Friday, December 20, 2019

Ring Issues ? Did you secure your Ring properly

    In the world of IoT home cameras, Ring cameras by Amazon are most popular. There can be many benefits of using the cameras for monitoring or as a security device, but it’s been a bad few weeks for the Ring camera. We now have reports of a hacker taunting a child in Mississippi, in another report someone hurled racist insults at a Florida family. A Tennessee family reported that a man hacked their camera to talk to an 8-year-old girl in her bedroom. Yesterday, a Ring camera was hacked to make inappropriate comments toward a California woman. 

    Are these really hacks, or simply user errors? Ring seems to have put much of the blame for these hacks on its users. A Ring spokesperson said that the California incident was not a result of Ring’s network or systems being compromised. A Ring spokesperson also said that the incident in Tennessee was isolated and that it wasn’t because of a security breach. But there have been two claims of exposed Ring data. The first, reported by Buzzfeed, claimed 3,672 Amazon Ring cameras were compromised potentially exposing the login credentials of users; security experts noted the data was most likely taken from another company’s database. Tech Crunch reported that about 1,500 Ring customers’ passwords were also compromised in a separate leak and the passwords and email addresses were uploaded to a dark web site DeepPaste.

    Motherboard found “hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring

    Zerocleare abuse on their own so-called podcast dubbed ‘NulledCast.’ " Users are not without blame here. As motherboard pointed out, reused passwords can lead to compromise and may have been the case in several incidents. Ring however is not without blame either. Last month a flaw was identified in Ring Video Doorbell Pro cameras' software that made it possible for wireless eavesdroppers to grab the WiFi credentials of customers during the device's setup. Ring does not currently offer some basic security precautions, such as double-checking whether someone logging in from an unknown IP address different from the legitimate user, or providing identification of how many users are currently logged in. Ring doesn't appear to check a user's chosen password against known compromised user credentials nor does Ring appear to provide users a list of previous login attempts.

    What can one do? Ring does offer twofactor authentication, and although not required, it should be implemented. As always don’t reuse passwords, go change it now if you did reuse one. Even if someone is actively watching though one of your devices, Ring will log everyone out after the password change. Look at the blue light, we know it’s not a guarantee if the camera is on but it’s an indication. And finally, you can always cover or unplug a camera if you want your privacy assured, otherwise smile – you might be on camera.

Sources:

https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

https://www.digitaltrends.com/home/man-hacks-ring-camera-inwomans-home-to-make-explicitcomments/

Thursday, December 12, 2019

Android Malware impacts all Android devices including the most recent versions and updates

    Malicious apps are bad enough, but what if you have one on your phone that looks just like an app you use everyday? As it turns out, researchers from the Norwegian application security firm Promon discovered an Android vulnerability that does just that. 

    Dubbed StrandHogg, it impacts all Android devices including the most recent versions and updates. It also reportedly "puts the top 500 most popular apps at risk" without even needing root access. If you have an Android in your pocket, you are at risk.

    StrandHogg is delivered through a malicious dropper app that then downloads additional apps posing as some of your favorites. From there it will request additional permissions to your phone, allowing it to spy on your activity, steal credentials, track your location, access your data, and access features like the camera and microphone. Thirty-six known dropper apps have since been removed from the Google Play store, but even more will surely take their place. 

    At this time it's unclear whether Google plans to do anything about StrandHogg. The vulnerability itself is not exactly brand new. The Promon team's work was actually a continuation of research conducted in 2015 by a team at Penn State. Back then they proved that the vulnerability was theoretically possible, but it wasn't enough to get Google to take it seriously. Now that it's being actively exploited in the wild, perhaps that will change. 

    Despite the fact that StrandHogg impacts all 2.5 billion Android devices in use, a healthy dose of user awareness will go a long way in mitigating the risk. If an app you normally use is behaving strangely, there may be something wrong and you should stop using it immediately. 
Tell-tale signs of malicious app activity include unusual permissions requests or requests that don't include the app name; login prompts when you are already logged in; and mistakes in the interface like typos or buttons that don't work. 

    Always download apps from trusted sources and even then, a quick check to make sure an app is legit can save a lot of headaches later. 

Sources: 

https://threatpost.com/strandhogg-vulnerability-allows-malware-to-poseas-legitimate-android-apps/150750/

https://lifehacker.com/how-to-tell-if-an-android-app-is-strandhoggmalware-in-1840172627

https://promon.co/security-news/strandhogg/

VPN Hijacking Attack

A virtual private network (VPN) is supposed to keep the user's traffic over a network safe from outside onlookers. They act as a protected path for communication over a public network to gain access to the resources and capabilities of the private network without a physical connection. Researchers at University of New Mexico have discovered a vulnerability in most  Linux distros that allow an attacker to discover if the victim is using a VPN and to even hijack active connections within the VPN. The vulnerability is tracked as CVE-2019-14899.

