Hacks of the week


Denial of Service attack on the victim’s source of ad revenue, Google AdSense

    We expect services to protect themselves from fraudulent activity. Automated services tend to be particularly tempting to unscrupulous individuals who seem to think that they can pull one over on an unmanned operation. So it makes plenty of sense for Google AdSense to be constantly vigilant for any bot activity trying to extract artificial ad views to collect on the bounty of ad revenue. But what if our fences become cages?

    Security researcher Brian Krebs details a new extortion scheme that recently targeted one of his readers, involving a Denial of Service attack on the victim’s source of ad revenue, Google AdSense. The attacker threatens the victim with the loss of revenue by flooding the victim’s website with traffic that is indicative of fraudulent activity. It seems obvious how a criminal mind would use fraudulent activity to create false views and draw on the well of advertising wealth, but the effort of keeping up with defensive algorithms might just not be worth the trouble if shaking down the customer is easier. Why break into the ATM when you can threaten the card holder?

    The extortion note sent to the victim details how there will be an increase in fraudulent traffic that will trigger an investigation by Google. This might increase ad revenue for a short while, but the attackers will maintain the attack if the victim doesn’t pay up, and they claim that Google will issue a permanent ban if the attack persists. All this will go away if the victim simply pays a five thousand dollar fee in the form of Bitcoin. Or at least, that’s what they claim. The scheme works best against victims who already have significant traffic on their site, meaning that they most likely rely on that ad revenue for income and would find paying less painful than losing it; otherwise the attacker’s efforts would all be wasted.

    Google claims that the best course of action when subjected to such forms of sabotage is to contact the AdSense help center immediately and to discontinue any contact with anyone who threatens such fraudulent actions. Contacting their Ad Traffic Quality team will lead to an investigation into the traffic and will allow Google to monitor and evaluate it. Hopefully this will enhance the ability of AdSense to employ its extensive safeguards, which filter out fraudulent page views to protect both the advertisers and the customers of AdSense.

Sources:

  • https://krebsonsecurity.com/2020/02/pay-up-or-well-make-google-ban-your-ads/
  • https://network-times.com/general/new-blackmail-mail-demands-bitcoin-payment-from-google-adsense-users/
  • https://threatpost.com/hacker-scheme-threatens-adsense-customers-with-account-suspension/152943/

Two-Day Shutdown of U.S. Gas Pipeline compliments of ransomware

    Many people believe that cybersecurity training and awareness isn’t important in their jobs, especially if their role isn’t technical. However, social engineering has led to the human element being the weakest link in the cybersecurity chain, and attackers can be very resourceful and clever in their attempts. A recent attack on a U.S. natural gas compression facility shows just how important this awareness can be.

    The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week stating that attackers had compromised the IT and Operational Technology (OT) networks of a natural gas compression facility. They deployed ransomware that encrypted data on both networks, causing a Loss of View event affecting Human Machine Interfaces (HMIs), data historians, and polling servers. Human operators could no longer monitor the status of operations, which led the company to enact an operational shutdown of the entire pipeline for 2 days while parts were replaced and backups were restored.

    The attack did not result in any operational loss of control, however. The attackers didn’t get into the network through some zero-day vulnerability or magical hacking skills: they used a spear-phishing campaign to get an employee to click a malicious link. The link allowed them access to the IT network, from which they were able to pivot into ICS machines due to a lack of segregation between the corporate business network and the operations network. The ransomware only affected Windows-based systems and not Programmable Logic Controllers (PLCs).

    CISA recommends that asset owners ensure IT and OT networks are segregated and provide logical zones within them to help stop lateral movement. They also recommend multi-factor authentication for remote access to operations networks and a robust backup system. Another failing point in this attack was the lack of preparedness in the emergency response plan for cyberattacks: it only addressed physical safety threats.

    User training and cybersecurity awareness can go a long
way in helping to prevent attacks like these. Humans may always be the weak
link in cybersecurity, and it requires effort on the part of everyone in an
organization to help protect it, no matter what their role may be.

Sources

Emotet banking Trojan gets smarter

    Emotet has been around since 2014 as banking malware. As the software evolved, the developers added spamming and malware delivery services of the kind found in other banking malware. Key to Emotet is functionality that allows the software to evade detection by antimalware products.

    Emotet also uses worm-like capabilities to help spread to other connected computers. Because of this, the Department of Homeland Security (DHS) concludes that Emotet is one of the most costly and destructive pieces of malware out there. Emotet spreads on a connected network using a list of common passwords in a brute-force attack. The primary off-network propagation mechanism used by Emotet is spam laced with malware. By 2018 newer versions included stealth, new targets, and the ability to install other malware such as ransomware onto infected machines. This was the cause of the July 2019 Lake City, Florida ransomware attack.

    Malwarebytes Labs reported a botnet-driven spam campaign in September 2019 in which opening the infected Microsoft Word attachment initiates a macro that downloads Emotet. A key functionality of Emotet is the ability to deliver custom modules or plugins suited to specific tasks, such as stealing Outlook contacts or spreading over a LAN.

    Binary Defense has identified new functionality that uses the wlanAPI interface to enumerate all Wi-Fi networks in the area and then attempts to spread to these networks and infect all devices that it can access. With this new propagation method, if a nearby Wi-Fi-capable host is infected, it can attack another Wi-Fi network using the same brute-force weak-password attacks used on a local network. ZDNet summarized the Wi-Fi spreader’s modus operandi nicely as follows: once a host is infected, Emotet downloads and runs the Wi-Fi spreader module. The Wi-Fi spreader module lists all Wi-Fi devices enabled on the host and extracts a list of all the locally reachable Wi-Fi networks. The module then performs a brute-force attack on each Wi-Fi network using two internal lists of easy-to-guess passwords. If the brute-force attack succeeds, the Emotet Wi-Fi spreader has direct access to another network and moves into a second brute-force attack, attempting to guess the usernames and passwords of servers and computers connected to this Wi-Fi network, much like a connected-network attack. If this second brute-force attack succeeds, Emotet begins its infection cycle again, widening its reach.

    The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on increased activity related to targeted Emotet attacks roughly two weeks ago, advising admins and users to review the Emotet Malware alert for guidance. Fortunately, all it takes to stop the malware’s spread is having effective passwords on your infrastructure, hosts, and accounts. Emotet will thrive on users who don’t use such good passwords, or who never changed the factory-default access passwords when they set up their routers.

Sources:

  • https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
  • https://www.zdnet.com/article/emotet-trojan-evolves-to-spread-via-a-wifi-connection/
  • https://www.tomsguide.com/news/emotet-wifi-worm

SweynTooth, targeting Bluetooth

    Bluetooth technology seems to be nearly everywhere now. It is an extremely convenient method to make all sorts of different devices speak the same language and perform greater functions. As we already know though, when computing devices can communicate trouble soon follows in one form or another. This week the details of 12 different security vulnerabilities, collectively called SweynTooth, targeting Bluetooth low energy devices became public. 11 of the 12 vulnerabilities are just denial of service vulnerabilities. The twelfth however allows a complete security bypass on affected devices.

    The group releasing the vulnerabilities is made up of three researchers from the Singapore University of Technology and Design: Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang.

    Most devices that implement Bluetooth connectivity do not implement it from the ground up. They instead rely on a specialized system on a chip (SoC) from a larger manufacturer to handle the inner Bluetooth workings and interface with it via a software development kit (SDK). The SDK allows them to configure specific parameters for connectivity as well as to receive and send information over the link. Since most devices share SoCs with other devices, it is no surprise that a vulnerability in a specific SoC may affect hundreds or thousands of otherwise unrelated devices.

    The vulnerabilities released this week affect SoCs from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor. The devices using these SoCs range from smart watches and smart locks to medical devices.

    As stated, the majority of these vulnerabilities are able to trigger a denial of service. They do so by sending specially crafted packets to the target device to put it into a deadlocked state where it can no longer process incoming or outgoing data. To make the device functional again, a reboot is required. Most of these attacks require only one or two packets to be transmitted to exploit successfully. The most dangerous vulnerability of the set is CVE-2019-19194, which can allow an attacker to completely bypass secure communication protections. An attacker using this vulnerability may be able to access functions on the affected device as if they were an authorized user. This could lead to information leakage or even code execution in certain cases.

    This specific vulnerability only appears to affect the Telink SMP family of SoCs. Before releasing the vulnerability details to the public, the researchers followed responsible disclosure guidelines and notified the affected vendors. After 90 days the research went public, with 6 of the 12 vulnerabilities still without patches. When updates become available, affected devices should be upgraded to prevent these attacks.

Sources:

  • https://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/
  • https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/

Pay a Ransom or Suffer a Data Breach?

    A ransomware variant referred to as Ragnar Locker is specifically targeting services used by managed service providers and threatening the public release of found documents. Managed service providers remotely manage a customer’s IT infrastructure and end-user systems. With the remote management services stopped, the ransomware can infect without intervention. The scariest thing about this ransomware is that it also claims to perform data exfiltration. According to the attackers, before the execution of the ransomware they perform reconnaissance and specific pre-deployment tasks on the network and the devices connected to it. The attackers state that one of these pre-deployment tasks is to steal files and upload them to their server. They then say that if the ransom is not paid, the data will be publicly released.

    The idea of ransomware coupled with a data breach seems similar to blackmail but is a relatively new concept. Ragnar Locker is not the first ransomware to claim that data was stolen: in October 2019, Maze ransomware released 700MB of stolen data from an affected company after it refused to pay the ransom. Then, in December, the criminals behind Maze created a website dedicated to those who refused to pay. This site contained the company names, dates of infection, and any data stolen from each company. Around this time, the Sodinokibi operators also stated that they would start exfiltrating user data. While there haven’t been any observed dumps related to Sodinokibi, researchers confirmed that they are exfiltrating data as part of their attacks. However, just because the ransom note says that data theft is part of the attack doesn’t mean that it was.

    Telling users that their data will be made public if the ransom isn’t paid can be a convincing tactic to increase the rate of payment. In the business setting, the disclosure of sensitive data could make the organization liable for fines exceeding the cost of the ransom demand.

    If the ransom note says that data theft occurred, it is essential to independently verify this, as it is often used as a scare tactic. If unable to determine whether data theft occurred, a search of the ransomware variant may provide details as to its behavior. In addition to this, ensuring that backups are in place is an essential part of any ransomware recovery plan. Ragnar Locker is just one of many ransomware strains that now say that they are exfiltrating data. Expect to see more and more ransomware variants claiming data exfiltration, with some following up on that promise.

Sources

  • https://www.bleepingcomputer.com/news/security/ragnar-lockerransomware-targets-msp-enterprise-support-tools/
  • https://www.coveware.com/blog/marriage-ransomware-data-breach

WhatsApp

    Modern communication revolves around the internet and the digital age, allowing people to communicate instantaneously no matter where they are in the world. There are many messaging applications that have come along through the years, but one of the most popular ones used today is WhatsApp. However, security researchers at PerimeterX recently found a vulnerability in WhatsApp that could allow Remote Code Execution (RCE) and the ability to remotely view files on a target system.

    WhatsApp, now owned by Facebook, is one of the most popular messaging apps in the world. The desktop platform alone has over 1.5 billion monthly active users. WhatsApp is known for its end-to-end encryption of messages, making it popular among political dissidents in countries where such activities could be severely punished, as well as among criminal groups and privacy enthusiasts.

    The vulnerability, CVE-2019-18426, is related to the app’s use of JavaScript and was discovered by PerimeterX cybersecurity researcher Gal Weizman. An attacker can modify both links and website previews in messages to appear legitimate through code manipulation of the JavaScript, while also redirecting the victim to malicious sites or downloads. This Cross-Site Scripting (XSS) attack can inject malicious links into messages that appear to be coming from friends of the target. The payload of these malicious links could be malware that allows an attacker to remotely execute code on the target’s machine for a variety of purposes. The XSS vulnerability stems from a gap in the Content Security Policy (CSP) used by WhatsApp, which also leads to an attacker being able to gain read permissions on the local file system for both Mac and Windows desktop apps.
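As an added illustration of the kind of CSP gap described above (example code written for this digest, not code from WhatsApp or PerimeterX; both policies below are constructed and are not WhatsApp’s actual policy), here is a small auditor for Content-Security-Policy header values that flags the settings which leave injected script free to run:

```javascript
// Added example: audit a Content-Security-Policy value for the gaps that let
// injected (XSS) script execute. The two policies at the bottom are constructed
// for illustration only; they are not WhatsApp's real policy.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Browsers honour only the first occurrence of a directive.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return a list of findings describing why script could still be injected.
function auditCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);
  // script-src falls back to default-src when absent; if both are absent the
  // browser places no restriction on script at all.
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: any script may run');
    return findings;
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' permits inline <script> and event handlers, the classic
  // XSS vector, unless a nonce or hash is also listed (CSP3 then ignores it).
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script source list: inline script allowed");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script source list: eval/Function allowed");
  }
  // Bare wildcards and scheme-only sources let script load from any origin.
  for (const src of scriptSrc) {
    if (src === '*' || /^(https?|data|blob):$/.test(src)) {
      findings.push(`overly broad script source ${src}`);
    }
  }
  // Without object-src (or a default-src fallback) plugin content is unrestricted.
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push('no object-src: plugin content can be used to run script');
  }
  return findings;
}

// Constructed weak policy: inline script and any origin allowed for everything.
const WEAK_CSP = "default-src * 'unsafe-inline'; img-src *";
// Constructed hardened policy: script only from self with a per-response nonce.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'";

console.log(auditCsp(WEAK_CSP));     // two findings: unsafe-inline, wildcard
console.log(auditCsp(HARDENED_CSP)); // []
```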

    The vulnerability has been patched in desktop version 0.3.9309 and newer. Also, newer versions of Chrome protect against these types of JavaScript modifications, but other browsers such as Safari do not. Always ensure that your browsers and apps are up to date with the latest patches to ensure maximum protection on the technical side. User training to always be suspicious, especially of links, can also go a long way towards protecting organizations from these types of attacks.

Sources:

Critical vulnerability in the Nortek Linear eMerge E3 access controller

    Take a look around and note all of the electronics around you. How many devices
are in the room with you? How many are communicating? Look beyond the
obvious computer, cell phone, and smart watch. Are there headphones? Key
fobs? Door locks? Anything with a circuit board can be hacked and anything
that is trying to connect makes it easier. Every device comes with vulnerabilities
– it’s just a matter of whether someone has found them yet.

    When security researchers come across a vulnerability they typically report it to
the company that develops the product before going public with the discovery.
This is done in good faith so that the company has time to issue a patch. In a
perfect world, the vulnerability is announced and includes a statement that it’s
already been fixed so we can all grab the update if we need to. Unfortunately,
that isn’t always the case.

    This week, researchers from SonicWall reported active exploitation of proof of
concept code for a critical vulnerability in the Nortek Linear eMerge E3 access
controller. This is a physical access control that determines who can use which
door and when. The Linear eMerge E3 has been deployed across multiple industries
from healthcare to banking to manufacturing and more. According to the
SonicWall team, “It runs on embedded Linux Operating System and the system
can be managed from a browser via embedded web server.”

    But SonicWall didn’t discover the vulnerability. It’s over eight months old and
it’s actually 10 vulnerabilities that exist on the E3 controllers. It was originally
made public in a May 2019 research report from Applied Risk where six of the
10 vulnerabilities were identified as critical. Some of the issues, such as default
credentials on the devices and stored cleartext credentials, should be shocking.
But sadly they are all too commonplace, especially in the world of IoT.
After Nortek neglected to issue patches, Applied Risk released proof of concept
exploit code in November 2019 with the hope of forcing the company to address
the issue. At this time, no patch has been released. SonicWall noted that
over 2300 eMerge devices could be easily found – a small number compared to
how many connected devices there are in total – but this is just one model from
one manufacturer. There are still millions of IoT devices out there, easily discoverable,
and every single one has vulnerabilities waiting to be found.

Sources

  • https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/
  • https://applied-risk.com/assets/uploads/whitepapers/Nortek-Linear-E3-Advisory-2019.pdf
  • https://securitynews.sonicwall.com/xmlpost/linear-emerge-e3-access-controller-actively-being-exploited/

Avast has been cashing in by selling its customers’ web browsing history

    Popular antivirus program Avast has been cashing in by selling its customers’ web browsing history. A joint investigation by PCMag and Motherboard found the antivirus company selling its customers’ highly sensitive web browsing data to many of the world’s largest companies. Through leaked company documents and contracts, the investigation found Avast was running a side business alongside its primary antivirus product. What’s worse is that the investigation found documents showing that Avast intended to keep this quiet, such as confidentiality agreements intended to hide both Avast and the client companies purchasing the data.

    The Avast subsidiary responsible for the harvesting and sale of clients’ internet browsing histories is called Jumpshot. Their sales pitch for selling your internet history is “Every search. Every click. Every buy. On every site.” That pitch convinced companies such as Home Depot®, Microsoft®, Pepsi and McKinsey to purchase the data, often for millions. One product that Jumpshot sold to big-name clients was an “All Clicks Feed”, which tracked user behavior in stunning detail across websites visited.

    Avast has more than 435 million active monthly users, but they claim that the data comes from roughly 100 million subscribers who “opted in” to having their browsing data sold. Many users contacted by Motherboard claimed they had no idea of opting into anything, and many vented their frustrations publicly on the company’s Twitter page. Avast responded with the blanket statement: “Please be assured, Jumpshot does not acquire any personally identifiable information from our users. We are fully compliant with GDPR & the California Consumer Privacy Act (CCPA). Users may choose to adjust their privacy levels using the settings available in our products.”

    Continued pressure from the public, and in particular from outraged Avast subscribers, forced the hand of the antivirus giant to change course and shut down the Jumpshot program entirely. Avast announced the decision to shut down Jumpshot’s data collection activities effective immediately with a statement from the CEO, Ondrej Vlcek, on Thursday morning. The statement said that the board of directors had decided to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Sources:

  • https://www.vice.com/en_us/article/wxejbb/avast-antivirus-is-shutting-down-jumpshot-data-collection-arm-effective-immediately
  • https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

Safeguard Websites from Cyberattacks

National Cyber Awareness System: Safeguard Websites from Cyberattacks (REPOST)

Original release date: January 21, 2020

Protect personal and organizational public-facing websites from defacement, data breaches, and other types of cyberattacks by following cybersecurity best practices. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CISA’s updated Tip on Website Security and take the necessary steps to protect against website attacks.

For more information, review: