More stories


    Gaming mods, cheat engines are spreading Trojan malware and planting backdoors

    Gaming mods and cheat engines are being weaponized to target gamers in new malware campaigns. 

    On Wednesday, researchers from Cisco Talos said the gaming tools are being used to deploy a cryptor — code designed to prevent reverse-engineering or analysis — for a variety of malware strains, the majority of which appear to be Remote Access Trojans (RATs). The attack wave is focused on compromising the systems of gamers and modders.

    The initial attack vector begins with malvertising — adverts that lead to malicious websites or downloads — as well as YouTube how-to videos focused on game modding that link to malicious content.

    There is already a vibrant marketplace for cheats and mods. Online gaming is now an industry worth millions of dollars — only propelled further with the emergence of competitive e-sports — and so some gamers will go so far as to purchase cheats to give them an edge. Developers have upped their game, too, and will often upload their creations to VirusTotal to see if files are flagged as suspicious or malicious.

    The risk in downloading system-modifying files is nothing new and the latest campaign only carries on the trend. Cheats, cheat engines, and mods have been found that contain cryptors able to hide RAT code and backdoors through multiple layers of obfuscation. Once a malicious mod or cheat has been downloaded and installed on a target machine, a dropper injects code into a new process to circumvent basic antivirus tools and detection algorithms.

    The malware is then able to execute. Samples tracked so far include the deployment of XtremeRAT, an information stealer that has been associated with spam campaigns and the deployment of Zeus variants. 
    Cisco Talos notes that the cryptor uses Visual Basic 6, shellcode, and process injection techniques to make analysis difficult.

    “As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees,” the researchers say. “Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Child tweets on behalf of nuke, space mission agency US Strategic Command

    There is now an end to the mystery of a nonsensical tweet issued by US Strategic Command.

    The military agency, also known as USSTRATCOM, which is responsible for nuclear operations, global strike management and missile defense, among other duties, sent out a strange message via its Twitter account on March 28. The tweet, simply “;l;;gmlxzssaw,” was liked and retweeted thousands of times and prompted over 1,500 comments asking what it meant.

    While the message was rapidly deleted and the agency asked its followers to disregard it, journalist Mikael Thalen from the Daily Dot filed a Freedom of Information Act (FOIA) request asking for additional details concerning the tweet. In response to the FOIA request, the agency told Thalen that the US Strategic Command’s Twitter manager, while working from home, left his post for a moment and the account was, unfortunately, open. What happened next would make any parent currently working from home due to the coronavirus pandemic groan: his “very young” child “took advantage of the situation and started playing with the keys, and unfortunately, and unknowingly, posted the tweet,” according to the FOIA response.

    When high-profile Twitter accounts start tweeting out nonsense or dubious messages, as in the infamous hijacking of celebrity accounts to promote a cryptocurrency scam in July 2020, there may be concern that the profiles are under the control of unauthorized individuals.

    While the child in question certainly seized control of the account, even momentarily and — no doubt — without permission, the agency was keen to emphasize that there was nothing “nefarious” and no hacking took place.  “The post was discovered and notice to delete it occurred telephonically,” US Strategic Command added. 



    New poll shows Facebook's severe trust problem

    We all use Facebook because it’s the only way we can know what people we haven’t talked to in years have eaten for dinner. Far too many use Facebook as an echo chamber, providing a definitive source of confirmation bias for the craziest pet conspiracy theories. Facebook is also the primary news source for more than half of all adult Americans.

    But Facebook is not without its problems beyond simply being what I have called “a pox on humanity.” There was the Cambridge Analytica scandal, where Facebook shared confidential information on millions of its users to an outside firm. There was Facebook’s little email harvesting operation, where it improperly grabbed email information from millions of users without consent. Then there were the hundreds of millions of passwords Facebook stored in plain text, completely unencrypted. But yet we keep on using Facebook.

