IT NEWS

Amazon smart device owners only have until June 8 to opt out of a new program that will group their Echo speakers and Ring doorbells into a shared wireless network with their neighbors, a new feature that the shopping giant claims will provide better stability for smart devices during initial setup and through possible Internet connectivity problems.

The program is the latest example of yet another multibillion-dollar company rolling out significant changes without meaningfully notifying users beforehand, making it increasingly difficult for users to choose how their data is used, or how their products function. In March, Google changed how Google Chrome users would be tracked across the web, and in May, WhatsApp threatened to remove basic messaging functions from the apps of users who refused to share some of their data with parent company, Facebook.

With all these company decisions, user choice has diminished.

This week, Amazon announced that many of its smart devices would be incorporated into what it is calling “Amazon Sidewalk,” a shared network of devices within neighborhoods that will, according to the company, “help simplify new device setup, extend the low-bandwidth working range of devices to help find pets or valuables with Tile trackers, and help devices stay online even if they are outside the range of their home WiFi.”

Amazon Sidewalk will create a mesh network between smart devices that are located near one another in a neighborhood. Through the network, if, for instance, a home WiFi network shuts down, the Amazon smart devices connected to that home network will still be able to function, as they will be borrowing internet connectivity from neighboring products. Data transfer between homes will be capped, and the data communicated through Amazon Sidewalk will be encrypted.

Amazon smart device owners will automatically be enrolled into Amazon Sidewalk, but they can opt out before a June 8 deadline. That deadline has irked many cybersecurity and digital rights experts, as Amazon Sidewalk itself was not unveiled until June 1—just one week before a mass rollout.

Jon Callas, director of technology projects at Electronic Frontier Foundation, told the news outlet ThreatPost that he did not even know about Amazon’s white paper on the privacy and security protocols of Sidewalk until a reporter emailed him about it.

“They dropped this on us,” Callas said in speaking to ThreatPost. “They gave us seven days to opt out.”

Other experts have warned about the security and privacy implications of Amazon’s project, as Sidewalk will rely on an untested WiFi protocol to link together selected devices. Whitney Merrill, a privacy and information security attorney with Asana, said on Twitter: “Hello privacy nightmare.” 

Further, as reported by Ars Technica, the history of wireless connection technologies is littered with vulnerabilities. Researchers found flaws in the late-90s security algorithm Wired Equivalent Privacy (WEP)—after it had been widely used for years—and the technology that replaced it—WPA—is not without problems.

To its credit, Amazon’s white paper addresses how it plans to keep customers’ data secure and private when it travels through Sidewalk. According to that white paper, Amazon will limit the type and amount of metadata it receives, it will encrypt the contents of delivered packets so that the company cannot see what is inside, and customers themselves will also be prevented from seeing the content of packets sent to and from endpoints that they do not own.

Security and privacy aside, one issue still remains—weakened user choice.

The implementation of Amazon Sidewalk mirrors the more careless behavior showcased by Google earlier this year, when it decided to include millions of Google Chrome users in an experiment into how their web browsing behavior was tracked online. Google, like Amazon, did not individually notify users about the new program—called FLoC—and Google, like Amazon, automatically enrolled users into the program, forcing them to manually opt out.

Amazon’s approach to opt-out is clearer than Google’s, though. The company has developed a specific menu item in its Alexa and Ring apps that clearly denotes a new setting to enable or disable Sidewalk. Google, on the other hand, did not have a specific toggle to disable FLoC, and users were instead forced to turn off all third-party cookies if they wanted to opt out.

Certain aspects of Amazon’s rollout of Sidewalk also resemble decisions made this year by WhatsApp, the end-to-end encrypted messaging app owned by Facebook. Last month, the messaging app told users that if they did not agree to sharing some of their data with Facebook, they would see their apps become useless, unable to receive calls or messages. WhatsApp walked back this decision in late May.

Here, Amazon is implementing no such consequences for opting out—which is good—but it is still making a sweeping decision about how customers’ own products should function. And the company isn’t just changing the way already-purchased Amazon devices work, it’s also reaching beyond those devices to affect relationships that have nothing to do with Amazon, such as who gets to use your internet connection, how much of it they can use, and what you might be charged for that.

Amazon Sidewalk will work with the following devices in the US, according to Amazon: Ring Floodlight Cam (2019), Ring Spotlight Cam Wired (2019), Ring Spotlight Cam Mount (2019), Echo (3rd gen and newer), Echo Dot (3rd gen and newer), Echo Dot for Kids (3rd gen and newer), Echo Dot with Clock (3rd gen and newer), Echo Plus (all generations), Echo Show (2nd gen), Echo Show 5, 8, 10 (all generations), Echo Spot, Echo Studio, Echo Input, Echo Flex.

For users who want to opt out, they can find the solution in their Alexa and Ring apps. In the Alexa app, users can go to “Settings,” and then navigate to “Account Settings,” where they can find “Amazon Sidewalk.” Users can also disable Sidewalk in the “Control Center” of the Ring app or Ring website.

The post Amazon Sidewalk starts sharing your WiFi tomorrow, thanks appeared first on Malwarebytes Labs.

When you think of the world of ethical hackers (white hat), malicious hackers (black hat), and hackers that flirt with both sides (grey hat), you may envision people in shiny trench coats and dark glasses, whose computer skills are only matched by their prowess in martial arts.

The truth is that hackers are pretty different from their depiction in The Matrix. For example, most hackers can’t slow time down and jump across tall buildings. At least, not that we know of. In reality, a hacker usually keeps a low profile and concentrates on their work.

What’s a hacker?

The answer to “what’s a hacker?” depends on who you ask. We’d guess that most people who work with computers will tell you the answer is something close to this Wikipedia description: “a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.” Much to the annoyance of many of those people, outside of computing, people often understand “hacker” to mean something different and more negative.

