More stories

  • FBI: Phishing emails are spreading this sophisticated malware

    A new spear-phishing campaign is attempting to infect PCs with Trickbot, one of the most prevalent and potent forms of malware around today, a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned. Trickbot started life as a banking trojan but has become one of the most powerful tools available to cyber criminals, who are able to lease out access to infected machines in order to deliver their own malware – including ransomware. Now its authors are using a new tactic to attempt to deliver it to victims, warns the joint FBI and CISA alert: phishing emails which claim to contain proof of a traffic violation. The hope is that people are scared into opening the email to find out more. The malicious email contains a link which sends users to a website hosted on a server compromised by the attackers, which tells the victim to click on a photo to see the proof. When they click the photo, they actually download a JavaScript file which, when opened, connects to a command and control server that downloads Trickbot onto their system.

    Trickbot creates a backdoor onto Windows machines, allowing the attackers to steal sensitive information including login credentials, while some versions of Trickbot are capable of spreading across entire networks. The modular nature of Trickbot means it’s highly customisable, with additional attacks by the malware known to include dropping further malware – such as Ryuk or Conti ransomware – or, until recently, serving as a downloader for Emotet malware. Trickbot is also able to exploit infected machines for cryptomining.

    A coalition of cybersecurity companies attempted to disrupt Trickbot in October last year, but the malware didn’t stay quiet for long, with its cyber criminal authors quickly able to resume their operations. “The takedown efforts in October were unlikely to permanently disrupt or disable this very capable commodity malware that has been active on the threat landscape at scale for years. It has a strong infrastructure and the ability to continue operating,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. “To completely remove Trickbot from the landscape would be extremely difficult and likely require a coordinated international law enforcement effort like we saw with Emotet. In fact, after the actions of October 2020, we saw Trickbot campaigns resume within weeks, and it has been active continually since,” she added.

    Trickbot remains a powerful tool for cyber criminals and a clear danger for enterprises and organisations of all sizes – but there are measures recommended by CISA and the FBI which can be taken in order to help protect networks from the malware. Providing social engineering and phishing email training to employees can help them to avoid threats by being wary of certain types of messages. Organisations should also be implementing a proper cybersecurity programme with a formalised security patch management process, so attackers can’t exploit known vulnerabilities to gain a foothold on the network. It’s also recommended that multi-factor authentication is applied across the enterprise, so malware which steals login credentials to move across the network can’t do so as easily.

  • Google Cloud: Here are the six 'best' vulnerabilities security researchers found last year

    Google has announced the winners of its $313,337 2020 Google Cloud Platform (GCP) bug bounty prize, which was split among just six security researchers. This was the second year Google has run the GCP vulnerability reward program and offered six researchers a share of $313,337, or triple the $100,000 pool it created for the 2019 program. The prizes go to researchers who’ve submitted reports on exceptional security flaws in GCP. So this isn’t a reward for a bug bounty, but an additional prize and recognition for submissions to Google’s vulnerability reward program.


    The first prize, an impressive $133,337 in the 2020 GCP program, went to Ezequiel Pereira, a Uruguayan university student and security enthusiast, who found a remote code execution (RCE) flaw in the Google Cloud Deployment Manager. Google paid the $133,337 prize to Pereira on top of a $31,337 reward for the original report he submitted last year, meaning he’s landed $164,674 for this one report. “The bug discovered by Ezequiel allowed him to make requests to internal Google services, authenticated as a privileged service account,” writes Harshvardhan Sharma, an information security engineer at Google. It is a server-side request forgery (SSRF) attack. Pereira started exploring Deployment Manager API methods by enabling it on the Google Cloud Console. From there he went to the metrics page of the console and looked at the Filters section to view a list called Methods, where he found two documented API versions called “v2” and “v2beta”, and also two undocumented API versions called “alpha” and “dogfood”.

    The “dogfood” API piqued his interest because he knew Google uses the term “dogfooding” for its own teams using their software products internally before releasing them to the public. The second prize of $73,331 went to David Nechuta for another SSRF bug in Google Cloud Monitoring that could be used to leak the authentication of the service account used for the service’s uptime check feature. The prize is on top of $31,000 he received for the original report. The third prize of $73,331 was awarded to Dylan Ayrey and Allison Donovan for the report and write-up Fixing a Google Vulnerability. They pointed out issues in the default permissions associated with some of the service accounts used by GCP services. Other recipients included Bastien Chatelard for his report and write-up Escaping GKE gVisor sandboxing using metadata; Brad Geesaman for his report and write-up CVE-2020-15157 “ContainerDrip” Write-up; and Chris Moberly for the report and write-up Privilege Escalation in Google Cloud Platform’s OS Login.

  • Facebook expands support for security keys to iOS and Android

    Facebook is finally expanding its support of physical security keys to mobile devices, the company announced Thursday. Facebook has supported security keys on desktop since 2017 and will now enable iOS and Android users to log in to their account via the physical key.

    A security key is a device that generates an encrypted, one-time security code for use in two-factor authentication (2FA) systems. Modern security keys support a variety of hardware formats, such as USB-A and USB-C, Lightning for iPhone users, and even Bluetooth. In most cases, security codes for 2FA are sent to a user’s phone via text-based SMS message. But security keys go the route of hardware-based authentication, requiring an actual physical device that’s inserted into a device as a second form of identification. Security keys are thought to be more effective at preventing phishing attacks and data breaches than 2FA via SMS, because even if someone’s credentials are compromised, account login is impossible without that physical key.

    In addition to expanding support for security keys to mobile, Facebook said it also plans to expand its Facebook Protect program availability globally and add more groups outside of political campaigns and candidates in the coming year. The social media giant launched Facebook Protect in 2019 in the US. Facebook doesn’t manufacture its own security keys but is encouraging users to purchase them directly from vendors.

    “Since 2017, we’ve encouraged people that are at high risk of being targeted by malicious hackers: politicians, public figures, journalists and human rights defenders,” Facebook said in a blog post. “We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use.”

  • Apple developers targeted by new malware, EggShell backdoor

    Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. 

    The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. According to research published by SentinelLabs on Thursday, the Run Script feature in the IDE is being exploited in targeted attacks against iOS developers by way of Trojanized Xcode projects freely shared online. Legitimate, open source Xcode projects can be found on GitHub. However, in this case, XcodeSpy projects are offering “advanced features” for animating iOS tab bars — and once the initial build is downloaded and launched, a malicious script is deployed to install the EggShell backdoor. The malicious project explored by the researchers is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. The Run Script of the IDE has been quietly tampered with to connect an attacker’s command-and-control (C2) server to a developer’s project. In particular, Apple’s IDE functionality that allows custom shell scripts to run when an instance of an app is launched is the subject of abuse. The C2 is then contacted by the script to pull and download a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence.

    Two variants of EggShell have been detected, one of which shares an encrypted string with XcodeSpy. The backdoor is able to hijack the victim developer’s microphone, camera, and keyboard, as well as grab and send files to the attacker’s C2. SentinelLabs says that at least one US organization has been caught up in attacks of this nature and developers in Asia may have also succumbed to the campaign, which was in operation at least between July and October last year. Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13. XcodeSpy was first uploaded on September 4; however, the researchers suspect the attacker may have uploaded the sample themselves in order to test detection rates. “While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers say. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects.” Back in August, Trend Micro tracked XCSSET malware in Xcode projects, thought to have been spread to compromise Safari browser sessions for phishing, cross-site scripting (XSS) attacks, and the theft of developer data. The team said the discovery ultimately led to a “rabbit hole of malicious payloads.”
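    The researchers’ advice to check third-party Xcode projects for malicious Run scripts can be automated: every Run Script phase lives as a PBXShellScriptBuildPhase object in the project’s project.pbxproj file. The script below is an added example written for this page, not SentinelLabs’ or Apple’s code; it parses those objects, prints each script a build would execute, and flags ones containing indicators that deserve a manual look. The project text and the indicator list are constructed assumptions for the demo, not real XcodeSpy samples.

```python
"""List and flag Run Script build phases in an Xcode project.pbxproj."""
import re
import sys
from pathlib import Path

# Constructed project.pbxproj fragment (not a real project): one ordinary
# lint step and one phase that hides its real command behind eval/base64
# and sends it to the background with its output discarded.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F60718A1B2C3D4 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint --quiet\n";
        };
        E5F60718A1B2C3D4E5F60718 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\" >/dev/null 2>&1 &\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Assumed indicator list: substrings that are unusual in a lint or codegen
# step (network fetches, hidden commands, persistence, backgrounding).
INDICATORS = ["curl ", "wget ", "base64", "eval ", "osascript", "launchctl",
              "LaunchAgents", "nohup", "/dev/null 2>&1 &", "python -c", "perl -e"]

# A pbxproj object: 24-hex-digit id, optional /* comment */, then "= { ... };".
OBJECT_RE = re.compile(
    r"\b(?P<id>[0-9A-Fa-f]{24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};",
    re.S)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";')
SHELL_RE = re.compile(r"shellPath\s*=\s*([^;]+);")


def unescape(value):
    """Undo pbxproj string escapes (backslash-n, backslash-t, backslash-quote)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  value)


def audit_pbxproj(text):
    """Return one dict per Run Script phase: object id, shell, script, hits."""
    findings = []
    for obj in OBJECT_RE.finditer(text):
        body = obj.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        script_match = SCRIPT_RE.search(body)
        script = unescape(script_match.group(1)) if script_match else ""
        shell_match = SHELL_RE.search(body)
        shell = shell_match.group(1).strip().strip('"') if shell_match else "/bin/sh"
        hits = [ind for ind in INDICATORS if ind in script]
        findings.append({"id": obj.group("id"), "shell": shell,
                         "script": script, "hits": hits})
    return findings


def main(argv):
    # Audit the project.pbxproj given on the command line, else the sample.
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_PBXPROJ
    for f in audit_pbxproj(text):
        status = "REVIEW" if f["hits"] else "ok"
        print(f"[{status}] phase {f['id']} via {f['shell']} hits={f['hits']}")
        print("    " + f["script"].rstrip().replace("\n", "\n    "))


if __name__ == "__main__":
    main(sys.argv)
```

An empty hit list is not a clean bill of health; the point of printing every script is that a reviewer reads each one before building a project from an untrusted source.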

  • US taxpayers targeted in NetWire, Remcos Trojan attack wave

    Researchers have analyzed an active campaign targeting US taxpayers in order to spread both NetWire and Remcos Trojans. 

    The tax season is now upon us and as US residents file their returns ahead of a deadline in April, this is also a prime time for cybercriminals to launch campaigns tailored to take advantage of the annual requirement. Phishing campaigns, unless they are nothing more than mass spray-and-pray attempts, will usually hook on a particular theme or situation to try and elicit enough of a reaction to fool a victim into clicking a malicious link or downloading a malware-laden attachment. Examples include a ‘fraud’ alert from a bank, demands for student loan repayments, fake criminal investigations by the IRS, or notices from legitimate companies such as PayPal warning of unauthorized transactions. When it comes to tax season, personal finance-themed phishing emails often include tax return-related content, and this is the hook that the active campaign’s operators have chosen to use. According to research published by Cybereason on Thursday, the phishing messages come with documents attached that utilize malicious macros to deploy both NetWire and Remcos Remote Access Trojans (RATs). Phishing document samples revealed that once opened, the content will blur and victims are asked to enable macros and editing in order to view the text. If they accept, a “heavily obfuscated” macro drops a malicious .DLL payload — a dropper for one of the two Trojans — in the /temp directory.

    The .DLL is then injected into Notepad software and the infection chain continues with the decryption of payload data via an XOR key in order to free up executable code. A connection to a command-and-control (C2) server is established and the OpenVPN client is downloaded, together with a side-loaded trojanized .DLL to maintain remote persistence. This side-loaded .DLL is responsible for unpacking another .DLL, loaded into memory, and injecting it into Notepad. Another package is then pulled from the legitimate image hosting service imgur, and this package — hidden within an image file in a technique known as steganography — is one of the two Trojans. Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser logs and clipboard data, file harvesting, the theft of OS information, and the ability to download and execute additional malware. The RATs are both commercially available in underground forums and are offered on a cheap Malware-as-a-Service (MaaS) subscription basis, available for as little as $10 per subscription — which keeps the potential criminal customer base of the Trojan variants large. “The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” commented Assaf Dahan, Cybereason head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud.”

  • FBI: One type of scam is costing business the most

    Americans lost over $4.2 billion to cybercriminals and scammers in 2020, according to FBI figures based on complaints it received. Over the year, the FBI’s Internet Crime Center (IC3) received 791,790 complaints of suspected internet crime, or about 300,000 more than it did in 2019, when the agency recorded estimated losses at more than $3.5 billion.


    “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” the FBI says in its Internet Crime Report 2020. Once again, business email compromise (BEC) or email account compromise (EAC) were by far the biggest sources of reported losses, totaling $1.8 billion across 19,369 complaints. That’s up slightly from $1.77 billion in reported losses from 23,775 BEC complaints in 2019. Last year saw a steep rise in BEC complaints stemming from identity theft and funds being converted into cryptocurrency. The identity theft frequently occurred after a victim provided a form of ID to a tech support scammer or romance scammer. The stolen ID would be used to set up a bank account to receive stolen BEC funds and convert those to a less traceable cryptocurrency, according to IC3.

    The technique and switch to cryptocurrency differs from previous years, when a senior executive’s email address may have been spoofed and used to instruct a subordinate to wire funds to the fraudster’s bank account. The FBI report notes that tech support fraud continues to be a growing problem, but recently victims have complained about criminals posing as customer support for banks, utility companies or virtual currency exchanges. While the pandemic caused a brief lull in this type of fraud, losses in this category grew to $146 million, or 171% more than losses from 2019. IC3 received 15,421 complaints from victims in 60 countries. Ransomware is the other threat that won’t go away. The IC3 received 2,474 complaints and reported losses of $29.1 million. The report, however, notes that this is an underestimate as it doesn’t account for those victim reports made directly to FBI field offices and agents. “The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” the FBI stresses in the report. The most common type of internet crime reported to IC3 was phishing (including vishing, smishing, and pharming), with 241,342 complaints. This was more than twice the number of phishing complaints IC3 received in 2019.

    Notable rises in reported losses from specific crime types when comparing years (2019 versus 2020) included: confidence fraud/romance ($475 million versus $600 million); corporate data breach ($53 million versus $129 million); investment fraud ($222 million versus $336 million); personal data breach ($120 million versus $194 million); ransomware ($8.8 million versus $29 million); and tech support ($54 million versus $146 million).

  • Your insecure Internet of Things devices are putting everyone at risk of attack

    Insecure Internet of Things (IoT) devices are potentially putting society as a whole at risk from cyberattacks because cyber criminals are able to exploit these common products that haven’t been designed with any form of security in mind. IoT products have become a staple in many homes and places of work because they’re perceived as helpful to everyday life.


    However, many IoT devices get installed onto networks without proper security procedures in place, either because the user isn’t aware of how to boost the security of the device – for example, by changing the password – or the device doesn’t come with a password or options for securing it at all. In some cases, IoT devices are leaking data onto the internet because the vendor hasn’t properly configured security – whether by mistake, or because of a requirement to rush it out to the market without adding security by design. Either way, poor security in IoT devices can have major consequences. “It’s not even just the damage that it can cause to you from the exposure of your personal data; it’s the damage it can cause to really our whole society,” Craig Young, principal security researcher at Tripwire, told the ZDNet Security Update video series. “When you look back at IoT botnets – Mirai, for example – they’ve demonstrated that if you pull together all of these devices, you have some substantial resources.”

    Mirai caused major issues in 2016 when IoT devices infected with malware were roped into a botnet targeting online infrastructure provider Dyn with a massive DDoS attack, knocking a number of major services offline. Each individual IoT device only has a small amount of computing power, but an army of millions of devices all directing traffic towards a single target is a powerful tool for online disruption. And with so many IoT devices available and easy to find on the internet, it’s something that cyber criminals are looking to exploit. “What I do worry about is when you’ve got products that are little computers that are pulling down firmware updates from some company that can get hacked and have that firmware replaced with malware. That’s the doomsday scenario,” said Young. “There’s a lot of reason to believe that vendors really don’t take that infrastructure seriously; they’re rushing out the door with features and not taking the time to lay the groundwork for security,” he added.

    And while there are initiatives designed to improve Internet of Things security, and information security researchers are attempting to find and disclose problems so they can be repaired, for now it remains an issue as insecure IoT devices are so readily available. “There are so many different companies in the IoT space and there are not enough security researchers going out of their way to work with them and fix these things,” said Young. Users can try to help ensure the IoT devices they install on their network are secure by, when possible, buying products from vendors that are known and trustworthy, rather than a cheap product from a vendor you’ve never heard of before. Users should also ensure that, when possible, the device isn’t secured with a default password.

  • Intel, DARPA ink 3-year deal for custom, secure ASICs


    Intel and DARPA outlined a three-year partnership to develop and manufacture Application Specific Integrated Circuit (ASIC) processors as nations scramble to make secure semiconductors domestically. DARPA (U.S. Defense Advanced Research Projects Agency) and Intel said they will design custom chips that have security countermeasure technologies. The partnership is called Structured Array Hardware for Automatically Realized Applications (SAHARA). With cybersecurity and nation-state threats becoming common issues, countries are looking to put more manufacturing within their borders and secure the supply chain. Intel is the only advanced semiconductor manufacturer in the US. Under the partnership, Intel will supply its Intel eASIC structured ASIC technology with enhanced security. Defense and commercial electronics developers can then develop and deploy the processors. The chips are based on Intel’s 10nm semiconductor process. As for security, Intel will partner with the University of Florida, Texas A&M and University of Maryland to develop security countermeasure technologies. The aim is to bolster the protection of data and intellectual property against reverse engineering and counterfeiting. The universities will test the security of the processors. Last week, Intel and Microsoft said they have signed a deal to better secure data in cloud and virtual environments.