The Attacker needs to be network adjacent to the victim to set up a rogue access point for which the victim will connect. This allows the attacker to determine the victim's virtual IP address, make inferences about the victim's active connections, and then to determine the sequence and acknowledgement numbers of the active connection by examining the encrypted replies to unsolicited packets. This gives the attacker the ability to hijack the TCP session. This acts much like echolocation or backscattering effects to determine the shape of something by observing the reactions of something thrown at it, be it sound waves, charged particles, or unsolicited packets.
This method was tested against several VPN services including OpenVPN, WireGaurd, and IKEv2/IPSec. The vulnerability was found to be exploitable in both IPv4 and IPv6 connections. It was not effective against any Linux distribution before the Ubuntu 19.10. In Ubuntu 19.10, the rp_filter settings were set to "loose" as opposed to "strict", but can be changed manually. The researchers believe that ToR users are protected as the encryption for these connections occur in user space.

The systems this vulnerability effects are as follows:
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init) • MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

Turning on Reverse path filtering (setting the rp_filter to “strict”), filtering fake addresses with bogon filtering, and encrypting both packet size and timing would help mitigate the issue.

Sources:

https://www.zdnet.com/article/newvulnerability-lets-attackers-sniff-orhijack-vpn-connections/

https://seclists.org/oss-sec/2019/q4/122

https://securityaffairs.co/wordpress/94764/hacking/cve-201914899-vpn-flaw.html


Don’t

Get or Buy a New Smart TV Warning

    Smart TVs have become extremely common in the last few years; it is even difficult to buy a new TV without smart functionality. Having Netflix streaming built into your TV can be convenient, but connecting your TV to the internet might not be the best idea. The FBI issued a warning this week regarding smart TVs and the risks associated with including your TV in the often poorly secured Internet of Things pool. The warning includes successful attack results ranging from minor annoyances like attacker being able to change the channel to major privacy invasions such as being able to record video and sound of you and your home.

    An attacker having the ability to change the volume and channels on your TV would be annoying, but the greater danger stems from more advanced attacks. As TVs have started integrating with 3rd party services, like Amazon Alexa and Google Assistant, some manufacturers have started including microphones and video cameras into their devices. As TVs are often located where people most commonly hang out, often these sensors provide an interesting target to attackers looking to eavesdrop on private conversations or steal personal information. Some manufacturers may even utilize these sensors for marketing and research purposes depending on the privacy policy and device settings. Automatic content recognition technology designed to analyze and report your viewing habits is also included in many smart TVs.

    Beyond using the TV to spy on you an attacker may just use it as a starting point into your private network to attack other devices containing more valuable information. Smart TVs fall into the IoT device category which includes a history of poorly secured and vulnerable devices. Some botnets, like Mirai, targeted IoT devices specifically due to their security reputation. Some TVs create their own wifi or Bluetooth network to enable file sharing or control from proximity devices. These can provide a bridge of sorts for a local attacker onto a network they shouldn’t have access to.

    The FBI has several recommendations to mitigate the risks associated with putting your smart TV on the network. The first tip is to look through the TV settings to disable the camera and microphone if possible. Along with this, they recommend reading through the privacy policy and opting out of any data collections options included with the TV. If it is not possible to disable the camera via software, they suggest the low tech method of placing a piece of tape over it. Consumers should research the security history of devices they are thinking of purchasing and try to buy from reputable companies to increase the likelihood of future security updates.

Sources

 • https://threatpost.com/smart-tvs-cyberthreat-living-room-feds/150713/

https://fbi.gov/contact-us/field-offices/portland/news/press-releases/techtuesdaysmart-tvs

Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes


NIST invites comments on Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes. All of the digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186-4 will be broken if large-scale quantum computers are ever built. NIST is in the process of developing standards for post-quantum secure digital signature schemes that can be used as replacements for the schemes that are specified in FIPS 186-4. However, this standardization process will not be complete for several years.

In this draft recommendation, NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554, respectively. Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. However, their use may be appropriate for applications in which use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.

The public comment period for this document is open through February 28, 2020. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Tuesday, December 3, 2019

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro report this

Behavior analysis


CallerSpy claims it’s a chat app, but we found that it had no chat features at all and it was riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.

Figure 3. Scheduled jobs

Figure 3. Scheduled jobs

Source Command
alive_latest_files_watcher Starts latest_files_watcher job and keeps it alive
enviorment_schedulers Configures environment record module
keep_enviorment_scehdular_alive Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive Starts listener job and keeps it alive
latest_files_watcher Collects latest call logs, SMSs, contacts, and files
listeners Updates configuration and takes a screenshot
record_enviorment Records environment
remote_sync Uploads privacy to the remote C&C server
sync_data_locally Collects all call log, SMS, contacts, and files information on the device

Table 1. Some of CallerSpy’s scheduling job tags

All of the stolen information are collected and stored in a local database before they’re uploaded to the C&C server periodically. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.

Figure 4. Privacy database

Figure 4. Privacy database

The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
 
For full info click here

Sunday, December 1, 2019

Caller Poses as CISA Rep in Extortion Scam


National Cyber Awareness System:

 

Original release date: November 29, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim’s questionable behavior and attempts to extort money.

If you receive a threatening call from someone claiming to be a CISA representative, CISA recommends the following actions:

  • Do not respond or try to contact the caller.
  • Do not pay the caller.
  • Contact your local FBI field office to file a report.

