic backdoor detection, known as Backdoor.Agent, during March of 2021, mainly focused in Memphis, Tennessee. This data coincides with the attack on the Azusa Police Department in California; however, it reveals even more about the attacks observed the following month.  

During April of 2021, at least three notable attacks against government services made the news, this included the New York Metropolitan Transport Authority (MTA), the Illinois Attorney General’s office, and the Washington DC Police Department. During this same month, we also observed the beginning of a surge of exploits and AI detected threats that dominate the rest of 2021.


Our top spike for the period follows the detection of the exploit CVE-2021-21551 (Dell System Driver) and all the nasty threats it brought with it. Despite this, we were unable to correlate any newsworthy breach to this month. So, we can assume that the increase in detections was an onslaught of attempts to breach networks, shortly after the release of the Dell driver exploit. We can also make assumptions about this effort leading to numerous breaches and installations of backdoor malware, waiting dormant until later in 2021 and 2022 before launching a full attack.

Those most hammered by these exploit attempts were government organizations in Michigan and New Jersey.

The detection of this exploit slows as the year goes on, dwindling to almost nothing by May of 2022. This matches up with our detections of unidentified, AI detected malware. Despite that, a series of unspecific exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data.


In addition to the push of exploits, the notorious TrickBot trojan has been lurking in the detections of this industry, staying mostly steady with only a 1.2 percent share of threats during the analyzed time period. Despite this, the small spikes of this threat in March, June, and November of 2021 seem to mostly align with major reported breaches.

Based on our data, there is a case to be made about government industry targeting, mainly taking place during the beginning and end of the year, a time notoriously known for vacation, reorganization, and reduced security staff.

Our best recommendation for this industry, beyond ensuring that proper patching and threat detection software are deployed on every endpoint, is to consider two major factors when planning for a cyberattack. The first is timing; the second is reducing operational disruption.

Timing can be addressed by understanding not only when the attackers are coming after an organization, but also when an organization might be most vulnerable. For example, if you know that your staff will be reduced to only 25 percent during November, December, and January for the holidays, you might not need to keep as many security staff on hand since there are fewer users. This is a perfect opportunity for an attacker who may have breached the network months prior to finally achieve their purpose and attack the network while it’s less guarded.

So, knowing the trends of attacks on government organizations, we recommend not reducing security staff during the holidays. If anything, you need more eyes on the network, looking for anything that might stand out as odd when the network is meant to be relatively quiet. This might be achieved by bringing in additional security staff for the season, allowing security staff to take vacations around the usual holidays if possible, and in some cases making it possible for security and IT admins to remotely investigate threats through a cloud-based remote console.

The second recommendation is reducing operational disruption. When a restaurant gets hit by ransomware, it takes down the restaurant’s operations for a time, but the damage typically doesn’t go far beyond the restaurant’s walls. When a state or local government network is breached and hit by ransomware, because of the interconnected nature of government and public services, such an attack can disrupt entire cities and states, quickly creating chaos. It’s imperative to ensure that in the case of any type of cyberattack, there is some way to continue operations, be it at a backup site, using pen and paper, or having employees work remotely. The more pressure an organization is under to get things back to normal, the more leverage the attackers have against that organization.

Following these tips will not only reduce the damage done by these attacks, but likely increase the confidence that civilians have in the security of their government organizations.

Urgent update for macOS and iOS! Two actively exploited zero-days fixed

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

Kernel privileges

CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.

Apple points out that they are aware of a report that this issue may have been actively exploited.

WebKit

CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. The vulnerability exists in Apple’s HTML rendering software (WebKit), which powers Safari and all iOS web browsers, so possible targets are iPhones, iPads, and Macs, all of which could be tricked into running unauthorized code.

Apple points out that they are aware of a report that this issue may have been actively exploited.

More details

Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32893 could be exploited to get initial code running, and that code could then be used to leverage CVE-2022-32894 to obtain kernel privileges.

Mitigation

Users are advised to apply the updates as soon as possible by upgrading to:

  • iOS 15.6.1
  • iPadOS 15.6.
  • macOS Monterey 12.5.1

Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.

Stay safe, everyone!