More stories

  • SideCopy cybercriminals use new custom Trojans in attacks against India's military

    The SideCopy advanced persistent threat (APT) group has expanded its activities, and now, new Trojans are being used in campaigns across India. 

    The APT has been active since at least 2019 and appears to focus on targets of value in cyberespionage. Last year, Cyware said that SideCopy was involved in a number of attacks, including those targeting Indian defense forces and military personnel. On Wednesday, researchers from Cisco Talos said a recent surge in activity “signals a boost” in the APT’s development of techniques, tactics, and tools, with multiple new remote access trojans (RATs) and plugins now in play.

    An interesting aspect of SideCopy is the group’s attempts to confuse security researchers by copying techniques usually reserved for Sidewinder, a separate APT believed to have attacked the Pakistani military and other targets across China. SideCopy has also taken reference from Transparent Tribe, also known as PROJECTM, APT36, or Mythic Leopard. This group also strikes at Indian government and military units; however, Transparent Tribe has recently shifted its focus to Afghanistan.

    According to Talos, SideCopy has expanded from the deployment of a C#-based RAT called CetaRAT, the Allakore Trojan, and njRAT to four new customized Trojans and two further commodity RATs known as Lilith and Epicenter.

    SideCopy’s original infection chain used malicious .LNK files and .DLLs to deploy a Trojan on a victim’s machine. Link lures often relate to Indian army operations; however, the group also uses honeytraps — in particular, the promise of explicit photos of women.

    However, since last year, SideCopy’s attack chain has evolved to a .LNK file, three HTML application files, three loader .DLLs, and then multiple RATs — including two versions of CetaRAT deployed in the same strike. Decoy documents and images may also be used in the initial stages of an attack. In other variations, such as an attack chain designed to deploy njRAT, the group used a dropper hidden in a self-extracting .RAR archive, and in others, the .LNK element is abandoned entirely in favor of malicious .ZIP archives hosted on attacker-controlled websites.

    DetaRAT, ReverseRAT, and MargulasRAT are new Trojans joining CetaRAT. They contain functions typical of this kind of malware — the creation of a link between a victim machine and a command-and-control (C2) server, data theft, process tampering, clipboard data stealing, and screenshot capture — with the exception of ReverseRAT, which is a simple reverse shell and removable drive monitor.

    Once a machine is infected, plugins are also deployed, including functions such as enumeration, keylogging, and browser credential stealers. One set of plugins of note is “Nodachi,” written in the Go programming language and designed to steal files from an Indian multi-factor authentication (MFA) app called Kavach.

    “What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs,” Talos says. “The use of these many infection techniques — ranging from LNK files to self-extracting RAR .exes and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”

  • Ransomware: US warns Russia to take action after latest attacks

    Following the latest series of ransomware attacks, the White House has said the US will take action against the gangs involved, if the Russian government doesn’t. The June ransomware attack on Colonial Pipeline, which distributes much of the fuel to the eastern seaboard of the US, was a turning point in discussions about cybercrime between US president Joe Biden and Russian president Vladimir Putin. 

    Kaseya attack

    Biden in June said critical infrastructure should be “off-limits” to this style of cyberattack and is pressuring Putin to get a grip on ransomware gangs operating in Russia’s jurisdiction. While the US intelligence community has not attributed the attack to one gang, most cybersecurity experts are pointing to gangs operating out of Russia.

    The question over ransomware came up again after last week’s attack on US tech firm Kaseya, whose VSA remote management and monitoring software was compromised, leading to about 1,500 companies being affected. While few critical infrastructure providers appear to have been hit, the attack has forced the closure of dozens of Coop supermarket stores in Sweden since Sunday. Affected Coop stores remained closed until Tuesday as the chain replaced cash registers. REvil offers its ransomware infrastructure as a service to any gang willing to pay. The attackers have demanded $70 million for a universal decryption key that would resolve the issue for Kaseya, its managed service provider (MSP) customers, and the MSPs’ customers.

    White House press secretary Jen Psaki on Tuesday offered an update on the US response to Russia-based cybercrime.

    “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” said Psaki. She said a high level of the US national security team has been in touch with a high level of Russian officials to discuss the attacks. But she said that even if the ransomware gangs were not operating with the permission of the Russian government, stopping the attacks was still Russia’s responsibility.

    “Even as it is criminal actors who are taking these actions against the United States or entities – private-sector entities in the United States, even as – even without the engagement of the Russian government, they still have a responsibility. That continues to be the President’s view and the administration’s view,” she said.

    The G7 alliance, which includes Canada, France, Germany, Italy, Japan, the UK and the US, in June warned countries from which ransomware gangs operate to rein them in. Colonial ended up paying $4 million to its ransomware attackers while JBS, which was also compromised by a REvil-related gang, paid $11 million.

    Kaseya on Tuesday issued a statement outlining its efforts to minimize the impact on critical infrastructure.

    It said the REvil attack impacted about 50 Kaseya customers. “Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised,” Kaseya said in a statement.

    The attack exploited a previously unknown flaw in Kaseya’s VSA software and only impacted customers with on-premise VSA servers. Kaseya nonetheless took its VSA software-as-a-service (SaaS) product offline too and was expected to bring it back online on July 6. The company issued a notice late on July 6 that it had deferred its SaaS restoration due to an undisclosed issue. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service. We will be providing a status update at 8 AM US EDT,” it said in a statement.

  • Suspected hacker Dr HeX arrested over cybercrime, bank fraud impacting thousands

    Law enforcement has arrested an individual suspected of being a prolific cybercriminal responsible for phishing, carding, and bank fraud. 

    On Tuesday, Interpol and Group-IB revealed the results of a two-year probe into “Dr HeX,” a target of Interpol’s Operation Lyrebird, leading to a suspect being apprehended in May with the help of Moroccan police. Interpol has accused the miscreant of prolific cybercrime, including phishing campaigns targeting French speakers and widespread website defacement. He is also suspected of developing and selling phishing exploit kits, used to steal the financial details of victims and to conduct financial fraud, on underground forums.

    Dr HeX reportedly impersonated online banking services to lure unwitting visitors into submitting their account credentials and was also involved in the carding industry — the sale and use of credit card information without the owner’s consent. In addition, the alleged cybercriminal targeted French-speaking telecom firms, numerous banks in the country, and enterprise companies with attacks designed to distribute malware.

    The individual, as yet unnamed, is accused of targeting “thousands of unsuspecting victims over several years.”

    Cybersecurity firm Group-IB, a member of the Project Gateway initiative — a collaborative effort between Interpol and private sector organizations to tackle cybercrime — was heavily involved in the investigation. Group-IB has actively monitored the activities of Dr HeX, which allegedly included attacks on 134 websites between 2009 and 2018.

    The firm used signatures left on the defaced domains, together with a phishing kit containing the same Dr HeX brand — and a contact email — to map out the cybercriminal’s activities and to help track the suspect down. Further investigation led to the discovery of a YouTube channel and connections to an Arabic crowdfunding platform. The team then found two domains registered with the same email address included in the phishing kit, and overall, a total of five email accounts, six nicknames, and the suspect’s YouTube, Facebook, Instagram, and Skype accounts were discovered.

    “Group-IB analysts have also found the cybercriminal’s posts on several popular underground platforms intended for malware trading that indicate the latter’s involvement in malware development,” the company added. The suspect, a citizen of Morocco, is now under investigation for his alleged criminal activities.

  • UK Information Commissioner launches probe into private email use at Department of Health

    The UK Information Commissioner’s Office (ICO) has launched an investigation into the improper use of private emails and communication channels by government officials. 

    Following Matt Hancock’s abrupt departure after breaking social distancing guidelines, concerns were raised that the former health secretary, as well as minister Lord Bethell, had potentially conducted government business across improper channels — including private email accounts. An investigation may also include other online forms of communication, such as WhatsApp.

    Elizabeth Denham, the UK’s Information Commissioner, said on July 6 that the data protection watchdog is now investigating the Department of Health and Social Care, branding the suggestion that officials are using these accounts to “conduct sensitive official business” as “concerning.”

    “It concerns the public to feel there may be a loss of transparency about decisions affecting them and their loved ones,” Denham commented. “And as the regulator of data protection and freedom of information laws, it concerns me.”

    The Information Commissioner has now served official notices on the department and others who may be connected to the inquiry, requesting information and the preservation of evidence. The ICO’s probe will try to establish whether or not government officials have used private correspondence channels in their roles in ways that have breached freedom of information regulations or data protection laws.

    According to the ICO, transparency is critical to democratic principles — and when a government has been making decisions over a period of 18 months that have deeply impacted our lives, the need to maintain security standards cannot be overlooked. Denham said that following a national crisis, and considering that the government’s own Code of Practice sets clear guidelines for data protection, “it is through transparency and explaining these decisions that people can understand and trust them.”

    “The use of private correspondence channels does not in itself break freedom of information or data protection rules,” she said. “But my worry is that information in private email accounts or messaging services is forgotten, overlooked, autodeleted, or otherwise not available when a freedom of information request is later made. This frustrates the freedom of information process, and puts at risk the preservation of official records of decision making.”

    Once completed, the results of the investigation will be published. The ICO can take a variety of actions depending on the results of the investigation, ranging from simple best-practice recommendations and enforcement notices up to criminal prosecution — a prospect that may be considered if there is any evidence that “information has been deliberately destroyed, altered, or concealed after it has been requested under the Freedom of Information Act.” Denham says that she will “not comment further until the conclusion of our investigative work.”

  • Install immediately: Microsoft delivers emergency patch for PrintNightmare security bug

    Microsoft has released an out-of-band patch for the security flaw known as PrintNightmare, which is already under attack and lets attackers take control of a PC. The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. It’s a critical bug in the Windows print spooler, with exploit code in the public domain before Microsoft had a chance to release a patch for it. Admins were advised to disable the Print Spooler service until a patch was made available.

    The remote code execution vulnerability surfaces when the Windows Print Spooler service improperly performs privileged file operations, according to Microsoft. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it warned in an advisory.

    Microsoft has now completed its investigation and released security updates to address the security bug. “The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’, documented in CVE-2021-34527, as well as for CVE-2021-1675,” Microsoft said.

    “We recommend that you install these updates immediately,” Microsoft said. The bug looks to be a serious concern at Microsoft, which has taken the rare step of releasing patches for Windows 7. That version of Windows reached the end of mainstream support on January 14, 2020. Very occasionally Microsoft releases patches for unsupported versions of Windows. It did that for Windows XP in 2017 after the WannaCry ransomware attacks, which were blamed on North Korean hackers. Windows 7 accounts for a smaller share of all Windows PCs today, but the numbers remain large enough for Google to maintain Chrome support for Windows 7 until July 2021.

    However, some versions of Windows will get patches at a later date. “Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon,” Microsoft noted. It has also published queries that security teams who use Microsoft 365 Defender can use to hunt for exploitation of the print spooler vulnerability.

  • Kaspersky Password Manager caught out making easily bruteforced passwords

    If you are in the business of generating passwords, it would probably be a good idea to use a source of entropy other than the current time, but for a long time, that’s all Kaspersky Password Manager (KPM) used. In a blog post capping off an almost two-year saga, Ledger Donjon head of security research Jean-Baptiste Bédrune showed KPM was doing just that.

    “Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools,” Bédrune wrote.

    One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bédrune said was probably an attempt to trick password cracking tools. “Their password cracking method relies on the fact that there are probably more ‘e’ and ‘a’ in a password created by a human than ‘x’ or ‘j’, or that the bigrams ‘th’ and ‘he’ will appear much more often than ‘qx’ or ‘zr’,” he said. “Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever.”

    The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it. “If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”

    The big mistake made by KPM, though, was using the current system time in seconds as the seed for a Mersenne Twister pseudorandom number generator. “It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Bédrune said. Because the program has an animation that takes longer than a second when a password is created, Bédrune said that could be why this issue was not discovered.

    “The consequences are obviously bad: every password could be bruteforced,” he said. “For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.” Bédrune added that because sites often show an account’s creation time, KPM users would be left vulnerable to a bruteforce attack of around 100 possible passwords. However, due to some bad coding leading to an out-of-bounds read on an array, Ledger Donjon found an additional smidgen of entropy. “Although the algorithm is wrong, it actually makes the passwords more difficult to bruteforce in some cases,” the post said.

    KPM versions prior to 9.0.2 Patch F on Windows, 9.2.14.872 on Android, or 9.2.14.31 on iOS were affected, with Kaspersky replacing the Mersenne Twister with the BCryptGenRandom function in its Windows version, the research team said. Kaspersky was informed of the vulnerability in June 2019, and released the fixed version in October that same year. In October 2020, users were notified that some passwords would need to be regenerated, and Kaspersky published its security advisory on 27 April 2021.

    “All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough,” the security company said. In late 2015, Kaspersky said one in seven people were using just one password. “A strong password that differs for each account is an important basic element of protecting your digital identity,” David Emm, principal security researcher at Kaspersky Lab, said at the time in a delicious piece of irony.
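    As an added illustration of the seeding flaw Bédrune describes (this is example code, not Ledger Donjon’s analysis tooling or Kaspersky’s code): a Mersenne Twister seeded with nothing but the current second, beside the hardened form that draws from the OS CSPRNG, plus an audit helper showing how small the candidate space becomes once the creation time is known. The charset and password length are assumptions, and KPM’s character-frequency logic is not modelled.

```python
# Added example (not Ledger Donjon's or Kaspersky's code): a minimal model of the
# flaw described above, a Mersenne Twister seeded only with the current time in
# seconds, beside the hardened form that draws from the OS CSPRNG. The charset
# and length are assumptions; KPM's real character-frequency logic is not modelled.
import math
import random
import secrets
import string
import time

CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"  # assumed, 70 symbols


def weak_password(seed_seconds: int, length: int = 12) -> str:
    """Flawed generator: random.Random is a Mersenne Twister (MT19937), and the
    only input entropy is the whole-second timestamp used as its seed."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def weak_password_now(length: int = 12) -> str:
    """The flaw as a user would hit it: two instances run in the same second
    produce the identical password, on any machine anywhere."""
    return weak_password(int(time.time()), length)


def strong_password(length: int = 12) -> str:
    """Hardened form: secrets reads the OS CSPRNG (BCryptGenRandom on Windows,
    getrandom/urandom elsewhere), so there is no seed to replay."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def weak_keyspace_bits(window_seconds: int) -> float:
    """Effective entropy of the weak generator: at most one password per second
    in the window, regardless of length or charset (315619200 s is ~28 bits)."""
    return math.log2(window_seconds)


def nominal_keyspace_bits(length: int = 12) -> float:
    """Entropy a uniformly random password of this length and charset has."""
    return length * math.log2(len(CHARSET))


def candidates_in_window(start_seconds: int, end_seconds: int, length: int = 12) -> list:
    """Audit helper: every password the weak generator could have emitted within
    an inclusive window of wall-clock seconds. With an account creation time
    visible to within about 50 s, the whole space is roughly a hundred strings."""
    return [weak_password(s, length) for s in range(start_seconds, end_seconds + 1)]


def password_is_time_derived(password: str, start_seconds: int, end_seconds: int) -> bool:
    """Check a generator's output against the weak model: True means the string
    is one the time-seeded generator would have produced inside the window."""
    return password in candidates_in_window(start_seconds, end_seconds, len(password))


if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp (2020-09-13 UTC)
    print("same second, same password:", weak_password(t) == weak_password(t))
    print("weak bits over 2010-2021:  ", round(weak_keyspace_bits(315619200), 1))
    print("nominal bits, 12 chars:    ", round(nominal_keyspace_bits(12), 1))
    print("strong sample:             ", strong_password())
```

The two entropy figures are the whole story: a 12-character password from the weak generator carries about 28 bits over the entire 2010 to 2021 window, and about 7 bits once the creation second is known to within two minutes, against roughly 73 bits for the same length drawn from a CSPRNG.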

  • Designing exploratory robots that collect data for marine scientists

    As the Chemistry-Kayak (affectionately known as the ChemYak) swept over the Arctic estuary waters, Victoria Preston was glued to a monitor in a boat nearby, watching as the robot’s sensors captured new data. She and her team had spent weeks preparing for this deployment. With only a week to work on-site, they were making use of the long summer days to collect thousands of observations of a hypothesized chemical anomaly associated with the annual ice-cover retreat.

    The robot moved up and down the stream, using its chemical sensors to detect the composition of the flowing water. Its many measurements revealed a short-lived but massive influx of greenhouse gases in the water during the annual “flushing” of the estuary as ice thawed and receded. For Preston, the experiment’s success was a heartening affirmation of how robotic platforms can be leveraged to help scientists understand the environment in fundamentally new ways.

    Growing up near the Chesapeake Bay in Maryland, Preston learned about the importance of environmental conservation from a young age. She became passionate about how next-generation technologies could be used as tools to make a difference. In 2016, Preston completed her BS in robotics engineering from Olin College of Engineering.

    “My first research project involved creating a drone that could take noninvasive blow samples from exhaling whales,” Preston says. “Some of our work required us to do automatic detection, which would allow the drone to find the blowhole and track it. Overall, it was a great introduction on how to apply fundamental robotics concepts to the real world.”

    Preston’s undergraduate research inspired her to apply for a Fulbright award, which enabled her to work at the Center for Biorobotics in Tallinn, Estonia, for nine months. There, she worked on a variety of robotics projects, such as training a robotic vehicle to map an enclosed underwater space. “I really enjoyed the experience, and it helped shape the research interests I hold today. It also confirmed that grad school was the right next step for me and the work I wanted to do,” she says.

    Uncovering geochemical hotspots

    After her Fulbright ended, Preston began her PhD in aeronautics and astronautics and applied ocean physics and engineering through a joint program between MIT and the Woods Hole Oceanographic Institution. Her co-advisors, Anna Michel and Nicholas Roy, have helped her pursue both theoretical and experimental questions. “I really wanted to have an advisor relationship with a scientist,” she says. “It was a high priority to me to make sure my work would always be a bridge between science and engineering objectives.”

    “Overall, I see robots as a tool for scientists. They take knowledge, explore, bring back datasets. Then scientists do the actual hard work of extracting meaningful information to solve these hard problems,” says Preston.

    The first two years of her research focused on how to deploy robots in environments and process their collected data. She developed algorithms that could allow the robot to move on its own. “My goal was to figure out how to exploit our knowledge of the world and use it to plan optimal sampling trajectories,” says Preston. “This would allow robots to independently navigate to sample in regions of high interest to scientists.”  

    Improving sampling trajectories becomes a major advantage when researchers are working under limited time or budget constraints. Preston was able to deploy her robot in Massachusetts’ Wareham River to detect dissolved methane and other greenhouse gases, byproducts of a wastewater treatment chemical feedstock and natural processes. “Imagine you have a ground seepage of radiation you’re trying to characterize. As the robot moves around, it might get ‘wafts’ of the radiation,” she says.

    “Our algorithm would update to give the robot a new estimate of where the leak might be. The robot responds by moving to that location, collecting more samples and potentially discovering the biggest hotspot or cause for the leak. It also builds a model we can interpret along the way.” This method is a major advancement in efficient sampling in the marine geochemical sciences, since historic strategies meant collecting random bottle samples to be analyzed later in the lab.

    Adapting to real-world requirements

    In the next phase of her work, Preston has been incorporating an important component — time. This will improve explorations that last over several days. “My previous work made this strong assumption that the robot goes in and by the time it’s done, nothing’s different about the environment. In reality this isn’t true, especially for a moving river,” she says. “We’re now trying to figure out how to better model how a space changes over time.”

    This fall, Preston will be traveling on the Scripps Institution of Oceanography research vessel Roger Revelle to the Guaymas Basin in the Gulf of California. The research team will be releasing remotely operated and autonomous underwater robots near the bottom of the basin to investigate how hydrothermal plumes move in the water column. Working closely with engineers from the National Deep Submergence Facility, and in collaboration with her advisers and research colleagues at MIT, Preston will be on board, directing the deployment of the devices.

    “I’m looking forward to demonstrating how our algorithmic developments work in practice. It’s also thrilling to be part of a huge, diverse group that’s willing to try this,” she says.

    Preston is just finishing her fourth year of research, and is starting to look toward the future after her PhD. She plans to continue studying marine and other climate-impacted environments. She is driven by our plethora of unexplored questions about the ocean and hopes to use her knowledge to scratch its surface. She’s drawn to the field of computational sustainability, she says, which is based on “the idea that machine learning, artificial intelligence, and similar tools can and should be applied to solve some of our most pressing challenges, and that these challenges will in turn change how we think about our tools.”

    “This is a really exciting time to be a roboticist who also cares about the environment — and to be a scientist who has access to new tools for research. Maybe I’m a little overly optimistic, but I believe we’re at a pivotal moment for exploration.”

  • China reportedly warns local tech companies of increased cybersecurity oversight

    China has reportedly warned local companies it will tighten oversight of data security and overseas listings, days after revealing that Didi has been subject to a government cybersecurity review. The State Council on Tuesday issued a statement indicating that it would crack down on the corporate sector across a range of areas, spanning from anti-trust to cybersecurity to fintech, Bloomberg said in a report. As part of the statement, China reportedly said rules for local companies listing overseas would be revised and publicly-traded firms would be held accountable for keeping their data secure. China also reportedly said it would step up its regulatory oversight of companies trading in offshore markets.

    China’s lawmakers have already commenced their crackdown, having passed new data security laws last month to strengthen the government’s control over digital information. The newly passed laws provide a broad framework for future rules on internet services, such as how certain types of data must be stored and handled locally.

    The warning comes days after Didi was removed from app stores in China for breaching regulations relating to the collection and use of personal data, which occurred shortly after the company made its debut on the New York Stock Exchange. Beyond Didi, other Chinese tech giants like Alibaba and Tencent have come under government scrutiny in recent months, with Alibaba being hit with a record 18.2 billion yuan fine. Thirty-three other mobile apps have also been called out by Beijing for collecting more user data than deemed necessary when offering services.

    With government oversight intensifying in China, tech companies, including Apple, Facebook, Google, and Twitter, have jointly warned that they could stop offering their services in Hong Kong if the government goes ahead with plans to amend privacy and doxxing laws. The laws, if amended, would put the staff of companies at risk of being imprisoned while making digital platforms vulnerable to criminal investigations for doxxing posts made by the platforms’ users. The laws in question were proposed by Hong Kong’s Constitutional and Mainland Affairs Bureau in May, which said doxxing needed to be addressed because it had become prevalent against government members during the push for the extradition amendment Bill that led to the 2019 Hong Kong protests.

    On the same day as China’s warning of increased tech oversight, Ministry of Foreign Affairs Deputy Director Zhao Lijian reportedly told local media that China would “not allow any country to reap benefits from doing business with China while groundlessly accusing and smearing China”. While not mentioning Australia by name, Zhao said a “certain country” has been acting as a “cat’s paw for others” and that there are consequences associated with that, when asked about Australia’s loss of market share in China’s agricultural market.