More stories

  • Microsoft tracked a system sending a million malware emails a month. Here's what it discovered

    Microsoft has posted an extensive account of its investigation into the systems used to send out millions of emails distributing at least seven different types of malware.
    Microsoft identifies two elements of the new email infrastructure, which it discovered in March and April and then tracked for the rest of the year. It calls the first segment StrangeU because the word "strange" appears so often in its newly registered domains. The second segment used a domain generation algorithm, a technique for creating domain names randomly, and was thus dubbed RandomU.

    “The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service,” security researchers from the Microsoft 365 Defender Threat Intelligence Team said. 
    Necurs was a large and long-running botnet with a history of delivering the Dridex banking trojan, but it has also been used to distribute ransomware, remote access trojans, and information-stealing trojans.
    Necurs is an example of a for-hire operation that leases delivery capacity as a service, while allowing attackers to focus on malware production. 
    “The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations,” Microsoft notes. 

    The new email infrastructure has predominantly targeted machines in the US, Australia, and the UK in the wholesale distribution, financial services, and healthcare industries.
    Initially, it was used to distribute commodity malware, but in September the Dridex and Trickbot operators started using the infrastructure too. Trickbot was taken down last October, but reappeared in January and has gained a new component that scans local networks for valuable open ports that can be attacked later.  
    Some of the notable campaigns using StrangeU and RandomU since March include: 
    Korean spear-phishing campaigns that delivered Makop ransomware in April and June
    Emergency alert notifications that distributed Mondfoxia in April
    Black Lives Matter lure that delivered Trickbot in June
    Dridex campaign delivered through StrangeU and other infra from June to July
    Dofoil (SmokeLoader) campaign in August
    Emotet and Dridex activities in September, October, and November
    On June 10, security firm Fortinet reported a mass email campaign with malicious Word attachments and subject headers that appeared to target people sympathetic to the BLM movement. The emails purported to seek feedback on the movement. As Microsoft notes, multiple campaigns that month carried Trickbot. 
    Microsoft notes these campaigns mostly targeted corporate email accounts in the US and Canada and avoided consumer accounts. The campaigns were also small, designed to evade detection. 
    The Dridex campaigns from late June and through July used StrangeU and compromised corporate email accounts to deliver Excel documents with malicious macros.    

    Despite all this complexity, Microsoft notes that many of the fundamentals remain the same.
    “As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics,” it said.

  • This Linux malware is hijacking supercomputers across the globe

    A small but complex malware variant is targeting supercomputers worldwide.

    Reverse engineered by ESET and described in a blog post on Tuesday, the malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. 
    The cybersecurity team has named the malware Kobalos in deference to the kobalos, a small creature in Greek mythology believed to cause mischief. 
    Kobalos is unusual for a number of reasons. The malware’s codebase is tiny but is sophisticated enough to run on at least Linux, BSD, and Solaris. ESET suspects it may also be capable of targeting AIX and Microsoft Windows machines.
    “It has to be said that this level of sophistication is only rarely seen in Linux malware,” commented cybersecurity researcher Marc-Etienne Léveillé.
    While working with the CERN Computer Security Team, ESET realized the “unique, multiplatform” malware was targeting high-performance computing (HPC) clusters. In some infections, a ‘sidekick’ piece of malware hijacks SSH server connections to steal credentials, which are then used to obtain access to HPC clusters and deploy Kobalos.
    “The presence of this credential stealer may partially answer how Kobalos propagates,” the team says. 

    Kobalos is, in essence, a backdoor. Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable and will trigger the backdoor if a call is made through a specific TCP source port.
    Other variants act as middlemen for traditional command-and-control (C2) server connections.
    Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and also acts as a connection point to other servers infected with the malware.
    ESET says that a unique facet of Kobalos is its ability to turn any compromised server into a C2 through a single command. 
    “As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server,” the researchers noted. 
    The malware was a challenge to analyze because all of its code is held in a “single function that recursively calls itself to perform subtasks,” ESET says, adding that all strings are encrypted as a further barrier to reverse engineering. For now, more research is needed into the malware and into who may be responsible for its development.
    “We were unable to determine the intentions of the operators of Kobalos,” ESET commented. “No other malware, except for the SSH credential stealer, was found by the system administrators of the compromised machines. Hopefully, the details we reveal today in our new publication will help raise awareness around this threat and put its activity under the microscope.”

  • Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again

    A company that fell victim to a ransomware attack and paid cyber criminals millions for the decryption key to restore their network fell victim to the exact same ransomware gang under two weeks later after failing to examine why the attack was able to happen in the first place.
    The cautionary tale is detailed by the UK’s National Cyber Security Centre (NCSC) in a blog post about the rise of ransomware.


    The unnamed company fell victim to a ransomware attack and paid millions in bitcoin in order to restore the network and retrieve the files.
    However, the company just left it at that, failing to analyse how cyber criminals infiltrated the network – something that came back to haunt them when the same ransomware gang infected the network with the same ransomware less than two weeks later. The company ended up paying a ransom a second time.
    “We’ve heard of one organisation that paid a ransom (a little under £6.5million with today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again,” the NCSC blog said.
    The NCSC has detailed the incident as a lesson for other organisations – and the lesson is that if you fall victim to a ransomware attack, find out how it was possible for cyber criminals to embed themselves on the network undetected before the ransomware payload was unleashed.

