More stories


    Ransomware crooks are targeting vulnerable VPN devices in their attacks

    Cyber criminals are exploiting security vulnerabilities in VPN servers to encrypt networks with a new form of ransomware, and may have disrupted industrial facilities in the process. The ransomware is detailed in a report by security company Kaspersky, following an investigation into a ransomware attack against an unnamed victim in Europe.

    At least one of these attacks encrypted industrial control servers with ransomware, forcing a temporary shutdown of operations. Kaspersky has not identified the victim of the successful attack or said how the incident was resolved, but it has detailed the ransomware that encrypted the network and how the attackers gained access.

    Known as Cring, the ransomware first appeared in January, and its operators break in by exploiting a vulnerability in FortiGate SSL VPN servers (CVE-2018-13379). Fortinet issued a patch for the flaw last year, but the exploit still works against networks that have yet to apply the update. Exploiting an unpatched VPN appliance lets attackers remotely obtain valid usernames and passwords, which they then use to log in to the network manually.

    From there, the attackers download Mimikatz, an open-source tool for viewing and saving authentication credentials, and use it to harvest additional usernames and passwords for lateral movement across the network. They also deploy tools including Cobalt Strike, a legitimate penetration-testing framework that is frequently abused by attackers, to gain further control over compromised systems.

    Then, with the help of malicious PowerShell scripts, the attackers encrypt every system they have compromised across the network with Cring ransomware. A ransom note then tells the victim that the network has been encrypted and that payment in Bitcoin is required to restore it.

    While there is no information on how the incident at the European industrial facility was resolved, the researchers say the failure to apply the patch for a known vulnerability was the “primary cause” of the incident. Other contributing factors included out-of-date antivirus software on the network, some components of which had been switched off altogether, reducing its ability to detect the intrusion or the malicious activity that followed.

    The network’s configuration also helped the attackers by letting them move freely between systems that did not all need to be reachable from one another. “There were no restrictions on access to different systems. In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems,” said Vyacheslav Kopeytsev, senior security researcher at Kaspersky.

    To protect against Cring, the researchers recommend that FortiGate VPN servers be patched with the relevant security updates, that VPN access be restricted to users who need it for operational reasons, and that ports that do not need to be exposed to the internet be closed.
Researchers also suggest that critical systems are backed up offline, so if the worst happens and the network falls victim to a ransomware attack, it can be restored without the need to pay criminals.



    Italian man arrested after allegedly paying hitman in cryptocurrency

    An Italian man has been arrested on suspicion of paying a hitman to assassinate his former partner. 

    According to a Europol alert on Wednesday, the suspect went looking for a hitman in the darkest corners of the internet and eventually found a website on the dark web claiming to offer such services. The dark web is the part of the deep web (content not indexed by ordinary search engines) that can only be reached through anonymity networks such as Tor, and it is where much of this kind of illegal trade takes place. After contact was made, someone apparently willing to assassinate his ex-girlfriend was paid roughly €10,000 in Bitcoin (BTC).

    However, Europol and the Italian Postal and Communication Police caught wind of the plan, and an “urgent, complex crypto-analysis” was performed. While Europol worked to unmask the suspect and trace the BTC transfer, Italian police contacted the cryptocurrency exchange from which the suspect had originally bought the coins. The exchange, which has not been named, provided the police with further information. “The timely investigation prevented any harm to be perpetrated against the potential victim,” Europol says.

    The European agency and other law enforcement groups use a range of tools to monitor and trace cryptocurrency transactions suspected of being linked to criminal activity. Interpol, for example, helped develop and uses GraphSense, an open-source cryptocurrency analytics platform for searching addresses and tracing transfers across blockchains. The organisation is also working on a new tool, dubbed “Darkweb Monitor”, which will focus on cryptocurrency intelligence gathering for law enforcement purposes.

    In related news this week, the US Department of Justice (DoJ) announced a 12-year prison sentence, without parole, for a Missouri resident who tried to buy dangerous chemicals online. The “highly toxic” compound, purchased through what appeared to be a dark web vendor, was paid for in BTC, and the delivery details were addressed to a minor. A police sting revealed the man may have bought the chemical because of a breakup, with documents found in the home revealing “a desire for the person who caused the heartache to die”, according to prosecutors.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Vyveva: Lazarus hacking group’s latest weapon strikes South African freight

    Researchers have discovered a new backdoor employed by the Lazarus hacking group in targeted attacks against the freight industry. 

    On Thursday, ESET said the new backdoor, dubbed Vyveva, was found during an attack on a South African freight and logistics firm. The initial access vector is not yet known, but analysis of the infected machines revealed strong links to the Lazarus group.

    Lazarus is an advanced persistent threat (APT) group of North Korean origin. The state-sponsored attackers are prolific and are held responsible for the global WannaCry ransomware outbreak, the $81 million Bangladesh Bank heist, attacks on South Korean supply chains, cryptocurrency theft, the 2014 Sony hack and various other assaults on US organisations.

    Vyveva is one of the latest weapons discovered in the Lazarus arsenal. The backdoor was first spotted in June 2020 but may have been in use since at least 2018. It can exfiltrate files, gather information about an infected machine and its drives, connect to a command-and-control (C2) server and run arbitrary code. It communicates over fake TLS connections, includes a component for reaching its C2 through the Tor network, and uses command-line execution chains that the APT has employed in past campaigns. There are also coding similarities to the older Lazarus malware family Manuscrypt/NukeSped.

    Vyveva also includes a “timestomping” option, which copies the creation, write and access timestamps of a chosen “donor” file onto another file so that it blends in with its surroundings, and a file-copying feature that can filter on particular extensions so that only specific types of content, such as Microsoft Office documents, are collected for exfiltration.

    The backdoor contacts its C2 every three minutes through watchdog modules, sending operators a stream of data that includes drive connection and disconnection events as well as the number of active sessions and logged-in users, activity consistent with cyberespionage. “These components can [also] trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events,” ESET notes. The researchers added that the backdoor’s codebase allows them to attribute Vyveva to Lazarus with “high confidence.”

    In February, the US Department of Justice (DoJ) indicted two alleged North Korean hackers and expanded charges against another for being part of Lazarus. Assistant Attorney General John Demers has described the APT as a “criminal syndicate with a flag.”
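    The timestomping feature described above is easy to reproduce and, more usefully, to check for. The following is an added example written for this page, not ESET’s code or anything taken from the Vyveva sample: it copies a donor file’s access and modification times onto a target using Python’s standard library (which, unlike the backdoor, cannot set creation time), then applies a basic forensic heuristic. On Linux and other Unix-like systems the inode change time (ctime) cannot be set from user space and is bumped by the very call that rewinds mtime, so a modification time that predates the change time is a red flag. The file names and the 2018 timestamp are constructed for the demo.

```python
import os
import tempfile


def timestomp(target: str, donor: str) -> None:
    """Copy the donor file's access and modification times onto target.

    Mirrors the 'donor file' option described for Vyveva, with one gap:
    os.utime cannot set a file's creation time, and on Linux it cannot set
    the inode change time (ctime) at all.  The kernel stamps ctime with the
    current time whenever metadata changes, including this very call.
    """
    st = os.stat(donor)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def looks_timestomped(path: str, slack_seconds: float = 2.0) -> bool:
    """Triage heuristic for Unix-like systems.

    st_ctime is the inode change time and cannot be set from user space, so
    a file whose modification time predates its change time by more than
    slack_seconds has had its mtime rewound.  Legitimate tools (tar, rsync,
    git checkout) do this too, so treat a hit as a lead, not as proof.
    On Windows st_ctime is the creation time and this comparison is meaningless.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack_seconds


def demo() -> dict:
    """Create a donor/target pair in a scratch directory (constructed data,
    nothing from the real sample) and return the verdict before and after
    stomping, plus whether the target's mtime now matches the donor's."""
    with tempfile.TemporaryDirectory() as scratch:
        donor = os.path.join(scratch, "donor.dll")
        target = os.path.join(scratch, "implant.dll")
        for path in (donor, target):
            with open(path, "wb") as fh:
                fh.write(b"\x00" * 16)

        # Give the donor a 2018 timestamp, like an old system file would carry.
        old = 1_516_000_000  # 2018-01-15T07:06:40Z
        os.utime(donor, (old, old))

        before = looks_timestomped(target)   # fresh file: mtime == ctime
        timestomp(target, donor)
        after = looks_timestomped(target)    # mtime is now 2018, ctime is now
        mtime_matches = os.stat(target).st_mtime_ns == os.stat(donor).st_mtime_ns

    return {"before": before, "after": after, "mtime_matches_donor": mtime_matches}


if __name__ == "__main__":
    print(demo())
```

    The heuristic is a triage signal, not proof: archive and sync tools preserve old mtimes for good reasons. On NTFS, where a backdoor can also set creation time, the equivalent check is to compare the $STANDARD_INFORMATION timestamps (which user-mode APIs can set) against the $FILE_NAME timestamps (which they cannot), and to look for timestamps with suspiciously zeroed sub-second precision.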


    Why do phishing attacks work? Blame the humans, not the technology

    Phishing attacks remain a huge problem, and crooks spend a lot of time and effort making sure that, for the potential victim, clicking on a bad link is the most intuitive and easiest thing to do. A common technique in phishing emails is to claim that the victim must click a link or download an attachment as a matter of urgency.

    The pretext can be anything from important corporate documents in an enterprise environment to a parcel delivery notification, a prize, or a phoney court summons. The messages are designed so that clicking on the phishing link is the path of least resistance, with the aim of sending the user to a page built to steal login credentials or other personal information. Crooks design these pages to be almost indistinguishable from the real ones they mimic, all to make the operation as smooth as possible and give the user no reason to suspect anything is wrong. “Part of the problem is that phishing signals are often indistinguishable from positive user experience attributes,” Troy Hunt, creator of Have I Been Pwned and digital advisor to Nord Security, told ZDNet Security Update.

    “It’s easy when you’ve got a link, because you just click on it and you go straight to the right place and it deep links you through to that potentially fraudulent transaction,” he added.

    For example, a user who suspects that a link claiming to come from their bank might be a phishing attempt could decline to follow it and instead open a new window, type in the bank’s address and check whether there really is a message waiting on their account. That sidesteps the potentially dangerous link entirely. Yet phishing attacks keep succeeding because people are still coerced into clicking.

    That is despite a recent privacy survey by NordVPN, which suggests that while people say they know how to stay safe online, they still fall victim to phishing and other cyberattacks, because cyber criminals are highly capable at using social engineering to make victims do what they want. “Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard that is often the vulnerable part of the loop,” said Hunt. “We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” he added.

    Organisations can train staff to recognise phishing attacks, and encouraging the use of tools such as multi-factor authentication and password managers can also help protect people from phishing.


    Apple looking to close the gap between web and app privacy

    On the web, users can opt out of much of the tracking they encounter thanks to a combination of GDPR-induced consent prompts, ad and tracker blockers, and private browsing modes; this is far from the case on mobile phones and in apps. In an effort to close the gap, Apple argues that giving users control over its Identifier for Advertisers (IDFA) can serve advertisers while preserving privacy.

    “Identifiers such as the Identifier For Advertisers (IDFA) and email address help identify a specific device across a network. They also allow advertisers to create a detailed profile of your activity across different apps or websites when they see your device identifier and associate your activity with it,” Apple says in an updated version of its A Day in the Life of your Data document. “The Identifier For Advertisers (IDFA) is a user-controllable identifier assigned by iOS to each device. As a software-based identifier rather than one that is tied to the hardware itself, the IDFA can be blocked for a particular app by the user via the App Tracking Transparency prompt. This gives the user control over IDFA-based tracking.”

    The updated document adds a pair of pages on advertising auctions and ad attribution, in which Apple says advertisers can measure ad performance without tracking individual users. The mechanisms for this are its SKAdNetwork API and Private Click Measurement. Pointing to the way web browsers have clamped down on trackers, Apple dismissed concerns that clamping down on trackers in apps will make app development less profitable. The company believes advertisers will have to respond by offering users a higher level of privacy, and that app makers will still be able to monetise their apps.

    Apple also said it would remove apps from the App Store if a new method of fingerprinting devices was developed to track users.

    Last month, Apple told Australian regulators that its store was not the most dominant app marketplace because the open internet is an alternative. “Apple perceives and treats other distributors of apps, for platforms other than iOS, as significant competitors whose pricing and policies constrain Apple’s ability to exercise power over developers,” the iPhone maker said in a submission to the Australian Competition and Consumer Commission (ACCC). “Apple is not in a position to disregard the environment in which its app marketplace operates and does not accept the Commission’s characterisation of the Apple App Store as ‘the most dominant app marketplace by a large margin’.”

    Apple said it does not consider that it has a substantial degree of power in any market relevant to the ACCC’s current inquiry, nor does it agree there is a market failure requiring regulatory intervention or legal action. “Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third party apps and use them on their iOS devices) and outside iOS,” it said. “Even if a user only owns iOS-based devices, distribution is far from limited to the Apple App Store because developers have multiple alternative channels to reach that user. The whole web is available to them, and iOS devices have unrestricted and uncontrolled access to it. One common approach is for users to purchase and consume digital content or services on a website.”

    Days earlier, Apple said it was surprised to hear that developers have legitimate concerns about their ability to engage with Apple in the app review process.


    Man jailed for trying to buy chemical weapon online able to kill ‘hundreds’ of people

    A man has been jailed for trying to buy a chemical weapon online capable of killing “hundreds” of people. 

    On Tuesday, the US Department of Justice (DoJ) announced that Jason William Siesser, a resident of Missouri, will spend 12 years in federal prison without the possibility of parole. Between June 14 and August 23, 2018, the 46-year-old tried to buy a “highly toxic chemical” through the dark web, first ordering two 10 ml vials and then three. According to US prosecutors, three 10 ml units of the chemical would have been enough to kill roughly 300 people.

    The orders were placed in the name of a minor and paid for with the equivalent of $150 in Bitcoin (BTC). While in contact with the seller, Siesser said he planned “to use it soon” after receipt. The first delivery never arrived, leading to a second, which Siesser believed contained the chemical but was in fact a controlled delivery staged by US law enforcement.

    Siesser signed for the package, and officers, having obtained a warrant, raided his home. They found 10 grams of toxic, potentially deadly cadmium arsenide, 100 grams of cadmium and 500 ml of hydrochloric acid, compounds he had also ordered in the same year. On the question of intent, the DoJ says, “writings located within the home articulated Siesser’s heartache, anger and resentment over a breakup, and a desire for the person who caused the heartache to die.”

    In August 2020, Siesser pleaded guilty to one count of attempting to acquire a chemical weapon and one count of aggravated identity theft.

    The dark web is a layer beyond the ‘clear’ web that is not indexed by standard search engines. A handful of sites there are dedicated to illegal purposes, such as marketplaces for weapons, drugs, data dumps and counterfeit documents. The now-defunct DeepDotWeb (DDW) portal used to provide links to dark web resources, including marketplaces. Last week, the DoJ said a former administrator of the portal had pleaded guilty to providing links to illegal trading posts and receiving millions of dollars in kickbacks through commission links.


    New wormable Android malware poses as Netflix to hijack WhatsApp sessions

    A new variant of Android malware has been discovered in an app on Google Play that entices users by promising free Netflix subscriptions.  On Wednesday, Check Point Research (CPR) said the “wormable” mobile malware was discovered in the Google Play Store, the official repository for Android apps. The malicious software, dubbed “FlixOnline,” disguises itself as a legitimate Netflix application and appears to focus on targeting the WhatsApp messaging application. The ongoing COVID-19 pandemic has forced many of us to stay at home for long durations, and with shops closed, bars shut, and limited trips outside permitted, we have turned to streaming services to pass the time. By the end of 2020, paid Netflix subscriber numbers smashed through the 200 million mark — likely spurred on due to COVID-19 — and malware operators have decided to jump on this trend. The fraudulent app promised global “unlimited entertainment” and two months of a premium Netflix subscription for free due to the pandemic. 

    Once installed, however, the malware ‘listens in’ on WhatsApp conversations and auto-responds to incoming messages with malicious content. On installation, the app asks for overlay permission, a common ingredient in the theft of service credentials, as well as permission to ignore battery optimisation, which stops Android from suspending the app to save power. FlixOnline also requests notification access, which gives the malware visibility into notifications from WhatsApp along with the ability to ‘dismiss’ or ‘reply’ to messages directly from those notifications. Auto-responses sent to the victim’s contacts include the following:

    “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https:// bit[.]ly/3bDmzUw.”

    According to the researchers, the malware can propagate further via these malicious links, steal WhatsApp conversation data, and spread false information or harmful content through the messaging service. The link used in this campaign sends victims to a fake Netflix website that attempts to obtain credit card details and credentials. However, because the message text is fetched from a command-and-control (C2) server, future campaigns could point to different phishing sites or malware payloads.

    FlixOnline claimed approximately 500 victims over roughly two months before it was detected, and it is likely the malware will resurface. CPR informed Google of its findings and the app has been removed from the Play Store. WhatsApp was also notified as a courtesy, but as the malware does not exploit any vulnerability in the messaging app to propagate, relying instead on the notification reply mechanism, no action was required.


    Data of 553m Facebook users dumped online: how to see if you are impacted

    Information belonging to 553 million Facebook users has been posted online in an incident the company says was due to scraping and not a cyberattack. 

    Facebook IDs, names, dates of birth, gender, location and relationship status, among other data points, were leaked, with each dataset broken up by country and made freely available online. The mass collection took place in 2019. In a blog post on Tuesday, the social media giant blamed scraping, in which automated software lifts publicly available data from internet resources. In this case, a flaw in Facebook’s contact importer, present until September 2019, allowed individuals to “imitate our app and upload a large set of phone numbers to see which ones matched Facebook users, [allowing them to] query a set of user profiles and obtain a limited set of information about those users included in their public profiles,” according to the company. While this did not include user credentials, it still allowed profile data to be scraped en masse, and because the importer confirmed which uploaded numbers matched an account, it let the scrapers tie phone numbers to profiles.

    Facebook has since changed the contact importer to hinder future scraping, but the information already gathered is now out there. Two years is not long in data-age terms, and the information is valuable not only to threat actors, who may use contact details and phone numbers for phishing and social engineering, but also to unscrupulous marketers building profiles for targeted ads, spam or robocalls.

    To see whether you are included in this data set, you can check Have I Been Pwned, the search service run by security expert Troy Hunt. As leaks occur, dumps are added to the engine so that anyone can enter an email address or a phone number, in international format, and see whether their information has been published. Facebook’s record leak is the latest set to be added, and you should check both your email address and your phone number: only 2.5 million of the records contain an email address, so a search on your email alone may come back clean even though your phone number is in the dump.

    There is little that can be done once your data is exposed, but if you are in the leak you should be wary of phishing attempts and fraudulent cold calls. A regular privacy check of your social media profiles is always worthwhile, including whether you allow others to look you up on Facebook by email address or phone number.

    “We are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” Facebook says. “We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible.” The Irish Data Protection Commission is attempting to “establish the full facts” surrounding the leak and noted that it had “received no proactive communication from Facebook.”

    “As the price of personal data climbs, breaches of any size — let alone half a billion users — should no longer be tolerated,” commented Adam Enterkin, Global SVP of Sales at BlackBerry. “Organizations have full responsibility for the data stolen; even seemingly low-stakes data can be used to exploit customers. If you collect it, protect it.”
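    Searching Have I Been Pwned by phone number requires the number in international format, and a number copied from a contact list or an account page rarely arrives that way. The function below is an added example written for this page, not code from Have I Been Pwned, that converts a domestically written number into E.164 form (a plus sign, the country code, then the national number with its trunk prefix dropped), handling the ‘+44 (0)…’ and ‘00…’ conventions along the way. The handful of country codes in TRUNK_PREFIX and the sample numbers are constructed for the demo; whether the service wants the leading ‘+’ or digits only is not stated on the page, so the function can produce either.

```python
import re

# Trunk prefix dropped when a domestic number is rewritten in international
# form.  Constructed subset for this example, not a complete dial-plan table.
TRUNK_PREFIX = {
    "44": "0",   # United Kingdom
    "1": "",     # US and Canada (NANP): no trunk prefix, 10 national digits
    "49": "0",   # Germany
    "33": "0",   # France
}


def to_international(raw: str, default_cc: str, plus: bool = True) -> str:
    """Normalise a phone number to E.164-style international format.

    raw        -- number as a person might type it: spaces, dashes, brackets,
                  a leading '+', the '00' international prefix, or a plain
                  domestic number.
    default_cc -- country code assumed for numbers written domestically.
    plus       -- prefix the result with '+' (True) or return digits only.

    Raises ValueError for anything that cannot be interpreted.
    """
    if default_cc not in TRUNK_PREFIX:
        raise ValueError(f"unsupported default country code {default_cc}")

    # "+44 (0)7700 900123" is a common way of writing a UK number; the (0)
    # is the trunk prefix and must not survive into the international form.
    s = raw.strip().replace("(0)", "")
    digits = re.sub(r"\D", "", s)

    if s.startswith("+"):
        intl = digits                     # already in international form
    elif digits.startswith("00"):
        intl = digits[2:]                 # 00 is the international dialling prefix
    else:
        national = digits
        trunk = TRUNK_PREFIX[default_cc]
        if trunk and national.startswith(trunk):
            national = national[len(trunk):]
        elif default_cc == "1" and len(national) == 11 and national[0] == "1":
            national = national[1:]       # NANP number written with its country code
        intl = default_cc + national

    # E.164 allows at most 15 digits; anything shorter than 8 is not a real number.
    if not (8 <= len(intl) <= 15):
        raise ValueError(f"cannot interpret {raw!r} as a phone number")
    return ("+" if plus else "") + intl


if __name__ == "__main__":
    # Constructed sample inputs (Ofcom drama range and the 555 exchange).
    for sample, cc in [("07700 900123", "44"), ("+44 (0)7700 900123", "44"),
                       ("(415) 555-2671", "1"), ("0049 30 1234567", "44")]:
        print(f"{sample!r:>22} -> {to_international(sample, cc)}")
```

    Run it with the default country code of wherever the number was written, not where you are; a UK mobile typed by a US user still needs `default_cc="44"`. Real dial plans have more exceptions than this table (Italy keeps its leading zero, for instance), which is why production code reaches for a library such as libphonenumber rather than a hand-rolled map.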