More stories

  • in

    Trickbot will now try to crash researcher PCs to stop reverse engineering attempts

    The Trickbot Trojan has been revised with a new set of anti-reverse engineering features including the capability to crash computers if analysis tools are detected.

    Over the years, Trickbot has evolved from its original state as a banking Trojan to a wider suite of malicious components. Following the retirement of Dyre in 2016 and the disruption of the Emotet botnet by law enforcement in 2021, Trickbot has filled the gap for many threat actors and is now used to steal financial data and to facilitate the execution of ransomware – and due to its versatile, modular nature, has also become a popular option for deploying other forms of malware. “Between takedown attempts and a global pandemic, it has been diversifying its monetization models and growing stronger,” researchers from IBM Trusteer say.

    In a new report on the malware’s current development, IBM Trusteer has found that the malware’s usage continues to escalate and samples of recent Trickbot injections have revealed new features designed to prevent analysis. Reverse engineering in cybersecurity aims to dissect a malware sample, dismantling the code to find out how it operates — and potentially how to defend against it.

    Beyond typical obfuscation, the malware uses three major lines of defense to stop reverse engineering from succeeding. The first trick used by the Trojan is the use of server-side injections, rather than loading them from infected machines.

    “Keeping injections on infected machines means they are more likely to land in the hands of security researchers,” the researchers explained. “Injections kept locally are also less agile and harder to manipulate in real-time. To move beyond these risks, Trickbot’s operators inject from their server, known as server-side injections. To facilitate fetching the right injection at the right moment, the resident Trickbot malware uses a downloader or a JavaScript (JS) loader to communicate with its inject server.”

    The second method of note is the use of HTTPS communication when injections are fetched from Trickbot’s command-and-control (C2) server. Flags are used to specify the page a victim is browsing, and requests from unknown – or “unwelcome” – sources can be ignored, locking up data streams and barring researchers from properly analyzing communication flows. Certificate errors are also suppressed so that victims do not become aware of the C2 server link.

    The third line of defense, however, is the most interesting update. An anti-debugging script has been added to the code that can trigger a memory overload if a security researcher performs “code beautifying,” a technique used to make large swathes of code more readable and easier to analyze. If Trickbot detects this type of decoding, the malware will throw itself into a loop.

    “TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes,” the team says. “The goal is to anticipate the typical actions researchers will take and ensure their analysis fails.”

    IBM Trusteer says that Base64 obfuscation, redundant junk script and code, and native function patches are also used to sideline and confuse researchers.

    In other security news this month, the FBI issued a warning related to the spread of Diavol ransomware, a strain of malware that uses machine fingerprinting methods similar to Trickbot’s to identify victim PCs.

  • in

    UK government security center, i100 publish NMAP scripts for vulnerability scanning

    The UK’s National Cyber Security Center (NCSC) has released NMAP scripts to help defenders search for specific vulnerabilities in their networks. 

    On January 25, the NCSC said the trial project is a joint effort between the cybersecurity guidance organization and the Industry 100 (i100). i100 is a cohort of public and private sector companies working with the NCSC to “bring industry and government expertise together in a way that helps us all learn lessons, identify systemic vulnerabilities and reduce the future impact of cyberattacks.”

    The project is called Scanning Made Easy (SME) and is a collection of NMAP Scripting Engine (NSE) scripts developed to tackle what the NCSC calls a “frustrating” problem: the use of scripts that are not suitable, or not necessarily safe, to run. “When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network,” the organization says. “To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results.”

    The i100 and NCSC’s script package is based on the industry-standard NSE framework, which has been in development for decades and can be used to write simple scripts and automate network tasks. When SME is run, a script checks for specific vulnerabilities that could impact the security of an organization. A description of the vulnerability and a link to the associated vendor’s advice on how to mitigate the flaw are also included.

    “While there won’t be a script for every single vulnerability, our plan is that scripts will be developed, and continuously reviewed, for critical vulnerabilities and for vulnerabilities that are consistently causing headaches for system administrators,” the NCSC says.

    To keep SME’s framework and scripts consistent, a set of developer guidelines has been published. A submitted script must be in the .nse format, “relate to one of the high priority vulnerabilities impacting the UK,” run in isolation, have a low false-positive rate, and be as unintrusive as possible. In addition, the NCSC requires scripts to be made public and to be freely available under open source terms. The NCSC will then verify submitted scripts before adding them to the SME portfolio.

    The first script being released is for vulnerabilities in the Exim message transfer agent (MTA). Known collectively as 21Nails and discovered by Qualys, CVE-2020-28017 through CVE-2020-28026 can be chained together to perform remote code execution (RCE) and gain root privileges.

    In related security news this week, a critical memory corruption vulnerability in polkit that impacts a range of Linux distros has been disclosed by researchers.

  • in

    GitHub enables two-factor authentication mechanism through iOS, Android app

    GitHub announced that two-factor authentication will be available to all users through GitHub Mobile this week. In a blog post, GitHub’s Berk Veral said GitHub Mobile 2FA will be available to all users in the App Store and Play Store. The feature is another way GitHub users can enable two-factor authentication, alongside security keys and WebAuthn, one-time passcodes, and SMS.

    “GitHub Mobile provides a strong alternative to existing one-time passcode options offered by third-party applications and via SMS, with an experience that is fully baked into the GitHub services you already use,” Veral said. “GitHub is committed to keeping our platform secure and enabling developers to secure their accounts. One way we’re doing that is by helping more developers adopt two-factor authentication (2FA) for their accounts. Over the past year, we’ve led the way in improving developer account security with the introduction of support for security keys as an authentication mechanism for git operations and enforcing two factor authentication for all npm publishers.”

    For those who already have two-factor authentication enabled on their GitHub accounts and have the mobile app installed, all you have to do is update the app to start using the Mobile 2FA feature. GitHub also provides links to help those looking to install it and urged anyone who hasn’t already enabled two-factor authentication to do so through the account settings page. Those who haven’t already set it up will need to use SMS or another time-based one-time password to set it up for the first time before they can use Mobile 2FA.

    “Once set up, you’ll receive a push notification to your mobile device when you sign in to your GitHub.com account on any browser. You can approve or reject the sign-in attempt. If you approve it, you’ll be logged into GitHub.com immediately,” Veral explained. “If you already set up 2FA with a security key, GitHub will use that as the primary two factor authentication channel. Security keys provide the strongest available protection of your account credentials. Read more about how GitHub is integrating authentication with security keys.”

    GitHub repeatedly pushed its users to enable two-factor authentication last year and, in August, announced that it would stop accepting account passwords when authenticating Git operations. The platform began requiring people to use stronger authentication factors such as personal access tokens, SSH keys, or OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com. “If you have not done so already, please take this moment to enable 2FA for your GitHub account. The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing,” GitHub’s Mike Hanley explained last year.
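The story mentions time-based one-time passwords as one of the factors users can enroll with before switching to the mobile app. For readers who want to see what such a code actually is, the block below is an added example implementing the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms in plain Python; it is not GitHub's code, and the secret, step size and verification window are the RFC defaults rather than anything GitHub has published.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the kind of one-time passcode the article
mentions. Added illustration, not GitHub's implementation."""
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)             # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, int(for_time // step), digits, algo)


def verify_totp(secret: bytes, candidate: str, now: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps of clock skew.
    hmac.compare_digest keeps the comparison constant-time so a verifier does
    not leak how many leading digits matched."""
    if not candidate.isdigit():
        return False
    base = int(now // step)
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta, digits=len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded as enrollment QR codes carry it."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


if __name__ == "__main__":
    secret = base64.b32decode(new_secret())
    code = totp(secret, time.time())
    print("current code:", code, "verifies:", verify_totp(secret, code, time.time()))
```

The RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with eight digits gives `94287082`) are the quickest way to confirm an implementation before trusting it with a real account.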

  • in

    F5 beats Wall Street expectations, warns of supply chain constraints in 2022

    Application security company F5 Networks delivered better-than-expected Q1 financial results, reporting non-GAAP net income of $179 million, or $2.89 per diluted share, and a GAAP revenue of $687 million. But the company warned it may have supply chain constraints throughout 2022. F5 attributed the Q1 revenue growth to a 19% increase in product revenue and a 2% increase in global services revenue growth compared to Q1 2021. F5 saw non-GAAP product revenue grow due to a 47% increase in software revenue and a 1% increase in systems revenue. 

    F5 expects to deliver Q2 revenue in the range of $610 to $650 million. François Locoh-Donou, F5’s president and CEO, said the company saw strong demand for its application security and delivery solutions, leading to the 10% revenue growth in Q1. “Demand for software solutions was particularly strong, with non-GAAP software revenue growing 47% compared to the same period in the prior year,” Locoh-Donou said. “Demand drivers across our business are as strong as they have ever been. Customers increasingly see F5 as an innovator uniquely equipped to help them build and scale both their traditional and modern application environments with our software- and systems-based solutions.”

    Deeper into the earnings report, the company said it expects its ability to “meet customers’ continued strong demand for systems will be restricted by supply chain constraints for the remainder of fiscal year 2022.” The company is expecting fiscal year 2022 revenue growth to be in the range of 4.5% to 8%, down from its previous expectation of 8% to 9% growth.

    The report sent F5 shares down 14% in after-hours trading. Last year, the company announced that it would acquire distributed multi-cloud application security and load-balancing software company Volterra of Santa Clara, California. F5 Networks also announced that it is acquiring cloud security company Threat Stack for $68 million.


  • in

    Major Linux PolicyKit security vulnerability uncovered: Pwnkit

    If it’s not one thing, it’s another. After one real Linux problem — the heap overflow bug in the Linux kernel’s fs/fs_context.c program — is found and fixed, then a new security problem is discovered. This time security company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit’s pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It’s installed by default in every major Linux distribution.

    How dangerous is it? Very. This vulnerability is easy to exploit, and with it any ordinary user can gain full root privileges on a vulnerable computer in its default configuration. As Qualys wrote in its brief description of the problem: “This vulnerability is an attacker’s dream come true.” Their dream is our nightmare. Why is it so bad? Let us count the ways:

    • Pkexec is installed by default on all major Linux distributions. Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in its tests, and is sure other distributions are also exploitable.
    • Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
    • An unprivileged local user can exploit this vulnerability to get full root privileges.
    • Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
    • And, last but not least, it’s exploitable even if the polkit daemon itself is not running.

    Lovely, simply lovely.

    It’s so dangerous because the program itself is so powerful; it’s a component for controlling system-wide privileges in Unix-like operating systems. While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can’t be attacked by exploits using this vulnerability. Red Hat rates PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.

    When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission. In other words, pkexec is like the sudo command. Indeed, Debian developers describe it as “the sudo of systemd.”

    This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environment variables. The short version, according to Qualys, is: “If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0].” While Qualys won’t be releasing a demonstration exploit, the company is sure it won’t take long for exploits to be available. Frankly, it’s not that hard to create a PwnKit attack.

    This is why you should obtain and apply a patch as quickly as possible from your Linux distributor. If no patches are available for your operating system, you can remove the SUID bit from pkexec as a temporary mitigation. For example, this root-powered shell command will stop attacks:

        # chmod 0755 /usr/bin/pkexec

    Could you already have been attacked? It’s possible. If there’s been a sloppy attack on your system, see if there are traces in the logs. Typically this will be either “The value for the SHELL variable was not found in the /etc/shells file” or “The value for environment variable […] contains suspicious content.” But a sophisticated attacker can make a PwnKit assault without leaving any traces in the logs.

    Now, if you’ll excuse me, I have a lot of Linux machines to patch. Good luck with your systems.
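The two defensive steps above, confirming the SUID bit has been removed and looking for the log messages a clumsy attempt leaves behind, are easy to script for a fleet. The block below is an added example, not Qualys' or any distribution's tooling: it checks a file's mode for the set-user-ID bit, shows the chmod 0755 mitigation on a throwaway file, and scans log lines for the two indicator messages the article names. The path `/usr/bin/pkexec` comes from the article's command; the sample journal lines are constructed.

```python
"""Defensive checks for the pkexec issue described above (added example).
Confirms whether the SUID bit is still set on pkexec and scans log lines for
the two messages the article names as traces of a sloppy attempt."""
import os
import re
import stat
import tempfile
from typing import Optional

PKEXEC_PATH = "/usr/bin/pkexec"   # path used in the article's chmod mitigation

# The two log messages the article names. The second one carries a variable
# name in the real message, so it is matched as a pattern.
LOG_INDICATORS = [
    re.compile(r"The value for the SHELL variable was not found in the /etc/shells file"),
    re.compile(r"The value for environment variable \S+ contains suspicious content"),
]


def is_suid_mode(mode: int) -> bool:
    """True if an st_mode value has the set-user-ID bit set."""
    return bool(mode & stat.S_ISUID)


def pkexec_is_suid(path: str = PKEXEC_PATH) -> Optional[bool]:
    """True/False for the SUID bit on `path`, or None if the file does not exist."""
    try:
        return is_suid_mode(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def scan_log_lines(lines):
    """Return the log lines matching either pkexec indicator."""
    return [line for line in lines if any(p.search(line) for p in LOG_INDICATORS)]


def demo_suid_toggle() -> tuple:
    """Show the mitigation on a throwaway file: mode 4755 is SUID, 0755 is not."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o4755)
        before = pkexec_is_suid(path)
        os.chmod(path, 0o755)    # the article's mitigation: chmod 0755 <pkexec>
        after = pkexec_is_suid(path)
    finally:
        os.unlink(path)
    return before, after


# Constructed sample journal lines, not real logs from any incident.
SAMPLE_LOG = [
    "Jan 26 10:01:02 host pkexec[4321]: The value for the SHELL variable was not found in the /etc/shells file",
    "Jan 26 10:01:05 host pkexec[4322]: The value for environment variable XAUTHORITY contains suspicious content",
    "Jan 26 10:02:00 host sshd[100]: Accepted publickey for alice from 10.0.0.5 port 50122",
]

if __name__ == "__main__":
    print("pkexec SUID on this host:", pkexec_is_suid())
    print("temp-file demo (before, after):", demo_suid_toggle())
    for hit in scan_log_lines(SAMPLE_LOG):
        print("indicator:", hit)
```

Run it as an unprivileged user to audit a host; the log scan is only a tripwire, since, as the article says, a careful attacker leaves neither message.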


  • in

    Google reveals 'Topics' cookie replacement, acknowledges FLoC was problematic

    Google has provided new information on the end of the troubled development process for the FLoC (Federated Learning of Cohorts) it had hoped to use as a replacement for cookies, and it has done so as part of its reveal of another proposed replacement: Topics. 

    The search giant’s first attempt to replace the third-party cookie with its own technology was met with staunch opposition from some, a wary eye from others, and very little positive feedback. It originally committed, in early 2021, to ending third-party cookie support within its Chrome browser in 2022. At that time, Google intended for FLoC to replace cookies with a new technology which it claimed was far more anonymized and still able to yield conversion rates of 95% for every ad dollar spent. Obviously, things didn’t work out quite as the company had hoped. It eventually ended the development of FLoC in July 2021, around the same time it announced that Chrome would continue supporting third-party cookies until at least mid-2023. The company had remained cagey on how it planned to move forward with its still-extant plans to replace the cookie until now.

    Dubbed simply “Topics,” the new technology aims to track users anonymously using a new API designed to fulfill Google’s four main privacy goals:

    • The technology must make it “difficult to reidentify significant numbers of users across sites using just the API.”
    • It should offer a viable replacement for “a subset of the capabilities of third-party cookies.”
    • Any recorded data must be “less personally sensitive” than what is being collected today.
    • The API should be understandable to users and transparent in its intentions.

    Google apparently feels its Topics API meets all of these criteria while still providing the data interest-based ads (IBAs) need to continue operating at a level similar to their current cookie-based endeavors. In addition to posting a GitHub entry revealing the technical details of Topics, Google’s Privacy Sandbox lead Ben Galbraith also held a press briefing in which he revealed additional parameters to several news outlets. Among them was the fact that Topics will initially attempt to track the user’s behavior across up to 300-350 specific areas of interest. These areas are based on the IAB Audience Taxonomy, which contains a much more comprehensive list of 1,500 or so trackable areas of interest. Google’s GitHub post noted that this is an initial design, hinting that those 350 or so might expand further in the future. According to Galbraith, if they do, they will not be expanding into what Google called “sensitive topics,” which includes things like the user’s race and gender.

    In practical operation, the Topics API lets the user’s browser share three of their detected areas of interest when the user visits a site using IBAs. The API will randomly select those three from among the top five it detected. One topic will be chosen from the top five for each of the previous three weeks to give a better but still anonymized picture of the user’s recent online browsing history. Google intends for users to be able to get personally involved with their Topics as well, noting that they will be able to disable the tracking of specific areas of interest while also being able to review what Topics have been chosen for them at any given point.

    This level of transparency and user control addresses two of the biggest issues Google heard about in feedback surrounding the failed FLoC proposal: that it was too opaque and added too much personalized “digital fingerprinting” data to the system. The company’s aforementioned promise to avoid “sensitive” topics likewise addresses an unfortunate tendency that FLoC had for automatically creating ad cohorts around topics like gender and race.

    Google plans to begin testing Topics with external parties sometime later this quarter. It remains to be seen whether this technology will fare any better than FLoC or if Google will once again be forced to continue accepting third-party cookies within its Chrome browser for years to come.
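To make the selection rule concrete, here is an added model of the behaviour the article describes, written from that description rather than from Google's implementation or its GitHub explainer: per week, the five most-visited topics form the pool; one topic is drawn at random from each of the last three weeks' pools; anything the user has disabled is removed before the draw. The weekly visit counts and topic names are constructed, and the handling of a week whose whole pool is disabled (it simply contributes nothing) is an assumption the article does not settle.

```python
"""Model of the Topics selection described in the article (added example,
not Google's code). One random pick from each of the last three weeks'
top-five lists, with user-disabled topics excluded before the pick."""
import random
from collections import Counter

# Constructed per-week visit counts for an imaginary user; names are made up.
WEEKLY_VISITS = [
    Counter({"Cycling": 9, "Gardening": 7, "Jazz": 6, "Cooking": 5, "Hiking": 4, "Chess": 1}),
    Counter({"Jazz": 12, "Cycling": 8, "Cooking": 6, "Travel": 5, "Photography": 3, "Chess": 2}),
    Counter({"Travel": 10, "Cooking": 9, "Cycling": 4, "Gardening": 4, "Photography": 3, "Hiking": 1}),
]


def top_topics(visits: Counter, n: int = 5) -> list:
    """The n most-visited topics for one week; ties broken alphabetically so
    the result is deterministic."""
    ordered = sorted(visits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [topic for topic, _ in ordered[:n]]


def choose_topics(weekly_visits, disabled=frozenset(), seed=None,
                  per_week_pool: int = 5, weeks: int = 3) -> list:
    """One randomly chosen topic from each of the last `weeks` weeks' top lists.
    Disabled topics never enter the draw. Assumption: a week whose entire pool
    is disabled contributes nothing rather than a substitute topic."""
    rng = random.Random(seed)
    chosen = []
    for visits in weekly_visits[-weeks:]:
        pool = [t for t in top_topics(visits, per_week_pool) if t not in disabled]
        if pool:
            chosen.append(rng.choice(pool))
    return chosen


if __name__ == "__main__":
    for week, visits in enumerate(WEEKLY_VISITS, 1):
        print(f"week {week} pool:", top_topics(visits))
    print("shared with the site:", choose_topics(WEEKLY_VISITS, disabled={"Cooking"}, seed=7))
```

The point the model makes visible is that a site never sees the full ranking, only one of five per week, and that a disabled topic such as "Cooking" cannot be shared even when it is the user's second-most-visited area.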

  • in

    Snag a 4-pack of Tile Mates for just $39 and never lose your keys again

    Sometimes, I question if my keys and wallet are like the toys in Toy Story, having their own entities and tip-toeing away when I’m not looking. True or not, you’ve got a friend in item trackers — like the Tile Mate — which can be attached to virtually any personal belonging and serve as a location beacon when it’s gone missing. Right now, Target has a 4-pack of the 2020 Tile Mates for just $39.99. This bundle typically sells for $69.99 so you’re not only saving big, but essentially paying just $10 per Tile. This is the lowest price we’ve seen on the 4-pack offering and stock will be limited depending on your location, so act fast.


    The Tile Mate (2020) is a tried-and-true gadget that, from my personal experience, works just as well tracking bags, wallets, and ID badges as it does keys. Once paired to your iOS or Android device, you’ll be able to ping your Tile-attached item to sound an alarm. The tag also doubles as a phone-finder, triggering a sound notification from your mobile device with a press of a button, even if it’s on silent mode.

    Whether you’ve used a Tile product or not, the setup process is fairly straightforward, thanks to Bluetooth 5.0 and a built-in loop hole. The Tile Mate (2020) promises a tracking distance of up to 200 feet, which is just 50 feet less than the new 2022 model. However, many Tile users prefer the older model due to its replaceable battery. If you plan to use your Tile Mate for as long as possible, being able to replenish the battery every year is an invaluable feature.

    While supplies last, you can pick up a 4-pack for just $39 ($30 off). For reference, a single pack is typically priced at $24.99. So in this case, you’re paying just $10 a piece, with plenty to save as backups or share with your friends and family. Availability will vary depending on your area so act fast if you’re wanting a bundle for yourself.


  • in

    Trellix finds OneDrive malware targeting government officials in Western Asia

    Hackers are using Microsoft OneDrive in a multi-stage espionage campaign aimed at high-ranking government officials in Western Asia, according to a new report from Trellix. 


    Researchers with Trellix named the malware involved “Graphite” because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server. The attack takes advantage of an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory, according to Trellix.

    “As seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims’ systems since it will only connect to legitimate Microsoft domains and won’t show any suspicious network traffic,” Trellix explained.

    Christiaan Beek, lead scientist at Trellix Threat Labs, told ZDNet that he was surprised to see Microsoft OneDrive used as a Command and Control Server mechanism, noting that it was “a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim’s folders.” “Next OneDrive would sync with the victim’s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker,” Beek said, adding that what stood out most to him was “the multi-stage approach with a novel technique, multiple malware samples and the operational security of the actor.”

    Beek noted that the attack was successful but would not share more information about the hackers’ goals, saying the investigation is still ongoing. The attack was prepared in July 2021 and eventually deployed between September and November 5, according to the Trellix report. Trellix’s Marc Elias said it targeted “government officials overseeing national security policy and individuals in the defense industry.”

    Elias wrote that the attack is split into multiple stages so that it stays as hidden as possible and said that while attribution was difficult, there was some evidence as to the potential culprit. “A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don’t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate,” Elias wrote. “That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.”

    The first stage of the attack “likely” involves a spear-phishing email aiming to lure victims into opening an Excel file named “parliament_rew.xlsx.” Other techniques help the attacker to get around some antivirus scanning engines and office analysis tools, allowing it to continue undetected. “It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors,” the study explained. “One of the lure documents we mentioned before (named ‘parliament_rew.xlsx’) might have been aimed for targeting government employees. Besides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name ‘Missions Budget.xlsx’ contained the text ‘Military and civilian missions and operations’ and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.”

    From its telemetry, Trellix discovered that Poland and other Eastern European countries were of interest to the hackers and noted that the lure documents “show its activities are centered in specific regions and industries.” The report notes that the attacks occurred during the border tensions between Armenia and Azerbaijan. The hackers behind the project only worked from Monday to Friday, according to Trellix, and the timestamps show they only worked during normal business hours in the GMT+3 time zone, which includes Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time.

    “Another interesting discovery during the investigation was that the attackers were using the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matched with an ESET report in which researchers mentioned a Russian Operation targeting Eastern European countries. Analyzing and comparing code-blocks and sequences from the graphite malware with our database of samples, we discovered overlap with samples in 2018 being attributed to APT28,” Trellix explained. “Although we mentioned some tactics, techniques and procedures (TTPs) of the actors behind this campaign, we simply do not have enough context, similarities or overlap to point us with low/moderate confidence towards APT28, let alone a nation-state sponsor. However, we believe we are dealing with a skilled actor based on how the infrastructure, malware coding and operation was setup.”
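The working-hours observation above (activity confined to Monday to Friday business hours in GMT+3) is a standard piece of attribution analysis, and it is worth seeing how thin the evidence it rests on is. The block below is an added example, not Trellix's tooling or data: given a set of UTC timestamps, it scores every candidate UTC offset by the share of events that land inside an assumed 08:00 to 18:00 weekday window and ranks the offsets. The timestamps are constructed so that UTC+3 fits perfectly; the business-hours window is an assumption, and neighbouring offsets score nearly as well, which is why the article's GMT+3 finding spans several countries' time zones rather than pointing at one.

```python
"""Working-pattern analysis of the kind the Trellix report describes (added
example with constructed timestamps; not Trellix's analysis or data)."""
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps for an imaginary campaign, not from the report.
SAMPLE_EVENTS_UTC = [
    "2021-09-06T06:15:00", "2021-09-06T09:40:00", "2021-09-07T05:05:00",
    "2021-09-08T12:30:00", "2021-09-09T07:50:00", "2021-09-10T13:10:00",
    "2021-09-13T06:00:00", "2021-09-14T10:20:00", "2021-09-15T14:45:00",
    "2021-09-16T08:30:00", "2021-09-17T11:00:00", "2021-09-20T06:45:00",
]

# Assumed local business hours: start inclusive, end exclusive.
WORK_START, WORK_END = 8, 18


def parse_utc(stamps):
    """ISO-8601 strings (no offset) interpreted as UTC."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def in_business_hours(ts: datetime, offset_hours: int) -> bool:
    """Does a UTC timestamp fall in Mon-Fri business hours at UTC+offset?"""
    local = ts.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def business_hours_fraction(stamps, offset_hours: int) -> float:
    """Share of events inside business hours for one candidate offset."""
    events = parse_utc(stamps)
    hits = sum(in_business_hours(t, offset_hours) for t in events)
    return hits / len(events)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Candidate UTC offsets, best-fitting first; ties favour the smaller offset."""
    scores = {off: business_hours_fraction(stamps, off) for off in offsets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


if __name__ == "__main__":
    for off, score in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {score:.0%} of events in business hours")
```

On real data the interesting output is not the winner but the spread: when UTC+2 and UTC+4 explain almost as many events as UTC+3, the timestamps narrow the actor's working day but cannot by themselves pick a country, which matches the caution in Trellix's own attribution language.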