Friday, November 15, 2019

(In)Security Management Engine

   The out of band management system bundled on almost all Intel processors has become a hot target for attackers in recent years. This is because it runs alongside the main processor and has virtually unrestricted access to all the hardware in the machine. As long as the machine has power the management engine is sitting there silently waiting for commands from a system administrator with access to it. While this feature can be a huge help for administrators managing a large number of machines it also presents an extremely attractive attack point.

    Intel provides a number of different subsystems under the Converged Security and Management Engine (CSME). The management engine is the specific firmware for mainstream chips, they also provide Server Platform Services (SPS) for server hardware and the Trusted Execution Engine (TXE) for tablets and other low power devices. Security researchers have been skeptical of the CSME for years due to it being closed source, having full access to the hardware, and its inability to be disabled. Several vulnerabilities have been found in the system by various researchers in the past. It’s time to make sure your systems are up to date as Intel just released a bug advisory with 77 found vulnerabilities, including one listed as critical.
    The most critical vulnerability found (CVE-2019-0169) is a heap overflow bug that could allow an unauthenticated attacker to take over a target system or cause a denial of service. Other high security bugs were found as well including cross site scripting, insufficient access control, and privilege escalation. For most of the attacks the only requirement is that the target machine is on the same network as the attacker. While many of the vulnerabilities allow an already privileged user to escalate their privileges, some of them require no prior authorization. By chaining these types of vulnerabilities together it would be possible for someone to go from having no access to having full privileges on the machine.
    Most of the vulnerabilities were found by Intel itself as part of an internal audit designed to harden the CSME system. 10 of the vulnerabilities came from independent researchers who reported the bugs to Intel. As always, it is important to make sure your systems are up to date, especially if public facing or used on untrusted networks. The required patches are typically bundled in your operating systems update mechanism such as processor micro code updates. Depending on your specific hardware and software setup you may have to acquire and run the updates manually.

Sources

 • https://threatpost.ccom/intel-critical-info-disclosure-bug-securityengine/150124/

https://blogs.intel.com/technology/2019/11/ipas-november-2019-intelplatform-update-ipu/11

Vulnerability in Amazon’s Ring Video Doorbell

    Researchers at Bitdefender have found a vulnerability in Amazon’s Ring Video Doorbell which allows an attacker with proximity to the device to intercept the Wi-Fi credentials of the network it operates on, which could lead to further attacks to devices on the network. The Ring Doorbell is an IoT device that allows a person to remotely view and communicate to people on their property. The exploit revolves around the setup procedure and the lack of security in place during that setup. The researchers say that while setting up the device, the doorbell will broadcast an unprotected wireless signal which is meant to facilitate the communication between the app and the device. Besides this, the communication between the app and the doorbell is done insecurely through HTTP. This means that when the app prompts the user to enter their home Wi-Fi credentials, an eavesdropper can see the password in plaintext. This could then lead to exploitation of the network and attacks against the devices on it.

    While the doorbell is only vulnerable when performing the initial setup, the researchers say that there is a way to trick the user into going through the setup again. They discovered that sending de-authentication messages to the device will make the user think that the device is not properly working, leading them to reconfigure it. A de-authentication attack is a type of denial of service attack where an attacker continuously sends de-authentication frames to one or more devices, preventing them from connecting to the network. While sending the de-authentication messages, the doorbell will disconnect itself from the Wi-Fi network and make it unable to reconnect. The last resort to resolve the connection issue is to reconfigure the device by going through the setup process again, leading to an eavesdropper gathering the credentials.

    Ring has since patched this vulnerability with the release of its newest software update and urges its users to perform an update on their device. However, users that have not yet updated should be aware of this method to force a reconfiguration. If you suddenly find that the device is unable to connect to Wi-Fi you may be the victim of this attack. The exploitation of this vulnerability, while relatively easy, does require the attacker to be within some proximity to the network. This is not the first time that Ring has exposed users’ Wi-Fi passwords to attackers. In 2016, researchers found that by pushing a button on the device to activate access point mode, an attacker could use a mobile device to navigate to a URL that exposed the network settings. While IoT devices can provide great benefits to consumers, they must contain proper security controls.

Sources: 

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html 

https://www.bitdefender.com/files/News/CaseStudies/study/294/Bitdefender-WhitePaper-RDoor-CREA3949-en-EN-GenericUse.pdf 
11

Wednesday, November 13, 2019

Amazon Alexa and Google Home are listening

    Amazon Alexa and Google Home are listening. It’s likely you are aware of the security and privacy concerns as well as their mitigations. It’s the price we pay for the technology we want. Unfortunately, there is another attack vector recently exposed by researchers at Germany's Security Research Labs (SRL). The most interesting part of this research is that it is an absolute “confirmed proofof-concept”. The researchers developed four Alexa “skills” and 4 more Google Home “actions”, submitted the malicious apps where they all passed Amazon and Google security vetting processes, and made it into the respective markets. SRL developed two types of malicious applications: a set for eavesdropping, and a set for phishing. The eavesdropping apps responded to the wake phrase and provided the requested information while the phishing apps responded with an error message. Both methods created the illusion of stopped functions while proceeding silently with their attack. The eavesdropping attacks used methods involving pauses, delays, and exploiting flaws in text-to-speech engines speaking unspeakable phrases that produced no auditable output. This gave the impression that the application finished when it was still listening, recording, and sending it back to the application developer. In the case of the phishing apps, the error message created the impression that the application had finished unsuccessfully. Similar tricks to keep the application running were used followed by the application mimicking the device voice claiming there is an update available and requesting that the user say their account password. Neither Amazon Alexa nor Google Home do this, but naive users might respond. These seem like they may not be too effective- a user may not say anything of utility or anything at all to the eavesdropper and they should know to ignore the requests of a phishing attempt.

