Information Technology

Trickbot malware is a thorn in the side of cybersecurity professionals and is now targeting the customers of 60 major institutions in phishing attacks and through web injections. 

Trickbot began its journey as a relatively simple Banking Trojan alongside the likes of Zeus, Agent Tesla, Dridex, and DanaBot. However, after the Dyre botnet was retired in 2016 and the infrastructure supporting the prolific Emotet botnet was disrupted by Europol and the FBI last year, more attention has been paid to Trickbot activities. The malware is modular, which means that users can adopt the software to conduct a wide range of attacks – and these assaults can be tailored depending on the desired victims. On February 16, Check Point Research (CPR) published a new study on Trickbot, noting that the malware is now being used in targeted attacks against customers of 60 “high profile” organizations, many of whom are located in the United States.  The companies themselves are not the victims of the malware. Instead, TrickBot operators are leveraging the brands’ reputations and names in numerous attacks.  According to CPR, the brands being abused by TrickBot include the Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood, Blockchain.com, and the Navy Federal Credit Union, among others.  Financial organizations, cryptocurrency exchanges, and technology firms are all on the list. 

The researchers have also provided technical details on three key modules – out of roughly 20 that Trickbot can use – used in attacks and to prevent analysis or reverse-engineering.  The first, injectDll, is a web injection module that can compromise a browser session. This module can inject JavaScript code into a browser to perform banking data and account credential theft, such as by diverting victims to malicious pages that appear to be owned by one of the legitimate companies mentioned above.  In addition, the module’s web inject format uses a tiny payload that is obfuscated to prevent detection.    TabDLL uses five steps to steal information. The malicious code opens up LSASS application memory to store stolen data, injects code into explorer.exe, and then forces the victim to enter login credentials before locking them out of their session. The credentials are then stolen and exfiltrated from LSASS using Mimikatz, before being whisked away to the attacker’s command-and-control (C2) server.  Furthermore, this module is also able to use the EternalRomance exploit to spread Trickbot across SMBv1 networks.  The third module of note is pwgrabc, designed to steal credentials from applications including the Chrome, Edge, Firefox and Internet Explorer browsers; Microsoft Outlook, FileZilla, TeamViewer, Git, and OpenSSH.  “Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families,” the researchers say. “No matter what awaits TrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost and the code would find its usage in the future.” In a separate research study published by IBM Trusteer in January, variants of Trickbot have been discovered that contain new features designed to hamper researchers trying to analyze the malware through reverse-engineering.  Alongside server-side injections and HTTPS C2 communication, Trickbot will throw itself in a loop if ‘code beautifying’ is detected – the automatic clean-up of code to make it more readable and easier to analyze. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A businessman has pleaded guilty to charges laid against him for selling and using surveillance tools and malware in Mexico and the United States. 

On February 15, the US Department of Justice (DoJ) said that Carlos Guerrero, a resident of Chula Vista, California and Tijuana, Mexico, admitted to “conspiring to sell and use hacking tools manufactured by private companies in Italy, Israel and elsewhere.”The 48-year-old appeared in a San Diego federal court, where prosecutors alleged that Guerrero owned a number of companies registered in the US and Mexico that were used as sales brokers for “interception and surveillance tools.” According to the DoJ, the firms worked with Mexican government clientele, commercial, and private customers.  In 2014 and 2015, Guerrero worked with an Italian company that developed tools for hacking devices and tracking victim locations.  Over time, the businessman expanded his reach and secured further brokerage deals with other surveillance software developers located in Israel and elsewhere.  By 2016 – 2017, Guerrero was brokering the sales of hardware able to jam signals, kits designed to intercept and eavesdrop on Wi-Fi connections, IMSI catchers, and software able to compromise the WhatsApp messaging system. 

