More stories

  • Critical Zoom vulnerability triggers remote code execution without user input

    A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. 

    Pwn2Own, organized by the Zero Day Initiative, is a contest in which white-hat security researchers and teams compete to discover bugs in popular software and services. The latest competition included 23 entries across categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege. For successful entrants, the financial rewards can be high — and in this case, Daan Keuper and Thijs Alkemade earned themselves $200,000 for their Zoom discovery. The researchers from Computest demonstrated a three-bug attack chain that achieved RCE on a target machine without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action shows the attacker opening the calculator program on a machine running Zoom after exploitation. As noted by Malwarebytes, the attack works on both the Windows and Mac versions of Zoom, but it has not — yet — been tested on iOS or Android. The browser version of the videoconferencing software is not affected.

    In a statement to Tom’s Guide, Zoom thanked the Computest researchers and said the company was “working to mitigate this issue with respect to Zoom Chat.” In-session Zoom Meetings and Zoom Video Webinars are not affected. “The attack must also originate from an accepted external contact or be a part of the target’s same organizational account,” Zoom added. “As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust.” Vendors have a 90-day window, which is standard practice in vulnerability disclosure programs, to resolve the security issues found. End users just need to wait for a patch to be issued — but if worried, they can use the browser version in the meantime. “This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means,” Malwarebytes says. “Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).” Other successful attacks of note during the contest include:

    • Apple Safari: Jack Dates, kernel-level code execution, $100,000
    • Microsoft Exchange: DEVCORE, complete server takeover, $200,000
    • Microsoft Teams: OV, code execution, $200,000
    • Ubuntu Desktop: Ryota Shiga, standard user to root, $30,000

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Washington State educational organizations targeted in cryptojacking spree

    US educational organizations are being targeted by threat actors intent on compromising their networks to covertly mine cryptocurrency. 

    Known as cryptojacking, this form of attack usually relies on stealth, as the overall aim is to quietly install cryptocurrency mining components that leech computational power from the compromised hosts. Miner software abused by cyberattackers may attempt to generate cryptocurrencies including Monero (XMR), Litecoin (LTC), Bitcoin (BTC), and Ethereum (ETH), and even if only small amounts are mined per machine, compromising large numbers of systems can make these attacks lucrative. According to a new advisory released by Palo Alto Networks’ Unit 42 team, cryptojacking incidents have recently taken place against educational institutions in Washington State. The researchers say that a UPX-packed cpuminer — used to mine LTC and BTC — has been delivered by way of malicious traffic. The first attack, spotted on February 16, involved a malicious HTTP request sent to a domain owned by an educational establishment. At first it looked like a “trivial command injection vulnerability,” according to the team, but on further examination it turned out to be a command for a webshell backdoor. If deployment is successful, the backdoor is then able to fetch and execute the cryptomining payload. In addition, the malware downloads a mini shell that masquerades as a wp-load.php file.

    “Since the mini shell is not moved elsewhere, we speculate that the current directory of the mini shell, as well as the backdoor, is a web directory exposed to the internet,” the report says. Cryptocurrency mined on infected systems is sent to two wallets owned by the operators. In two other incidents there were some differences in user agent strings, pass values, and mining algorithms, but the general attack method remained the same. “The malicious request […] exhibits several similarities,” Unit 42 noted. “It’s the same attack pattern delivering the same cpuminer payload against the same industry (education), suggesting it’s likely the same perpetrator behind the cryptojacking operation.” In March, a study of K-12 schools across the United States revealed a “record-breaking” year of cybersecurity incidents in 2020. The report cataloged over 400 incidents including ransomware, phishing attempts, website defacement, and denial-of-service (DoS) attacks.