To many, a hacker is someone that employs their expertise to breach a computer, smartphone, tablet, or network, regardless of intent. Although it is often used to refer to illegal activity, even within this narrower definition not all hackers are deemed criminal. They are often classified into three main categories: Ethical hackers have traditionally been known as “white hat”, malicious hackers as “black hat”, and “grey hats” are somewhere in the middle.

Ethical hackers

Ethical hackers look for security flaws and vulnerabilities for the purpose of fixing them. Ethical hackers don’t break laws when hacking. An ethical hacker can be someone who tests their own computer’s network defenses to develop their knowledge of computer software and hardware or a professional hired to test and enhance system security.

Security careers related to ethical hacking are in-demand. Malware analysts are a good example. An in-demand ethical hacker who has worked hard to develop their skillset can have a lucrative career.

Ethical hackers are sometimes referred to as white hat hackers. White hat hacker is an outmoded term for an ethical hacker. It comes from 20^th century Western films in which the good guys wore white hats. Modern experts refer to them as ethical hackers.

Malicious hackers

Malicious hackers circumvent security measures and break into computers and networks without permission. Many people wonder what motivates hackers who have had intentions. While some do it for cyber-adventure, others hack into computers for spying, activism, or financial gain. Malicious hackers might use tools like computer viruses, spyware, ransomware, Trojan horses, and more to further their goals. While there may be financial incentives to hacking, the risks are high too: A malicious hacker can face a long time behind bars and massive fines for their illegal activity.

Just as “white hat” is an older term for ethical hackers, conversely “black hat” is an older term for malicious hackers, also based on the old Western film practice of which hats the “good guys” and “bad guys” wore. Today, malicious hacker is a more apt description.

Grey hat hackers

A grey hat hacker skirts the boundaries between ethical and unethical hacking by breaking laws or using unethical techniques in order to achieve an ethical outcome. Such hackers may use their talents to find security vulnerabilities in a network without permission to simply show off, hone their skills, or highlight a weakness.

Tips on how to become an ethical hacker

You may have what it takes to become a highly rated ethical hacker if you’re patient, clever, have an affinity for computers, have good communication skills, and enjoy solving puzzles.

A degree in computer science or information security and a background in military intelligence can be useful but isn’t necessary. Thanks to the wide availability of information and open source code, and incentives like bug bounties, there are many routes into ethical hacking outside of traditional education. For more advice on how to become an ethical hacker, take a look at our interview with bug bounty hunter Youssef Sammouda.

How do I protect myself from a hacker?

An unethical hacker can use many techniques and tools to breach your computer or device’s network security. Your first line of defense is to make life hard for hackers by ensuring you: Use strong, unique passwords; keep your systems patched with security updates; install advanced antivirus protection that defends your computer against malicious software; enable the firewalls on your Internet router and computers. For an extra layer of defense, you can protect your network traffic from snooping and tampering with a VPN.   

Lastly, be on guard for phishing and social engineering attacks that try to trick you into doing something that’s bad for you, like downloading malware or giving out sensitive information.

The post White hat, black hat, grey hat hackers: What’s the difference? appeared first on Malwarebytes Labs.

The impact of recent ransomware attacks on vital infrastructure in the US has triggered a reaction from the US Attorney’s office. In an internal guidance it says that all ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

According to Reuters, the internal communication states:

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.”

Terrorism model

This model of investigation and cooperation is used only in a few fields that touch upon national security, e.g. terrorism. According to US officials this shows how the issue of ransomware is being prioritized. According to Reuters, this means investigators will have to share updated case details and active technical information with leaders in Washington. It also means they will receive guidance from Washington on how to proceed. If implemented optimally this will surely result in a better understanding of the ransomware landscape.

In his recent executive order on improving the nation’s cybersecurity President Biden already pointed out that the US faces persistent and increasingly sophisticated malicious cyber-campaigns. Section two of the order it titled Removing Barriers to Sharing Threat Information, and this new cooperation seems to fall under that banner.

Ransomware Task Force

In April we reported about international cooperation in this field in the form of the Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments. In its report (PDF) the RTF recommended that ransomware be treated as a threat to national security.

“Ransomware attacks have shut down the operations of critical national resources, including military facilities. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours,  and in February 2020, a ransomware attack on a natural-gas pipeline operator halted operations for two days. Attacks on the energy grid, on a nuclear plant, waste treatment facilities, or on any number of critical assets could have devastating consequences, including human casualties.”

This was before the attack on Colonial Pipeline which prompted  President Biden to sign an executive order that broadly directs the Commerce Department to create cybersecurity standards for companies that sell software to the federal government.

Whether the RTF and the proposed task force in Washington will work closely together is unknown but perhaps unlikely given the international character of the RTF. Sharing information might be benificial for both though.

REvil is not impressed

In an interview published by cybersecurity blogger Sergey R3dhunt, a spokesperson for the REvil appears to indicate they are not worried by the new “terrorism approach.“

Translated, the transcript says:

Q: What happened as a result of the cyber attack?

A: As a result, the United States has put us on the agenda of the discussion with Putin. The question is, why there is such confidence that at the moment everyone is in the CIS, and even more so in the Russian Federation. In connection with the recent events with fuel [Colonial Pipeline], the United States are in every possible way avoided, as well as work inside CI.

Further inquiries seemed to indicate that it will only make matters worse, because if they are going to be prosecuted anyway, they may as well open the floodgates. When asked why they attacked JBS, this was the answer:

“Revenue. The parent company is located in Brazil, where the attack was directed. Why the US intervened is not clear. She was avoided by all means.”

History tells us the words of ransomware criminals should be taken with a heavy dose of salt.

Treated as or investigated like

Even though some gut reactions were indicating that ransomware attacks would be treated in the same way as terrorist attacks, this is not entirely true. Even though some ransomware attacks have had worse outcomes than terrorist attacks. It is the way in which the US Attorney’s office wants to organize the ransomware investigations that is similar to other national security issues. Not the severity of the punishments or the way convicted persons will be apprehended.