    But these attacks highlight key issues:

• What vetting process is Amazon or Google using?

• What other exploitable flaws exist in their vetting methods?

• Why would Amazon or Google allow a functionality change after review?

    Google Play has an unfortunate history of hosting a variety of malicious apps and eavesdropping concerns have been previously reported by Checkmarx and MWR Labs for Alexa skills. SRL did report the results of its research to Amazon and Google through their responsible disclosure process. Both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future. But SRL’s success raises serious concerns and it’s worth noting these key issues are not only applicable to listening smart home devices but can be considered for all applications available on any platform. I’m not ready to give them up just yet, but Dan Goodin of ARS Technica sums it up this way: “SRL’s research only adds to my belief that these devices shouldn't be trusted by most people.”

Sources: 

https://arstechnica.com/information-technology/2019/10/alexa-andgoogle-home-abused-to-eavesdrop-and-phish-passwords/

https://srlabs.de/bites/smart-spies/

Adobe Data Leak

    Multinational software company Adobe has suffered a data leak that exposed the account information of an estimated 7.5 million customers, according to security researcher Bob Diachenko. Those affected were subscribers to Adobe’s Creative Cloud service which provides users with access to its line of software applications which includes Photoshop, Illustrator, and After Effects, among others. This leak is the result of an unsecured and poorly implemented Elasticsearch database.

    The researchers discovered the database on October 19th and notified Adobe the same day. Exposed information includes email addresses, owned products, account creation date, subscription status, account ID, country, last login date, and if the user is an Adobe employee. The database did not include any financial information or passwords. It is also unknown whether this database had been stumbled upon before researchers found and disclosed it to Adobe. Adobe released a blog post stating that” last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.” Adobe also confirmed that the data did not include any passwords or financial information.

    This is not the first time Adobe has been careless about how user information is stored. In 2013, Adobe suffered a major data breach that affected at least 38 million users but could have affected up to 150 million. This 2013 breach also resulted in the loss of password data as well as stolen source code for several Adobe products. Analysis of this breach found that Adobe was improperly storing passwords, allowing for many of the most common passwords to be guessed. At the time, the 2013 breach was considered one of the worst data breaches to have occurred. 

    While the leaked data may seem unalarming, it may still be a cause for concern. Using the leaked data, a malicious actor could create a very targeted phishing campaign. Typically, phishing emails are sent to a wide range of individuals, and because of this tend to not include information relevant to the recipient. However, using this data an individual could use details such as first and last name, account number, subscription status, and last login date to create a very convincing phishing email. While, as previously stated, it is unknown as to whether this information was found by anyone else, users should still be aware of possible phishing emails containing Adobe account information. 

Sources

https://thehackernews.com/2019/10/adobe-database-leaked.html 

https://securityaffairs.co/wordpress/92986/breaking-news/adobe-creative-cloud-data-leak.html11

Friday, November 1, 2019

Computer Baselines


    Security, for many, seems hard to do right.   I know that we all think about firewalls, patch management, antivirus and physical security.   But I like to cover an area that does not get focused on by most companies.

     Baseline and inventory of computers on a network are often overlooked.  I ask all the time, “Do you know what the computers are in your network?  What are the services that are running?  What ports are open?  Who uses the services?  Who are the users?”

    For the most part, I hear “Uh, no. We don’t know.”   If you do not know what’s running on your systems, how will you know what changed if someone breaks into your network?  How will you know?  I believe that you need to create a master file (portfolio) that lists what the computers/servers are doing; what tasks/services are being run; what ports are open; who is the owner of that application; who are the users; what are the data backup requirements, 1 a day, once and hour ?; and finally, who maintains master file (portfolio)?


    If you have this as minimum documentation you can then do a risk assessment and identify all the systems and prioritize what needs to be monitored and controlled.

Monday, October 28, 2019

Apps Apple App Store that are infected with clicker trojan malware.

    Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

    The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

About the infected apps

    The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

Adware Campaign Affects Millions

    Smartphones have become the icon of our modern technological society. They are so prevalent that app development has grown exponentially in recent years in the struggle to become the next Facebook or Pinterest. The phrase “There’s an app for that” truly describes the breadth of apps available. However, this can also lead to many malicious apps available that could be harmful to users, such as the Ashas family of adware apps available on the Google Play store.

    ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.

    The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background. 

    ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually the author’s YouTube channel and personal Facebook page. All of the information was publicly-available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and then later decided to turn to malicious behavior.

Sources:

 • https://thehackernews.com/2019/10/42-adware-apps-with-8-milliondownloads.html 

 • https://www.welivesecurity.com/2019/10/24/tracking-down-developerandroid-adware/ 

https://www.zdnet.com/article/vietnamese-student-behind-androidadware-strain-that-infected-millions/10

Tuesday, October 22, 2019

Unpatched Linux bug may open devices to serious attacks over Wi-Fi

NIST   National Vulnerability Database  - CVE-2019-17666 Detail            
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
 
Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.
 