“Guerrero admitted to knowing that, in some cases, his Mexican government clients intended to use the interception equipment for political purposes, rather than for legitimate law enforcement purposes,” prosecutors say.  In one example, Guerrero “knowingly” arranged for a mayor in Mexico to use the brokered technologies to break into a rival’s iCloud, Hotmail, and Twitter accounts. In another, a Florida-based sales representative was targeted for their phone and email records in exchange for a $25,000 payment.  Guerrero is yet to be sentenced. He faces a maximum penalty of five years in prison and a $250,000 fine.  “The world we live in is increasingly interconnected by technology meant to improve our lives, but as seen in this case, this same technology can be acquired by bad actors with harmful intentions,” commented Chad Plantz, Special Agent in Charge for HSI San Diego. “HSI and our law enforcement partners will remain committed to bringing to justice those who attempt to manipulate these platforms for nefarious purposes.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The State of Missouri will not prosecute a journalist branded a “hacker” for viewing website source code and reporting a serious security leak. 

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud published a story documenting the exposure of Social Security numbers belonging to teachers, administrators, and counselors caused by security flaws in the Missouri Department of Elementary and Secondary Education’s website. Over 100,000 SSNs were reportedly exposed.  Renaud discovered the issue in a search function on the website and all it took to find SSNs was to press F12 and view the website’s HTML through the developer console.  The news outlet did not go ahead with the story until the department took the impacted pages down and remove the search tool.  St. Louis Post-Dispatch reported the flaw, that allowed anyone with a browser to view this sensitive data, privately to DESE prior to publication. However, Missouri Governor Mike Parson took a dim view of the responsible disclosure.  On Twitter, Parson alleged that the journalist “took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.”

Parson said: “This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.” Locke Thompson, a Cole County Prosecutor, has declined to press charges. In a statement last week (.PDF), Thompson thanked the governor for his concerns and while “there is an argument to be made that there was a violation of law,” the “issues at the heart of the investigation have been resolved through non-legal means.” “As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” the prosecutor said.  The Cole County Prosecutor’s Office will not comment further on the case. After the threat of prosecution was dissolved, Post-Dispatch Publisher Ian Caso said that the “accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.” Renaud said the decision was a “relief” but does not “repair the harm done to me and my family.” In an interview with St. Louis on the Air, the journalist added that the governor has missed an opportunity to “change the public discourse” and “to change the way the politics are done in the state.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Home Affairs Minister Karen Andrews.
Image: Tracey Nearmy/Getty Images
Home Affairs Minister Karen Andrews introduced three new Bills into Parliament on Thursday, covering the federal government’s ransomware action plan, critical aviation and marine cybersecurity, and mobile phone access in prisons. The first of the three Bills contains criminal law reforms announced in October last year as part of Home Affairs’ ransomware action plan to create tougher penalties for cybercriminals. Chief among these penalties are an increased maximum penalty of 10 years’ imprisonment for cybercriminals that use ransomware and a new maximum penalty of 25 years’ imprisonment for criminals that target Australia’s critical infrastructure. Labelled by Home Affairs Secretary Mike Pezzullo earlier this week as the government’s “offence” against cyber threats, the Bill also seeks to criminalise individuals buying and selling malware for the purpose of committing a computer offence and dealing with stolen data. The Bill, if passed, would also expand law enforcement’s ability to monitor, freeze, and seize ill-gotten gains of criminals to also cover digital assets, including those held by digital currency exchanges. According to Andrews, the reforms are a response to the growing threat of malicious cyber attacks. “This Bill gives Australian law enforcement agencies the legal tools and capabilities they need to pursue and prosecute ransomware gangs and the pervasive threat of ransomware attacks on Australia and Australians,” Andrews said. “The Morrison government will not tolerate attacks on Australia’s critical infrastructure, small businesses, or targeting the most vulnerable members of our community. Cybercriminals use ransomware to do Australians real and long-lasting harm.”