    Last week, I decided I wanted to gather some informal data on what people thought of Facebook and three other companies: Google, Amazon, and Microsoft. I often use Twitter’s polling feature to reach out to my small army of followers and gather sentiment information. I do this for work, certainly, but I also do this because I have an unhealthy obsession with charts, and Twitter can slake that thirst in a matter of minutes — and definitively after the poll finishes its 24 hour run. Yes, I get as much of a dopamine rush from looking at charts as I do looking at puppies.

    Who do you trust…least?

    In any case, I did a poll that asked, “Who do you trust…least?” Now, you have to understand I’ve done a LOT of Twitter polls. I’ve even done highly-charged politics-related Twitter polls. Not once, not in the hundred or so polls I’ve run, has the response been as lopsided as the result was from asking “Who do you trust…least?”

    Look at this:

    Who do you trust … least?— David Gewirtz (@DavidGewirtz) March 24, 2021

    In all the polls I’ve ever done, I’ve never seen one where one answer so completely dominated the others. Even Google, which has turned its earlier motto of “Don’t be evil” into some sort of self-parody, and whose entire business model is sucking up your information so you can be advertised to, is vastly less distrusted than Facebook. The wildly asymmetrical results of this poll are unprecedented among all my previous polls.

    Now, I fully understand this isn’t a scientific poll. I did scientific polls when I was working on my graduate degree. I even know how to use regression analysis and p-values to reject the null hypothesis.

    But Twitter polls also aren’t that unscientific. When I use Twitter for polls, I’m polling a specific constituency, in this case my Twitter followers, which means it’s a constituency of people likely interested in tech, coffee, government, snark, and puppies. I reach out to tens of thousands of users, and those who wish to answer, do. Granted, a landline phone poll, which used to be the gold standard of polling until people stopped using landline phones, is slightly more random. But the very fact that someone is reachable at a landline (even in the days before smartphones) immediately set up a demographic weighting towards a particular set of psychographics to the exclusion of others.

    So I would argue that my little Twitter poll is just as scientifically valid as more traditional polls — just as long as you understand that my polling audience has a specific coverage bias based on their original decision to follow my tweets. But the fact that the coverage bias is reasonably well known means it can be factored into the results of the poll. What I mean by this is we can’t necessarily say that everyone distrusts Facebook. Instead, we have to limit our population to “tech savvy people distrust Facebook,” which is fair enough. Of course, there are a whole lot of tech savvy people out there.

    All of this goes to one simple, holy cow-level fact: Facebook’s level of distrust is almost off the charts. Yet, most of us still use Facebook daily — and there’s no sign of that ever ending.

    What do you think? Did you answer my Twitter poll? If not, how would you have voted? And share with us what you think about Facebook. Are you a regular user? Have you managed to extricate yourself from its reach? Let us know in the comments below.


    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    VMware patches critical vRealize Operations platform vulnerabilities

    VMware has patched a pair of severe vulnerabilities that could lead to the theft of administrator credentials in vRealize Operations.

    vRealize Operations is described as an artificial intelligence (AI)-based platform that provides “self-driving IT operations management for private, hybrid, and multi-cloud environments.”

    On Tuesday, the software vendor published a security advisory for the security flaws, which impact VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The vulnerabilities were reported privately to VMware by Positive Technologies penetration tester Egor Dimitrenko.

    The first vulnerability, tracked as CVE-2021-21975, is a server-side request forgery (SSRF) bug with a CVSS score of 8.6 out of 10. Found in the vRealize Operations Manager API, the security flaw permits threat actors with network access to perform SSRF attacks and steal administrator credentials.

    The second bug, CVE-2021-21983, was also discovered by Dimitrenko in the same API. This arbitrary file write vulnerability, issued a severity score of 7.2, does require an attacker to be authenticated and have network access to exploit.

    If these conditions are met, however — such as by triggering the first vulnerability to steal the necessary credentials — this permits attackers to “write files to arbitrary locations on the underlying photon operating system,” according to VMware.