  • US adds seven Chinese supercomputing organisations onto Entity List

    In another move aimed at restricting the development of Chinese technology, the US Commerce Department has added seven Chinese supercomputing entities to its Entity List for allegedly supporting China’s military efforts. The newly added companies are the Shanghai High-Performance Integrated Circuit Design Center, Sunway Microelectronics, and Tianjin Phytium Information Technology. The remaining organisations are the National Supercomputing Centers in Jinan, Shenzhen, Wuxi, and Zhengzhou. Entities placed on the Entity List are banned from buying parts and components from US companies without government approval. According to the department, these entities are involved in building supercomputers used in China’s destabilising military modernisation efforts and its weapons of mass destruction programs. “Supercomputing capabilities are vital for the development of many — perhaps almost all — modern weapons and national security systems, such as nuclear weapons and hypersonic weapons. The Department of Commerce will use the full extent of its authorities to prevent China from leveraging US technologies to support these destabilising military modernisation efforts,” US Secretary of Commerce Gina Raimondo said. The newest Entity List additions are the latest of many that the US has made against Chinese businesses, including Huawei, which was placed on the Entity List almost two years ago. In the past year, the US has added Chinese chipmaker SMIC, drone company DJI Technology, and a bevy of other China-based technology companies to the list.

    The reasons for doling out these restrictions have ranged from countering China’s alleged destabilising military activities, to standing up against the repression of Uyghur Muslims and other Muslim ethnic minorities within China, to spying. In addition to placing various Chinese companies on the Entity List, the US government has also imposed other restrictions on Chinese technology companies by labelling them as national security threats or Communist Chinese military companies (CCMC).

  • Facebook tackles deepfake spread and troll farms in latest moderation push

    Facebook has removed a troll farm, spreaders of misinformation, and creators of deepfake images in its latest moderation efforts. 

    The company’s latest Coordinated Inauthentic Behavior (CIB) report, published this week (.PDF), lists Facebook’s most recent efforts to reduce coordinated, inauthentic behavior across the network. According to the March CIB report, Facebook investigated and wiped out a “long-running” troll farm located in Albania. The troll farm’s members primarily targeted an Iranian audience and are thought to have ties to Mojahedin-e Khalq (MEK), a political-militant group made up of several thousand members. MEK was exiled to Albania in the 1980s and now appears to be running a network made up of both genuine and fake accounts to spread information that is critical of the Iranian government and that praises MEK’s activities. Facebook says that MEK-related content sharing spiked in 2017 and 2020 via three separate clusters, but the majority of the group’s efforts to grow an audience have failed. “Most of its accounts were run by operators in Albania who routinely shared technical infrastructure,” the company notes. “This meant that the same operator was able to run multiple accounts; conversely, multiple operators were able to run the same account. These are some of the hallmarks of a so-called troll farm — a physical location where a collective of operators share computers and phones to jointly manage a pool of fake accounts as part of an influence operation.”

    In addition, Facebook is tackling deepfakes, images generated through the application of artificial intelligence (AI). While the company started taking down fake imagery three years ago, operators are now using profile pictures generated by generative adversarial networks (GANs) to pose as independent news outlets and investigative journalists. After reviewing research provided by FireEye on a GAN-backed network located in Spain and El Salvador, the firm removed accounts and pages that were publishing information concerning a mayoral election at “spam-like” rates. A further two networks have also been wiped out, bringing Facebook’s total deletion count to seven operations that made use of AI-generated images. The social media giant has also documented its customary disruption of inauthentic networks. In total, 14 CIB operations were disrupted in March that originated from countries including Argentina, Egypt, Israel, Mexico, and Georgia, leading to the deletion of over 1,100 accounts, 255 pages, and 34 groups. Last month, Facebook said it had managed to detect and take down a Chinese network of cyberattackers using the platform to distribute malware. The operators, thought to be part of the Earth Empusa or Evil Eye groups, used fake profiles to target journalists and activists.

  • Ransomware crooks are targeting vulnerable VPN devices in their attacks

    Cyber criminals are exploiting security vulnerabilities in VPN servers to encrypt networks with a new form of ransomware, and may have disrupted industrial facilities in the process. The ransomware is detailed in a report by security company Kaspersky, following an investigation into a ransomware attack against an unspecified victim in Europe.