When the ransomware action plan was first announced, Andrews said the legislation would sit alongside a mandatory ransomware incident reporting regime, which would require organisations with a turnover of over AU$10 million per year to formally notify government if they experience a cyber attack. Concrete details of the ransomware reporting regime are still yet to surface, however.The second Bill that was introduced into Parliament by Andrews on Thursday was the Transport Security Amendment (Critical Infrastructure) Bill 2022 (TSACI Bill), which Andrews said is aimed at bolstering the cyber defence of Australia’s airports and seaports.”The aviation and maritime transport sectors that support our economy and way of life are targets for criminals, terrorists. and malicious foreign actors. This is why in times of emergency we must be prepared to protect our critical aviation and maritime sectors,” Andrews said. Unlike the pair of Critical Infrastructures that already entered Parliament, with the first of them becoming law last year, the TSACI Bill is focused on creating additional reporting requirements for aviation and maritime entities whereas the other two Bills were drafted to generally cover entities across Australia’s 11 designated critical infrastructure sectors. The federal government said critical aviation and maritime needed additional reporting requirements against cyber threats due to the impact of the COVID-19 pandemic, as well as for times of emergency. This includes a new requirement for critical aviation and maritime entities to report cybersecurity incidents to both Home Affairs and the Australian Signals Directorate (ASD). Examples of cybersecurity incidents are malware, phishing, denial of service, and cross-site scripting, the Bill’s explanatory memorandum details. The new Bill also classifies cybersecurity incidents that have a relevant impact on a critical aviation or maritime asset to be unlawful interference. If the person who created the cybersecurity incident that had a relevant impact is convicted, they could potentially face the tougher penalties proposed in the aforementioned ransomware action plan legislation. A cybersecurity incident will be deemed to have created a relevant impact if it affected the availability, integrity, reliability or confidentiality of information about the asset.The Bill also seeks to create an “all hazards” reporting framework that will require critical aviation and maritime entities to consider and be resilient to any natural disasters, cyber vulnerabilities, and supply chain disruptions that could impact their ability to provide services. According to the TSACI Bill’s explanatory memorandum, the new reporting requirements align with the reporting requirements contained in the first Critical Infrastructure Bill and work alongside the existing reporting requirements for other types of aviation and maritime security incidents. The last of three Bills is legislation to assist state and territory corrective services authorities identify, investigate, and prevent illegal mobile phone criminal activity in Australia’s prisons. If passed, the Bill would amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to provide prison authorities with the ability to access telecommunications data to track down illegal mobile phone use activity in prisons. “It is vital for prison authorities to have the powers they need to uncover illicit mobile phones and access their telecommunications data to prevent and prosecute criminal and national security offences inside Australia’s prisons,” Andrews said. “Australians expect our prison authorities to have the legal powers they need to identify and prosecute an inmate or inmates found to be linked to illegal mobile phones, to stop criminal activity, and to stop inmates establishing criminal networks within our prison system. Prior to the prison mobile phone legislation coming before Parliament, Andrews already provided immediate access to these powers to Corrective Services NSW, using her temporary declaration powers under the TIA Act. Related Coverage More

Phishing attacks impersonating emails from LinkedIn have grown 232% since the start of February, according to cybersecurity firm Egress.The company released a report about cybercriminals using display name spoofing and stylized HTML templates to socially engineer victims into clicking on phishing links in Outlook 365 and then entering their credentials into fraudulent websites. 

ZDNet Recommends

Many people have become accustomed to seeing emails from LinkedIn saying things like “You appeared in 4 searches this week,” “You have 1 new message,” and “Your profile matches this job.”But now, cybercriminals are using webmail addresses with a LinkedIn display names to send fake emails with the same subject lines. “The emails use multiple stylized HTML templates, including the LinkedIn logo, brand colors and icons. Within the body of the email, the cybercriminal uses other well-known organizations’ names (including American Express and CVS Carepoint) to make the attacks more convincing,” Egress explained. “When clicked, the phishing links send the victim to a website that harvests their LinkedIn log-in credentials. The footer features elements from LinkedIn’s genuine email footer, including their global HQ address, hyperlinks to unsubscribe and to their support section, and the recipient’s information.”
Egress
Egress noted that the emails were particularly concerning right now because so many people are looking for new jobs and switching employers, making them more likely to click on malicious links that look identical to some LinkedIn messages.