    “For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer,” said the blog post by an NCSC technical lead for incident management.
    In order to install ransomware, cyber criminals may have been able to gain backdoor access to the network – potentially via a previous malware intrusion – as well as having administrator privileges or other login credentials.
    If the attackers have that, they could easily deploy another attack if they wanted to – and did, in the example detailed above, as the victim hadn’t examined how their network was compromised.
    Examining the network after a ransomware incident, to determine how the malware entered and how it stayed undetected for so long, is therefore something every organisation that falls victim to ransomware should do alongside restoring the network – or preferably, before it even starts restoring the network.
    Some might believe that paying the ransom to criminals is going to be the quickest and most cost-effective means of restoring the network – but that’s also rarely the case. Because not only is the ransom paid, potentially at a cost of millions, but the post-event analysis and rebuilding of a damaged network also costs large amounts.
    And as the NCSC notes, falling victim to a ransomware attack will often lead to an extended period of disruption before operations resemble anything normal.
    “Recovering from a ransomware incident is rarely a speedy process. The investigation, system rebuild and data recovery often involves weeks of work,” said the post.
    The best way to avoid any of this is to ensure your network is secure against cyberattacks in the first place by doing things like making sure operating systems and security patches are up to date and applying multi-factor authentication across the network.
    It’s also recommended that organisations regularly back up their networks – and store those backups offline – so that in the event of a successful ransomware attack, the network can be restored with the least disruption possible.


  • Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks

    At least one major ransomware gang is abusing vulnerabilities in the VMware ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

    The attacks, first seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware.
    According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage.
    Both bugs affect the Service Location Protocol (SLP), a protocol used by devices on the same network to discover each other, which ESXi also ships with.
    The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi host and take control of it, even if the attacker has not managed to compromise the VMware vCenter server to which the ESXi instances usually report.
    In attacks that took place last year, the RansomExx gang was seen gaining access to a device on a corporate network and abusing this initial entry point to attack local ESXi instances and encrypt their virtual hard disks. Because ESXi virtual disks usually centralize data from multiple virtual machines, this caused massive disruption for the affected companies.
    Reports of these attacks have been documented on Reddit, shared on Twitter, presented at a security conference last month, and confirmed in interviews with ZDNet over the past two months.

    Free threat intel – identify and patch VMware ESX vulnerabilities CVE-2019-5544 and CVE-2020-3992. Ransomware group using them to bypass all Windows OS security, by shutting down VMs and encrypting the VMDKs directly on hypervisor.
    — Kevin Beaumont (@GossiTheDog) November 7, 2020

    For now, only the RansomExx (also known as Defray777) gang has been seen abusing this trick, but in a mysterious update last month, the operator of the Babuk Locker ransomware also announced an eerily similar feature — although successful attacks have not yet been confirmed.

    System administrators at companies that rely on VMware ESXi to manage the storage used by their virtual machines are advised to apply the necessary ESXi patches or, if the protocol isn’t needed, to disable SLP support to prevent attacks.

  • Rapid7 acquires Kubernetes security provider Alcide for $50 million

    Cybersecurity firm Rapid7 said it has signed a deal to acquire Alcide, a developer of Kubernetes security technology, for roughly $50 million. The security analytics provider revealed the deal on Monday, saying the acquisition will help its customers manage the security of their cloud and container environments.

    Alcide, based in Tel Aviv, builds technology that aims to bridge security and DevOps with code-to-production security for Kubernetes deployments.
    According to Rapid7, Alcide’s cloud workload protection platform (CWPP) can be combined with the company’s existing cloud security posture management service to offer customers a more unified platform for application security management. 
    “We are thrilled to welcome Alcide to Rapid7,” said Corey Thomas, CEO of Rapid7. “The technical talent within Israel’s cybersecurity ecosystem is unparalleled and we look forward to working together with the Alcide team to provide organizations with comprehensive cloud security that drives business growth and innovation.”
    Rapid7’s purchase of Alcide comes on the heels of its acquisition of DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud native security platform for managing risk and compliance.

  • New Trickbot module uses Masscan for local network reconnaissance

    Cyber-security experts say they spotted a new component of the Trickbot malware that performs local network reconnaissance.

    Named masrv, the component incorporates a copy of the Masscan open-source utility in order to scan local networks for other systems with open ports that can be attacked at a later stage.
    The idea behind masrv is to drop the component on newly infected devices, send a series of Masscan commands, let the component scan the local network, and upload the scan results to a Trickbot command and control server.
    If the scan finds systems with sensitive or management ports left open inside an internal network — which is very common in most companies — the Trickbot gang can then deploy other modules specialized in exploiting those loopholes and move laterally to infect new systems.
    Most likely a test module for now
    “Not overall novel — but strange for it to be included in Trickbot,” Suweera DeSouza, a malware analyst at Kryptos Logic, and the one who discovered masrv, told ZDNet today.
    DeSouza said she believes the module is still under testing, something that Trickbot has done before with other modules in the past, which have often ended up being added to its large arsenal of second-stage components.
    “We only came across one variant of this module,” DeSouza said.