A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.
The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.
"The bug is serious," Nico Waisman, who is a principal security engineer at Github, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver."
The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.
Waisman said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine.
"I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
After the vulnerability became public, the researcher discussed the flaw on Twitter.

Notice of Absence

The driver flaw can be triggered when an affected device is within radio range of a malicious device. As long as the Wi-Fi is turned on, it requires no interaction on the part of the end user. The malicious device exploits the vulnerability by using a power-saving feature known as a Notice of Absence that's built into Wi-Fi Direct, a standard that allows two devices to connect over Wi-Fi without the need of an access point. The attack would work by adding vendor-specific information elements to Wi-Fi beacons that, when received by a vulnerable device, trigger the buffer overflow in the Linux kernel.
The vulnerability only affects Linux devices that use a Realtek chip when Wi-Fi is turned on. The flaw can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer. Based on links here and here, it appears that Android devices with Realtek Wi-Fi chips may also be affected.
Representatives of both Realtek and Google didn't immediately comment on this story.
While it's still not clear how severely this vulnerability can be exploited, the prospect of code-execution attacks that can be staged wirelessly by devices within radio range is serious. This post will be updated if new information becomes available.

you can read the full post here

Monday, October 21, 2019

New malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic.

   The vast majority of websites these days have Hypertext Transfer Protocol Secure (HTTPS) enabled, adding a layer of security that protects our communications against eavesdropping and tampering. It is encrypted using Transport Layer Security (TLS), the current standard for secure web communication. Like all protocols, it is not immune to attack. Some of the more infamous malware that impacts TLS (or its predecessor Secure Sockets Layer [SSL]) are FREAK, Logjam, POODLE, and Heartbleed.

   More recently, researchers from Kaspersky's Global Research and Analysis Team (GReAT) discovered a malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic. Dubbed Reductor, it appears to be related to the COMPfun trojan discovered in 2014, which provides one of its infection vectors. Servers that that are infected with COMPfun can be used to download and install Reductor. Reductor is also delivered through software downloads from untrustworthy sites. 

   Once installed, the malware patches Firefox® and Chrome web browsers to snoop on the victim's encrypted traffic. It modifies the target's TLS certificate and gives the attacker remote access to manipulate and execute files. What really sets Reductor apart is the way that it patches the code for pseudorandom number generator functions (PRNG). This function adds random numbers to the packet at the beginning of the TLS handshake. Reductor is able to use the PRNG code to inject victim-specific identifiers, allowing the attacker to track the victim's traffic wherever it goes. 

   GReAT believes Reductor comes from a hacker group operating under the protection of the Russian government and may be linked to the Advanced Persistent Thread (APT) group Turla, however there is no concrete evidence to support a Turla connection. There are similarities both with the COMPfun code and in the affected victims, where "cyber-espionage on diplomatic entities" appears to be a primary objective. 

Sources
 • https://www.bleepingcomputer.com/news/security/hackers-patch-webbrowsers-to-track-encrypted-traffic/

https://threatpost.com/new-reductor-malware-hijacks-httpstraffic/148904/

https://securelist.com/compfun-successor-reductor/93633/

New Phishing Emails Attack

  Phishing emails typically provide some obvious tells to their malicious nature. However, when a    phishing email contains information such as organizationspecific email bodies and email signatures, organization branding, and relevant news, it can be harder to distinguish the difference between legitimate and malicious. These factors are what make the phishing campaign of TA407 or the “Silent Librarian” threat actor group different. This group, as described by researchers at Proofpoint and Secureworks, are a group of Iranian hackers targeting the intellectual property of universities in the United States and Europe.

    This is done through a phishing campaign targeted at university students which redirect users to a malicious landing page tailored to look like the universities’ login page. The hackers are then able to access library content with the stolen account credentials. 
What makes this campaign unique is the length at which the threat actors went to appear convincing. Each targeted university has a personalized landing page. In addition to that, the email contains proper grammar, providing links to library resources and a helpdesk email address if the student should need any help with account login. The landing page contains spoofed display names, stolen branding matching the actual login page and even in one case, an accurate weather forecast informing students that the campus is closed due to a snowstorm.

   In 2018, the US Department of Justice charged nine members of the group for their actions, alleging that between 2013 and 2017, TA407’s activities accounted for $3.4 billion worth of stolen intellectual property, 31.5 terabytes of academic data, almost 8000 compromised university accounts and 3700 compromised accounts belonging to professors at US-based universities. They also allege that 144 US-based and 176 foreign universities were victims of the scheme. The Department of Justice states that this group operates on behalf of the Iranian government and that the stolen data is being used by the Iranian government and Iranian universities. Although this specific phishing campaign is targeted toward students, there are many steps that you can take to avoid falling victim to phishing emails. Noticing such things as a strange sender email address, the lack of identifying information (e.g. valid account number, name, address), links to strange domains, and improper grammar may all be a tell that the email is malicious. If you are still unable to determine if it is a phishing email, it may be best to visit the site in question directly and not through any links provided in the email. 