Yehuda Rosen, senior software engineer at nVisium, added that LinkedIn has hundreds of millions of users, many of whom are very accustomed to seeing frequent, legitimate emails from LinkedIn. They may inevitably click without carefully checking that each and every email is real.Also: Microsoft allows US users to cut politics from their LinkedIn feedsA record number of people have already left their jobs and are looking for work, and Egress said they have seen a variety of targets in different industries across North America and the UK.”The attacks we have seen are bypassing traditional email security defenses to be delivered into people’s inboxes. We advise organizations to examine their current anti-phishing securing stack to ensure they have intelligent controls deployed directly into people’s mailboxes,” Egress said.”Individuals should take extreme caution when reading notification emails that request them to click on a hyperlink, particularly on mobile devices. We recommend hovering over links before clicking on them and going directly to LinkedIn to check for messages and updates.” More

Nine vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) catalog of known exploited vulnerabilities this week, with two carrying a remediation date of March 1. The two vulnerabilities — CVE-2022-24086 and CVE-2022-0609 — relate to Adobe Commerce and Magento as well as Google Chrome. 
CISA
Adobe released an emergency patch on Monday to tackle CVE-2022-24086, which security companies have confirmed is being exploited in the wild. The tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source. It is being weaponized “in very limited attacks targeting Adobe Commerce merchants,” according to Adobe.The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. The vulnerability has been issued a CVSS severity score of 9.8 out of 10. Adobe’s patches can be downloaded and manually applied here. Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform. In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020. “We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability,” an Adobe spokesperson said. “At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates.”

The other issue given a remediation date of March 1 is a Google Chrome Use-After-Free vulnerability. Google released a fix for the issue on Monday and said it was reported on February 10 by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.”Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” Google Chrome’s Srinivas Sista added. The rest of the vulnerabilities on the list have remediation dates of August 15.CISA has increased the number of times they update the known exploited vulnerabilities catalog, adding more and more bugs more often in 2022. Their last update was just five days ago and included one vulnerability with a remediation date of February 24. More

Users of Apache Cassandra are being urged to upgrade their versions after JFrog’s Security Research team disclosed a remote code execution vulnerability that they said is “easy to exploit and has the potential to wreak havoc on systems.”Shachar Menashe, senior director of security research at JFrog, told ZDNet that even though these new vulnerabilities do not affect Apache Cassandra default installations where User Defined Functions (UDFs) are disabled, many Cassandra configurations enable them, causing the instance to be vulnerable to an RCE or DoS attack. “We recommend looking at your Cassandra configuration and — if UDFs are enabled — take the appropriate steps to remediate,” Menashe said.In a blog post, the JFrog’s Security Research team explained that CVE-2021-44521 was given a CVSS of 8.4 but said it only affects non-default configurations of Cassandra.They noted that Netflix, Twitter, Urban Airship, Constant Contact, Reddit, Cisco, OpenX, Digg, CloudKick and more use Cassandra because it is a “highly scalable, distributed NoSQL database that is extremely popular due to the benefits of its distributed nature.””Cassandra offers the functionality of creating user-defined-functions (UDFs) to perform custom processing of data in the database. Cassandra UDFs can be written by default in Java and JavaScript. In JavaScript it uses the Nashorn engine in the Java Runtime Environment (JRE) which is a JavaScript engine that runs on top of the Java Virtual Machine (JVM),” JFrog’s security researchers said. “Nashorn is not guaranteed to be secure when accepting untrusted code. Therefore, any service that allows such behavior must always wrap the Nashorn execution in a sandbox. As we were researching the Cassandra UDF sandbox implementation, we realized that a mix of specific (non-default) configuration options could allow us to abuse the Nashorn engine, escape the sandbox and achieve remote code execution. This is the vulnerability that we reported as CVE-2021-44521.”