Ransomware infrastructure

Ransomware, especially Ransomware-as-a-Service (RaaS), has a similar organizational structure to some terrorist organizations. You have the enablers, that provide the software and the infrastructure for the ransomware itself and for receiving payments. And you have the executioners that go out and attack victims. These groups do not have to know each other’s true identities and usually communicate through encrypted channels.

A thorough knowledge of the ransomware landscape and successful infiltration of the communication platforms could provide methods to hinder operations. Maybe the inherent distrust between criminals can be used to launch successful misinformation campaigns to disrupt the cooperation between enablers and executioners. And maybe the fear of being tracked down by a strong dedicated task force will keep some potential participants away from the scene.

Tracking payments or making it illegal to pay ransom could make another dent in the severity of the threat. According to the report by the RTF, about 27 percent of victims choose to pay a ransom. With this, these victims are fuelling the ransomware industry. Not that they want to, but sometimes they feel it’s the only viable choice. This feeling is often strengthened by the additional threat to publicly disclose exfiltrated data.

All in all, a US centralized task force to investigate ransomware could contribute to the goals that the international RTF has set:

• Deter ransomware attacks
• Disrupt the ransomware business model
• Help organizations prepare
• Respond to ransomware attacks more effectively

Let’s hope so.

The post Ransomware to be investigated like terrorism appeared first on Malwarebytes Labs.

How about that Colonial Pipeline?

As troubling as this event may be, for those of us working in the world of cybersecurity it can be hard to convince others to take dangers like this seriously—regardless of how real and immediate they are.

“Sadly, the upper leadership team does not understand the stakes and why an investment is necessary to protect assets and tomorrow’s productivity,” said one beleaguered security professional we spoke to.

If this sounds like you, you’re not alone. There are plenty who share your pain.

Back in March, Malwarebytes released the SMB Cybersecurity Trust and Confidence Report 2021. For this report, we surveyed 704 cybersecurity professionals from all levels on the corporate ladder, from CISOs on the top rung down to the hardworking sysadmins. Participating small- and medium-sized businesses ranged from 50 to 999 employees. 

What did we find? Security professionals trust their endpoint protection to do its job—with some caveats.

Some 95 percent of respondents say they trust their cybersecurity vendor to provide effective endpoint protection. By that same token, more than 90 percent say their endpoint protection is effective and they’re confident it protects against dangerous threats.

So, what’s the catch?

Decision makers versus decision influencers

To get a better sense of who our survey-takers are and identify any potential difference of opinion, we asked them for their titles. You can see the full breakdown below, but just under half, 48 percent, of our respondents identify as IT directors.

Next, we grouped participants by those who “make the final decision” regarding endpoint protection purchases and those who have ”significant influence,” with 52 percent identifying as decision makers and 48 percent identifying as decision influencers.

Those who answered, “Yes, I’m a decision maker” generally have a somewhat rosier disposition when it comes to the dangers their organizations are facing and their ability to stop those dangers. 

We asked, “Has your endpoint protection product ever failed to detect a threat?” Those who make the final decision are more likely than those who influence decision making to say their endpoint protection provider hadn’t failed (64 percent versus 48 percent).

Coming at the issue from another angle, we also asked, “How frequently does your organization register a cybersecurity threat?” Those who make the final decision are far more likely than those who influence decision making to say their organization registers a threat “once a month” or “very often” (26 percent versus 13 percent).

We then asked “Agree or disagree? I believe it’s not a matter of if but when my organization suffers a successful attack or breach.” Just over half, 56 percent, said they agreed. Those who make the final decision agree to this statement significantly more than those who influence decision making (64 percent versus 49 percent).

So, what is the data telling us? Security professionals are confident in their endpoint protection, but they’re realistic about the threats they’re facing. Yes, there are some variations depending on an individual’s position within the org chart; otherwise, everyone is pretty much in agreement on the increasing sophistication and frequency of attacks.

The security ouroboros

Many of the survey respondents expressed frustration with leadership outside of the security org.

We asked, “What’s the biggest obstacle to security at your organization?”

“Buy-in from the leadership team that it is worth the investment versus other priorities,” said one respondent.

Another said, “Faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.”

No budget? No buy-in? Lack of investment? Sounds about right.

At risk of reading too deeply in to the data, the implication here is that while businesses get bigger, security orgs stay the same in terms of personnel and infrastructure. 

The numbers bear this out, 65 percent of respondents from SMBs with 500 to 999 employees identified as CIO, CISO, or IT director. 

Where one would expect to see a pyramid shape from the CISO or CIO on down, with more frontline level employees at the bottom than leaders at the top, the reality has gone all pear-shaped. As mentioned earlier, almost half of total survey respondents identified as IT directors.

Compounding the problem, a significant portion of our respondents believe that bigger organizations make for more frequent targets.

We asked “Agree or disagree? Hackers do not target small- and medium-sized organizations and attack only bigger organizations.” 

Some 39 percent of respondents agreed bigger organizations made for more frequent targets. Among survey respondents at organizations with more than 500 employees, a slightly larger 43 percent agree.

However, those who make the final purchasing decision on endpoint protection agree even more—bigger business, bigger target—than those who just influence decision making (48 percent versus 30 percent).

What does it all mean? For starters, security professionals across the board have faith in their endpoint protection, but they’re frustrated at the lack of support from senior leadership outside of the security org. 

When businesses find success and the dollars start rolling in it’s a given that many of those dollars are going to be earmarked for talent acquisition and IT infrastructure. Unfortunately, from a security perspective, growth at one end doesn’t translate to growth at the other end. Security pros just don’t get the additional resources that they’re expecting—that they need—to accommodate growth within the organization as a whole.

Like a snaking eating its own tail, growing businesses have more employees and more endpoints to protect, but security budgets and head count seem to remain stagnant. And the consequences for this security conundrum are dire. Look no further than the latest headlines.

The post Security pros agree about threats—convincing everyone else is the problem appeared first on Malwarebytes Labs.