Sources

https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/

 • https://www.proofpoint.com/us/threat-insight/post/threat-actor-profileta407-silent-librarian 

New Infected Docker Daemons in the Docker Engine

    Researchers at Palo Alto's Unit 42 have discovered a worm that mines Monero, a privacy focused cryptocurrency, and spreads itself via infected Docker Daemons in the Docker Engine. Shodan scans of Docker engines show over 2000 unsecured Docker hosts. The researchers have named the cyptojacking malware Graboid. 

    Graboid has a downloader planted on an infected Docker image with a Docker Client tool used to connect to other Docker hosts. The attacker accesses an unsecured Docker host and infects it with the malicious image. Anti-virus solutions would normally look for viral content or virus like activity but not check the contents of data within container as the container is maintained separately from the main machine. This form of obfuscation has been observed in other containerization solutions before, but Graboid is exceptional in its erratic and relatively ineffective methodology.

    After retrieving and establishing the malicious image, the attacker then downloads the 4 shell scripts of DOOM. These Shell scrips are named live.sh, worm.sh, xmr.sh, and cleanxmr.sh. The first script, live.sh, surveys the victim assessing the resources to be plundered. it reports the number of available CPUs on the compromised host for the Command & control (C2) server to coordinate. The next script brings the ever hunting nose of the beast. The worm.sh script downloads the list of over 2000 vulnerable host's IPs and replicates itself onto one of those IPs randomly. Then the last two scripts bring the chaos. The xmr.sh script deploys gakaws/nginx, a Monero cryptominer disguised to look like a NGIX load balancer/ web server, and does so on a randomly selected infected server. The last script, cleanxmr.sh, stops any xmrig based containers on another randomly selected infected server. It seems like Graboid runs Cleanxmr.sh before it runs xmr.sh as to avoid deactivating any Docker engines that just had their Monero mining capabilities turned on. This leads to a delay in the mining capabilities being turned on until the host is selected randomly by another infected host. Eventually the host will be selected to be disabled until a later time to be re enabled. This flash of infection and erratic appearances as well as the worm functionality has led to the researcher's choice in naming the malware after the monsters in the 1990's film Tremors.

    Graboid currently uses 15 C2 servers where 14 are included in the list of vulnerable IPs and the last has over 50 known vulnerabilities. The researchers have observed that it is likely these are controlled by the attacker illicitly. they have also calculated that it would have taken about 60 minutes to infect 70% of the vulnerable hosts with returns diminishing sharply after that. At that point there would be about 900 active miners at any particular time rotating through the available infected hosts with all of the infected hosts acting as nodes to facilitate communication with the Monero blockhain network. With a 100 second period of activity, a node is expected to be active for 250 seconds before being deactivated.

Sources:
 • https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/

https://threatpost.com/dockercontainers-graboid-cryptoworm/149235/

https://securityaffairs.co/wordpress/92586/malware/graboidtargets-docker-hub.html

NSA and NCSC Release Joint Advisory on Turla Group Activity


National Cyber Awareness System:

 


10/21/2019 11:56 AM EDT

 

Original release date: October 21, 2019

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
•    NSA Advisory
Turla Group Exploits Iranian APT To Expand Coverage Of Victims
•    UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
•    January 2018 UK NCSC Report Turla Group Malware

Wednesday, October 16, 2019

Is Your VPN at Risk ?

    A commonly used method to secure network resources is a Virtual Private Network (VPN). They allow remote network devices to securely communicate with local resources as if they were physically plugged into the same network segment. You may even use one when working remotely to help keep your network traffic secure. While they can easily provide a lot of protection from various network attacks there are many pitfalls to avoid in order to keep the network resources secure.

    One common mistake when setting up a VPN is not properly securing the devices that the VPN provides access to. Because the servers or devices will not have direct inbound internet access many times a relaxed security policy is taken. This is because it is assumed that in order to access them an attacker would first have to either be on the network directly or be connected tuourhrough the VPN. Another common mistake is not regularly updating the VPN software. There are many reasons this can occur, including avoiding downtime or not wanting to break something that appears to be working fine as is.

    This week the National Security Agency (NSA) issued an advisory stating that APT groups have been actively using flaws in some popular VPN software to attack networks. They say the groups have weaponized three vulnerabilities against two pieces of VPN software, Pulse Secure VPN and Fortinet VPN. Two of the vulnerabilities, CVE-2019-11539 and CVE-201911510 specifically target Pulse Secure VPN servers. They allow remote unauthenticated command injection and arbitrary file reads on the VPN server device. The remaining vulnerability, CVE-201813379, targets Fortinet VPN servers and allows for remote unauthenticated arbitrary file reads from the server device. The National Cyber Security Center in the UK posted a separate advisory which added CVE-2018-13383 and CVE-2018-13383 to the list of vulnerabilities being used against Fortinet devices. Palo Alto Networks VPN software was also added to the vulnerable devices list with attackers utilizing CVE-2019-1579 for remote code execution on the affected VPN servers.