Deployments become vulnerable to the issue when the cassandra.yaml configuration file contains certain definitions described in the blog, and JFrog said it also found other issues with those running Cassandra on some non-default configurations.They urged Apache Cassandra 3.0.x users to upgrade to 3.0.26, adding that 3.11.x users should upgrade to 3.11.12 and 4.0.x users should upgrade to 4.0.2. All of the updated versions resolve CVE-2021-44521. There are also several mitigations for those who cannot upgrade their Cassandra instances. Users can disable UDFs, if they are not actively used, by setting enable_user_defined_functions to false, and if UDFs are needed, users can set enable_user_defined_functions_threads to true. Users can also remove the permissions of creating, altering and executing functions for untrusted users by removing the following permissions: ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE and FUNCTION for CREATE, ALTER and EXECUTE queries.Netenrich threat hunter John Bambenek said that while this is not as serious as Log4j, it does have the appearance of something that is mobile and potentially widespread. “Even though it requires non-default user configuration settings, I suspect that the settings are common in many applications around the world. Unfortunately, there is no way to know exactly how many installations are vulnerable and this is likely the kind of vulnerability that will be missed by automated vulnerability scanners,” Bambenek said. “Enterprises will have to go into the configuration files of every Cassandra instance to determine what their risk is.”Mike Parkin, an engineer at Vulcan Cyber, noted that any organization using Cassandra should be able to check their configuration easily, especially if they have configuration or risk management software, and correct it if it’s vulnerable. More

The International Committee of the Red Cross (ICRC) released more details about a hack they discovered last month, tying the incident back to an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.Tagged as CVE-2021-40539, the vulnerability was spotlighted by several companies last year, including Microsoft, Palo Alto Networks, and Rapid7. Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the German Federal Office for the Protection of the Constitution (BfV) released warnings that APT groups were exploiting the issue. In a joint advisory from September, CISA, the FBI, and the US Coast Guard Cyber Command said APT actors had already used CVE-2021-40539 to target “academic institutions, defense contractors and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance.”In a statement on Wednesday, the ICRC admitted that it failed to apply the patch for CVE-2021-40539 before they were initially attacked on November 9, just one day after Microsoft warned that DEV-0322, a group operating out of China, was exploiting the vulnerability. “The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly, and therefore out of reach to other actors. The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors,” the ICRC said.”We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address). The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”The organization added that CVE-2021-40539 allows malicious hackers to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.  

Once the hackers were inside the ICRC systems, they used other offensive security tools to hide their identity and masquerade as legitimate users and administrators. The hackers spent 70 days inside the ICRC system before they were discovered in January.The ICRC would not attribute the attack but did say they are still willing to communicate with the hackers. They are currently working with the National Cyber Security Center (NCSC) of Switzerland as well as national authorities in countries where the Red Cross and Red Crescent National Societies are operating. The hack leaked the names and contact information of 515,000 people that are part of the Restoring Family Links program, which works to reconnect missing people and children with their families after wars, violence, or other issues.The personal information includes the names, locations, and more of missing people and their families, unaccompanied or separated children, detainees, and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration. The login information for about 2,000 Red Cross and Red Crescent staff and volunteers was also been breached. The ICRC said it is still in the process of contacting all of the people involved in the hack, noting that the process “is complex and will take time.””Those most at risk are our top priority. Some of this is being done through phone calls, hotlines, public announcements, letters, and in some cases it requires teams to travel to remote communities to inform people in-person. We are making every effort to contact people who can be difficult to reach, such as migrants,” ICRC said, providing a list of contact details and an FAQ for those who may be affected.  “We also have developed workaround solutions enabling Red Cross and Red Crescent teams worldwide to continue providing basic tracing services for the people impacted by this breach while we rebuild a new digital environment for the Central Tracing Agency.”The US State Department spotlighted the attack in a statement earlier this month, calling on other countries to raise alarms about the incident.  The ICRC expressed concern that the stolen data would be “used by States, non-state groups, or individuals to contact or find people to cause harm.” The ICRC also said the attack would affect their ability to work with vulnerable populations who may no longer trust them with sensitive information. “This attack is an extreme violation of their privacy, safety, and right to receive humanitarian protection and assistance,” the organization said. “We need a safe and trusted digital humanitarian space in which our operational information, and most importantly the data collected from the people we serve, is secure. This attack has violated that safe digital humanitarian space in every way.” More