After the attacks on Colonial Pipeline and JBS, many may have been wondering, as we did, what the next ransomware headline was going to be.

Well, here it is—another victim in the vital infrastructure of transport and logistics, although this time the impact may be less brutal.

Steamship Authority, the largest ferry service in Massachusetts, has fallen victim to a ransomware attack. The Steamship Authority informed the public on social media that it was the target of a ransomware attack early Wednesday, June 2, 2021.

Steamship Authority, the company

Steamship Authority is the largest ferry service to the islands of Martha’s Vineyard and Nantucket. They operate ferry transports between the mainland of the US and Martha’s Vineyard and Nantucket islands, including passengers, autos, and trucks. The ferry services and their safety have not been compromised, but it looks like the Steamship Authority offices have been disrupted in a severe way. The Steamship Authority’s website is currently unavailable. This also means that it is not possible to make new reservations, not even by phone.

 The impact

In a tweet, the company informed customers that while they were working through the consequences of the cyberattack, all ferries are operating at this time. They are keeping customers informed by posting the ferry schedules on their social media channels.

Which does not mean that it’s all business as usual. There is limited access to credit card systems at some terminal and parking locations but, to avoid delays, cash is likely the best option for ticketing and parking. Customers are currently unable to book or change vehicle reservations online or by phone. Existing vehicle reservations will be honored at Authority terminals, and rescheduling and cancellation fees will be waived.

The timing for the attack is painfully accurate as this marks the start of season where tourists start to visit this region and where a peak in traffic is to be expected.

Investigation

The Steamship Authority tweeted that it is working internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack. Since this is an ongoing investigation it is unlikely that the authorities will share any information about the type or possible origin of the attack. But we will keep you informed if we should learn more.

A spokesperson for the U.S. Coast Guard stated that the U.S. Coast Guard 1st District is working in conjunction with the Massachusetts Cybersecurity Unit, and that the FBI is currently leading the investigation.

Recovery

Recovery from a ransomware attack can be a long and expensive process, even if the victim decides to pay the ransom. It can take weeks to months to get the server infrastructure back up and running. If the possibility to make new bookings stays offline it will only take so long before the number of existing bookings starts to dwindle. We can only hope that the Steamship Authority manages to get back into an operational state as soon as possible. Getting stuck on one of the islands is not the worst thing one could imagine, but it’s different if you didn’t necessarily plan it.

Stay safe, everyone!

The post Steamship Authority answers question: Who’s the next ransomware victim? appeared first on Malwarebytes Labs.

Since the initial lockdown, we have seen the rise of certain types of cybercrime, including scams and fraud campaigns that either bank on the global COVID-19 pandemic or take advantage of potential victims that adhere to work-from-home measures.

In the UK, the National Crime Agency (NCA) has determined that many types of cybercrime, such as ransomware attacks, digital fraud, and insider threats—with a specific mention of child sexual abuse—have increased because of more users in the UK logging online to do work, attend online classes, and (at the first few months of lockdown) alleviate boredom.

The agency also noted the resilience and adaptability of serious and organized crimes (oddly labeled as “SOCs,” despite the same acronym meaning “security operation center” in the cybersecurity field) in their use of technology and well-established tools to avoid detection. For example, budding and professional criminals are using commercially available encryption, Secure Messaging Applications (SMAs), and decentralized messaging apps, which usually comes with a crypto wallet, to manage their own data and mask their identities and communications. They also use cryptoassets to buy and sell illegal commodities in the underground or to launder money. Because of this, the NCA has assessed that by disrupting the technology, including the capabilities that enable them, they can end criminal schemes in an efficient manner.

SOCs are categorized as “significant and established national security threat that endangers the integrity, legitimacy, and sovereignty of the UK and its institutions, both at home and overseas.” It is no surprise to see SOCs being conducted over the internet by crime groups. And the NCA has been monitoring them year on year.

Organized crime: Ransomware-as-a-service (RaaS)

The growing threat of ransomware continues to loom over organizations across industries worldwide. In the UK, the estimated direct and indirect cost of ransomware is, at most, billions of pounds per year. However, determining the exact figure has always been a challenge seeing that underreporting and inaccurate cost estimates were and have been pretty much a problem in 2020. Underreporting is primarily caused by lack of awareness of who to report an attack to and, in some cases, the general reluctance to report for fear of reputational damage and/or uncertainty.

The NCA has observed a dramatic increase in demand for Remote Desktop Protocol (RDP) credentials. This is because of the increased use of such software following remote working. Criminals gaining these credentials could no doubt also access corporate networks.

Lastly, cybercriminals use current events in their spam and phishing emails—another way to get into corporate networks. They have themed their campaigns around COVID-19 and the end of the financial year for the business.

Organized crime: Online fraud

COVID-19 themes are also common in fraud campaigns. According to Action Fraud, the UK’s go-to reporting center for fraud and cybercrime, between January to December 2020, victims lost an estimated total of 3 billion GBP to fraudsters. 

The increased reliance on online services has encouraged fraudsters to target and take advantage of the more vulnerable and less security-savvy UK citizens, giving rise to shopping fraud, auction fraud, and, of course, sophisticated phishing campaigns. If criminals couldn’t find a way to their potential victims, online advertising has served as the perfect means for their victims to come to them. Fraudsters have been observed to use social media and online service platforms to post up fraudulent ads.

The NCA cited other fraud campaigns, such as romance scams and misinformation campaigns surrounding Brexit, the UK’s departure from the European Union. 

What’s the difference between ‘catfishing’ and ‘catfishing’? Find out here.

Organized crime: Insider threats 

In the financial sector, working from home shined a light on the problem of reduced ability to monitor staff, thus missing signs of unusual behaviour and other signs that give away employee struggles. This opens the possibility of an insider threat, a threat that businesses hardly mention, let alone prepare for.