    At least one of the attacks targeting these facilities managed to encrypt industrial control servers with ransomware, resulting in the temporary shutdown of operations. Kaspersky did not identify the victim of the successful ransomware attack or say how the incident was resolved, but it has detailed the ransomware which encrypted the network and how the cyber criminals gained access. Known as Cring, the ransomware first appeared in January and exploits a vulnerability in Fortigate VPN servers (CVE-2018-13379). Fortinet issued a security patch for the vulnerability last year, but cyber criminals can still use the exploit against networks which have yet to apply the update. By exploiting unpatched VPN appliances, attackers are able to remotely retrieve the username and password, allowing them to log in to the network manually. From there, the attackers download Mimikatz, an open-source tool for viewing and saving authentication credentials, and use it to steal additional usernames and passwords, move laterally around the network, and deploy tools including Cobalt Strike, a legitimate penetration testing tool abused by attackers, to gain further control over infected systems.

    Then, with the aid of malicious PowerShell scripts, the attackers are able to encrypt all of the compromised systems across the network with Cring ransomware. At this point, a note from the attackers tells the victim that their network has been encrypted and that a ransom must be paid in Bitcoin to restore it. While there’s no information on how the incident at the European industrial facility was resolved, researchers note that the failure to apply the security patch for a known vulnerability was the “primary cause” of the incident. Other factors which allowed the attackers to deploy ransomware on the network include the lack of timely updates to the antivirus software that was supposed to protect the network – and the fact that some components of the antivirus had been turned off, reducing its ability to detect intrusions or malicious activity. The way this particular network was configured also helped the attackers, by allowing them to move between systems which didn’t all need to be on one network. “There were no restrictions on access to different systems. In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems,” said Vyacheslav Kopeytsev, senior security researcher at Kaspersky.

    To help protect networks from Cring ransomware attacks, it’s recommended that Fortigate VPN servers are patched with the relevant security updates to prevent the known vulnerability from being exploited. It’s also recommended that VPN access is restricted to those who need it for operational reasons and that ports which don’t need to be exposed to the open web are closed. Researchers also suggest that critical systems are backed up offline, so if the worst happens and the network falls victim to a ransomware attack, it can be restored without the need to pay the criminals.


  • Italian man arrested after allegedly paying hitman in cryptocurrency

    An Italian man has been arrested on suspicion of paying a hitman to assassinate his former partner. 

    According to a Europol alert on Wednesday, the suspect dove into the darkest corners of the internet to find a hitman and eventually located a website on the dark web claiming to offer these services. The Tor network is needed to reach the deep web — an underlayer that is not indexed by typical search engines — and a sector of this area, known as the dark web, is where illegal activities and purchases take place. After contact was made, someone apparently willing to assassinate his ex-girlfriend was paid roughly €10,000 in Bitcoin (BTC). However, Europol and the Italian Postal and Communication Police caught wind of the plan and an “urgent, complex crypto-analysis” was performed. While Europol was attempting to unmask the suspect and trace the BTC transfer, Italian law enforcement reached out to the cryptocurrency exchange where the suspect’s virtual currency was originally purchased. The exchange, which has not been named, provided the police with further information. “The timely investigation prevented any harm to be perpetrated against the potential victim,” Europol says.

    The European agency, as well as various law enforcement groups, use a range of tools to monitor and track cryptocurrency transactions suspected of being linked to criminal activities. Interpol, for example, uses and was involved in the development of GraphSense, a blockchain analytics tool for searching cryptocurrency addresses and transfers. The organization is currently working on a new tool, dubbed “Darkweb Monitor,” which will focus on cryptocurrency intelligence gathering for law enforcement purposes. In related news this week, the US Department of Justice (DoJ) announced a jail term of 12 years, without parole, for a Missouri resident who tried to buy dangerous chemicals online. The “highly toxic” compound, purchased through what appeared to be a dark web vendor, was paid for in BTC and the delivery details were addressed to a minor. A police sting revealed the man may have bought the chemical because of a breakup, with documents found in the home revealing “a desire for the person who caused the heartache to die,” according to prosecutors.

