More stories

    Bizarro banking Trojan surges across Europe

    The Bizarro banking Trojan has targeted customers of at least 70 banks as it moves from its Brazilian base to Europe.

    This week, Kaspersky researchers said the Trojan variant, originating in Brazil — as many seem to do — is now striking users not only in Brazil but also in Argentina, Chile, Spain, Portugal, France, and Italy, with customers of banks in these areas being lured into handing over their account credentials for the purposes of financial theft. However, the attack chain isn’t purely digital: money mules are used at the end of a successful compromise to cash out funds or transfer stolen money.

    The banking Trojan, likened to the “Tetrade” family of four strains running rampant across Brazil, is distributed via spam emails containing an MSI installer package. Social engineering is used to fool potential victims into accepting and executing the installer, including messages posing as tax notifications and alerts. Once launched, the installer downloads a .ZIP archive from a compromised website or server. The researchers have found Azure and AWS servers that were used to host the malware, alongside hijacked WordPress domains. The archive contains a malicious .DLL written in Delphi, an AutoHotkey script runner executable, and a script that calls an exported function from the .DLL. This function, which is obfuscated, contains the malicious code required to trigger the banking Trojan.

    On startup, Bizarro kills existing browser processes, including any active sessions with online banking services. As soon as the victim restarts their session, bank credentials are quietly captured by the malware and sent to an attacker’s command-and-control (C2) server. To improve the chances of capturing this valuable data, Bizarro also disables autocomplete functionality in the browser. Fake pop-ups are also shown to users, some of which are tailored to appear as messages from online banking services warning of security updates or PC compromise. These pop-ups may freeze PCs and hide taskbars while requesting identity checks from the client.

    This is where a second-stage attack comes into play. The messages try to lure victims into submitting two-factor authentication (2FA) codes — when this security measure is enabled — by asking them to download a malicious smartphone app and scan a QR code for ‘authentication’ purposes. The malware captures operating system information, is also able to perform screen captures and keylogging, and monitors the clipboard for cryptocurrency wallet addresses. If any are detected, the wallet address is replaced by one owned by the threat actors in the hope that the victim unwittingly transfers cryptocurrency. As a Trojan, Bizarro also contains backdoor functionality that manages the C2 connection.

    This is not the only banking Trojan from Brazil that has expanded to other regions. Now joining the likes of Guildma, Javali, Melcoz, and Grandoreiro, the operators are expected to continue striking targets in multiple countries, as well as to improve their malware over time.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Amazon extends ban on police using Rekognition facial recognition technology, no end in sight

    Amazon has reportedly extended a ban on US law enforcement using Rekognition until further notice. 

    On Tuesday, Amazon said that the one-year ban on US police being permitted to use the facial recognition technology solution would continue to stand, as reported by The Washington Post. The previous one-year moratorium, announced in June 2020, was designed to give Congress time to debate and pass “appropriate rules” for the ethical use of facial recognition technology by law enforcement agencies. At the time, Amazon said: “We’ve advocated that governments should put in place stronger regulations to govern the ethical use of facial recognition technology, and in recent days, Congress appears ready to take on this challenge.” However, despite a handful of federal-level proposals being put on the table, none have been passed. Amazon’s moratorium will now be in place “indefinitely” until lawmakers address the issues raised surrounding the use of Rekognition to identify potential suspects in criminal cases. Rekognition is image and video analysis software that leverages deep learning. Amazon describes the facial recognition aspect of the software as “highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases.”

    For example, law enforcement departments could submit an image of a suspect and search for a match against databases containing mugshots or other identification records. Previously, access to Rekognition was sold to law enforcement agencies. However, there are concerns relating to privacy, ethical use, accuracy, racial discrimination, and the technology potentially playing a part in false convictions and injustice when it comes to facial recognition technologies.

    In 2018, the American Civil Liberties Union (ACLU) published a report revealing that Rekognition incorrectly matched 28 members of Congress with individuals who had previously been arrested. Amazon refuted the report. There is also concern that facial recognition technology could be inherently racially biased. Following on from the ACLU’s research, studies conducted by organizations including The University of Texas at Dallas, MIT, and Harvard have also questioned the accuracy of algorithms used to identify some groups by facial recognition software — including people of color, women, and particular age brackets — and these misclassifications could have real-world ramifications in criminal cases.

    Independently, a number of US cities and states — including San Diego and San Francisco — have implemented their own rules to curtail the use of facial recognition by the police. Debates are underway in approximately 20 states, and in recent weeks, Virginia imposed the toughest laws against its use to date: law enforcement agencies are now required to obtain permission from the state legislature before purchasing or using facial recognition technologies. Amazon is not the only provider of such solutions that has tried to distance itself from law enforcement clientele. IBM exited the business over worries that its technology could be abused, and Microsoft says it will not sell facial recognition technology to police departments until appropriate federal laws have been passed.

    Update 21.28 BST: Added further clarification and Amazon’s response to ACLU’s research.

    Cybercriminals scanned for vulnerable Microsoft Exchange servers within five minutes of news going public

    Cybercriminals began searching the web for vulnerable Exchange Servers within five minutes of Microsoft’s security advisory going public, researchers say. 

    According to a review of threat data from enterprise companies gathered between January and March this year, compiled in Palo Alto Networks’ 2021 Cortex Xpanse Attack Surface threat report and published on Wednesday, threat actors were quick off the mark to scan for servers ripe to exploit. When critical vulnerabilities in widely adopted software are made public, this may trigger a race between attackers and IT admins: attackers to find suitable targets — especially when proof-of-concept (PoC) code is available or a bug is trivial to exploit — and IT staff to perform risk assessments and implement the necessary patches. The report says that zero-day vulnerabilities in particular can prompt attacker scans within as little as 15 minutes of public disclosure. Palo Alto researchers say that attackers “worked faster” when it came to Microsoft Exchange, however, and scans were detected within no more than five minutes.

    On March 2, Microsoft disclosed the existence of four zero-day vulnerabilities in Exchange Server. The four security issues, collectively impacting on-prem Exchange Server 2013, 2016, and 2019, were exploited by the Chinese advanced persistent threat (APT) group Hafnium — and other APTs, including LuckyMouse, Tick, and Winnti Group, quickly followed suit. The security disclosure triggered a wave of attacks, and three weeks later, they were still ongoing. At the time, F-Secure researchers said vulnerable servers were “being hacked faster than we can count.”

    It is possible that the general availability of cheap cloud services has helped not only APTs but also smaller cybercriminal groups and individuals to take advantage of new vulnerabilities as they surface. “Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems,” the report says. “We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities.”

    The research also highlights Remote Desktop Protocol (RDP) as the most common cause of security weakness among enterprise networks, accounting for 32% of overall security issues. This is an especially problematic area, as many companies made a rapid shift to the cloud over the past year to allow their employees to work remotely. “This is troubling because RDP can provide direct admin access to servers, making it one of the most common gateways for ransomware attacks,” the report notes. “They represent low-hanging fruit for attackers, but there is reason for optimism: most of the vulnerabilities we discovered can be easily patched.”

    This is how the Cobalt Strike penetration testing tool is being abused by cybercriminals

    New research shows how Cobalt Strike is being weaponized in campaigns deploying malware ranging from the Trickbot banking Trojan to Bazar. 

    On Wednesday, Intel 471 published a report exploring the abuse of Cobalt Strike, a commercial penetration testing tool released in 2012 that can be used to deploy beacons on systems to simulate attacks and test network defenses. In January, security analysts said that Cobalt Strike, alongside the Metasploit framework, was used to host over 25% of all malicious command-and-control (C2) servers deployed in 2020. The popular penetration testing kit, source code for version 4.0 of which was allegedly leaked online in 2020, has been abused by threat actors for years and has become a go-to tool for advanced persistent threat (APT) groups including Carbanak and Cozy Bear. According to Fox-IT, thousands of instances of Cobalt Strike abuse have been recorded, but most threat actors use legacy, pirated, or cracked copies of the software.

    “Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families,” Intel 471 notes. “Access to this powerful and highly flexible tool has been limited by the product’s developers, but leaked versions have long spread across the internet.” The researchers say that existing abuse of Cobalt Strike has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but because the tool allows users to create malleable C2 architectures, it can be complicated to trace C2 owners.

    However, the team has conducted an investigation into the use of Cobalt Strike in post-exploitation activities. Trickbot was chosen as a starting point. Trickbot banking Trojan operators have dropped Cobalt Strike in attacks dating back to 2019 — alongside Meterpreter and PowerShell Empire — as well as in attacks traced by Walmart Global Tech and SentinelLabs.

    The Hancitor group (MAN1/Moskalvzapoe/TA511) has also now begun using Cobalt Strike. The group was once linked to the deployment of the Gozi Trojan and the Evil Pony information stealer, as noted by Palo Alto Networks, but recent infections show that these tools have been replaced with Cobalt Strike. During post-exploitation activity, Hancitor then deploys either a Remote Access Trojan (RAT), information stealers, or, in some cases, spambot malware. “The group setting up the Cobalt Strike team servers related to Hancitor prefer to host their CS beacons on hosts without a domain,” Intel 471 says. “The CS beacons will call home to the same set of IPs. Stagers are downloaded from infrastructure set up via Yalishanda bulletproof hosting service. It’s important to note that Hancitor only drops Cobalt Strike on machines that are connected to a Windows domain. When this condition isn’t met, Hancitor may drop SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer.”

    The researchers also explore the use of Cobalt Strike by threat actors distributing the Qbot/Qakbot banking Trojan, one of whose plugins — plugin_cobalt_power3 — enables the pen testing tool. “The configuration extracted from the Qbot-related Cobalt Strike beacon doesn’t show any links to any other groups that we are aware of,” the report states. “When comparing this activity to samples reported by other researchers, we observed different public Malleable-C2 profiles used, but commonalities in hosting infrastructure.”

    SystemBC malware variants, as reported by Proofpoint, use SOCKS5 proxies to mask network traffic and have been included as a payload in both the RIG and Fallout exploit kits. According to Intel 471, ransomware operators have also adopted SystemBC, which has dropped Cobalt Strike during campaigns across 2020 and early 2021. However, the team has not attributed these recent campaigns to specific, known threat actors. Also of note, in early 2021, Bazar campaigns were recorded as distributing Cobalt Strike rather than the typical Bazar loaders used by the threat actors in the past.

    “Cobalt Strike is a powerful tool that’s being leveraged by people that shouldn’t be leveraging it at all: a growing number of cybercriminals,” the researchers say. “That said, not all deployments of Cobalt Strike are the same. Some deployments demonstrate bad operational security by re-using infrastructure and not changing their malleable-C2 profiles. Additionally, some operators drop Cobalt Strike on many infected systems, while others will only deploy the tool very selectively.”

    Eftpos expands trial of age checks for online booze sales

    Image: Getty Images
    Australian payments processor Eftpos has announced the expansion of its digital age verification trial, which will see the company’s new digital identity solution, connectID, used to prove purchasers are over the age of 18. The trial uses a digital age verification process for purchasing alcohol online. Eftpos said the trial’s expansion followed a successful initial run in partnership with Retail Drinks Australia.

    The initial trial involved connectID, global identity service provider Yoti, and Sydney-based craft beer retailer Beer Cartel, and was supported by technology partner MyIntegrator. Eftpos said the group was able to successfully demonstrate end-to-end transactions with auditable age verification. The expanded trial, Eftpos said, will now involve additional online liquor merchants and further identity service providers, including Australia Post.

    “This solution makes it simple for consumers to identify themselves, while also helping alcohol merchants meet their compliance obligations,” Eftpos’ Rob Allen said in a statement.

    “ConnectID is collaboratively working with state governments, industry associations, businesses, and online merchants to simplify and manage a range of customer identity needs and requirements, helping solve compliance requirements for many different sorts of businesses.”

    Eftpos first revealed connectID in the middle of last year, with the aim of making it easier for Australians to share, store, and receive personal identity information online. “While connectID securely facilitates the identity verification or data exchange, it does not store the identity data. Identity service providers store consumer identities and take responsibility for providing this secure information only under the consent of the identity owner,” Eftpos added.

    The connectID solution, like the postal service’s Digital ID, was designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework. “ConnectID has applied to become the first accredited non-government operator of a digital identity exchange in Australia, as interoperability is key to the connectID solution,” Allen continued.

    The expanded trial comes ahead of NSW government legislation that will require consumers to verify their age before they are able to purchase alcohol online, which is set to commence in July next year.

    China reiterates warning against cryptocurrency use in transactions

    Three state-backed financial groups in China have issued a joint statement warning against the use of cryptocurrencies as payment, citing their volatility as a high risk. They further remind industry players that digital currencies cannot be used in any financial activities in the country. The National Internet Finance Association of China, the China Banking Association, and the Payment and Clearing Association of China said Tuesday that their members should not be involved in transactions dealing with cryptocurrencies. These include intermediary services that facilitate trading as well as exchange with fiat money. The three groups collectively represent local online companies that provide financial services, local banks, and payment companies.

    Their joint warning came in a week that saw Bitcoin’s value dip significantly following Tesla CEO Elon Musk’s announcement that his company had halted use of the cryptocurrency over concerns about its impact on the environment. Without singling out Bitcoin, the three industry groups said cryptocurrencies were not recognised by China’s central bank and had been flagged for their financial risks as well as potential ties to money laundering. They noted that virtual currencies had no real value and prices were easily manipulated. They should not be circulated as money, and contracts involving their use were not protected by law, they said, adding that any party that participated in such investments or transactions would have to bear the consequences and losses. They reminded consumers to be aware of the risks and refrain from taking part in activities involving cryptocurrencies. China over the years has warned repeatedly about initial coin offerings and digital currencies, describing these as illegal and driven by market speculation that could disrupt “economic and financial order”. Crypto exchanges were also outlawed, though individuals were still permitted to own cryptocurrencies.

    The government also had not clamped down on crypto mining, which was not referenced in the financial groups’ joint statement. Researchers last month cautioned that, unless more stringent regulations were implemented, China’s crypto mining could undermine the world’s sustainability efforts. The report estimated that the country accounted for more than 75% of Bitcoin’s hashing power, or calculations, fuelled by China’s proximity to manufacturers of the required hardware and access to cheap power.

    And while it had outlawed financial activities involving cryptocurrencies, the Chinese government had created its own alternative, commonly described as the digital version of the yuan or renminbi (RMB). Called Digital Currency Electronic Payments (DCEP), the digital yuan was developed on blockchain and cryptographic technologies and might later support near-field communication (NFC) capabilities to allow offline money transfers between two digital wallets in close proximity. DCEP could be downloaded on mobile devices using approved apps, which included AliPay, WeChat, and Apple Pay, and trials of its use kicked off last year amidst the global pandemic. Some residents in Shenzhen and Suzhou were given packets of DCEP yuan to spend. The Chinese government was studying such trials and assessing the addition of new test cities.

    Firefox testing Site Isolation feature that puts each site into a separate process

    Image: Mozilla
    Mozilla is currently testing a new security architecture for its Firefox browser in the nightly and beta channels that puts each site into its own operating system process. As it currently stands, when Firefox launches, it starts a privileged parent process, eight processes for web content, up to two additional semi-privileged web content processes, and four utility processes for web extensions, GPU operations, networking, and media decoding. With this fixed number of processes, a malicious site may be placed into a process already in use by another site, giving it access to shared process memory. Using a Spectre-like attack, the malicious site could then read data belonging to other sites in the same process. Currently, any ads, embedded pages, or subframes are placed into the same process as the parent page, regardless of whether they belong to the same site. With Site Isolation, each embedded element that is not part of the same site gets its own process, with the client operating system providing memory protections and security guarantees.

    “In a more dangerous scenario, a malicious site could embed a legitimate site within a subframe and try to trick you into entering sensitive information,” Mozilla senior platform engineer Anny Gakhokidze wrote in a blog post. “In the case of a successful Spectre-like attack, a top-level site might access sensitive information it should not have access to from a subframe it embeds (and vice-versa) — the new Site Isolation security architecture within Firefox will effectively make it even harder for malicious sites to execute such attacks.”

    Additionally, Firefox will treat the http and https versions of a site as different sites, meaning they are put in separate processes. The feature will make use of a community-maintained list of domains that function as effective top-level domains — sites like github.io or blogger.com that allow users to have their own subdomains — so that each subdomain is treated as a separate site. Gakhokidze added that the new architecture will improve Firefox in other ways: one site chewing up compute resources or running garbage collection should not “degrade the responsiveness” of other pages, nor should a page crashing affect pages in other processes. “Using more processes to load websites allows us to spread work across many CPU cores and use the underlying hardware more efficiently,” the senior engineer wrote.

    Site Isolation was first unveiled by Firefox at the start of 2019, when it was dubbed Project Fission. Chrome has had its own version of isolation for some time. Users running Firefox Nightly who want to enable Site Isolation can head to about:preferences#experimental, toggle the Fission checkbox, and restart. Those running the beta or release channel need to head to about:config, set fission.autostart to true, and restart. A word of warning to Linux users, however: a number of known issues on the Project Fission page cite excessive memory usage and problems with X11 connector exhaustion to contend with.
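    The process-sharing rule the article describes, written out as an added illustration (this is not Mozilla's code): a "site" is the scheme plus the registrable domain (eTLD+1), so the http and https versions of a domain, and two different github.io users, are kept in separate processes while subdomains of one site share a process. The public suffix list and the page layout used here are constructed for the example; the real suffix list is the community-maintained one the article mentions.

```javascript
// Added example, not Firefox source: a toy model of Site Isolation's
// process policy. Content processes are keyed on the "site", i.e.
// scheme + registrable domain (eTLD+1), never on the full origin.
// This suffix list is a constructed subset; the real one is the
// community-maintained Public Suffix List.
const PUBLIC_SUFFIXES = new Set([
  "com", "org", "net", "io", "co.uk",
  // Hosts that hand out subdomains to unrelated users count as suffixes,
  // so alice.github.io and bob.github.io are different sites.
  "github.io", "blogger.com",
]);

// Registrable domain (eTLD+1) of a hostname, or null if the host is itself
// a public suffix. The longest matching suffix wins: "alice.github.io"
// matches "github.io" before "io", so the result is "alice.github.io".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown TLD: fall back to treating the whole host as the site.
  return hostname.toLowerCase();
}

// Site key used to decide process sharing. The scheme is part of the key,
// so the http and https versions of one domain never share a process.
function siteKey(urlString) {
  const url = new URL(urlString);
  return `${url.protocol}//${registrableDomain(url.hostname) ?? url.hostname}`;
}

// Minimal allocator: one simulated content process per site key.
class SiteProcessAllocator {
  constructor() {
    this.processes = new Map(); // site key -> simulated process id
    this.nextPid = 1;
  }
  processFor(urlString) {
    const key = siteKey(urlString);
    if (!this.processes.has(key)) this.processes.set(key, this.nextPid++);
    return this.processes.get(key);
  }
  // Assign processes to a top-level page and its subframes (ads, embeds).
  // Cross-site subframes land in a different process from the top page,
  // which is what stops a Spectre-style read from crossing a site boundary.
  layout(topUrl, subframeUrls) {
    const top = this.processFor(topUrl);
    const subframes = subframeUrls.map((u) => {
      const pid = this.processFor(u);
      return { url: u, pid, sharesTopProcess: pid === top };
    });
    return { top, subframes };
  }
}

// Constructed page: a news site embedding its own login frame, an ad
// network frame, a GitHub Pages frame, and an http version of itself.
function demo() {
  const alloc = new SiteProcessAllocator();
  return alloc.layout("https://news.example.com/story", [
    "https://login.example.com/sso",   // same site: shares the top process
    "https://ads.adnet.org/banner",    // cross-site: separate process
    "https://alice.github.io/widget",  // github.io user: separate process
    "http://news.example.com/legacy",  // different scheme: separate process
  ]);
}
```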

    Google I/O 2021: Chrome can fix compromised passwords

    Google is launching a new feature in Chrome for Android that helps users fix passwords that may have been compromised in a breach. The feature relies on the search giant’s artificial intelligence Duplex system, which became part of Google Assistant. 

    With this new feature, if Chrome detects a potentially compromised password, a “Change password” button will pop up from Assistant. When clicked, Chrome will navigate to the site with the compromised password and go through the entire process of changing the password automatically. “Powered by Duplex on the Web, Assistant takes over the tedious parts of web browsing: scrolling, clicking and filling forms, and allows you to focus on what’s important to you,” said Patrick Nepper, senior product manager for Chrome. “And now we’re expanding these capabilities even further by letting you quickly create a strong password for certain sites and apps when Chrome determines your credentials have been leaked online.”

    Google also announced an update to its password manager, including a new tool that imports passwords from third-party password managers, deeper integration between Chrome and Android, and automatic password alerts when a password is compromised in a breach. Google said automated password changes are rolling out gradually in Chrome on Android for users who sync their passwords. It will be available first in the US and only on select websites, but Google said it plans to expand the feature to more sites and more countries in the coming months.