    Patches have been issued for the vulnerabilities, which impact vRealize Operations Manager 7.5.0, 8.0.1, 8.0.0, 8.1.1, 8.1.0, 8.2.0, and 8.3.0 on any type of operating system deployment. The security flaws also impact VMware Cloud Foundation versions 3.x and 4.x, alongside vRealize Suite Lifecycle Manager 8.x.

    VMware has provided security patches, as well as workarounds for IT administrators who are unable to immediately apply the fixes.


    VPNs: Mozilla just added these new features to its virtual private network

    Mozilla, the maker of the Firefox browser, has launched two new features as part of its virtual private network offering that launched last year.

    Mozilla launched the VPN service last year at $5 a month. It’s available in the US, the UK, Canada, New Zealand, Singapore, and Malaysia.


    The Mozilla VPN will now tell users when they’ve joined a network that doesn’t require a password or is using weak encryption. The notification on Windows, Linux, Mac, Android and iOS tells users when they’re on a poorly secured network, which may be helpful as restrictions ease and people are more comfortable travelling around again.

    On the home front, Mozilla has added Local Area Network Access, to allow devices to communicate together while the VPN is still active. Users need to check a box in Network Settings when connected to a home network.

    “Occasionally, you might need to print out forms for an upcoming doctor visit or your kid’s worksheets to keep them busy,” Mozilla notes. “Now, we’ve added Local Area Network Access, so your devices can talk with each other without having to turn off your VPN. Just make sure that the box is checked in Network Settings when you are on your home network. This feature is available on Windows, Linux, Mac and Android platforms.”

    As for the VPN’s expanded availability, Mozilla says that it will bring the service to more countries in the spring timeframe. Mozilla has faced questions about how the service will work. The browser maker has published an FAQ and support pages for both the browser extension and the full-device VPN product.

    In a crowded VPN market, Mozilla hopes to stand out by offering fast browsing; it said its VPN is based on the WireGuard protocol’s 4,000 lines of code, which it said is a fraction of the size of legacy protocols used by other VPN service providers.


    Microsoft: Firmware attacks are on the rise and you aren't worrying about them enough

    Microsoft’s inaugural Security Signals report for March 2021 shows that 80% of enterprises have experienced one firmware attack during the past two years, but less than a third of security budgets are dedicated to protecting firmware.

    Firmware attacks are tricky to deal with. State-sponsored hacking group APT28, or Fancy Bear, was caught in 2018 using a Unified Extensible Firmware Interface (UEFI) rootkit to target Windows PCs. There have also been attacks that rely on hardware drivers, such as RobbinHood, Uburos, Derusbi, Sauron and GrayFish, as well as ThunderSpy, a theoretical attack aimed at Thunderbolt ports.

    Microsoft launched a new range of “Secured-Core” Windows 10 PCs last year to counter malware that tampers with the code in motherboards that boots a PC. It’s also released a UEFI scanner in Microsoft Defender ATP to scan inside the firmware filesystem for the presence of malware.

    But enterprises aren’t treating firmware attacks seriously enough, according to a study that Microsoft commissioned Hypothesis Group to conduct.

    “The study showed that current investment is going to security updates, vulnerability scanning, and advanced threat protection solutions,” Microsoft notes. “Yet despite this, many organizations are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.”

    It’s worth noting that Microsoft is promoting its “emerging class of secured-core hardware”, such as the Arm-based Surface Pro X with the SQ2 processor, which starts at $1,500, or HP’s Dragonfly laptops that retail for no less than $2,000.

    But the company does have a point. Firmware lives below the operating system and is where credentials and encryption keys are stored in memory, where it’s not visible to antivirus software. “Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed,” Microsoft says.