  • Vyveva: Lazarus hacking group’s latest weapon strikes South African freight

    Researchers have discovered a new backdoor employed by the Lazarus hacking group in targeted attacks against the freight industry. 

    On Thursday, ESET said the new backdoor malware, dubbed Vyveva, was traced in an attack against a South African freight and logistics firm. While the initial attack vector used to deploy the malware is not yet known, examining machines infected with it revealed strong links to the Lazarus group. Lazarus is an advanced persistent threat (APT) group of North Korean origin. The state-sponsored cyberattackers are prolific and are deemed responsible for the global WannaCry ransomware outbreak, the $80 million Bangladeshi bank heist, attacks against South Korean supply chains, cryptocurrency theft, the 2014 Sony hack, and various other assaults against US organizations. Vyveva is one of the latest weapons discovered in the Lazarus arsenal. The backdoor was first spotted in June 2020 but could have been in use since at least 2018. The backdoor is able to exfiltrate files, gather data from an infected machine and its drives, remotely connect to a command-and-control (C2) server, and run arbitrary code. In addition, the backdoor uses fake TLS connections for network communication, a component for connecting to its C2 via the Tor network, and command-line execution chains employed by the APT in past campaigns. There are coding similarities to the older Lazarus malware family Manuscrypt/NukeSped.

    Vyveva also includes a “timestomping” option which allows a file’s creation, write, and access timestamps to be copied from a ‘donor’ file, alongside an interesting feature for file copying: the ability to filter by file extension and focus only on specific types of content, such as Microsoft Office files, for exfiltration. The backdoor contacts its C2 every three minutes through watchdog modules, sending its operators a stream of data including when drives are connected or disconnected, as well as the number of active sessions and logged-in users — activities likely linked to cyberespionage. “These components can [also] trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events,” ESET notes. The researchers added that the backdoor’s codebase allows them to attribute Vyveva to Lazarus with “high confidence.” In February, the US Department of Justice (DoJ) indicted two alleged North Korean hackers and expanded charges against another for being part of Lazarus. Assistant Attorney General John Demers has described the APT as a “criminal syndicate with a flag.”

  • Why do phishing attacks work? Blame the humans, not the technology

    Phishing attacks remain a huge problem and crooks are spending a lot of time and effort to ensure that, for the potential victim, clicking on a bad link is the most intuitive and easiest thing to do. A common technique used in emails sent by cyber criminals attempting phishing attacks is to claim that the victim needs to click a link or download an attachment as a matter of urgency.

    This could claim to be anything from important corporate documents in an enterprise environment, to a parcel delivery notification, winning a prize, or even a phony threat about a court summons. The messages are designed so that clicking on the phishing link is the easiest thing to do, with the aim of directing the user to a page designed to steal login credentials or other personal information. Crooks design these phishing pages to look almost indistinguishable from the real ones they’re mimicking, which is all part of a plan to make the operation as smooth as possible – with no reason for the user to question whether anything is wrong. “Part of the problem is that phishing signals are often indistinguishable from positive user experience attributes,” Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security, told ZDNet Security Update.

    “It’s easy when you’ve got a link, because you just click on it and you go straight to the right place and it deep links you through to that potentially fraudulent transaction,” he added. For example, if a user had concerns that a link claiming to be from their bank could be a phishing email, they could choose not to follow the link, but instead open a new window and go to the bank’s website directly to check whether there really was a message on their account. By doing this, they avoid the potentially dangerous phishing link. But phishing attacks remain successful because people are still coerced into clicking links. That’s despite a recent privacy survey by NordVPN, which suggests that while people say they know how to stay safe online, they still fall victim to phishing and other cyberattacks – because cyber criminals are highly capable at using social engineering to coerce victims into doing what they want. “Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard that is often the vulnerable part of the loop,” said Hunt. “We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” he added. Organisations can offer training to staff to help them identify phishing attacks, while encouraging the use of tools like multi-factor authentication and password managers can also help keep people protected from phishing attacks.