IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

CodeCov supply-chain compromise likened to SolarWinds attack

CodeCov, a company that makes code coverage tooling for developers, was recently breached (the company says it learned of the breach on April 1 and disclosed it on April 15). According to investigators, the incident in turn gave attackers access to an unknown number of CodeCov’s customers’ networks.

This knock-on effect makes it hard not to see the incident as a supply-chain attack, similar to what happened to SolarWinds and its clients.

As you may recall, in the SolarWinds attack multiple organizations reported being breached by state-sponsored adversaries, following an attack on the IT company SolarWinds that resulted in undetected modifications to its products. Those affected included FireEye, where the intrusion resulted in the theft of its Red Team assessment tools; Microsoft; and departments in the US Treasury and Commerce.

Like SolarWinds, this seems like another attempt to add malicious code to products supplied to other organizations, so as to compromise those organizations, and potentially the software products they supply too.

CodeCov said that its Bash Uploader script, which clients run inside their CI pipelines to find and upload code coverage reports to CodeCov, had first been tampered with at the end of January this year. The tampering was only discovered because a customer raised concerns on April 1. According to the company, the attackers were able to gain access to and alter the script by exploiting an error in CodeCov’s Docker image creation process, which exposed the credential needed to modify the script.

A security update post by CodeCov states:

“Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”

Because the script runs inside the customer’s CI job, it can read everything that job can see, including any credentials exposed to the build as environment variables or stored alongside the code. This could have given the attackers access to systems inside CodeCov’s clients’ networks, and in turn to the code those companies are developing and supplying to others. And because the uploader is expected to send data outside the client’s network anyway, its outbound traffic offered an exfiltration route that is easy to overlook.
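A practical defence against this class of tampering is to pin the helper script you have actually reviewed and refuse to run anything else, rather than piping whatever the vendor URL currently serves straight into bash. The following Python is an added example and not Codecov’s code: it compares the downloaded script against a SHA-256 pinned in the repository and, as a second tripwire, flags any line that pushes the CI environment to a remote host. The URL in the comment, the pinned hash and the sample script contents used here are constructed for illustration.

```python
"""Added example (not Codecov's code): a fetch-and-verify gate for CI helper
scripts. It refuses to run a script whose SHA-256 differs from a hash pinned in
the repository, and flags lines that ship the CI environment to a remote host.
Paths, hashes and sample script contents are constructed for illustration."""
import hashlib
import re
import subprocess
import sys
from pathlib import Path
from typing import List, Tuple

# Heuristic tripwire: a coverage uploader has no business POSTing the whole
# process environment anywhere. Match curl/wget on the same line as an `env`
# (or `printenv`) expansion, or `env` piped straight into curl/wget.
_EXFIL_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*(\$\((env|printenv)\)|`(env|printenv)`)"),
    re.compile(r"(^|[;&|]\s*)(env|printenv)\s*\|.*\b(curl|wget)\b"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exfil_lines(script: str) -> List[int]:
    """1-based numbers of lines that look like environment exfiltration."""
    return [no for no, line in enumerate(script.splitlines(), 1)
            if any(p.search(line) for p in _EXFIL_PATTERNS)]


def verify_script(script: bytes, pinned_sha256: str) -> Tuple[bool, str]:
    """(ok, reason): ok only if the hash matches AND the tripwire is quiet.

    Pin the hash recorded when the script was last reviewed; a vendor quietly
    re-publishing a different file at the same URL then fails closed here
    instead of running inside the build with every secret in the environment."""
    actual = sha256_hex(script)
    if actual != pinned_sha256.lower():
        return False, f"hash mismatch: got {actual}, pinned {pinned_sha256.lower()}"
    hits = exfil_lines(script.decode("utf-8", "replace"))
    if hits:
        return False, f"environment exfiltration pattern on line(s) {hits}"
    return True, "ok"


def gate_and_run(path: Path, pinned_sha256: str) -> int:
    """CI entry point: verify the downloaded script, run it only on success."""
    ok, why = verify_script(path.read_bytes(), pinned_sha256)
    print(why, file=sys.stderr)
    if not ok:
        return 1
    return subprocess.run(["bash", str(path)]).returncode


if __name__ == "__main__":
    # Hypothetical usage in a CI step (URL and variable name are assumptions):
    #   curl -fsSL https://example.invalid/uploader.sh -o uploader.sh
    #   python3 gate.py uploader.sh "$PINNED_UPLOADER_SHA256"
    sys.exit(gate_and_run(Path(sys.argv[1]), sys.argv[2]))
```

The hash check is the control that matters; the pattern match is a cheap extra that catches the specific shape of abuse described here (the whole environment leaving the build in one request) and would not have to be relied on alone.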

According to Reuters, the CodeCov attackers rapidly harvested credentials from compromised customers via an automated script and used automated means to search for other resources (it is not clear whether these are references to the Bash Uploader itself, which would fit that description, or to some other tooling). “The hackers put extra effort into using CodeCov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” Reuters also revealed in an interview with one of the investigators.

Reuters reports that IBM, Atlassian, and other CodeCov clients have stated that their code has not been altered, while not addressing the question of exposed credentials. Hewlett Packard Enterprise, another CodeCov client, has yet to determine whether it or any of its clients have been affected by this breach, according to the news service.

CodeCov says the modified Bash Uploader could affect:

– Any credentials, tokens, or keys that our customers were passing through their [Continuous Integration] runner that would be accessible when the Bash Uploader script was executed.

– Any services, data stores, and application code that could be accessed with these credentials, tokens, or keys.

– The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

CodeCov has published a list of recommended actions. This includes rotating “all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.” If you’re a CodeCov client, go here for more details. You will also find there a list of actions the company has taken in response to this breach.

The post CodeCov supply-chain compromise likened to SolarWinds attack appeared first on Malwarebytes Labs.

FIN7 sysadmin behind “billions in damage” gets 10 years

In 2018 three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe were arrested and taken into custody by US authorities. Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov were members of a prolific hacking group widely known as FIN7.

Hladyr was the systems administrator for the FIN7 hacking group and is considered a central figure in the Carbanak campaign, a series of cyberattacks said to have stolen as much as $900 million from banks in the early part of the last decade. Last week Hladyr was sentenced in the Western District of Washington to 10 years in prison for his high-level role in FIN7.

The Carbanak campaign first made international headlines in 2015 as one of the first malware campaigns specializing in remote ATM robberies. But FIN7 had already been active for a few years at that point and was involved in far more banking and financial malware than just ATM manipulation.

The malware

Since 2013 FIN7 has attacked banks, e-payment systems, and financial institutions using malware of its own design, known as Carbanak and Cobalt. Carbanak is considered a further development of the Anunak malware, whose campaign targeted financial transfers and the ATM networks of financial institutions around the world.

The campaigns all started with spear-phishing aimed at bank employees. When a target executed a malicious attachment, the criminals gained remote control of the infected machine. With a foothold on the bank’s internal network, they worked their way across it until they gained control of the servers controlling the ATMs.

A very detailed analysis of Anunak by Fox-IT and Group-IB can be found here (pdf).

By the following year, the same coders had improved the Anunak malware into a more sophisticated version, known as Carbanak. From then onwards, FIN7 focused its efforts on developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software, but Carbanak remained part of their toolset.

In the US alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Attribution

Many believe that the Carbanak malware was used by at least two separate entities: FIN7 and the Carbanak Group. This can be very confusing when trying to establish a timeline, or when trying to solve any “whodunnit” mysteries. Once malware has been released and proven successful, you can count on other criminals trying to steal, copy, or rip off the code and techniques. So if the Carbanak malware was used in a specific attack, it is not always clear which group was behind that attack, although it is clear that FIN7 was one of its users.

The arrest

The leader of the crime gang behind the Carbanak and Cobalt malware attacks was arrested in Alicante, Spain. The arrest was announced by Europol on 26 March 2018. According to Europol, the activities of the gang were believed to have resulted in losses of over EUR 1 billion for the financial industry.

Arresting the leader of that group did not stop the activities of the group though. The FIN7 campaigns appear to have continued, with the Hudson’s Bay Company breach using point-of-sale malware in April of 2018 being attributed to the group.

The arrest of Hladyr in August 2018 at the request of the US Department of Justice, along with two other high-ranking members of the group, did not have that effect either. In 2020, cooperation between FIN7 and the Ryuk operators was suspected when FIN7’s tools and techniques, including the Carbanak Remote Administration Tool (RAT), were used to take over an enterprise network.

The conviction

After being extradited to the US in 2019, Hladyr pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking, in his role as the systems administrator of the FIN7 group.

According to acting US Attorney Tessa M. Gorman of the Western District of Washington:

This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems. This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.

The Department of Justice says that Hladyr joined FIN7 via a front company called Combi Security but soon learned that it was a fake cybersecurity company with a phony website and no legitimate customers. It asserts that Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the servers used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication.

The post FIN7 sysadmin behind “billions in damage” gets 10 years appeared first on Malwarebytes Labs.

Interview with a bug bounty hunter: Youssef Sammouda

Behind the scenes there are many people working in cyber-security that make the internet a safer place. Youssef Sammouda is one of these people. He has submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way. Generally speaking, people may refer to this work as being a bug bounty hunter, but there is more to it than that.

Q: Tell us a little bit about your background

A: I’m 21 years old. I grew up in Tunisia. I always loved everything about computers from an early age. I started programming when I was 12 and my curiosity eventually led me to hacking. First I learned about “hacking”, techniques to get access to systems, how to escalate privileges, and how to achieve persistence. A better name than hacking is penetration testing. After that, I focused on web application security and learned a lot from forums and IRC chat rooms. Later, I heard about bug bounty hunting by coincidence and started doing it.

I can’t say much about my educational background since I dropped out of university due to my engagements in web applications development and my security assessments. I’d say that everything I learned to this day was from online content or books and not from educational institutions.

Q: How did you get interested in bug bounties?

A: Before bug bounties, it was difficult to test what you learned or sharpen your skills without being worried about getting noticed or caught when targeting websites or servers, since after all you’re doing something without the owner’s permission even if your intention is not to cause damage. So, the first benefit of bug bounty programs was the ability to responsibly apply or test what you’d learned about security, without worrying about legal actions by the website owners. Then of course, some of the programs introduced financial rewards which made it even better. You could start earning money at the same time as learning and doing what you love.

I became interested in the Facebook bug bounty program because it was beginner friendly. The scope was huge and it had the biggest rewards. My first bug in Facebook was a critical one and I found it in less than an hour, which encouraged me to dig more and learn about their infrastructure. After some time, I found myself knowing all the techniques to best enumerate their websites.

Q: Are there other security fields you are interested in?

A: I’ve always been fascinated by browser security and Operating System (OS) security. Reading proof-of-concept exploits of vulnerabilities found in browsers or applications has always been fun and an enjoyable thing to do, and I hope one day I can achieve the level of the researchers in these fields.

Q: Can you tell us something about how you find new bugs? And why you focus on Facebook?

A: I believe Facebook is running one of the best bug bounty programs out there. Sure, it has some problems and sometimes you get misunderstood by the security team, but if you compare it to other bug bounty programs, you’ll notice that Facebook is way better. Also, Facebook is very serious about its security. With time you notice that it’s getting harder to find bugs, which motivates me more, since I know others might be quitting and leaving me with a big scoop to dig out.

Due to the large numbers of researchers/hunters nowadays, and the continuous competition between us, I always try to follow my own methodology—which is different from others’—to avoid duplicated reports, and also to find special bugs that others have missed. Of course, over time, I have to change my methodology to stay in the game: Other researchers discover similar methodologies to mine, the security team adapt and make enumeration harder, and so on.

Q: Do you get a ton of requests to hack people’s Facebook accounts?

A: Actually, I don’t remember receiving requests to hack someone’s Facebook account, but I get requests to verify profiles or pages. I always try to gently explain that I don’t work for Facebook. I redirect them to the right Facebook support or contact page for their needs.

Q: What is the most potentially dangerous discovery you have made?

A: I believe the most dangerous discovery I have found was a Facebook bug that allowed me to return data fragments of any object. This data extraction bug was similar to finding an SQL injection bug, which is rare to find in modern applications. This could have allowed a malicious actor to collect a large amount of data about Facebook infrastructure, users and more.

Q: What advice do you have for aspiring bug bounty hunters?

A: I have always believed that there’s no such thing as a “bug bounty hunter”. There are security experts or researchers. “Bug bounty hunter” tells newcomers, or other experts in the field, that it’s all about bounties for us: How to earn them and what’s the fastest route to do that. Which is clearly wrong, since one must first understand what cybersecurity is and what problems we’re trying to address and fix.

The best advice for people trying to start is to first master a programming language. Then learn about security in a field you like (web, OS, mobile …) and how to write secure code. When learning about security, try to write vulnerable applications that you can exploit, so you can test what you learned against them. If you can understand how a vulnerability occurs in your application, you might try to apply what you learned against real applications, like the ones run by websites with a bug bounty program.

Do not care about bounties to begin with, just about finding bugs. You might report them without even waiting for the security team to reply. At some point, you’ll reach a certain level, with skills and experience gained over years, that will enable you to start making money from it, or by starting a professional career.

We would like to thank Youssef for his cooperation. You can follow Youssef Sammouda on Twitter.

The post Interview with a bug bounty hunter: Youssef Sammouda appeared first on Malwarebytes Labs.

Lazarus APT conceals malicious code within BMP image to drop its RAT

This blog was authored by Hossein Jazi

Lazarus APT is one of the most sophisticated North Korean threat actors and has been active since at least 2009. The group is known to target the U.S., South Korea, Japan and several other countries. In one of its most recent campaigns Lazarus used a complex targeted phishing attack against security researchers.

Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks. On April 13, we identified a document used by this actor to target South Korea. In this campaign, Lazarus resorted to an interesting technique: a BMP file with an embedded malicious HTA object, used to drop its loader.

Process Graph

This attack likely started by distributing phishing emails that were weaponized with a malicious document. The following figure shows the overall process of this attack. In the next sections, we provide the detailed analysis of this process.

Figure 1: Process graph

Document Analysis

Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.

Figure 2: Blue theme

Upon enabling the macro, a message box pops up; once the user clicks it away, the final lure is loaded.

Figure 3: Lure form

The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021 which indicates that the attack happened around the same time.

The document has been weaponized with a macro that is executed upon opening.

Figure 4: Macro

The macro starts by calling the MsgBoxOKCancel function, which pops up a message box claiming to be from an older version of Microsoft Office. After the message box is dismissed, it performs the following steps:

Figure 5: Document_Open
  • Defines the required variables, such as the WMI object, Mshta and the file extension, in base64 format, and then calls the Decode function to base64-decode them.
  • Gets the active document name and separates the name from the extension.
  • Creates a copy of the active document in HTML format using ActiveDocument.SaveAs with wdFormatHTML as the parameter. Saving the document as HTML stores all the images within the document in a FILENAME_files directory.
Figure 6: SaveAs HTML
  • Calls the show function to make the document protected, which ensures users cannot make any changes to the document.
Figure 7: Protect the document
  • Gets the image file that has an embedded zlib object (image003.png).
  • Converts the PNG image into BMP format by calling WIA_ConvertImage. Because BMP is an uncompressed format, converting the PNG into a BMP transparently decompresses the zlib-compressed object embedded in the PNG. This is a clever way to sidestep security mechanisms that look for embedded objects within images: as long as the malicious object sits compressed inside the PNG, static detection cannot find it, and the actor then only needs a plain image conversion to decompress it.
Figure 8: Embedded objects within png and bmp file
Figure 9: Embedded hta file within bmp
  • Gets a WMI object to call Mshta to execute the BMP file. After decompression the BMP file contains an HTA file whose JavaScript drops the payload.
  • Deletes all the images in the directory and then removes the directory generated by the SaveAs function.
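The PNG-to-BMP trick works because the HTA sits inside the PNG’s deflate-compressed IDAT stream, so a scanner that pattern-matches the file as stored never sees it, while the BMP conversion (or any decoder) materialises the uncompressed scanlines. The following Python is an added example, not code from the original analysis or from the malware: it builds a constructed PNG whose pixel data carries a constructed HTA-like marker, then shows that the markers are invisible in the raw file but present once the IDAT stream is inflated. The chunk parser is deliberately minimal (no CRC check, no filter reversal) because it only needs the compressed stream; a scanner built on this idea should inflate every IDAT stream rather than trust the container.

```python
"""Added example (not from the original post or the malware): why a compressed
PNG hides a payload from byte-pattern scanning, and how to scan it anyway by
inflating the IDAT stream(s). The PNG and the planted marker are constructed."""
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings an HTA dropper would be expected to contain (case-insensitive match).
MARKERS = [b"<script", b"<html", b"mshta", b"ActiveXObject", b"WScript.Shell"]


def png_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk the chunk list after the 8-byte signature: (type, payload) pairs."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return chunks


def inflate_idat(data: bytes) -> bytes:
    """Concatenate all IDAT chunks and zlib-inflate them. The result is the raw
    (filter byte + pixels per scanline) data a BMP conversion materialises."""
    stream = b"".join(body for ctype, body in png_chunks(data) if ctype == b"IDAT")
    return zlib.decompress(stream)


def find_markers(blob: bytes) -> List[bytes]:
    low = blob.lower()
    return [m for m in MARKERS if m.lower() in low]


def scan_png(data: bytes) -> Dict[str, List[bytes]]:
    """Markers visible in the file as stored versus in the inflated pixel data."""
    return {"raw": find_markers(data), "inflated": find_markers(inflate_idat(data))}


def build_png_with_payload(payload: bytes, width: int = 64, height: int = 16) -> bytes:
    """Constructed 8-bit greyscale PNG whose first scanlines carry `payload`.
    Each scanline is a filter byte (0 = None) followed by `width` pixel bytes;
    unused rows are zero-filled so the image compresses like a real one."""
    rows = [payload[i:i + width].ljust(width, b"\x00") for i in range(0, len(payload), width)]
    if len(rows) > height:
        raise ValueError("payload larger than the image")
    rows += [b"\x00" * width] * (height - len(rows))
    raw = b"".join(b"\x00" + r for r in rows)

    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    # IHDR: width, height, bit depth 8, colour type 0 (grey), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 9)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    fake_hta = b"<html><script>new ActiveXObject('WScript.Shell')</script></html>"  # constructed
    print(scan_png(build_png_with_payload(fake_hta)))
```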

BMP file analysis (image003.zip)

The macro appended the extension .zip to the BMP file during the image conversion so that it passes for a zip archive. This BMP file has an embedded HTA file. The HTA contains JavaScript that creates “AppStore.exe” at C:\Users\Public\Libraries\AppStore.exe and then populates its content.

At the start, it defines an array containing the function names and parameters the script needs: OpenTextFile, CreateTextFile, Close, Write, FromCharCode, “C:/Users/Public/Libraries/AppStore.exe” and some junk values. Whenever the script wants to perform an action, it calls a second function with a hex value; that function turns the value into an index into the first array and returns the element found there.

For example, in the first step it calls the second function with the value 0x1dd. The function subtracts 0x1dc from 0x1dd, giving 1, which it uses as the index to retrieve the first element of the array, “C:/Users/Public/Libraries/AppStore.exe”. Following the same process, it calls CreateTextFile to create AppStore.exe and writes MZ into it. It then converts the decimal-encoded data to a string by calling fromCharCode and, by the same procedure, writes it into AppStore.exe. Finally it calls WScript.Run to execute the dropped payload.

Figure 10: Embedded HTA object

Payload analysis (AppStore.exe)

AppStore.exe carries its second stage as a base64-encoded, XOR-encrypted blob appended to the end of its own file. Immediately before the payload is a string that serves as the decryption key (by7mJSoKVDaWg*Ub).

Figure 11: Embedded payload

To decrypt the second stage payload, at first it writes itself into a buffer created by VirtualAlloc and then looks for the encrypted payload and copies it into another buffer.

Figure 12: Allocate memory

In the next step, it uses its own base64 decoder to decode the allocated buffer and writes the result into another buffer using memset and memmove. Finally, the decoded payload is decrypted by XORing it with the hardcoded key to produce the second stage payload.

Figure 13: XOR decryption

After the decryption process has finished, it jumps to the start address of the second payload to execute it.

Second stage payload Analysis

This payload is loaded into memory by AppStore.exe and is never written to disk. It starts with an initialization process that includes the following steps:

Figure 14: Initialization process
  • Create mutex: Checks whether a mutex named “Microsoft32” exists on the machine and exits if it does. Otherwise the machine has not yet been infected with this RAT and it starts its malicious activities.
  • Resolve API calls: All important API names have been base64-encoded and RC4-encrypted, and are decoded and decrypted at run time. The RC4 key is “MicrosoftCorporationValidation@#$%^&*()!US”.
Figure 15: API resolver
  • Makes HTTP requests to the command and control servers: The server addresses have been base64-encoded and encrypted using a custom encryption algorithm. You can find the decoder/decryptor here. This custom algorithm is similar to the one used by the BISTROMATH RAT, which US-CERT has associated with Lazarus.
Figure 16: Custom decryption algorithm

http://mail.namusoft.kr/jsp/user/eam/board.jsp
http://www.jinjinpig.co.kr/Anyboard/skin/board.php
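The API-resolver scheme described above (base64 on the outside, RC4 underneath, with the recovered key) is simple to reproduce so that a whole string table can be decoded at once. The following Python is an added example, not code from the original post or from the sample: the exact layering (base64 of the RC4 ciphertext, NUL-padded plaintext) and the API names in the constructed table are assumptions, and only the key string comes from the analysis. The RC4 routine is checked against a public test vector so it can be trusted before being pointed at real strings.

```python
"""Added example (not the malware's own code): decode strings stored as
base64(RC4(plaintext)) with the key recovered from the sample. The layering
and the sample API names are assumptions; only RC4_KEY comes from the analysis."""
import base64
from typing import List

RC4_KEY = b"MicrosoftCorporationValidation@#$%^&*()!US"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_api_name(blob: str, key: bytes = RC4_KEY) -> str:
    """Reverse the stored form: base64-decode, RC4-decrypt, strip NUL padding."""
    return rc4(key, base64.b64decode(blob)).rstrip(b"\x00").decode("ascii", "replace")


def encode_api_name(name: str, key: bytes = RC4_KEY) -> str:
    """Produce the stored form; used here only to build constructed test material."""
    return base64.b64encode(rc4(key, name.encode())).decode()


def decode_table(blobs: List[str], key: bytes = RC4_KEY) -> List[str]:
    """Decode a whole table of encoded strings, e.g. the API names a loader resolves."""
    return [decode_api_name(b, key) for b in blobs]


if __name__ == "__main__":
    # Constructed table: names a loader of this kind would typically resolve.
    table = [encode_api_name(n) for n in ("VirtualAlloc", "CreateThread", "WinExec")]
    print(table)
    print(decode_table(table))
```

When pulling the encoded blobs out of a real sample, try both layerings (RC4 then base64, and base64 then RC4) if the first attempt yields garbage; the key is only half of the scheme.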

After the initialization process has finished, it checks if the communications to C&C servers were successful or not and if they were successful it goes to the next step in which it receives the commands from the server and performs different actions based on the commands.

The commands received from the C&C are base64 encoded and encrypted using its custom encryption algorithm (Figure 16). After deobfuscation, it performs the following commands based on the command codes. The communications to the server have been done through send and recv socket functions.

  • 8888: Executes the command that follows the command code, trying two different methods. First it attempts to run the command in a new thread (Figure 17). The thread takes the command after the command code and executes it with cmd.exe, using CreatePipe and CreateProcessA, and then reads the output of cmd.exe with ReadFile.
Figure 17: Create thread

The output of cmd.exe is encoded and encrypted and sent to the server as test.gif in an HTTP POST request (Figure 18).

Figure 18: Send the output of cmd.exe as test.gif

If the CreateThread approach fails, it executes the command by calling WinExec instead, then encrypts the message “8888 Success!” with its custom encryption, base64-encodes it and sends it to the server as test.gif.

Figure 19: WinExec
  • 1234: Calls CreateThread to execute the buffer (third stage payload) it received from the server. Afterwards it encodes and encrypts “1234 Success!” and sends it to the server as test.gif.
  • 2099: Creates and executes a batch file, then exits. The batch file deletes AppStore.exe from the victim’s machine.
Figure 20: Creates batch file
  • 8877: Stores the buffer received from the server in a file.
  • 1111: Calls the shutdown function to disable sends and receives on the socket.

This second stage payload uses custom user agents for its communications. All of them are stored base64-encoded and encrypted with the same custom algorithm used for the server addresses. The list of user agents used by this RAT follows. Note that the first and last entries are printf-style templates, and that the values filled into the other two are not plausible browser versions: -858993460 is 0xCCCCCCCC read as a signed 32-bit integer, the pattern MSVC debug builds use to fill uninitialized stack memory, which suggests the format arguments were never set. Malformed user agents like these are a useful detection opportunity on the network.

Mozilla/%d.0  (compatible; MSIE %d.0; Windows NT %d.%d; WOW64; Trident/%d.0; Infopath.%d)

Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; WOW64; Trident/-858993460.0; Infopath.-858993460)

Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; Trident/-858993460.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Infopath.-858993460)

Mozilla/%d.0  (Windows NT %d.%d%s) AppleWebKit/537.%d (KHTML, like Gecko) Chrome/%d.0.%d.%d Safari/%d.%d Infopath.%d
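As an added example (not part of the original post), the following Python turns those artifacts into a detection rule for proxy or web server logs: it flags user agents with an unexpanded printf placeholder, version fields that are negative or outside any real browser’s range, the 0xCCCCCCCC filler value, and the lowercase “Infopath” token (Internet Explorer itself writes “InfoPath”). The log line format and the two benign sample lines are constructed; the anomalous user agent and the C2 URL in the third line are the ones listed in this post.

```python
"""Added example (not from the original post): a detection rule for malformed
User-Agent strings of the kind listed above, run over constructed log lines."""
import re
from typing import Dict, List, Optional, Tuple

MSVC_UNINIT = -858993460  # 0xCCCCCCCC as a signed 32-bit int: MSVC debug stack filler

# Version fields a real IE / Chrome-on-Windows UA can carry, with sane ranges.
_FIELDS: Dict[str, Tuple[re.Pattern, int, int]] = {
    "Mozilla":          (re.compile(r"Mozilla/(-?\d+)\."), 1, 5),
    "MSIE":             (re.compile(r"MSIE (-?\d+)\."), 5, 11),
    "Windows NT major": (re.compile(r"Windows NT (-?\d+)\."), 5, 10),
    "Windows NT minor": (re.compile(r"Windows NT -?\d+\.(-?\d+)"), 0, 3),
    "Trident":          (re.compile(r"Trident/(-?\d+)\."), 4, 8),
    "Infopath":         (re.compile(r"Infopath\.(-?\d+)", re.I), 1, 3),
}


def ua_anomaly(ua: str) -> Optional[str]:
    """Reason this UA cannot have come from a real browser, or None if it looks fine."""
    if "%d" in ua or "%s" in ua:
        return "unexpanded printf placeholder"
    for name, (rx, lo, hi) in _FIELDS.items():
        m = rx.search(ua)
        if not m:
            continue
        value = int(m.group(1))
        if value == MSVC_UNINIT:
            return f"{name} = 0xCCCCCCCC (uninitialised MSVC debug stack value)"
        if not lo <= value <= hi:
            return f"{name} = {value} outside {lo}..{hi}"
    if "Infopath." in ua:            # case-sensitive: the real token is InfoPath
        return "Infopath token (real IE writes InfoPath)"
    return None


# Constructed log format: timestamp, source IP, method, URL, status, quoted UA.
_LOG = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed lines. The third carries a user agent from the analysis above and
# one of the post's C2 URLs; the first two are ordinary browser traffic.
SAMPLE_LOG = [
    '2021-04-13T09:12:01Z 10.0.0.21 GET https://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.114 Safari/537.36"',
    '2021-04-13T09:12:07Z 10.0.0.33 GET https://www.example.org/news 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2021-04-13T09:12:09Z 10.0.0.77 POST http://mail.namusoft.kr/jsp/user/eam/board.jsp 200 '
    '"Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; WOW64; '
    'Trident/-858993460.0; Infopath.-858993460)"',
]


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source IP, URL, reason) for every line whose user agent fails the checks."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        reason = ua_anomaly(m["ua"])
        if reason:
            hits.append((m["src"], m["url"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The ranges are intentionally generous; the point is not to fingerprint browsers but to catch values no browser could ever emit, which is exactly what a format string filled from uninitialised memory produces.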

Attribution

There are several similarities between this attack and past Lazarus operations and we believe these are strong indicators to attribute this attack to the Lazarus threat actor.

  • The second stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT associated with this APT.
  • The second stage payload has used a combination of base64 and RC4 for data obfuscation which is a common technique used by this APT.
  • The second stage payload used in this attack has some code similarities with some of known Lazarus malware families including Destover.
  • Sending data and messages as a GIF to a server has been observed in past Lazarus operations including AppleJeus, Supply Chain attack against South Korea and the DreamJob operation.
  • This phishing attack has targeted South Korea which is one of the main targets of this actor.
  • The group is known to use Mshta.exe to run malicious scripts and download programs which is similar to what has been used in this attack.

Conclusion

The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S. and Japan in the past couple of years. The group is known to develop custom malware families and use new techniques in its operations. In this blog we documented a spear phishing attack operated by this APT group that has targeted South Korea.

The actor used a clever method to bypass security mechanisms: it embedded its malicious HTA file, zlib-compressed, within a PNG image and decompressed it at run time by converting the image to BMP format. The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload can receive and execute commands and shellcode, as well as exfiltrate data and communicate with a command and control server.


Indicators of Compromise

Document

F1EED93E555A0A33C7FEF74084A6F8D06A92079E9F57114F523353D877226D72

Dropped executable

ED5FBEFD61A72EC9F8A5EBD7FA7BCD632EC55F04BDD4A4E24686EDCCB0268E05

Command and control servers

jinjinpig[.]co[.]kr
mail[.]namusoft[.]kr

The post Lazarus APT conceals malicious code within BMP image to drop its RAT appeared first on Malwarebytes Labs.

A week in security (April 12 – 18)

Last week on Malwarebytes Labs, our podcast featured Troy Hunt, Chloé Messdaghi, and Tanya Janca who discussed security fatigue with us.

We announced the release of the Malwarebytes SMB Cybersecurity Trust & Confidence Report 2021, a first-of-its-kind survey of the hardworking IT professionals on the front lines of the fight against cyberthreats.

We also wrote about:

  • how Bitcoin payments were used to unmask a man who hired a Dark Web contract killer;
  • how some ransomware gangs are connected, sharing resources and tactics;
  • a visa scam affecting Nigerian citizens looking to move to the United States;
  • NAME:WRECK, a set of vulnerabilities in the way a number of popular TCP/IP stacks handle DNS requests;
  • how ransomware disrupted a food supply chain in the Netherlands;
  • how Chrome needed patching against two in-the-wild exploits;
  • how a controversial FBI intervention to shut down malware on hundreds of Exchange servers caused heated discussions;
  • how researchers noted a huge upsurge in DDoS attacks during the pandemic;
  • how Chrome users can opt out of the Google FLoC trial;
  • how deepfakes were going to change everything and then didn’t;
  • the NSA, CISA, and FBI warning of Russian intelligence exploiting 5 vulnerabilities;
  • and how shady scam bots trick Omegle users into nonconsensual video sex recordings.

Other cybersecurity news:

  • An update to the Covid-19 NHS track and trace mobile app was blocked over privacy and security concerns. (Source: TechRadar)
  • Cryptocurrency rewards platform Celsius Network disclosed a security breach exposing customer information that led to a phishing attack. (Source: BleepingComputer)
  • Threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to IcedID malware. (Source: Microsoft Security Blog)
  • The EU published the SOCTA 2021 report providing a detailed analysis of the threat of serious and organised crime facing the EU. (Source: Europol)
  • New information was revealed about how the FBI managed to get into the San Bernardino shooter’s iPhone. (Source: The Verge)
  • The use of facial recognition for surveillance, or algorithms that manipulate human behaviour, is set to be banned under proposed EU regulations on artificial intelligence. (Source: BBC)

Stay safe, everyone!

The post A week in security (April 12 – 18) appeared first on Malwarebytes Labs.

Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called Russian SVR Targets U.S. and Allied Networks, to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisory’s executive summary reads:

Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes, frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.

Remarkable mentions in the cybersecurity advisory

Released alongside the advisory is the US Government’s formal attribution of the SolarWinds supply chain compromise, and the cyber espionage campaign related to it, to Russia.

Mentioned are recent SVR activities that include targeting COVID-19 research facilities via WellMess malware and targeting networks through a VMware vulnerability disclosed by NSA.

Vulnerabilities

NSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The advisory lists the following CVEs:

We have added a link to the vendors’ sites where they discuss the vulnerabilities and explain how to patch them. As you can see, most of them are quite old (the four digits that follow “CVE-” in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.

General mitigation strategy

While some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:

  • Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.
  • Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
  • Disable external management capabilities and set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge and disable them in device configurations.
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
  • Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
  • Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.
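The logging and hunting mitigation above is easiest to appreciate in code. The following Python script is an added example, not part of the advisory or the original post; it runs a small credential-misuse hunt over a handful of constructed OpenSSH-style authentication log lines and flags a source address that fails against many distinct accounts and then succeeds, which is the password-spray pattern behind the “valid accounts” technique discussed later in this post. The log format, hostnames, usernames, addresses and the threshold of three accounts are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog style; hostnames, users and
# addresses (RFC 5737 documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Apr 14 02:11:01 vpn-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Apr 14 02:11:04 vpn-gw sshd[4121]: Failed password for jsmith from 203.0.113.7 port 51830 ssh2
Apr 14 02:11:07 vpn-gw sshd[4121]: Failed password for mjones from 203.0.113.7 port 51841 ssh2
Apr 14 02:11:10 vpn-gw sshd[4121]: Failed password for akhan from 203.0.113.7 port 51850 ssh2
Apr 14 02:11:13 vpn-gw sshd[4121]: Failed password for svc_backup from 203.0.113.7 port 51862 ssh2
Apr 14 02:11:20 vpn-gw sshd[4121]: Accepted password for svc_backup from 203.0.113.7 port 51870 ssh2
Apr 14 02:15:33 vpn-gw sshd[4130]: Failed password for jsmith from 198.51.100.20 port 40010 ssh2
Apr 14 02:15:40 vpn-gw sshd[4130]: Accepted password for jsmith from 198.51.100.20 port 40011 ssh2
"""

# Matches the "Accepted/Failed password for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(log_text):
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def hunt_password_spray(events, min_accounts=3):
    """Flag source addresses that failed against at least `min_accounts`
    distinct usernames (the spray pattern). Events must be in time order;
    a success from such a source after its failures is reported as a
    likely account takeover that needs a password reset and a review."""
    failed_users = defaultdict(set)
    later_successes = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            failed_users[ev["src"]].add(ev["user"])
        elif ev["src"] in failed_users:
            later_successes[ev["src"]].add(ev["user"])
    return {
        src: {
            "distinct_accounts_failed": len(users),
            "likely_compromised": sorted(later_successes[src]),
        }
        for src, users in failed_users.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for src, finding in hunt_password_spray(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The second source in the sample (one failed attempt on its own account, then success) is the ordinary typo case and is not flagged; the threshold is what separates a user mistyping a password from a source walking through an account list, and in practice it is tuned per environment and combined with the cloud and VPN authentication logs the advisory asks you to collect.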

Techniques

The techniques leveraged by SVR actors include:

  • Exploiting public-facing applications. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
  • Leveraging external remote services. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RDP) allow users to connect to internal enterprise network resources from external locations.
  • Compromising supply chains. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
  • Using valid accounts. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.
  • Exploiting software for credential access. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
  • Forging web credentials: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
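To make the last technique concrete, here is an added Python example, not from the advisory or the original post, showing two cheap policy checks a service provider can run on an incoming SAML 2.0 assertion: the validity window must not exceed a configured maximum, and the signing certificate carried in the assertion must match the certificate pinned for the identity provider (together with issuer and audience checks). A token forged with a stolen token-signing certificate passes the certificate check, which is exactly why the lifetime check and a review of issued-token lifetimes matter. The assertion builder, the issuer and audience URLs, the timestamps and the certificate bytes are all constructed placeholders.

```python
import base64
import hashlib
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate bytes (constructed; a real IdP certificate is DER-encoded X.509).
IDP_CERT_B64 = base64.b64encode(b"PLACEHOLDER IDP SIGNING CERT").decode()
ROGUE_CERT_B64 = base64.b64encode(b"PLACEHOLDER UNKNOWN CERT").decode()


def thumbprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, the usual pinning key."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


PINNED_IDP_THUMBPRINT = thumbprint(IDP_CERT_B64)


def make_assertion(not_before, not_on_or_after, cert_b64,
                   audience="https://sp.example.test/"):
    """Build a minimal constructed SAML 2.0 assertion for demonstration only."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_demo" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_assertion(xml_text, expected_issuer="https://idp.example.test/",
                    expected_audience="https://sp.example.test/",
                    pinned_thumbprint=PINNED_IDP_THUMBPRINT,
                    max_lifetime=timedelta(minutes=10)):
    """Return a list of policy problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or thumbprint("".join(cert.split())) != pinned_thumbprint:
        problems.append("signing certificate does not match the pinned IdP certificate")

    cond = root.find("saml:Conditions", namespaces=NS)
    nb_raw = cond.get("NotBefore") if cond is not None else None
    na_raw = cond.get("NotOnOrAfter") if cond is not None else None
    if nb_raw is None or na_raw is None:
        problems.append("missing NotBefore/NotOnOrAfter (unbounded validity)")
    else:
        nb, na = _ts(nb_raw), _ts(na_raw)
        if na <= nb:
            problems.append("NotOnOrAfter is not after NotBefore")
        elif na - nb > max_lifetime:
            problems.append(f"validity window {na - nb} exceeds policy maximum {max_lifetime}")

    audiences = [a.text for a in root.findall(".//saml:Audience", namespaces=NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include this service provider")
    return problems


if __name__ == "__main__":
    ok = make_assertion("2021-04-15T10:00:00Z", "2021-04-15T10:05:00Z", IDP_CERT_B64)
    forged = make_assertion("2021-04-15T10:00:00Z", "2022-04-15T10:00:00Z", IDP_CERT_B64)
    print("normal token:", check_assertion(ok))
    print("year-long token:", check_assertion(forged))
```

These checks sit behind, not instead of, XML signature verification: a proper SAML library must validate the signature over the assertion first, otherwise an unsigned or tampered assertion would reach this code at all. The year-long token in the demonstration is the kind of anomaly that stands out when the service provider logs and reviews the validity windows of every assertion it accepts.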

The items listed under mitigations and techniques probably won’t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.

Stay safe, everyone!


Shady scam bots trick Omegle users into nonconsensual video sex recordings

14-year-old Michael (not his real name) from Scandinavia first visited Omegle, the online video chat that has become hugely popular since the start of the pandemic, after hearing about the “unpredictable and weird encounters” one may experience on the site from other students at school. He was intrigued.

At the end of his “session”, however, he was worried.

The allure of talking to strangers and doing “stuff”

A couple of months ago, Malwarebytes Labs covered a BBC investigation into Omegle, wherein they found that young boys are exposing themselves on camera, and adult males are also exposing themselves to minors.

Michael, now 21 years old, reached out to the media company after reading about its investigation, in the hope of sharing his disturbing experience so other people could learn from it and start questioning who really is on the other side of the screen.

He doubted whether the first person Omegle paired him with when he was 14, an older woman by her own account, was really who she claimed to be.

After quitting the site for several years, Michael, then 18, came back to Omegle and became addicted. “I started going on the site again and started doing ‘stuff’ on camera with different people. Video sex,” he said in a BBC interview.

Michael would later realize that at least one of his “sessions” had been recorded. After quitting the video chat site again for more than a year and coming back out of lockdown boredom, he was horrified to find that Omegle had paired him with a recording of his 18-year-old self “doing 18+ stuff”, while the stranger he was chatting with at the time, clearly posing as him, was encouraging him to join in.

Michael told the BBC he believes the same technique was used to groom him as a minor: “I am constantly stressed about it, but I find peace that at least my face is not in it. But it pains me I am used that way to hurt other people. In fact, I believe this is the way I was groomed into the site as a 14-year-old, although I can’t confirm the other person was fake at that time.”

Stranger danger fostered, thanks to VCW

Sarah Smith, the chief technology officer of the UK’s child abuse hotline, Internet Watch Foundation (IWF), sympathized with Michael’s plight. “I can’t imagine how distressing it must be to find someone using a video of yourself in this way,” she said in a BBC interview.

Smith described the technology these shady people in Omegle are using as Virtual Cam Whores (VCW). A VCW is a recording of someone that a controller can manipulate to trick their target into thinking that the person they’re seeing on the camera is the person they’re talking to. In reality, it’s like a digital puppet.

The video doesn’t talk back, which gives scammers a good excuse to force people to talk to them via text chat instead, while they parade and move the VCW puppet/bot to their will.

A forum post from ScamSurvivors.com displaying what a virtual cam whore looks like on the scammer’s end. Notice the limited actions a VCW ‘puppet’ can do. Take note, however, that the above post is almost 10 years old. VCW has evolved since then, as evidenced by some tutorial videos on YouTube. (Source: ScamSurvivors.com)

Essentially, Michael has been turned into a VCW bot so scammers can collect more videos of other people and potentially transform them into bots without them knowing as well. Perhaps this is also a way for scammers to make their bots more believable, by recording unknowing Omegle users doing things the scammer wants them to do. (One of the ways to tell bots from real users is to ask someone to do something unusual on cam.)

While we have seen that women are commonly used as VCW bots, we’ve also seen the male kind. We have not seen evidence of child bots, but given Michael’s experience as a fourteen-year-old, it does not seem out of the question.

Omegle is not safe for children—and for good reason

Thanks to TikTok, many young users are flocking to Omegle, unaware of the possible dangers they might encounter on the platform. Michael’s story could illuminate this path for them and help them decide to look somewhere else.

Omegle’s home page (unusually) includes its terms and conditions, which include the stipulation: “Do not use Omegle if you are under 13” on the very first line. The site also contains a warning that “Predators have been known to use Omegle, so please be careful”.

The Omegle home page warns: “Predators have been known to use Omegle”.

Parents and carers, we know it is not always easy keeping an eye out for your children and knowing what they do or where they go online daily. But remember that at times like these, they need your guidance, support, and understanding.

Try to keep an open, healthy communication with your children. Talk to them about how to stay safe online. Teach them how to be kind and respectful to anyone they talk to, even when the other party doesn’t do the same. Lastly, be involved in some of their online activities. Trust us, doing these (and more) will do both parents and their children a lot of good.


Deepfakes were going to change everything. And then they didn’t

For much of 2020, the most visible conversation about the US election and tech was related to deepfakes (images or videos where the subject is replaced by another likeness). They could “destroy democracy” generally, and influence the US election in ways we couldn’t possibly imagine. People talked about disinformation, regulation, and how automated detection probably wouldn’t help a great deal.

It all sounded very bad indeed. And it didn’t happen.

With hindsight we can see that the flash points related to the November election were entirely unrelated to deepfakes. The election came and went with a spectacular fizzling out of the deepfake hype train. The one notable moment I can recall from the election period is a fake of Republican Matt Gaetz. It’s so bad, it resembles an old PlayStation cutscene.

Is your message “If we can do this, imagine what Putin can do”? And is what you’ve done awful? Because if it is, then people aren’t going to take it seriously.

Deepfake creators follow the money

Deepfake pros almost certainly decided to stay where they make their money: dubious porn clips. It’s (somewhat) more under the radar than drawing attention to your election interference. There’s a never-ending supply of people wanting celebrity fakes, or revenge / blackmail pornography.

Indeed, data from Sensity illustrated this perfectly. Although the US was the most targeted nation for deepfake activity, politics wasn’t the target. The most popular sector for fakes was entertainment at 63.9%. Politics weighed in at an incredibly low 4.5%.

Creating a political deepfake capable of turning the tide of an election, when even major outlets can only create very bad fakes? It was always going to be a long shot.

Where did all the deepfake election interference go?

The biggest problem for the November election was disinformation, conspiracy theories, and outright manipulation going viral. Creating a politically charged deepfake and having it be believable long enough before the inevitable debunking seems just plain unnecessary. Why invest all that time and effort into something when you can spin up millions of likes and reposts on social media instead?

These are questions which may not have been asked as rigorously as they should have been. The 2020 election has come and gone, and so has the chance for fakers to make an indelible mark on key aspects of democracy. What we ended up with was half a dozen poorly made clips which feel more like parody than anything particularly serious. Indeed, the serious part is where folks working in and around government look at the political clips offered during the run-up to the vote and genuinely think they’re good uses of the technology. They are not, and this suggests they perhaps need to be brought up to speed on the convincing (and not so convincing) aspects of this realm.

The bright side is that it appears the time for deepfakes to impact an election…any election…is gone. Many analysts suspect their best use is as an addition to scams, not the main feature. Even a little scrutiny brings the walls of artifice crashing down, so it’s best to leave them at the edges of peripheral vision.

Actual uses of deepfakes in the wild

Some of the biggest media splashes for deepfakes in the past few months have had little, if anything, to do with electioneering. One smash was the Tom Cruise deepfakes posted to TikTok back in March, which dazzled people with their brilliance. If you missed it, this video from creator Chris Ume will give you a sense of just how good deepfakes can be:

Sadly the genuinely well-done nature of the clips was undone almost immediately:

  • The creator posted them to an account called “Deeptomcruise”, which linked to social media accounts of a well-known Tom Cruise impersonator.
  • Viral attention was drawn to the clips as intended, instead of them simply being uploaded in low-key fashion and left to spread slowly, unnoticed, across the web for months or years.
  • The creator spilled the beans in the press almost immediately, and mentioned they were essentially trying to get work off the back of it.

This was arguably never intended to be a clever commentary on the unreal nature of AI, but a VFX job reel.

The case of the face-swapped biker

The other interesting piece of fake media was the reveal that a popular, apparently female, biker was using FaceApp to hide the fact that he was a middle-aged man. This one genuinely shocked people and, unlike the Cruise approach, was designed to conceal the truth from the get-go. If he hadn’t had a change of heart and told all, his many fans would still be none the wiser.

Compare and contrast all of the sophisticated GAN tools you see in the news, with “middle-aged man performs face swap using incredibly commonplace phone app”. Which one is more relevant? Which one had more impact outside of actual observable harm, such as deepfake revenge porn?

Digital detection and disclosure

While the notion of exposing your own fakery seems contradictory, in some ways the Tom Cruise deepfake creator had it right. Yes, it’s fake – but they’re not exactly pretending it’s genuine. By the same token, we now have app developers planning to add watermarks to their user-generated clips. The EU may want organisations to disclose when deepfakes are deployed. Researchers continue to study new methods of deepfake detection. Note that the researcher in that last link also seems more concerned about deepfake antics away from major electioneering.

Wherever you look, there’s a growing consensus that people simply want to know what’s placed before them is legitimate. If there is fakery involved, I suspect they’re cool with it as long as upfront disclosure takes place. The comfort levels around this technology somewhat suggests folks now view it the same way they view cinema-based VFX. This itself could be a problem. Become too complacent with it, and the tech runs the risk of causing unexpected damage down the line. Sure, it’s mostly fun and amusing right now – but what about when it suddenly isn’t?

There is also the significant volume of people out there prone to conspiracy theories and other virtual shenanigans. No matter how bad the fake, or how silly the story it’s attached to, there’s a good chance they’ll believe the content no matter what disclaimer is provided.

For now, deepfakes remain the weapon of choice for malign interference campaigns, troll farms, revenge porn, and occasionally humorous celebrity face-swaps. It remains to be seen, a year on from 2020, if they’ll ever strike a decisive blow in the misinformation wars on a grand scale.


“Huge upsurge” in DDoS attacks during pandemic

Researchers at Netscout have released a report analyzing the malicious internet traffic of 2020 and comparing it to the years before. Some of the results were as expected: Brute-forcing credentials and more targeting towards internet-connected devices were foreseeable and have been discussed at length. And even a record-breaking year in Distributed Denial of Service (DDoS) attacks might have been expected as it follows the upward trend over the years. But the sheer number of attacks, their size, and a new big player in the field of DDoS extortion may raise some surprised eyebrows.

The records

The report identifies a “huge upsurge” in DDoS traffic during 2020, with a number of records broken:

  • The most DDoS attacks launched in a single month (929,000).
  • The most DDoS attacks in a single year (more than 10 million).
  • Monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000-150,000 attacks.

As you can see, the records are all in the number of attacks. Attack frequency spiked by 20 percent year over year, and by 22 percent in the last six months of 2020.

New methods

A DDoS attack stops people from using a computer system by keeping it so busy with traffic from multiple locations that it is overloaded and either crashes or is permanently busy. Because they work by delivering more traffic than the system or network under attack can handle, they hinge on an attacker’s ability to deliver significant volumes of traffic.

To increase the amount of data they can deliver, attackers look for methods that amplify the amount of traffic they can create. Typically an attacker will look for a service that will return a lot of data in response to a simple request (often hundreds of times more data). They will then make as many requests to that service as possible, but spoof their address so that it looks like the requests are coming from the victim. Because of the spoofed address the responses are reflected: sent to the victim instead of back to the attacker.

According to Netscout, threat actors exploited and weaponized at least four new reflection/amplification DDoS attack vectors in 2020. The report specifically mentions that abusable applications and services based on the UDP protocol remained a valuable asset for attackers. These applications and services were analysed and abused to provide new reflection/amplification vectors for DDoS attacks and helped provide the power required for the new wave of attacks.

Old methods

According to the report, UDP-based reflection/amplification attacks continued to dominate the list of most popular attack vectors, with TCP ACK flood attacks coming in a close second. This represents a changing of the guard, given that TCP SYN floods were dominant in previous years. However, Domain Name System (DNS) reflection/amplification attack frequency rose steadily over approximately the past 18 months and became the top vector of choice in 2020.

Recommended background reading: SYN/ACK in the TCP Protocol
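To make the reflection/amplification mechanics described above and the vector names in this section concrete, here is an added Python example, not from the Netscout report or the original post. It runs a small classifier over a handful of constructed NetFlow-style records and labels each destination’s inbound traffic as UDP reflection/amplification, TCP SYN flood or TCP ACK flood, using the features those vectors leave in flow data: a source port belonging to a well-known UDP amplifier service, responses far larger than any request, many distinct sources and, for TCP, which flag dominates. The record layout, the one-minute window the counts assume, the thresholds and the addresses are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# UDP services historically abused as reflectors; the reflected traffic
# arrives with one of these as its *source* port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP", 11211: "memcached"}

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto tcp_flags packets nbytes")

# Constructed flow records for one assumed one-minute window (addresses from
# the RFC 5737 documentation ranges; counts invented for the example).
SAMPLE_FLOWS = [
    # DNS reflection toward 192.0.2.10: several resolvers answering with large packets
    Flow("198.51.100.1", 53, "192.0.2.10", 44001, "udp", "", 20000, 56_000_000),
    Flow("198.51.100.2", 53, "192.0.2.10", 44002, "udp", "", 21000, 59_000_000),
    Flow("198.51.100.3", 53, "192.0.2.10", 44003, "udp", "", 19000, 53_000_000),
    Flow("198.51.100.4", 53, "192.0.2.10", 44004, "udp", "", 20500, 57_000_000),
    # SYN flood toward 192.0.2.20: tiny SYN-only packets from many sources
    Flow("203.0.113.11", 40000, "192.0.2.20", 443, "tcp", "S", 50000, 3_000_000),
    Flow("203.0.113.12", 40001, "192.0.2.20", 443, "tcp", "S", 48000, 2_880_000),
    Flow("203.0.113.13", 40002, "192.0.2.20", 443, "tcp", "S", 51000, 3_060_000),
    # ACK flood toward 192.0.2.30: bare ACKs that belong to no handshake
    Flow("203.0.113.21", 40010, "192.0.2.30", 80, "tcp", "A", 40000, 2_400_000),
    Flow("203.0.113.22", 40011, "192.0.2.30", 80, "tcp", "A", 42000, 2_520_000),
    Flow("203.0.113.23", 40012, "192.0.2.30", 80, "tcp", "A", 41000, 2_460_000),
    # Ordinary traffic toward 192.0.2.40: one client with a normal handshake mix
    Flow("203.0.113.99", 50000, "192.0.2.40", 443, "tcp", "SA", 120, 90_000),
    # and one normal-sized DNS reply
    Flow("198.51.100.1", 53, "192.0.2.40", 55123, "udp", "", 1, 120),
]


def classify_flows(flows, min_sources=3, min_packets=10_000, amp_avg_bytes=1000):
    """Group flows by destination and label each destination's inbound traffic.

    A destination is only considered under attack when it receives at least
    `min_packets` in the window from at least `min_sources` distinct sources.
    Reflected UDP traffic is recognised by its amplifier source port and an
    average packet size no legitimate request/response pair would produce.
    """
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst_ip].append(f)

    labels = {}
    for dst, recs in per_dst.items():
        sources = {r.src_ip for r in recs}
        packets = sum(r.packets for r in recs)
        udp_amp = [r for r in recs if r.proto == "udp" and r.src_port in AMPLIFIER_PORTS]
        tcp = [r for r in recs if r.proto == "tcp"]
        syn_only = sum(r.packets for r in tcp if r.tcp_flags == "S")
        ack_only = sum(r.packets for r in tcp if r.tcp_flags == "A")

        if len(sources) < min_sources or packets < min_packets:
            labels[dst] = "normal"
        elif udp_amp and (sum(r.nbytes for r in udp_amp) /
                          sum(r.packets for r in udp_amp)) >= amp_avg_bytes:
            services = sorted({AMPLIFIER_PORTS[r.src_port] for r in udp_amp})
            labels[dst] = f"udp reflection/amplification ({', '.join(services)})"
        elif tcp and syn_only / packets > 0.8:
            labels[dst] = "tcp syn flood"
        elif tcp and ack_only / packets > 0.8:
            labels[dst] = "tcp ack flood"
        else:
            labels[dst] = "suspicious (unclassified)"
    return labels


if __name__ == "__main__":
    for dst, label in sorted(classify_flows(SAMPLE_FLOWS).items()):
        print(f"{dst:12} {label}")
```

The point of the source-port test is that the victim never sent the DNS queries: the reflectors did answer a request, but one that carried the victim’s spoofed address, which is why the victim sees replies from many resolvers it never asked. In a real deployment this logic runs on aggregated flow telemetry at the network edge, and for the volumes quoted in the report the dropping or re-routing itself has to happen upstream, at the transit provider or a mitigation service, well before the traffic reaches the victim’s own links.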

Lazarus Bear Armada

The Netscout report also reveals that in August 2020 a new threat actor in the field of DDoS extortion emerged and quickly started to make waves. In a DDoS extortion attack an attacker demands a ransom in exchange for halting a DDoS attack that is stopping the victim or its customers from using systems they need. The new group named itself Lazarus Bear Armada (LBA), very likely to imply that it is affiliated with well-known APT groups like the Lazarus Group, Fancy Bear, and the Armada Collective, affiliations it likes to emphasize when threatening victims.

Their extortion attacks were primarily directed towards companies in the financial and travel-industry sectors, and sometimes included their upstream internet transit providers too. ISPs, healthcare providers, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors were also targeted, according to Netscout.

Extortion and attacks

The LBA attacks are characterized by the attacker initiating a demonstration DDoS attack against parts of the target’s online infrastructure, followed shortly after by an email demand for a substantial payment in Bitcoin. The extortion demands typically stated that the attacker had up to 2 Tbps of DDoS attack capacity at the ready, which could be directed at the victim’s systems if the demands were not met. And they did not shy away from actual DDoS attacks against those unwilling to pay. Not even when it concerned organizations that played a crucial role in fighting the pandemic.

DDoS attack capacity

Even though there are no agreed-upon international standards for measuring DDoS attack capacity, the attack volumes observed over the course of the LBA’s campaign maxed out at 300 Gbps, which is significant.

Defending against a DDoS attack

As in most areas of security, searching for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. DDoS mitigation is a complex subject, but we suggest that your chosen solution should offer you one or more of these options:

  • Allow users to use your systems normally as much as possible, even during an attack.
  • Protect your network from breaches during an attack.
  • Establish an alternative system to work with.

Broadly speaking, organizations either need to be able to operate in spite of systems being unavailable, with ways to keep the work going and the revenue flowing, or they need a way to absorb, re-route or drop DDoS traffic so they can continue to operate as close to normally as possible. Defending against massive-scale DDoS attacks requires access to enormous network resources, which may only be accessible via a third party offering DDoS mitigation services. Whatever form your protection takes, make sure you have a plan or protocols in place before an attack occurs.

You can read more on the subject in our article DDoS attacks are growing: What can businesses do?


Chrome users, here’s how to opt out of the Google FLoC trial

Two weeks after Google launched a trial to replace run-of-the-mill online user tracking with new-fangled online user tracking, several companies and organizations have pushed back, criticizing the new technology—called FLoC—which is designed to respect people’s privacy more, as a detriment to user privacy.

The good news is that, if you want to escape Google’s silent experiment into how it thinks you should be tracked across websites, you now have several options. You can test whether you are included in Google’s new trial, download a browser plug-in to stop Google’s new tracking, or choose to install another web browser that is committed to preserving user privacy.

Because Google’s experiment into user tracking is primarily happening on its own browser Google Chrome (we’ll talk about Chromium-based browsers further down), our advice is split between two categories of users:

  • Google Chrome users who do not want to give up Google Chrome
  • Google Chrome users who are open to using a new browser

Some of the steps we offer are as simple as downloading a new browser, while others require users to go into their Google Chrome settings and make some changes. That latter option may sound easy, but for such a seismic shift in how users are being tracked online, it’s unfortunate that users have to, yet again, take even more proactive steps to simply enjoy a private experience online.

As we wrote last time, if Google believes its new technology is a step towards respecting user privacy, it should at least respect the user, too.

Before we get to our advice, let’s briefly explain some background.

What’s going on?

At the heart of the issue is Google’s Federated Learning of Cohorts—or FLoC—technology, which is now being tested on at least 0.5 percent of Google Chrome users across the world.

FLoC is Google’s planned replacement for third-party cookie tracking which, after years of enormous influence in digital advertising, is losing its relevance. Simply put, more users are beginning to push back against the types of online user tracking enabled by third-party cookies, and several companies are making it easier for those users to do so. Browser plug-ins abound to stop third-party tracking, and a year ago both Mozilla’s Firefox browser and Apple’s Safari browser disabled third-party tracking by default.

But this could spell trouble for Google, as much of its advertising revenue depends on the third-party cookies that its ad networks use to track users across countless websites.

Thus, enter the third-party cookie’s replacement: FLoC.

According to Google, FLoC is supposed to serve as an improvement on the third-party cookie because it will create advertising profiles on user groups, or cohorts, and not on users as individuals. Cohort membership is calculated by the browser and the data that drives the calculation doesn’t leave users’ machines. The company said that FLoC technology will prevent the creation of cohorts based on “sensitive topics,” with no cohorts based on medical diagnoses or online searches for help with suicide prevention.

According to Google, then, FLoC will give users the best of both worlds, preserving their online privacy while still providing revenue to online publishers who have relied on third-party cookies for years.

According to several outside organizations and companies, though, FLoC is just the latest attempt to box users into an unfair compromise, trading their own privacy for someone else’s gain.

“FLoC, along with many other elements of Google’s ‘Privacy Sandbox’ proposal, are a step backward from more fundamental, privacy-and-user focused changes the Web needs,” wrote Peter Snyder and Brendan Eich, senior privacy researcher and CEO of the privacy-forward web browser Brave. “Instead of deep change to enforce real privacy and to eliminate conflicts of interest, Google is proposing Titanic-level deckchair-shuffling that largely maintains the current, harmful, inefficient system the Web has evolved into, a system that has been disastrous for the Web, users and publishers.”

Importantly, users caught in the FLoC trial will not be subject to solely FLoC-enabled tracking. Instead, the FLoC trial is additive, meaning that Chrome users in the trial will be tracked both through FLoC and through traditional third-party tracking.

Here’s what you can do to push back against FLoC.

How can you opt out of FLoC?

As we wrote above, Google’s FLoC trial is primarily affecting users of its Google Chrome browser. If you are currently using Google Chrome, read on to understand how to find out if you’re included in the FLoC trial, how to opt out, and how to block the FLoC technology through outside means.

For the Google Chrome user who does not want to give up Google Chrome

First, Chrome users should check to see whether they’re included in Google’s FLoC trial. Google itself made this impossible when it launched its trial, as it did not provide any individualized notifications to the affected users.

Flatly, this is bad practice. An experiment that allegedly aims to respect user privacy should also respect the user, and that includes whether that user even wants to be included in the trial.

Fortunately, technologists at the Electronic Frontier Foundation have developed a Google FLoC scanner for Google Chrome users. Simply follow the link to amifloced.org and run the test to see if you’re included in the Google FLoC trial.

Our instance of Google Chrome was not included in the FLoC trial, according to the EFF’s new tool.

If you are included in the trial, don’t panic! There are two methods you can take to remove yourself from the FLoC trial, one method provided by Google, and another provided by the search giant’s privacy-preserving competitor, DuckDuckGo.

If you want to just stick to Google Chrome’s settings and opt out of the FLoC trial, you can disable third-party cookies in Google Chrome. You can navigate to your Google Chrome preferences from the dropdown menu from “Chrome,” or, you can enter chrome://settings into your URL bar and press enter.


In your preferences, you next need to click on the “Privacy and security” option in the left-hand menu. Once there, click on the “Cookies and other site data” option, which should be below “Clear browsing data.”


Finally, once you’re in this menu, you need to click on the option to “Block third-party cookies.”


If you don’t want to fuss about with your settings, you can also choose to download the DuckDuckGo browser extension for Google Chrome. According to DuckDuckGo, the company has “enhanced the tracker blocking in [its] Chrome extension to also block FLoC interactions on websites.”

For users who don’t want to change settings or download extensions, there’s also another path: Download and use a different browser.

For the Google Chrome user who is open to using a new browser

It may sound simple to just download and start using a new browser, but we understand how difficult it can be to leave a platform for another that you may not know about or trust. For that reason, you should look at the actions of other web browsers and how they line up with their promise for a more private web experience for you, the user.

Last week, the Chromium-based web browsers Brave and Vivaldi both pledged to disable FLoC technology on their browsers. As the two browsers are built on Chromium’s code, it is important that both of the browsers came forward to clear any confusion about whether Google’s FLoC technology had wormed its way into their own browsers.

“The privacy-affecting aspects of FLoC have never been enabled in Brave releases; the additional implementation details of FLoC will be removed from all Brave releases with this week’s stable release,” the company wrote, adding that it also removed FLoC in its “Nightly” version of the browser, the testing and development version of Brave that receives nightly updates.

Vivaldi co-founder and CEO Jon von Tetzchner also chimed in on FLoC, writing that “the FLoC experiment does not work in Vivaldi. It relies on some hidden settings that are not enabled in Vivaldi.”

As another comparison point, the web browsers Firefox and Safari disabled third-party tracking years ago by default. So, while FLoC obviously will not apply to those browsers, because they aren’t based on Chromium, it’s also important that users understand that those browsers made privacy-protective moves long before Google’s FLoC experiment.

What this all means is that users actually have several options if they want to avoid FLoC and are open to using a new browser. They can try Vivaldi, Brave, Safari, or Firefox.

We wish users did not have to keep taking new steps to enjoy a private web experience, but until we’ve recreated the entire infrastructure of the Internet, Malwarebytes Labs will keep telling users how to stay private and safe online.