    “The recent module compiled was on December 4, 2020. Since then we haven’t come across the module being used again.”
    A technical analysis and indicators of compromise for the new masrv Trickbot module, authored by DeSouza and her colleagues, is available on the Kryptos Logic blog.
    Trickbot is the new king after Emotet’s demise
    Other malware strains have been known to include network reconnaissance modules before, but such modules aren’t a common sighting.
    After law enforcement agencies took down the Emotet botnet last week, Trickbot is now considered the de facto primary threat to corporate environments.
    Trickbot itself narrowly survived a takedown attempt last fall. After several ups and downs, the botnet came back to life towards the end of January.

  • Akamai acquires Inverse to bolster IoT security services

    Cloud services provider Akamai said Monday that it has acquired Inverse, a Montreal-based open-source consulting and integration company. 

    Among its portfolio of services, Akamai highlighted Inverse’s technology for providing context and visibility into the IoT device landscape. 
    Specifically, Akamai said Inverse offers a data repository and algorithms that can identify IoT and mobile device types — including HVAC, lighting systems, medical equipment, robotics and printers — and provide businesses with insights into the network behaviors of those devices in order to bolster security controls. 
    “Gaining context and visibility into the device landscape, with what the devices are communicating and their typical behavior is critical,” said Robert Blumofe, EVP of platform and GM of Akamai’s enterprise division. “By combining the Inverse device fingerprint data repository with Akamai’s own security data from the 1.3 billion device interactions that take place daily across the Akamai Intelligent Edge security platform, we believe we can create an industry leading solution to apply zero trust controls and enhanced security to the full landscape of devices and workforce.”
    Financial terms of the deal were not disclosed. Akamai is set to report its fourth quarter financial results on Feb. 9.

  • Google: Here's how we're toughening up Android security

    As many as 59% of security vulnerabilities affecting Android are memory issues.
    Google has explained how it is trying to improve Android security, and the steps it is taking to tackle common threats. 
    It revealed that 59% of the critical and high-severity security vulnerabilities affecting its Android operating system are memory issues, such as memory corruption and overflows. 

    Memory safety issues were by far the top category of security issue, followed by permissions bypass flaws, which accounted for 21% of those that Google security engineers fixed in 2019. 
    Memory issues are generally the top category of security flaw on major platforms like Java, Windows 10, and Chrome. Google engineers said last year that 70% of Chrome security bugs are memory safety issues. Before that, Microsoft engineers said 70% of all the bugs it fixed in its products were memory safety problems: flaws that let software read or write memory outside the regions and addresses that were allocated to it.
    Google now says it is encouraging developers to move to memory-safe programming languages such as Java, Kotlin, and Rust, while also attempting to improve the safety of C and C++. Both are part of its efforts to harden Android and protect the OS against malware and exploits.
    “C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages,” Google says in a blogpost from the Android Security & Privacy Team.

    Amazon Web Services (AWS) and Microsoft are also pushing the adoption of Rust for the same security reasons. Mozilla created Rust to deal with C++ memory-related security issues in its Gecko engine for Firefox. Version 1.0 of Rust launched in 2015, but adoption is still relatively low. Microsoft is eyeing it for systems programming rather than application development. AWS used Rust to build Bottlerocket, its Linux-based container OS. 
    In terms of Android, the vast majority of bugs Google has fixed in the past year have been in the media, Bluetooth and NFC components. The media library was the key component affected by the critical and remotely exploitable Stagefright bugs in Android that Google disclosed in 2015. 

    Critical and high-severity security vulnerabilities affecting the Android operating system.
    Image: Google
    According to Google, its efforts to harden the media server framework in Android meant that in 2020 it received not a single report of remotely exploitable critical vulnerabilities in Android media frameworks. 
    Google also details some of the security and performance trade-offs its engineers weigh when considering what additional mitigations to add to Android. The decision is complicated by the need for Android to support inexpensive, entry-level phones.
    Beyond memory-safe languages, some of the mitigations in Android include sandboxing, Address Space Layout Randomization (ASLR), Control Flow Integrity (CFI), Stack Canaries, and Memory Tagging.
    “Adding too much overhead to some components or the entire system can negatively impact user experience by reducing battery life and making the device less responsive. This is especially true for entry-level devices, which should benefit from hardening as well. We thus want to prioritize engineering efforts on impactful mitigations with acceptable overheads,” Google notes. 
    Google notes that the LLVM project’s Control Flow Integrity (CFI) was enabled in the media frameworks, Bluetooth, and NFC in Android Pie in 2018. 
    Microsoft has also contributed to CFI through the Windows security feature called Control Flow Guard (CFG). Last year it added CFG support to the Clang/LLVM C++ compiler and to Rust.
    Both companies are attempting to provide safer systems programming features for C and C++.