Disgruntled employees and those struggling financially could more likely be tempted to engage in bribery and corruption when opportunity presents itself. Incidents involving these would be difficult to trace or pinpoint as they are usually presented as genuine payments for goods with increased market rates. There is also a realistic possibility that such engagements will only increase as businesses in the UK begin recovery measures from the impact of the pandemic and Brexit.

Future cybercrimes in the UK and beyond

Whether or not these online organized crimes will continue to be noteworthy in the next year is yet to be seen. However, notice that these online crimes have already been present, pre-pandemic and pre-Brexit. More often than not, when everyone starts living in “the new normal,” it’s highly likely that the possible turnout will all just be differences in numbers: Ransomware, for example, may or may not have higher victim rates after a year. Or, perhaps, romance scams will dramatically scale down to nonexistence. Perhaps.

However cybercrime will look like in the future, what remains constant is the continued vigilance of groups like the NCA and businesses in the public and private sectors on effectively educating and training UK employees on cybercrimes that affect them and how they should respond. As a business, they should know what steps to take to further improve their security posture and who to contact in the event of a cybercrime incident they may encounter. Lastly, much stress should also be placed in reporting to spread awareness, help other organizations avoid being victimized, and for law enforcement to keep track of cybercriminals.

The post Cybercrime, fraud, and insider threats increased in 2020 in the UK, report says appeared first on Malwarebytes Labs.

As offices start to slowly open back up, the theoretically post-pandemic world is changing its threat landscape once again, and that includes the likely inclusion of coronavirus phishing attempts. With the move to remote work, attackers switched up their tactics. Personal devices and home networks became hot targets. Organizations struggled with securing devices remotely, rolling out VPNs, and forming best practices for potentially sensitive work done outside the office environment.

And hey, don’t forget the trend of using work devices for personal use. The gradual blurring of lines between work and personal use is an understandable one given how 2020 panned out. Even so, it introduces an aspect of risk that many organizations perhaps weren’t dealing with previously.

Office, work from home (WFH), or…both?

Now that a lot of the office space has gone virtual and might not go back to being fully on-site, we’re all left holding our breath. It’s impossible to predict how the post COVID-19 work landscape will fit together. A hybrid approach seems most likely, with time split between office and home. Full office attendance or 100 percent WFH seems unlikely, and perhaps not actually possible for some roles.

With this in mind, attackers will have to keep thinking up the best ROI for schemes which are able to take on said hybrid workers with maximum efficiency.

For now, we have an opening salvo of “welcome back to the office, here’s a phish we’d like you to click”.

“The office is re-opening! Please read the newsletter…”

Employees are now indeed being targeted with “back to the office” missives. Found by Cofense, the mail claims to be an [EXTERNAL] email notice from the CIO, welcoming people back to the office as they update their “business operations”.

A simple yet effective tactic. Many organisations will likely be sending similar messages over the coming weeks and months. In fact, this could be more effective where companies don’t have regular COVID status updates going out by mail. In places where regular comms and instructions are dispensed, this will perhaps stand out. A curious employee won’t think “Oh, it’s not our bi-weekly update from our official pandemic information source. This seems peculiar”. They may perhaps go down the “Wow, it’s the boss! We’re back in the office” route instead.

From there, it’s a short step to “I’ve just handed my credentials to this fake Microsoft portal”.

Taking action against the pandemic chancers

There’s a few ways to try and defend against this type of attack.

If an organization doesn’t have any sort of plan for COVID updates, they should really consider it. Narrowing down the scope for “Who sends this” to one specific mailbox/individual potentially makes it a target, but that’s preferable to a fake COVID update coming from any number of random employees.

There’s also other ways to get across COVID updates, like group calls or status updates in other weekly/monthly team meetings. Considering how many Zoom calls everyone has had at this point, there shouldn’t be any problem dropping these updates into overall messaging.

A combination of mailed and spoken comms, alongside other systems like Intranet portals containing the latest advice, should go a long way to keeping the Covid scammers out. For now, be on your guard against mails making bold promises regarding office activity. While many of us can’t wait to get back, that’s exactly what these phishers are banking on.

The post Coronavirus phishing: “Welcome back to the office…” appeared first on Malwarebytes Labs.

This week another major supplier reported it had been hit with ransomware. After the Colonial Pipeline attack last month, this time the victim is the world’s largest meatpacker, JBS. JBS halted cattle slaughter at all its US plants on Tuesday after the attack caused their Australian operations to shut down on Monday. Some plant shifts in Canada were also canceled Monday and Tuesday. The company’s operations in Mexico and the UK were not impacted and are conducting business as normal.

JBS

JBS is the second largest meat and poultry processor in the US. JBS controls about 20 percent of the slaughtering capacity for US cattle and hogs. It owns the Swift brand, and most of chicken processor Pilgrim’s Pride Co. Due to the attack, US meatpackers slaughtered 22 percent fewer cattle than a week earlier. There are early fears that ongoing shutdowns of JBS plants could raise meat prices further for American consumers.

The attack

The initial press statement by JBS mentioned an “organized cybersecurity attack,” affecting some of the servers supporting its North American and Australian IT systems. Soon after it became clear that the company was dealing with a ransomware attack because a ransom demand came in. This was later confirmed by some tweets from the Cybersecurity and Infrastructure Security Agency (CISA).

At the moment of writing it is unclear which ransomware family was involved or how the attack took place, although early reporting indicates the cybercrime group responsible is REvil. The same early reporting also indicates that, if REvil was indeed responsible for the attack, the group has not written about the attack publicly on its darkweb blog called “Happy Blog.”

Recovery

According to JBS, they have made significant progress in resolving the cyberattack that has impacted the company’s operations.

“Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow.”

A one-day recovery time is remarkably fast, as many organizations takes weeks and sometimes even months to become fully operational after suffering a ransomware attack. We have even seen companies go bankrupt over the costs.