    In total the two agencies reported six vulnerabilities against three separate VPN software vendors. For each of the affected VPN products the vulnerabilities being used could allow an attacker access to the network resources as if the attacker were physically on the network. All of the affected products have updates available to fix these flaws so it is important that they are updated immediately if an affected version is still in use. The NSA also recommends rotating any existing VPN keys or tokens just in case they were stolen before the patches were able to be applied. 
Sources:

https://threatpost.com/apt-groupsexploiting-flaws-in-unpatched-vpnsofficials-warn/148956/

https://www.cyberscoop.com/vpnvulnerabilities-china-apt-palo-alto/

Saturday, October 5, 2019

Ransomware attacks across the world - TheCybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of ransomware:
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak for more information.
For recent CISA Alerts on specific ransomware threats, see:
Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns that although modernization of transport protocols is helpful, it also makes it more difficult to monitor or modify DNS requests. These changes could render an organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators review the Dutch NCSC fact sheet on DNS monitoring for additional information and recommendations.

Microsoft Reports Cyberattacks on Targeted Email Accounts


Original release date: October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information and recommendations and CISA’s Tip on Supplementing Passwords.

New Portable Document Format (PDF) attack on encryption features

    The Portable Document Format (PDF) standard has been able to provide many benefits that unify communications across many different software and hardware platforms. One of those elements is the encryption schemes that allow users to password protect their documents from view, edit, or saving permissions without the required password. Another encryption feature included with the PDF standard is the ability to sign documents with an electronic signature with the same legal standing as a handwritten signature, this may include digital signing which uses cryptographic measures to assure authenticity.

    Researchers from Ruhr University Bochum, FH M√ľnster University of Applied Sciences, and Hackmanit GmbH have developed a two pronged attack on the security measures of PDFs and their encryption schemes. They have named their attack PDFex. In their research they developed methods for the exfiltration of the contents of the encrypted PDF with minimal prior knowledge of the contents of the PDF file. The methods studied can also modify the contents to change the plain text as well as add malicious functionality. The first prong of PDFex attack methods rely on how an encrypted PDF only encrypts portions of the PDF file leaving other portions unencrypted and unprotected. The attacker is then able to modify the contents of the unencrypted portions of the file. In this way they can plant data which submits a form including the contents of the PDF to an attacker controlled server granting the attacker access to the contents of the PDF. The attacker can edit an unencrypted field with a URL which will be sent encrypted and unencrypted strings from the document. The last method in this attack on the unencrypted portion of PDF files injects JavaScript code into the document which then ex filtrates the data within the file. This is the "Direct Exfiltration" method of the PDFex attack.

    The other prong of this attack uses CBC malleability gadgets, tools that are able to edit cipher texts encrypted with the cipher block chaining (CBC) encryption mode without integrity checks. It just so happens that the PDF standard does exactly that. This method can modify plain text as well as add in new encrypted content to the file. This technique can enact the PDF forms and hyperlink techniques as listed in the Direct Exfiltration method. The CBC Gadgets method can also edit PDF object streams such that they submit themselves to an attacker controlled server. Both attacks require the victim to open the tainted document so that the traps can deliver the finally decrypted information to the attacker. The researchers have tested their techniques on 27 PDF viewers and all were susceptible to at least one method of the PDFex attack.
    The attack requires that the attacker have access to the file to modify it, some of the attacks have other requirements such as the ability to trigger URL s from the viewer, or for the viewer to have permission to use JavaScript in the background. One of the researchers reported to Threatpost that "There are currently no effective countermeasures, as the weaknesses lie in the PDF encryption standard itself" and that the best mitigation is to use additional layers of encryption outside of the PDF standard to protect their data.

Sources:

https://www.pdf-insecurity.org/download/paper-pdf_encryptionccs2019.pdf

https://threatpost.com/hack-breakspdf-encryption/148834/

New Malware Uses messaging app Telegram

    Remote malware has been around for almost the entire history of computers. Attackers are always looking for ways to exfiltrate data from systems and be able to control their malware from a remote location. The Command & Control (C2) devices are usually servers controlled by the attacker, but a new malware dubbed by Juniper researchers as Masad has taken a different approach: using the messaging app Telegram for its C2 functions.

    Telegram is a popular messaging and Voice-over-IP (VoIP) app with over 200 million active monthly users. This makes it a pretty good place to try and hide malicious activity. Masad uses the sendDocument API of Telegram to exfiltrate data stolen from victims as a 7zip archive. Juniper has detected over 1,000 variants of Masad in the wild, as well as 338 unique Telegram C2 bots related to its use. Due to the malware being sold as a product rather than kept to a particular group, multiple groups can be using Masad for different campaigns. The developers of Masad have even created a group within Telegram with over 300 members, designed for potential clients and tech support.
Masad’s attack vectors include disguising itself as a legitimate tool or hiding itself in other third-party tools. For instance, it has been seen mimicking CCleaner, Utilman, Whoami, ProxySwitcher, a Samsung Galaxy software update, and many others. The developers have also included current trends in gaming, especially for younger internet users that may not be security conscious, by hiding Masad as Fortniteaimbot 2019.exe and an EXEA HACK CRACKED executable claiming to be for PUBG, CounterStrike Global Offensive, Fortnite, Grand Theft Auto 5, and DOTA.

