Pay a Ransom or Suffer a Data Breach?

    A ransomware variant referred to as Ragnar Locker is specifically targeting services used by managed service providers and threatening the public release of found documents. Managed service providers remotely manage a customer’s IT infrastructure and end-user systems. With the remote management services stopped, the ransomware can infect without intervention. The scariest thing about this ransomware is that it also claims to perform data exfiltration. According to the attackers, before the execution of the ransomware, they perform reconnaissance and specific pre-deployment tasks on the network and the devices connected to it. The attackers state that one of these pre-deployment tasks is to steal files and upload them to their server. They then say that if the ransom is not paid, the data will be publicly released.

    The idea of ransomware coupled with a data breach resembles blackmail, but it is a relatively new concept. Ragnar Locker is not the first ransomware to claim that data was stolen: in October 2019, Maze ransomware released 700MB of stolen data from an affected company after it refused to pay the ransom. Then, in December, the criminals behind Maze created a website dedicated to those who refused to pay. This site contained the company names, date of infection, and any data stolen from that company. Around this time, the Sodinokibi ransomware operators also stated that they would start exfiltrating user data. While there haven’t been any observed dumps related to Sodinokibi, researchers confirmed that they are exfiltrating data as part of their attacks. However, just because a ransom note says that data theft is part of the attack doesn’t mean that it was.

    Telling users that their data will be made public if the ransom isn’t paid can be a convincing tactic to increase the rate of payment. In the business setting, the disclosure of sensitive data could make the organization liable for fines exceeding the cost of the ransom demand.

    If the ransom note says that data theft occurred, it is essential to independently verify this, as the claim is often used as a scare tactic. If unable to determine whether data theft occurred, researching the ransomware variant may provide details about its behavior. In addition to this, ensuring that backups are in place is an essential part of any ransomware recovery plan. Ragnar Locker is just one of many ransomware strains that now say they are exfiltrating data. Expect to see more and more ransomware variants claiming data exfiltration, with some following up on that promise.

Sources

  • https://www.bleepingcomputer.com/news/security/ragnar-lockerransomware-targets-msp-enterprise-support-tools/
  • https://www.coveware.com/blog/marriage-ransomware-data-breach

WhatsApp

    Modern communication revolves around the internet and the digital age, allowing people to communicate instantaneously no matter where they are in the world. There are many messaging applications that have come along through the years, but one of the most popular ones used today is WhatsApp. However, security researchers at PerimeterX recently found a vulnerability in WhatsApp that could allow Remote Code Execution (RCE) and the ability to remotely view files on a target system.

    WhatsApp, now owned by Facebook, is one of the most popular messaging apps in the world. The desktop platform alone has over 1.5 billion monthly active users. WhatsApp is known for its end-to-end encryption of messages, making it popular among political dissidents in countries where such activities could be severely punished, as well as among criminal groups and privacy enthusiasts.

    The vulnerability, CVE-2019-18426, is related to the app’s use of JavaScript and was discovered by PerimeterX cybersecurity researcher Gal Weizman. By manipulating the app’s JavaScript, an attacker can modify both links and website previews in messages so that they appear legitimate while redirecting the victim to malicious sites or downloads. This Cross-Site Scripting (XSS) attack can inject malicious links into messages that appear to be coming from friends of the target. The payload of these malicious links could be malware that allows an attacker to remotely execute code on the target’s machine for a variety of purposes. The XSS vulnerability stems from a gap in the Content Security Policy (CSP) used by WhatsApp, which also allows an attacker to gain read permissions on the local file system for both the Mac and Windows desktop apps.

    The vulnerability has been patched in desktop version 0.3.9309 and newer. Also, newer versions of Chrome protect against these types of JavaScript modifications, but other browsers such as Safari do not. Always ensure that your browsers and apps are up to date with the latest patches to ensure maximum protection on the technical side. User training to always be suspicious, especially of links, can also go a long way towards protecting organizations from these types of attacks.
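The two defensive checks implied above, as an added example in Python (not WhatsApp’s or PerimeterX’s code): rendering a link preview so that only http(s) targets become clickable and a preview whose displayed domain differs from its real target is flagged, and auditing a Content-Security-Policy header for the kind of script-loading gap described. The preview field names (href, display_url, title) and all sample inputs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Schemes a chat client should turn into a clickable preview. javascript:,
# data:, file: and relative links are rejected before anything is rendered.
SAFE_SCHEMES = {"http", "https"}


def sanitize_link(raw_href):
    """Return the URL if it is an absolute http(s) link with a host, else None."""
    parts = urlsplit(raw_href.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.hostname:
        return None
    return parts.geturl()


def render_preview(preview):
    """Build the fields a client would show for a link preview.

    `preview` is a constructed dict with keys href, display_url and title
    (hypothetical names, not WhatsApp's data model). The displayed URL is
    compared with the real target so a preview that shows one domain while
    pointing at another is flagged rather than rendered as legitimate.
    """
    href = sanitize_link(preview.get("href", ""))
    target_host = urlsplit(href).hostname if href else None
    shown_host = urlsplit(preview.get("display_url", "")).hostname
    return {
        "href": href,
        # the title goes into a text node, never into markup
        "title": str(preview.get("title", "")),
        "mismatch": bool(href and shown_host and shown_host != target_host),
    }


_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_weaknesses(header):
    """List script-loading gaps in a CSP header.

    script-src falls back to default-src; with neither present the browser
    runs inline and remote scripts freely. 'unsafe-inline' only counts as a
    gap when no nonce or hash source is listed, because browsers that
    understand nonces and hashes ignore 'unsafe-inline' in that case.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: any script may run"]
    issues = []
    if "*" in sources:
        issues.append("effective script-src allows scripts from any origin")
    if "'unsafe-inline'" in sources and not any(_NONCE_OR_HASH.match(s) for s in sources):
        issues.append("effective script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in sources:
        issues.append("effective script-src allows 'unsafe-eval'")
    return issues


if __name__ == "__main__":
    # constructed input: a preview that shows a bank domain but links elsewhere
    spoofed = {"href": "https://attacker.example/x",
               "display_url": "https://bank.example/login",
               "title": "Your statement"}
    print(render_preview(spoofed))
    print(csp_weaknesses("default-src 'self'; script-src 'self' 'unsafe-inline'"))
```

The CSP check deliberately reports the effective script policy rather than the literal directive, because a missing script-src inherits default-src and a missing default-src means no restriction at all.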

   Sources:

Critical vulnerability in the Nortek Linear eMerge E3 access controller

    Take a look around and note all of the electronics around you. How many devices
are in the room with you? How many are communicating? Look beyond the
obvious computer, cell phone, and smart watch. Are there headphones? Key
fobs? Door locks? Anything with a circuit board can be hacked and anything
that is trying to connect makes it easier. Every device comes with vulnerabilities
– it’s just a matter of whether someone has found them yet.

    When security researchers come across a vulnerability they typically report it to
the company that develops the product before going public with the discovery.
This is done in good faith so that the company has time to issue a patch. In a
perfect world, the vulnerability is announced and includes a statement that it’s
already been fixed so we can all grab the update if we need to. Unfortunately,
that isn’t always the case.

    This week, researchers from SonicWall reported active exploitation of proof of
concept code for a critical vulnerability in the Nortek Linear eMerge E3 access
controller. This is a physical access control that determines who can use which
door and when. The Linear eMerge E3 has been deployed across multiple industries
from healthcare to banking to manufacturing and more. According to the
SonicWall team, “It runs on embedded Linux Operating System and the system
can be managed from a browser via embedded web server.”

    But SonicWall didn’t discover the vulnerability. It’s over eight months old and
it’s actually 10 vulnerabilities that exist on the E3 controllers. It was originally
made public in a May 2019 research report from Applied Risk where six of the
10 vulnerabilities were identified as critical. Some of the issues, such as default
credentials on the devices and stored cleartext credentials, should be shocking.
But sadly they are all too commonplace, especially in the world of IoT.
After Nortek neglected to issue patches, Applied Risk released proof of concept
exploit code in November 2019 with the hope of forcing the company to address
the issue. At this time, no patch has been released. SonicWall noted that
over 2300 eMerge devices could be easily found – a small number compared to
how many connected devices there are in total – but this is just one model from
one manufacturer. There are still millions of IoT devices out there, easily discoverable,
and every single one has vulnerabilities waiting to be found.

Sources

  • https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/
  • https://applied-risk.com/assets/uploads/whitepapers/Nortek-Linear-E3-Advisory-2019.pdf
  • https://securitynews.sonicwall.com/xmlpost/linear-emerge-e3-access-controller-actively-being-exploited/

Avast has been cashing in by selling its customers’ web browsing history

    The popular antivirus program Avast has been cashing in by selling its customers’ web browsing history. A joint investigation by PCMag and Motherboard found the antivirus company selling its customers’ highly sensitive web browsing data to many of the world’s largest companies. Through leaked company documents and contracts, the investigation found Avast was running a side business alongside its primary antivirus product. What’s worse is that the investigation found documents which showed that Avast intended to keep this quiet, such as confidentiality agreements intended to hide both Avast and the client companies purchasing the data.

    The Avast subsidiary responsible for the harvesting and sale of clients’ internet browsing histories is called Jumpshot. Its sales pitch for selling your internet history is “Every search. Every click. Every buy. On every site.” That pitch convinced companies such as Home Depot®, Microsoft®, Pepsi and McKinsey to purchase the data, often for millions. One product that Jumpshot sold to big-name clients was an “All Clicks Feed”, which tracked user behavior in stunning detail across websites visited.

    Avast has more than 435 million active monthly users, but it claims that the data comes from roughly 100 million subscribers who “opted in” to having their browsing data sold. Many users contacted by Motherboard claimed they had no idea they had opted into anything, and many vented their frustrations publicly on the company’s Twitter page. Avast responded with the blanket statement: “Please be assured, Jumpshot does not acquire any personally identifiable information from our users. We are fully compliant with GDPR & the California Consumer Privacy Act (CCPA). Users may choose to adjust their privacy levels using the settings available in our products.”

    Continued pressure from the public, and in particular from outraged Avast subscribers, forced the hand of the antivirus giant to change course and shut down the Jumpshot program entirely. Avast announced the decision to shut down Jumpshot’s data collection activities effective immediately with a statement from the CEO, Ondrej Vlcek, on Thursday morning. The statement said that the board of directors has decided to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Sources:

• https://www.vice.com/en_us/article/wxejbb/avast-antivirus-is-shutting-down-jumpshot-data-collection-arm-effective-immediately

• https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

Safeguard Websites from Cyberattacks

National Cyber Awareness System:

Safeguard Websites from Cyberattacks (REPOST)

Original release date: January 21, 2020

Protect personal and organizational public-facing websites from defacement,
data breaches, and other types of cyberattacks by following cybersecurity best
practices. The Cybersecurity and Infrastructure Security Agency (CISA) encourages
users and administrators to review CISA’s updated Tip on Website Security and take
the necessary steps to protect against website attacks.

For more information, review:

Oracle Critical Patch Update contains 334 new security patches across the product families

A Critical Patch Update is a collection of patches for multiple
security vulnerabilities. These patches are usually cumulative, but each
advisory describes only the security patches added since the previous
Critical Patch Update advisory. Thus, prior Critical Patch Update
advisories should be reviewed for information regarding earlier
published security patches. Please refer to:

Oracle continues to periodically receive reports of attempts
to maliciously exploit vulnerabilities for which Oracle has already
released security patches. In some instances, it has been reported that
attackers have been successful because targeted customers had failed to
apply available Oracle patches. Oracle therefore strongly recommends
that customers remain on actively-supported versions and apply Critical
Patch Update security patches without delay.

This Critical Patch Update contains 334 new security patches across
the product families listed below. Please note that an MOS note
summarizing the content of this Critical Patch Update and other Oracle
Software Security Assurance activities is located at January 2020 Critical Patch Update: Executive Summary and Analysis.

Go here for more info

Cisco has released security updates to address vulnerabilities

Cisco has released security updates to address vulnerabilities in Cisco
Webex Video Mesh, Cisco IOS, and Cisco IOS XE Software. A remote attacker could
exploit these vulnerabilities to take control of an affected system. For
updates addressing lower severity vulnerabilities, see the Cisco
Security Advisories webpage.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
and administrators to review the Cisco
Webex Video Mesh Advisory
and the Cisco
IOS and IOS XE Software Advisory
and apply the necessary updates.

25,000 hosts still vulnerable to Citrix security issue

    With an estimated 25,000 hosts still vulnerable and proof-of-concept (PoC) exploit code now being released, things went from bad to worse for those affected by the vulnerability CVE-2019-19781. In December, Mikhail Klyuchnikov, a
researcher at Positive Technologies disclosed a vulnerability that would allow
for direct access to a company’s network from the Internet. He stated that this
vulnerability affects all versions of Citrix Application Delivery Controller
(NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Klyuchnikov also
stressed how severe this vulnerability was, stating that its exploitation would be
trivial, and that it would have a widespread effect on commercial organizations.
Dmitry Serebryannikov, another researcher at Positive Technologies stated that
“Citrix applications are widely used in corporate networks. This includes their
use for providing terminal access of employees to internal company applications from any device via the Internet.” At the time, it was estimated that the
vulnerability affected more than 80,000 companies, most operating within the
United States. While no technical details were available at the time, we now
know that the vulnerability is a result of the VPN handler failing to sanitize user-supplied inputs. This allows an unauthenticated attacker to perform remote
code execution via directory traversal.

    It wasn’t until January 10th, 18 days after Positive Technologies released their
report, that the first PoC was publicly released by Project Zero India. Some researchers felt that this release was irresponsible as many systems were still
vulnerable and an official patch had not yet been released. Despite this, the cat
was now out of the bag and many researchers then began to drop their own
PoCs. One day later, the weaponization of these PoCs began. Reports of exploits implementing reverse shells and the development of automated scanners
began to pop up. Those operating honeypots observed a spike in activity after
these releases and reported up to 30,000 requests per hour. As for the total
number of systems still affected, out of 60,000 scanned Citrix endpoints, it was
determined that 25,121 or around 40 percent of them were still vulnerable.
System administrators should be aware of this vulnerability and if their organization is vulnerable, take the steps necessary to remediate the issue. That includes following and implementing the remediation steps within Citrix’s security bulletin. The Cybersecurity and Infrastructure Security Agency (CISA) released
a program that would allow system administrators to check if they are vulnerable to CVE-2019-19781. Citrix has announced the release of patches that will fix
this issue starting on January 20th and extending through January 31st.
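As an added example, not part of the original reports or of the CISA check tool: generic detection logic for directory-traversal attempts in web-server access logs, the kind of traffic the automated scanners described above produce. The log lines, addresses and paths are constructed for the example and are not the published exploit request. The check percent-decodes repeatedly so double-encoded `..` segments are caught, and counts requests per source so a scanner stands out from ordinary clients.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. The addresses and paths
# are invented for this example; they are not the published exploit request.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jan/2020:10:02:11 +0000] "GET /app/index.html HTTP/1.1" 200 5123
203.0.113.9 - - [11/Jan/2020:10:02:12 +0000] "GET /app/../conf/settings.xml HTTP/1.1" 404 221
203.0.113.9 - - [11/Jan/2020:10:02:13 +0000] "POST /app/..%2F..%2Fscripts/run.pl HTTP/1.1" 200 87
203.0.113.9 - - [11/Jan/2020:10:02:14 +0000] "GET /app/%252e%252e/etc/passwd HTTP/1.1" 404 221
198.51.100.7 - - [11/Jan/2020:10:03:01 +0000] "GET /app/logon/index.html HTTP/1.1" 200 9901
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(path, rounds=3):
    """Percent-decode until stable, so double-encoded sequences such as
    %252e%252e (which decodes to ..) are caught as well as single encoding."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when any path segment is exactly '..' after decoding. Backslashes
    are treated as separators because some handlers accept them."""
    decoded = decode_path(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def scan_log(text):
    """Return (hits, per_source): traversal attempts and request counts per IP."""
    hits = []
    per_source = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        per_source[m["ip"]] += 1
        if is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits, per_source


def likely_scanners(per_source, threshold=3):
    """Sources at or above the request threshold, most active first."""
    return [ip for ip, n in per_source.most_common() if n >= threshold]


if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG)
    for h in hits:
        # a 2xx on a traversal path deserves more attention than a 404
        print(h["ip"], h["status"], h["path"])
    print("scanner candidates:", likely_scanners(per_source))
```

On real logs the status code is the triage key: a traversal path answered with 200 means the handler served something and the host needs the Citrix remediation steps checked immediately, while a wall of 404s from one address is scanner noise worth blocking.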

Sources

https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/

https://threatpost.com/unpatched-citrix-flaw-exploits/151748/

Peekaboo Moments failed to secure an Elasticsearch database

    A popular app allowing parents to track their baby’s special moments by storing
videos, pictures, height, weight, location, and other milestones in a child’s development has leaked thousands of those special moments online.
Peekaboo Moments, developed by Bithouse Inc., failed to secure an Elasticsearch database containing over 70 million log files containing Peekaboo Moments users’ data, including links to videos, photos, and geo-location coordinates.

   The unsecured database was discovered by Dan Ehrlich, from the US-based computer security consulting firm Twelve Security. Peekaboo Moments
appears to be run by a China-based company, and the Singapore-based Alibaba Cloud hosted the server in question. According to the Peekaboo Moments
Google app profile page, the company states, “We completely understand how
these moments are important to you,” and “Data privacy and security come as
our priority. Every baby’s photos, audios & videos or diaries will be stored in
secured space. Only families and friends can have access to baby’s moments at
your control.”
At this point, it is not clear how long the Elasticsearch server has been exposed
or who has accessed the data.

    The Peekaboo Moments app has been downloaded over a million times, according to the Google app page, and still boasts
a review rating of 4.6 out of 5 by over 69,000 reviews. The Information Security
Media Group (ISMG) has reached out multiple times to Peekaboo Moments
CEO Jason Liu, based in San Francisco, for information on the breach with no
reply. ISMG also reached out to Ehrlich for comment, and he stated, “I’ve never
seen a server so blatantly open,” and that, “Everything about the server, the
company’s website and the iOS/Android app was both bizarrely done and grossly insecure.”

    The data breach also exposed Facebook API keys used to upload photos and
videos from the popular app to Peekaboo Moments user accounts. The API keys
allow attackers to gain access to content on Peekaboo users’ Facebook pages.
Facebook was notified Wednesday of the breach, but it has not responded yet,
nor is it known if they have revoked the developer’s compromised API keys.
Founder of the data breach notification service Have I Been Pwned, Troy Hunt,
explains that the data breach itself is relatively standard. But what is disturbing
is the complete unresponsiveness from the developers. “Here we have an organization trusted by a huge number of people to protect their precious memories, and they won’t even respond to reports of a very serious data security incident,” Hunt says. “That’s very alarming.”

Sources:

https://www.bankinfosecurity.com/babys-first-breach-app-exposes-babyphotos-videos-a-13603

https://www.infosecurity-magazine.com/news/peekaboo-moments-databreach/

New Ransomware Infection SNAKE

    In the first three quarters of 2019, the world saw nearly 152 million ransomware attacks affecting every sector from government to education to healthcare. As the threat continues to grow, it costs businesses over $75 million per year. One cybersecurity group estimated a new ransomware infection happening every 14 seconds in 2019, and they expect that to accelerate to an infection every 11 seconds by 2021. Given that there are plenty of victims willing to pay to get their data back, it’s no wonder that adversaries continue to develop new strains of ransomware while consistently integrating the most effective pieces of existing ones.

    Starting off 2020 is yet another new ransomware strain, dubbed SNAKE. Discovered by MalwareHunterTeam, this enterprise-targeting malware is going after big business. SNAKE starts by removing the system’s Shadow Volume Copies, then kills any processes “related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.”

    SNAKE then encrypts all of the computer’s files, except for certain system files. Researchers observed that it took longer than most other ransomware strains to finish the encryption process. The encrypted files are appended with five random characters after the file extension. The malware also adds an “EKANS” (SNAKE in reverse) file marker to each encrypted file.

    Once the files are encrypted, SNAKE leaves the ransom note (FixYourFiles.txt) in the public Desktop folder. No specific ransom amount is quoted in the note, but a contact email address is provided, as well as instructions on how to get proof that the attackers have a working decryption key. Researchers also pointed out that the wording of the ransom note may indicate that the decryption key is meant for the entire affected network, not just single systems.
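An added triage script (not from the researchers cited above) that walks a directory tree for the two indicators named in this write-up: files carrying the EKANS marker and the FixYourFiles.txt note. Where inside an encrypted file the marker sits is not stated here, so the script assumes it is near the end of the file and reads only the tail; the sample tree, its file names (with five extra characters after the extension, our reading of the description) and the note text are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"EKANS"                 # file marker named in the write-up above
NOTE_NAME = "FixYourFiles.txt"    # ransom note name from the write-up
TAIL_BYTES = 4096                 # assumption: the marker sits near the end of the file


def has_marker(path):
    """Read only the tail of the file and look for the marker there, so a
    large tree can be triaged without reading every byte of every file."""
    size = path.stat().st_size
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return MARKER in fh.read()


def triage(root):
    """Walk a tree and report marked files and ransom notes as POSIX paths
    relative to root, sorted so the output is stable."""
    root = Path(root)
    marked, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name == NOTE_NAME:
                notes.append(rel)
            elif has_marker(p):
                marked.append(rel)
    return {"marked_files": sorted(marked), "ransom_notes": sorted(notes)}


def build_sample_tree():
    """Create a constructed tree: two files ending in the marker, one
    untouched file, and a note in a public Desktop folder."""
    root = Path(tempfile.mkdtemp(prefix="ekans-triage-"))
    desktop = root / "Users" / "Public" / "Desktop"
    desktop.mkdir(parents=True)
    (root / "docs").mkdir()
    filler = bytes(range(256)) * 8   # deterministic stand-in for ciphertext
    (root / "docs" / "report.docx.kQ7xZ").write_bytes(filler + MARKER)
    (root / "docs" / "budget.xlsx.pL2mN").write_bytes(filler * 3 + MARKER)
    (root / "docs" / "readme.txt").write_bytes(b"plain text, untouched")
    (desktop / NOTE_NAME).write_text("constructed stand-in for the ransom note")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(triage(sample))
```

Run against a mounted image or a suspect share, the marked-file list gives the scope of encryption and the note locations show which hosts were hit; because the note wording suggests a network-wide key, finding notes on several hosts is expected rather than a sign of separate incidents.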

    At this time there is no free decryptor available, but researchers are working on it. For now, awareness is key, as few details on infection vectors have been released. If a link, email, or attachment looks suspicious, don’t open it; report it. See something, say something.

Sources:

• https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/

• https://www.scmagazine.com/home/security-news/ransomware/snake-ransomware-tries-to-slither-its-way-into-enterprise-networks/

• https://phoenixnap.com/blog/ransomware-statistics-facts