International intervention

What is also notable about this incident, as well as the attack on Colonial Pipeline, is the fact that the Biden administration has sent another warning to Russia, which is believed to be the origin of the cyberattacks. White House principal deputy press secretary Karine Jean-Pierre said:

“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”

Biden is scheduled to meet with Russian President Vladimir Putin in Geneva later this month.

Supply chains and critical infrastructure

The attacks on critical infrastructure—especially in supplies that we need on a daily basis—are very disruptive and it is no wonder that governments are likely to get involved. But it makes us wonder why the supply chains for food and oil seem to be a higher priority than other critical services like healthcare, schools, and emergency services, all of which have suffered countless attacks without political intervention. On the other hand, Colonial Pipeline and JBS represent suppliers for whom there are no immediate replacements if they shut down for a long time.

Of course, it is also possible that these attacks are done under the guise of ransomware attacks, but are in reality probes to see how vulnerable our infrastructure is, especially when major targets like Colonial Pipeline and JBS are involved.

The need to better secure the nation’s supply chains prompted the Department of Homeland Security last month to issue new security directives to regulate the pipeline industry for the first time. Maybe we can expect something similar for major food suppliers soon.

Ransomware Task Force

JBS reportedly informed the government about the ransomware attack, which is exactly the kind of behavior that the Ransomware Task Force would like to see of ransomware victims. The Ransomware Task Force (RTF), is a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments. The RTF has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

Stay safe, everyone!

The post JBS says it is recovering quickly from a ransomware attack appeared first on Malwarebytes Labs.

This blog post was authored by Hossein Jazi.

The Kimsuky APT—also known as Thallium, Black Banshee, and Velvet Chollima—is a North Korean threat actor that has been active since 2012. The group conducts cyber espionage operations to target government entities mainly in South Korea. On December 2020, KISA (Korean Internet & Security Agency) provided a detailed analysis about the phishing infrastructure and TTPs used by Kimsuky to target South Korea.

The Malwarebytes Threat Intelligence team is actively monitoring this actor and has been able to spot phishing websites, malicious documents, and scripts that have been used to target high profile people within the government of South Korea. The structure and TTPs used in these recent activities align with what has been reported in KISA’s report.

Victimology

One of the lures used by Kimsuky named “외교부 가판 2021-05-07” in Korean language translates to “Ministry of Foreign Affairs Edition 2021-05-07” which indicates that it has been designed to target the Ministry of Foreign Affairs of South Korea. According to our collected data, we have identified that it is one entity of high interest for Kimsuky. Other targets associated with the Korean government include:

• Ministry of Foreign Affairs, Republic of Korea 1st Secretary
• Ministry of Foreign Affairs, Republic of Korea 2nd Secretary
• Trade Minister
• Deputy Consul General at Korean Consulate General in Hong Kong
• International Atomic Energy Agency (IAEA) Nuclear Security Officer
• Ambassador of the Embassy of Sri Lanka to the State
• Ministry of Foreign Affairs and Trade counselor

Beside targeting government, we also have observed that they have targeted universities and companies in South Korea including the Seoul National University and Daishin financial security company as well as KISA.

Phishing Infrastructure

The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes.

As an example, they have added the Mobile_detect and Anti_IPs modules from type B to type C (KISA report) in order to be able to detect mobile devices and adjust the view based on that. This phishing model has the capability to show phishing pages in English or Korean based on the parameter value received from the phishing email. This model has been deployed by Kimsuky to target not only Korean speaking victims but also English speaking people, as well.

We have observed that they developed different phishing techniques to mimic the following web services and steal credentials:

• Gmail
• Hotmail
• Microsoft Outlook
• Nate
• Daum
• Naver
• Telegram
• KISA

We have identified several URLs used by Kimsuky to host their phishing infrastructure:

http://accounts[.]goggle[.]hol[.]es/MyAccount
https://myaccount[.]google[.]newkda[.]com/signin
http://myaccount[.]google[.]newkda[.]com/signin
http://myaccount[.]google[.]nkaac[.]net/signin
https://myaccounts-gmail[.]autho[.]co/signin
http://myaccounts-gmail[.]kr-infos[.]com/signin
http://myaccount[.]cgmail[.]pe[.]hu/signin
https://accounts[.]google-manager[.]ga/signin
https://accounts[.]google-signin[.]ga/v2
https://myaccount[.]google-signin[.]ga/signin
https://account[.]grnail-signin[.]ga/v2
https://myaccount[.]grnail-signin[.]ga/v2
https://myaccounts[.]grnail-signin[.]ga/v2
https://accounts[.]grnail-signin[.]ga/v2
https://protect[.]grnail-signin[.]ga/v2
https://accounts[.]grnail-signing[.]work/v2
https://myaccount[.]grnail-signing[.]work/v2
https://myaccount[.]grnail-security[.]work/v2
https://signin[.]grnail-login[.]ml
https://login[.]gmail-account[.]gq
https://signin[.]gmrail[.]ml
https://login[.]gmeil[.]kro[.]kr
https://account[.]googgle[.]kro[.]kr

The group has used Twitter accounts to find and monitor its targets to prepare well crafted spear phishing emails. The group also is using Gmail accounts to use for phishing attacks or registering domains. One of the Gmail accounts used by this actor is ” tjkim1991@gmail[.]com” which was used to register the following domains:

ns1.microsoft-office[.]us
ns2.microsoft-office[.]us

They were registered on April 3 and we believe have been reserved to be used for future campaigns. Pivoting from these domains, we were able to uncover the infrastructure used by this actor. Some of it has overlap with previously reported campaigns operated by Kimsuky.

Command and Control infrastructure

Kimsuky reuses some of its phishing infrastructure for its command and control communications. In their most recent attack against South Korea’s government they reused the infrastructure that has been used to host their phishing websites for AppleSeed backdoor C&C communications. Besides using the AppleSeed backdoor to target Windows users, the actor also has used an Android backdoor to target Android users. The Android backdoor can be considered as the mobile variant of the AppleSeed backdoor. It uses the same command patterns as the Windows one. Also, both Android and Windows backdoors have used the same infrastructure. It is also interesting to mention that this actor calls themselves Thallium.