    The malware also has the capability to download additional malicious tools, usually more cryptominers. Masad has a wide array of abilities for information stealing in addition to its cryptomining. It can steal system information including running processes, desktop files and screenshots, browser information such as cookies, passwords, credit cards, and AutoFill data, as well as Steam, FileZilla, and Discord files. Masad is also being advertised as a Clipper which looks for cryptocurrency wallet information in the system’s clipboard and replaces it with the attacker’s wallet information. It searches for over two dozen different flavors of cryptocurrency, including Bitcoin, Litecoin, Monero, Ethereum, and DogeCoin.

    Juniper researchers recommend locking down the Telegram communication protocol at the firewall level provided there is no legitimate business use that this would interrupt. They also suggest using a next-generation firewall with Advanced Persistent Threat (APT) protection to help counteract the malware if it gets inside the organization.

Sources

https://threatpost.com/masad-spyware-telegram-bots/148759/ 

https://coingeek.com/new-malware-uses-telegram-app-to-replace-cryptoaddresses/

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltratingusing-Telegram/ba-p/468559 

Baseband Management Controllers (BMC) critical vulnerability

    Baseband Management Controllers (BMC) are a popular feature found on most motherboards targeting the server market. They provide a number of convenience functions for remote management which is great for machines typically located in a cold noisy room. Some of the functions they provide include remote power cycling, keyboard video mouse (KVM), and virtual media emulation. The combination of these functions can allow an administrator to provision a server without ever having to touch it. With that much power over the system they are bound to be a highly valuable target for attack.

    This week the security company Eclypsium released a critical vulnerability they found in Supermicro’s BMC implementation. The vulnerability reported is in the virtual media service subsystem. This service allows a remote administrator to attach USB devices, such as DVD drives or keyboards, to the machine remotely as if they were physically plugged into the machine. The feature requires authentication to function properly of course but the researchers found a way to bypass this requirement. 

    The first weakness is that the BMC would accept authentication requests via plaintext by default. They noted that encryption support is available but based on an old weak Rivest Cipher 4 algorithm. In addition, the key used when using encryption is shared across all Supermicro devices, making man-in-the-middle decryption possible. They also uncovered a complete authentication bypass in the system. This is possible because the BMC does not timeout a valid authorized session in a timely manner. An attacker would be able to re-use the session and gain access if an administrator had recently successfully logged into the system and used the virtual media service. BMC systems are rarely reset due to their nature of being an always online out of band management system, increasing the likelihood of this attack being successful.

    Supermicro has issued an update to their BMC software, but it is unlikely that machines will be patched immediately. This is due to the machines needing to be completely powered off in order to apply the update. Until then it is recommended to block the port used by the virtual media service, port 623, until the patch can be applied. Researchers warn that this will likely not be the last BMC vulnerability discovered, so additional measures should be taken when possible. The best defense against these attacks is keeping vulnerable machines on a separate network from other traffic. Ideally management interfaces should be on their own network that is not exposed to public facing traffic.

Sources

 • https://csoonline.com/article/3435900/insecure-virtual-usb-feature-insupermicro-bmcs-exposes-servers-to-attack.html

https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack

Fake Veteran Hiring Website

    Researchers at Cisco Talos have discovered a fake veteran hiring website, hosted by an Iranian hacking group, luring users into downloading malware by spoofing a legitimate veteran job search site. The sham website, hiremilitaryheroes.com has been designed to resemble the valid US Chamber of Congress sponsored hireheroesusa.org and is targeting veteran job seekers with malicious code including Remote Administration Trojans and spying tools.

    Researchers have attributed the website to a nation state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The modus operandi for the group has been to first target major IT provider networks in Saudi Arabia and then to leapfrog from those provider networks to customer target networks. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download their “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloads are binary base 64 encoded and perform reconnaissance and provide remote administrative access to the victim’s machine.

    The recon tool collects a vast amount of information from the system including, date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two hardcoded email addresses in the malware, “ericaclayton2020@gmail.com” and “marinaparks108@gmail.com”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and to execute commands on the system.
    The malicious website has the potential to impact a large swath of victims due to the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many could be infected if this fake site is shared online among social media sites. 

Sources:

https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

Google Play Store and Malicious Applications

    There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 instances of malicious apps, with a combined userbase of over 2.1 million, on the Google Play Store. These apps were designed to be camouflaged as photo utility and fashion apps, and upon download, did not exhibit any malicious properties. It wasn’t until the app downloads a remote configuration file that it becomes malicious. This behavior is what allows the app to bypass the security checks implemented by Google. Since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base. 

    Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. This behavior continues even when the app is closed. This can be confusing for users who cannot even recall downloading the app as there is no icon or name associated with the behavior. Another interesting trick the developers use is the use of two versions of the same app. One version is a malicious version with full-screen advertisements while the other is a non-malicious version, which just so happens to be present in the Google Play’s Top App Charts. The researchers believe that this is done in the hope that users accidentally download the malicious copy of the app instead of the popular, non-malicious version. 

    The researchers believe that the primary reason for the creation of these apps is the monetary gain from the advertising revenue. There will be some subset of users that will continue to deal with the advertisements, despite their annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. In order to protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and noticing the permissions requested by apps that you download

Sources: 

https://www.bleepingcomputer.com/news/security/malicious-androidapps-evade-google-play-protect-via-remote-commands/ 

https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play09