More stories

    Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks

    The Malsmoke hacking group is now abusing a vulnerability in Microsoft’s e-signature verification tool to deploy malware and steal user data.

    On Wednesday, Check Point Research (CPR) said that as of now, over 2,100 victims have been detected worldwide in a new campaign, with the majority resident in the United States, Canada, and India – although evidence of the malware has been found in 111 countries.

    Dubbed ZLoader, the malicious code has been used in the past to deliver banking Trojans and has been closely connected to multiple ransomware strains. The new campaign is thought to have started in November 2021.

    During its initial attack stages, the malware’s operators have decided to use Atera, legitimate remote management software, as the springboard to infect a system. While it is not known how the malicious package containing Atera is currently being distributed, upon installation, Atera will also show a fake Java installer. This file, however, is busy installing an agent that connects the endpoint PC to an attacker’s account, allowing them to remotely deploy malicious payloads.

    Two .bat files are then uploaded to the victim’s machine: the first is responsible for tampering with Windows Defender, and the second is used to load ZLoader. During this stage, Windows Defender exclusions are added to stop the cybersecurity tool from launching alerts, existing software that may detect the manipulation of the task manager and cmd.exe is disabled, and further scripts used to disable “Admin Approval Mode” are executed. In addition, a script is added to the startup folder for persistence and a PC reboot is forced to apply the system changes.

    Of note is a signed, malicious .DLL file used to infect a machine with ZLoader, according to the team. CPR said the file was modified and additional code was included by utilizing a known issue in the signature validation of crafted PE files, mentioned in CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151. While a fix was issued years ago, false positives against legitimate installers resulted in the patch being made opt-in.

    “Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix,” the researchers say. “However, they stated after implementing it that they ‘determined that impact to existing software could be high.’ Therefore, in July 2014, they pulled the stricter file verification and changed it to an opt-in update. In other words, this fix is disabled by default, which is what enables the malware author to modify the signed file.”

    The final ZLoader payload is then deployed. This malware, a banking Trojan in its own right, is able to steal user credentials, cookies, and sensitive information – including financial account login data – as well as act as a backdoor and loader for other malicious code. In September, Microsoft warned that ZLoader is being spread through Google keyword advertisements to infect vulnerable PCs with Conti ransomware.

    CPR believes that MalSmoke is behind the latest campaign due to coding similarities, the use of Java plugins as fake installers, and due to connections between registrar records for domains previously used by the group to spread Raccoon Stealer malware. According to the researchers, the authentication gap being exploited is a problematic area as Microsoft’s stricter signature options are not enabled by default – and while the cybersecurity firm recommends that users apply Microsoft’s update for Authenticode verification, this may also occasionally flag up legitimate installers as having an invalid signature.

    “All in all, it seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis,” commented Kobi Eisenkraft, Malware Researcher at Check Point. “I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.”

    Microsoft and Atera have been made aware of the researchers’ findings. “We released a security update (CVE-2013-3900) in 2013 to help keep customers protected from exploitation of this vulnerability,” a Microsoft spokesperson told ZDNet. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected. Exploitation of this vulnerability requires the compromise of a user’s machine or convincing a victim to run a specially crafted, signed PE file.”
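    As an added defender-side example, not code from the article or from Check Point: the PowerShell below audits and enables the opt-in strict Authenticode check that the story describes as disabled by default. The EnableCertPaddingCheck value and its two registry locations are the ones Microsoft’s advisory for CVE-2013-3900 documents; the file path at the end is a placeholder.

```powershell
# Registry locations documented in Microsoft's CVE-2013-3900 advisory for the
# opt-in strict Authenticode check. Both keys are needed on 64-bit Windows so
# that 32-bit callers of WinVerifyTrust honour the setting as well.
$PaddingCheckKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    # Reports, per key, whether the strict check is enabled (REG_SZ value "1").
    foreach ($key in $PaddingCheckKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name EnableCertPaddingCheck `
                      -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        }
        [pscustomobject]@{
            Key     = $key
            Enabled = ($value -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    # Requires an elevated prompt. Creates missing keys and sets REG_SZ "1".
    foreach ($key in $PaddingCheckKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name EnableCertPaddingCheck -Value '1' -Type String
    }
}

function Test-FileSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Signature status as WinVerifyTrust reports it under the current setting.
    # With the strict check on, a signed PE whose certificate table carries
    # data beyond the signature itself no longer reports a Valid status.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage: audit, enable, then re-check a file. Placeholder path, not from the article.
Get-CertPaddingCheckState
Enable-CertPaddingCheck
Test-FileSignature -Path 'C:\path\to\installer.dll'
```

    Because the stricter check can also reject legitimate installers with non-conforming padding (the caveat the article mentions), run Test-FileSignature across your own deployment packages before rolling the setting out fleet-wide.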

    China moots additional security rules for apps that influence public opinion

    China has released draft laws that will require, amongst others, mobile apps to be licensed if they provide news and go through a security assessment if they can influence public opinion. They also must adhere to cybersecurity guidelines and not endanger national security. The Cyberspace Administration of China (CAC) on Wednesday unveiled proposed legislation to further regulate services provided via mobile apps and ensure these operated alongside the country’s other laws, including the Personal Information Protection Law (PIPL) and Data Security Law.

    Under the draft laws, operators that provided news services through mobile apps would have to obtain the licence to do so. They also must deliver such services within the scope of the licence and as permitted under the licence. The CAC, however, did not elaborate on what exactly the licence would cover.

    Operators of apps that provided news, instant messaging, and other related services must require their users to register based on their mobile number and identification card number. Users who refused to do so or who used fraudulent identification data should not be permitted to use the app. App operators were expected to put in place the necessary mechanisms and tools to manage user registration and accounts as well as review information and monitor usage. Registered users who breached service agreements and laws must be issued warnings and access restricted or blocked, where necessary. In addition, mobile app operators that introduced technologies and functions that could potentially influence public opinion or mobilise the population must carry out security assessments according to specifications laid out by CAC. The government agency, though, did not provide details on what these might entail. Operators also should not use their apps to facilitate activities that were illegal and that endangered national security or disrupted social cohesion.

    They must further comply with requirements stipulated in the country’s cybersecurity law. Should they uncover security flaws or other risks in their mobile app, they must take immediate steps to plug the security holes and notify users in a timely fashion. The relevant authorities also should be notified of the security flaw. If passed, the draft legal framework would apply to various media including text, picture, voice, and video, and information platforms delivered via the mobile app, including instant messaging, FAQs, and community forums. CAC said public feedback on the proposed law would close on January 20. It added that the regulation was slated to be passed later this year.

    The draft laws are the latest in China’s efforts to stem what the government perceives as problems within the digital economy, such as poor management of personal data. CAC last May called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. CAC said these companies, which included Baidu and Tencent Holdings, had breached local regulations and gathered personal information without consent from their users.

    Services Australia brushes off vulnerability concerns in COVID-19 digital certificates

    During Australia’s federal Budget Estimates last year, Services Australia was grilled by senators about various initiatives under its remit, from the COVID-19 digital certificate rollout to the bungled robo-debt scheme. Of concern to Labor Senators Tim Ayres and Nita Green was the alleged lack of security of Australia’s COVID-19 digital certificates, with both of them criticising the certificate for being easily forged through man-in-the-middle cyber attacks. Providing responses to the senators’ concerns, Services Australia said it was aware of reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus app, but brushed off the concerns by merely saying such attacks “require significant knowledge and expertise”. It added that there are currently no vulnerability disclosure programs in place nor any future plans to implement such a program for the digital vaccination certificates. This is despite security researcher Richard Nelson last year detailing the difficulty for the private sector and the public in reporting vulnerabilities about the certificates to government, which was referenced by Ayres during Budget Estimates. Services Australia also said the Digital Transformation Agency (DTA) had no plans to consider establishing bounty programs. “Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously,” Services Australia said in its response to questions on notice. “Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications.”

    As of the end of October, over 12.3 million Australians have downloaded COVID-19 digital certificates, the agency said in another response. For Australia’s other federal COVID-19 product, COVIDSafe, the DTA provided an update that monthly costs to run the app have been around what it expected, around AU$60,000 a month, since it took over responsibility for the app. As of early October, there are 7.7 million COVIDSafe registrations, DTA added. The DTA had also been asked by Labor Senator Marielle Smith during Budget Estimates how many people had downloaded the app and then deleted it, but the agency said it does not track that data.

    In regards to questions about Services Australia’s progress in refunding wrongly issued robo-debts, the agency provided more information about the people who are still yet to receive a refund. The agency said there are now around 8,500 people who are yet to receive a refund. Of these, 501 are deceased estates, 280 are incarcerated, 539 are indigenous, and 106 had a vulnerability indicator on their customer record at the time they were last in receipt of payment. Services Australia explained that these refunds had not been processed yet as the victims have not provided bank details to the agency in order to receive the payment. A Senate Committee inquiring into the robo-debt system is still waiting for Services Australia and Minister for Government Services, Linda Reynolds, to provide documents about the legal advice Services Australia received in implementing robo-debt. Both have refused to provide that information under claims of public interest immunity.

    Chinese tech companies must undergo government cyber review to list overseas

    China on Tuesday evening confirmed it will increase oversight on how local tech companies operate their platforms both locally and overseas through two new sets of rules. The first set of rules, set to be enforced on February 15, is focused on cybersecurity reviews and will require local tech companies with personal information on over 1 million users to undergo a security review before being allowed to list onto overseas stock exchanges. Announced by the Cyberspace Administration of China (CAC), the rules did not specify whether cybersecurity reviews would be required for companies that list in Hong Kong.

    As part of a cybersecurity review process, the Chinese government can urge tech companies to make organisational changes to fulfil their commitments to the cybersecurity review. The CAC said the new listing requirement was established to address the risk of key infrastructure, data, and personal information being used maliciously by foreign actors. The new listing requirement adds another layer of uncertainty for Chinese companies looking to expand overseas, as Chinese companies like China Telecom have already received the stock exchange boot from the US. The US Securities and Exchange Commission last month also gained powers to ban foreign companies listed in the US from trading if their auditors do not comply with requests for information from American regulators.

    Looking at the rest of the cybersecurity review measures, the CAC said any companies that carry out data processing activities that affect or may affect national security will also be required to undergo a cybersecurity review, although the Cyberspace Administration of China did not provide definitions on what activities would meet that threshold.

    The second set of rules announced by the CAC, set to come into effect in March, target the use of algorithm recommendations by tech companies and require them to establish algorithm mechanism reviews, user registration reviews, and programs protecting minors. All online platforms will also be required to provide users with the option to turn off or modify how they access algorithm recommendation services, as well as provide users with information on how their personal data is used in the provision of such services.

    Both sets of rules follow a big year of tech crackdowns in China, when new laws came into force around data protection, online gaming for minors, and gig economy rights. Along with new legislation, the Chinese government also slapped big penalties against tech giants, such as removing Didi from app stores and fining Alibaba 18.2 billion yuan. Just prior to the new year, China’s internet security regulator also suspended all of its contracts with Alibaba Cloud after one of its security engineers discovered the Log4J vulnerability and reported it to Apache. The Ministry of Industry and Information Technology suspended its contracts with Alibaba Cloud as it “did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management”, according to local media outlets.

    FTC to pursue companies that expose customer data due to not patching Log4j

    The United States Federal Trade Commission has issued a warning that it will chase companies that do not remedy the vulnerability in the Java logging package Log4j.

    “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the agency said on Tuesday. “Failure to identify and patch instances of this software may violate the FTC Act.”

    The agency cited its $700 million settlement with Equifax in 2019 as an example of what could happen if customer data is exposed.

    “The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies,” the FTC said. “These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

    Earlier on Tuesday, Microsoft said people might not be aware of how widespread the Log4Shell issue is in their environments, and warned that attempts to exploit it remained high to the end of 2021. “At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the software giant said. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”

    Cloudflare warned last month it had detected activity related to the remote code exploit as early as December 1, which meant the vulnerability was in the wild for at least nine days before it was publicly disclosed.


    Over 20 years of employee data leaked during McMenamins ransomware attack

    Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12. In a statement, the company explained that even though they managed to “block” the attack, employee information dating back to 1998 was compromised. 

    The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes). Breach notification letters were sent to anyone who worked for the company between July 1, 2010 and December 12, 2021, while those employed from January 1, 1998 and June 30, 2010 were only provided with a notice on the company website about options for support. The hackers gained access to business records, human resources data, and payroll data files, encrypting the data for employees at the company between 1998 and 2010. McMenamins released the public notice on its website because it has lost access to the contact information for those that worked for the company between those years. The company was able to recover the files from 2010 to 2021 and send breach notification letters to those victims. The Oregonian reported that McMenamins told the Oregon Department of Justice that 14,861 people were sent breach notification letters, while up to 30,000 people may have had their information involved in the breach. “As soon as we realized what was happening, we blocked access to our systems to contain the attack that day. It appears that cybercriminals gained access to company systems beginning on December 7 and through the launch of the ransomware attack on December 12. During this time, they installed malicious software on the company’s computer systems that prevented us from using or accessing the information they contain,” the company said in a notice on their website. 

    The company — which runs dozens of hotels, bars, movie theaters, concert venues, restaurants, and more across the Pacific Northwest — said it is offering victims one year of identity theft protection and credit monitoring services. McMenamins is still recovering from the attack and noted on their website that email systems are still down. They contacted the FBI, local law enforcement, and the Attorneys General of Oregon and Washington to notify them of the attack. The company has already hired a cybersecurity firm to help with the recovery process. The company’s properties are still open, but their credit card processing and hotel reservation system was affected. Guests at their hotels have been asked to call them to manage bookings. No customer or partner data was involved in the attack, according to the company. They said it is unclear when their systems will be fully back up and running.

    Bleeping Computer reported in December that the Conti ransomware group was behind the attack on McMenamins. Both CISA and the FBI said in September that they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises.

    “We’re devastated our people need to do so, but we’re urging them to vigilantly monitor their accounts and healthcare information for anything unusual. They should immediately notify their financial institutions or health providers if they see anything out of sort,” said company founder Brian McMenamin.

    Google acquires Israeli cybersecurity company Siemplify

    Google announced on Tuesday that it is acquiring Israeli cybersecurity startup Siemplify for a reported $500 million. 

    Google Cloud Security vice president Sunil Potti said Siemplify is a leader in the security orchestration, automation and response (SOAR) field. Their platform will be integrated into Google Cloud’s security team “to help companies better manage their threat response.”

    “In a time when cyberattacks are rapidly growing in both frequency and sophistication, there’s never been a better time to bring these two companies together. We both share the belief that security analysts need to be able to solve more incidents with greater complexity while requiring less effort and less specialized knowledge. With Siemplify, we will change the rules on how organizations hunt, detect and respond to threats,” Potti said. “Providing a proven SOAR capability unified with Chronicle’s innovative approach to security analytics is an important step forward in our vision. Building an intuitive, efficient security operations workflow around planet-scale security telemetry will further realize Google Cloud’s vision of a modern threat management stack that empowers customers to go beyond typical security event and information management (SIEM) and extended detection and response (XDR) tooling, enabling better detection and response at the speed and scale of modern environments.”

    Potti explained that Siemplify’s platform was built to help streamline the tasks of SOC analysts and assist them in responding to cyber threats. According to Potti, the acquisition is part of Google’s larger investment in SOAR capabilities. Siemplify CEO Amos Stern added that Chronicle’s “security analytics and threat intelligence” will be able to help many security operations centers. “We’re excited to join Google Cloud and build on the success we’ve had in the market helping companies address growing security threats,” Stern said.

    In his own blog post, Stern said that since the company’s founding in 2015, they have acquired customers ranging from Fortune 500 companies to MSSPs. Calcalist, the first to report the $500 million price tag, noted that Siemplify currently has about 200 employees based in the US, UK and Israel. In October, Google Cloud partnered with Israeli cybersecurity firm Cybereason on an effort to provide Extended Detection and Response (XDR) tools to organizations looking for protection of their endpoints, networks, clouds and workspaces.

    First Microsoft Pluton-powered Windows 11 PCs to start rolling out this year

    In November 2020, Microsoft took the wraps off its Pluton security chip, with the goal of bringing it to all Windows 10 PCs. It wasn’t until today, January 4, that any of Microsoft’s OEMs announced their first Pluton-powered PCs. At CES, Lenovo unveiled its Ryzen-6000-based ThinkPad Z series laptops running Windows 11, which will integrate the Microsoft Pluton processor. The coming ThinkPad Z series laptops will begin shipping in May 2022.

    Thanks to Pluton, these devices will be able to receive updated firmware using Windows Update. In the ThinkPad Z13 and Z16, Pluton will help protect Windows Hello credentials, according to Microsoft, by further isolating them from attackers. These new ThinkPads will use Pluton as their TPMs to protect encryption keys from physical attacks, Microsoft officials said. Microsoft pioneered Pluton first in Azure Sphere, its Linux-based microcontroller, and in Xbox.

    In a January 4 blog post, Microsoft officials noted that Pluton can be configured in three ways: as the Trusted Platform Module (TPM); as a security processor for non-TPM scenarios like platform resiliency; or inside a device where OEMs have opted to ship with the chip turned off. Windows will be able to use Pluton to securely integrate with other hardware security components in a way that gives Windows users and IT admins resiliency signals that can be used for zero-trust conditional access, officials added. At some point in the future, these signals will be reported to services like Intune through the Azure Attestation service, officials said. Microsoft’s blog post said that “in the future” there will be additional support from OEM partners for Pluton.