Here are some of IPs and domains used by the actor for C2 communications:

210.16.120[.]34
216.189.157[.]89
45.58.55[.]73
45.13.135[.]103
27.102.114[.]89
210.16.121[.]137
58.229.208[.]146
27.102.107[.]63
download.riseknite[.]life
onedrive-upload.ikpoo[.]cf
alps.travelmountain[.]ml
texts.letterpaper[.]press

Analysis of the most recent AppleSeed attack

In this section we provide an analysis of the AppleSeed backdoor that has been used to target the Ministry of the Foreign Affairs of South Korea.

Initial Access

The actor has distributed its dropper embedded in an archive file (외교부 가판 2021-05-07.zip) as an attachment through spearphishing emails. The target email addresses have been collected using the actor email phishing campaigns we described in the previous section. The actor conducted this spearphishing attack on May 7, 2021.

The archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice).

At first it uses the MSXML Base64 decoding functionality to decode the first layer and then uses certutil.exe to decode the second layer and get the final ApppleSeed payload. The decoy PDF file has been decoded using the MSXML Base64 decoding function.

After decoding the PDF and AppleSeed payload, the content gets written into the ProgramData directory. At the end, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload executed through PowerShell by calling regsvr32.exe. Calling regsvr32.exe to run a DLL registers it as a server that automatically calls the DLL export function that has been named DllRegisterServer.

powershell.exe -windowstyle hidden regsvr32.exe /s AppleSeed_Payload

Wscript_Shell.Run(Pdf_Name);

AppleSeed Backdoor

The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. The encrypted version of the strings and API calls are in hex ASCII format. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it.

The first function “string_decryptor_prep” gets the encrypted string and then prepares a custom data structure that has four elements:

typedef struct _UNICODESTR {
	wchar_t *Buffer; // Encrypted string
	DWORD padding;
	uint64_t Length; // Length of the string
	uint64_t MaxLength; // Max length for the string which has been calculated based on the lenght
} UNICODESTR;

The second function “string_decryptor” gets the created data structure in the previous function and then decrypts the string and puts it in the same data structure.

The decryptor function first convert the input string in hex ascii format to binary by calling the hexascii_to_binary function on each two ascii characters (i.e. c3, 42, b1, 1d… in example 1). The first 16 bytes of in the input is then used as the key and the remainder is the actual value that gets decrypted in 16 byte chunks (i.e. ed, d5, 0d, 60).
Decryption is a simple xor operation of key[i] ^ string[i-1] ^ string[i] (For the first character string_to_be_decrypted[i-1] is set to zero).

Most of the important API calls resolve dynamically during the run time using “string_decryptor” function. (288 API calls have been resolved dynamically.)

The AppleSeed payload has an export function named “DllRegisterServer” which will be called when the DLL is executed using RegSvr32.exe. DllRegisterServer has a function that is responsible for performing the DLL initialization and setup that includes the following steps:

• Copy itself into “C:ProgramDataSoftwareESTsoftCommon” and rename itself as ESTCommon.dll to pretend it is a DLL that belongs to ESTsecurity company.
• Make itself persistent by creating the following registry key:

Registry key name: EstsoftAutoUpdate
Registry key value: Regsvr32.exe /s C:ProgramDataSoftwareESTsoftCommonESTCommon.dll
Registry location: HKLUSoftwareMicrosoftWindowsCurrentVersionRunOnce

• Functionality activation by creating the following files into “C:ProgramDataSoftwareESTsoftCommonflags” directory and writes “flag” into them: FolderMonitor, KeyboardMonitor, ScreenMonitor, UsbMonitor.

In the next step it creates a Mutex to make sure it only infects a victim once.

After creating that mutex, it checks if the current process has the right access privilege by calling GetTokenInformation API call and if it does not have the right privilege, it tries to escalate its privilege using AdjustTokenPrivilege by passing SeDebugPrivilege to it to gain system level privilege.

At the end it performs its main functionalities in separate threads. All the the collected data in each thread is being zipped and encrypted and is being sent to the command and control server using HTTP POST requests in a separate thread. After sending the data to the server, the data is deleted from the victim’s machine.
The ApppleSeed payload is using RC4 for encryption and decryption of the data. To generate RC4 key, it creates a Random buffer of 117 bytes by Calling CryptGenRandom and then uses CryptCreateHash and CryptHashData to adds the buffer into a MD5 hash object. Then it calls CryptDeriveKey to generate the RC4 key.
The created 117 bytes buffer is encrypted using RSA algorithm and is sent to the sever along with RC4 encrypted data. The RSA key is in hex ASCII format and has been decrypted using “string_decryptor” function.

Input Capture (KeyLogger)

The keylogger function uses GetKeyState and GetKeyboardState to capture the pressed keys on the victim’s machine and logs all keys per process into the log.txt file.

Screen Capture

This module takes screenshots by calling the following sequence of API calls and writes them to files: GetDesktopWindow, GetDC, CreateCompstibleDC, CreateCompatibleBitmap, Bitblt and GetDIBits and then writes them into a file using CreateFileW and WriteFile.

Collect removable media data

This module finds the removable media devices connected to the machine and collects its data before sending it to the command and control server. To identify a USB drive it calls CM_Get_Device_IDW to retrieve the device instance ID that would be in format “<device-ID><instance-specific-ID>” and then checks if it contains USB string value.

Collect files

This thread looks for txt, ppt, hwp, pdf, and doc files in the Desktop, Documents, Downloads and AppDataLocalMicrosoftWindowsINetCacheIE directories and archives them to be ready to be exfiltrated to the server.

Command structure

The AppleSeed backdoor is using a two layer command structure to communicate to its command and control server. Here is the URL pattern used for C&C communications:

entity:url url:?m=[command layer one]&p1=[volume serial number]&p2=[command layer two]

Command layer one defines the type of command that server expected to be executed on the victim and it can have one of the following values:

Command layer 2 is only for when the command layer 1 is in upload data mode (c) and defines the type of upload. It can have one of the following values:

Conclusion

Kimsuky is one of North Korea’s threat actors that has mainly targeted South Korean government entities. In this blog post we took a look at this group’s activities including its phishing infrastructure and command and control mechanisms. Our research has shown that the group is still using a similar infrastructure and TTPs as reported on December 2020 by KISA. Its most recent campaign targeted the ministry of foreign affairs using the Apple Seed backdoor.

MITRE ATT&CK Techniques

The post Kimsuky APT continues to target South Korean government using AppleSeed backdoor appeared first on Malwarebytes Labs.

If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking.

Metasploit—probably the best known project for penetration testing—is an exploit framework, designed to make it easy for someone to launch an exploit against a particular vulnerable target. Metasploit is notorious for being abused, yet modules are still being developed for it so that it continues to evolve. Cobalt Strike is in the same basket. Cobalt Strike offers a post-exploitation agent and covert channels, intended to emulate a quiet long-term embedded actor in the target’s network.

What is Cobalt Strike?

Cobalt Strike is a collection of threat emulation tools provided by HelpSystems to work in conjunction with the Metasploit Framework. Cobalt Strike, and other penetration testing tools, were originally created for network defenders to train them to understand vulnerabilities and possible avenues of infection by cyber criminals. These tools are meant to simulate intrusions by motivated actors, and they have proven to be very good at this. So, while “white hat” hackers were developing tools to more easily emulate “black hat” activities, few considered how these tools might be turned against someone. (The terms “white hat” and “black hat” are also falling out of favor, as cybersecurity professionals adopt “red team” and “blue team” descriptors to describe offensive and defensive security teams.)

Establishing a foothold

Lately, we have seen targeted attacks by both state-sponsored threat actors and ransomware peddlers. What we mainly see in the ransomware field is an increasing amount of manual infections. For example, by using brute force methods and exploiting vulnerabilities to break into networks. We have seen a significant uptick in these methods in 2020 and beyond. As a follow-up to these more manual types of attacks, as opposed to spray-and-pray phishing attacks, we are seeing threat actors who have compromised a server, loading tools like Cobalt Strike Beacon onto the system. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands. Those commands can include instructions to download malware. After doing this, they can use Cobalt Strike to map out the network and identify any vulnerabilities as well as deploy implants, backdoors, and other tools to accomplish lateral movement eventually leading to complete network infection.

Building out grip on the compromised network

So how this usually goes, is an infection occurs, be it phishing, manual breaches by brute forcing a port, or even an exploit. Once an endpoint has been compromised, the actor looks to compromise a server on the network. There are numerous ways to accomplish this, in fact last year we saw the ZeroLogon vulnerability used against domain admin servers, which essentially gave full admin rights to a criminal within seconds! Once the server is infected, Cobalt Strike is installed and it’s at this point, that more advanced network monitoring, vulnerability identification and a bunch of other advanced features, become available to the criminal. Now armed with more capabilities, the attacker can more quickly and completely compromise endpoints across the network, eventually launching ransomware, sometimes after all the juicy data saved on the network has been collected and exfiltrated.

Cobalt Strike is pricey

New Cobalt Strike licenses cost $3,500 per user for a one year license. License renewals cost $2,585 per user, per year. But why would a cybercriminal worry about such costs? Criminals who are using these tools do not just buy them from the vendors anyway. In many cases, leaked and older versions of Cobalt Strike are being used and in some cases, sophisticated threat actors, e.g. the group behind Trickbot, are building their own versions of Cobalt Strike, modified for their special needs and purposes.

The dilemma

This whole situation creates a strange moral grey area when you consider that tools developed by the good guys as a method of defense against the bad guys, are now being used by the bad guys to infect the customers of the good guys. There is a fair amount of discussion among security professionals whether or not it is a good idea to continue the free and unregulated development and release of these penetration testing tools. Especially when some of them are almost indistinguishable from actual black hat tools. As well as a lot of finger pointing about whose responsibility it is to make sure these tools aren’t used for crime. But also how could we do that, or is it already too late?

The need for pen-testing

While we can see why major corporations deploy red teams to perform penetration testing, we also wonder whether it is right to develop the malware for the threat actors. One could argue that using the latest and newest actual forms of malware should be adequate to test whether your defenses are up to par.

As it stands now, we have ended up with a situation where there are paid, dedicated researchers who spend all day working on new tools for penetration testing and intrusion. Which may very well end up being used by the criminals themselves. There are likely far less, if any, full time malware tool developers who have the resources, time, and experience to create something of the same magnitude. So at the end of the day, the weapons created by the white and grey hats, may be causing more harm than good in the long run because of a lack of control.

The problem it causes

Pen-testing is limited to the companies that can afford it and feel the need to do it. By using it they are not only adding to their own protection, which is their prerogative, but as a side-effect they are enabling the development of more advanced penetration software.

Combine that with an industry where some penetration testers prefer the situation where organizations are unable to defend themselves against these tools because it creates more business for penetration testing companies if they can’t defend themselves effectively. If you pass the test every time with flying colors, you will start to doubt the effectiveness of said test.

This is the problem we currently have with penetration tools being hijacked by criminals. The organizations that employ penetration testers are involuntary enablers, who are protected from this threat while also being the main drivers of development and providers of resources. On the other side of the spectrum there are those who aren’t aware of the threat, and will be the biggest victims once these tools fall into the hands of criminals.

As long as the consultants build new, more powerful tools, and don’t pay attention where the outdated and discarded tools end up, your neighbor can end up under attack by the tools you paid to develop. You are probably safe from the attack, but dozens of others, many in industries who can’t afford a consultant to test their security, are not safe, and in fact, are at a greater risk than before you brought in your consultant.

The post Cobalt Strike, a penetration testing tool abused by criminals appeared first on Malwarebytes Labs.