    The question is whether security teams are looking enough at future threats. Microsoft thinks they’re not. The Security Signals survey found that 36% of businesses invest in hardware-based memory encryption and 46% are buying in hardware-based kernel protections. Microsoft’s study found that security teams are focusing on “protect and detect” models of security, pointing out that only 39% of security teams’ time is spent on prevention.

    The lack of proactive defense investment in kernel attack vectors is an example of this outdated model, according to Microsoft. Most of the 1,000 enterprise security decision makers interviewed (82%) said they don’t have enough resources to address high-impact security work because they’re too busy dealing with patching, hardware upgrades, and mitigating internal and external vulnerabilities.


    Pandemic threats: The common threads in COVID-19 scams and criminal schemes

    Researchers have explored how the coronavirus pandemic has affected the cybercrime space and the common trends found between COVID-related schemes.

    In a new Trend Micro report viewed by ZDNet, the team explored the increased dependence on online services prompted by the pandemic — and how threat actors are trying to cash in.

    Due to physical business and office closures, lockdowns, and stay-at-home orders, companies trying to survive have needed to either ramp up their online services or create them from scratch — ranging from e-commerce shops to delivery services. Government and medical organizations, too, suddenly had to expand their online presence in order to offer telehealth services and vaccine appointment registration.

    As new platforms spring up to cater to consumer economic and medical needs, threat actors are pivoting to campaigns designed to impersonate legitimate sources in the hope of malware deployment and data theft.

    “Cybercriminals usually impersonate known entities and create convincing replicas of email, website, or apps from legitimate sources,” the researchers note. “Due to this, users might have a harder time identifying legitimate platforms from malicious ones. This might be especially true for those who are using online systems heavily for the first time, such as many of the elderly.”

    Misinformation, too, is of concern, with companies including Facebook and Twitter introducing strike systems for prolific spreaders of coronavirus-based fake news and data.

    Now, with vaccine programs underway worldwide, COVID-19 vaccines are being used as the latest social engineering lures.

    According to recent Trend Micro data, over the past few months there has been an uptick in spam campaigns using the coronavirus vaccine as a subject to spread Emotet, Fareit, Agent Tesla, and Remcos across the US, Italy, and Germany, alongside other countries.

    An Emotet Trojan campaign, tracked across January, used a variety of email lures including Daily COVID reporting.doc, DAILY COVID-19 Information.doc, NQ29526013I_COVID-19_SARS-CoV-2.doc, and GJ-5679 Medical report Covid-19.doc. An analysis of over 80 linked samples also revealed vaccine-related email subjects such as COVID-19 Vaccine Survey and COVID-19 Vaccine Clinic with Walgreens To Do Now. This particular campaign used roughly 100 command-and-control (C2) servers before being taken down by law enforcement.

    The Fareit Trojan campaign also uses COVID-19 vaccines as bait, and messages have been sent fraudulently under the name of the World Health Organization (WHO). Subjects included Corona-virus(COVID-19), Common vaccine, Corona-Virus Disease (COVID-19) Pandemic Vaccine Released, and Latest vaccine release for Corona-virus(COVID-19). Malicious attachments, designed to deploy the information-stealing malware, were packaged up as .arj and .rar archives with names including Corona-virus vaccine.arj, vaccine release for Corona-virus(COVID-19)_pdf.rar, and COVID-19 VACCINE SAMPLES.arj.

    Lokibot, Agent Tesla, Formbook, Remcos, and Nanocore have also been spread through coronavirus-related scams, and in some samples detected, the same phishing tactics have been applied to spread the Android Anubis malware.

    The European Medicines Agency (EMA) was targeted last year, with confidential, internal emails stolen and tampered with to undermine vaccine development efforts, and now the UK’s National Health Service (NHS) is being impersonated in a phishing scheme which ‘invites’ recipients to book a vaccine. As one of the leading countries, at present, in rolling out vaccines, this lure may be particularly successful as citizens are either waiting to be called up or are waiting for their invitation for a second jab.

    “The email entices a user to confirm that they accept the invitation for vaccination,” the report notes. “Whether the “accept” or “disregard” button of the invitation is clicked, the email redirects to a landing page. This page displays a form requesting the user’s full name, birth date, address, and mobile number.”

    A similar scam has been traced in Mexico, in which a website is being used to mimic a legitimate vaccine lab, El Chopo, to harvest victim data by pretending to be a service for vaccine cards and appointment scheduling.

    With many vaccines requiring cold storage, other campaigns are focused on businesses and trying to profit from the need to establish cold supply chain procedures. In September, for example, the team tracked a scam requesting quotes for Unicef for Gavi’s Cold Chain Equipment Optimization Platform (CCEOP). Email attachments were linked to phishing and data-stealing domains.

    SMS messages are also being used as an attack vector, including messages ranging from vaccine ‘eligibility’ checks, registration, COVID-19 relief payments, and appointment booking, to offers of health ‘supplements’ to fight the virus.

    Trend Micro’s report also notes an uptick in the registration of malicious domains concerning the pandemic. Roughly 75,000 malicious domains have been found that relate to ‘covid’; however, a transition is now underway that is changing ‘covid’ to ‘vaccine’. Many of these malicious domains are attempting to mimic legitimate pharmaceutical organizations and brand names, including BioNTech, Gam-COVID-Vac, and Sputnik.

    While all this is taking place in the clear web, it should be noted that scam artists are also working in the underground, touting fake and illegal coronavirus vaccines.

    “The hidden service and anonymity afforded by the dark web have made it an ideal place for cybercriminals to sell illegal vaccines,” Trend Micro says. “A recent report talks about an underground site where operators claim to have developed a vaccine that is not only ready for purchase but also available for shipping worldwide. Another darknet site required buyers to send their personal details and even their COVID-19 infection status and known diseases to an email address. These details must also be submitted with payment in the form of Bitcoin. We believe this is a scam site.”

    Interpol issued an alert in 2020 warning of organized criminal gangs advertising, selling, and administering fake vaccines.


    Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’

    A whistleblower involved in the response to a data breach suffered by Ubiquiti Networks has claimed the incident was downplayed and could be described as “catastrophic.”

    On January 11, the networking equipment and Internet of Things (IoT) devices provider began sending out emails to customers informing them of a recent security breach. The company said that someone had obtained “unauthorized access” to Ubiquiti systems hosted by a “third-party cloud provider,” in which account information was stored for the ui.com web portal, a customer-facing device management service.

    At the time, the vendor said information including names, email addresses, and salted/hashed password credentials may have been compromised, alongside home addresses and phone numbers if customers input this data within the ui.com portal. Ubiquiti did not reveal how many customers may have been involved. Customers were asked to change their passwords and to enable two-factor authentication (2FA).

    Several months later, however, a source who “participated” in the response to the security breach told security expert Brian Krebs that the incident was far worse than it seemed and could be described as “catastrophic.”

    Speaking to KrebsOnSecurity after raising his concerns through both Ubiquiti’s whistleblower line and European data protection authorities, the source claimed that the third-party cloud provider explanation was a “fabrication” and the data breach was “massively downplayed” in an attempt to protect the firm’s stock value.

    In a letter penned to European regulators, the whistleblower wrote: “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

    According to the alleged responder, cybercriminals gained administrative access to Ubiquiti’s AWS databases via credentials stored in, and stolen from, an employee’s LastPass account, permitting them to obtain root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials.

    The source also told Krebs that in late December, Ubiquiti IT staff found a backdoor planted by the threat actors, which was removed in the first week of January. A second backdoor was also allegedly discovered, leading to employee credentials being rotated before the public was made aware of the breach.

    The cyberattackers contacted Ubiquiti and attempted to extort 50 Bitcoin (BTC) — roughly $3 million — in return for silence. However, the vendor did not engage with them.

    ZDNet has reached out to Ubiquiti Networks and we will update when we hear back.