More stories

  • This Android malware hides as a System Update app to spy on you

    A new, “sophisticated” Android spyware app disguising itself as a software update has been discovered by researchers. 
    According to Zimperium zLabs, the malware masquerades as a System Update application while quietly exfiltrating user and handset data. It should be noted that the sample app detected by the team was found on a third-party repository and not the official Google Play Store.

    Once installed, the victim’s device is registered with a Firebase command-and-control (C2) server used to issue commands, while a separate, dedicated C2 is used to manage data theft. The team says that data exfiltration is triggered once a condition has been met, such as a new mobile contact being added, a new app being installed, or an SMS message being received.

    The malware is a Remote Access Trojan (RAT) able to steal GPS data, SMS messages, contact lists, and call logs; harvest images and video files; covertly record microphone audio; hijack a mobile device’s camera to take photos; review browser bookmarks and histories; eavesdrop on phone calls; and steal operational information on a handset, including storage statistics and lists of installed applications. Instant messenger content is also at risk, as the RAT abuses Accessibility Services to access these apps, including WhatsApp.

    If the victim device has been rooted, database records can also be taken. The app can also search specifically for file types such as .pdf, .doc, .docx, .xls, and .xlsx. 

    The RAT will also attempt to steal files from external storage. However, because some content — such as videos — can be too large to steal without impacting connectivity, only thumbnails are exfiltrated. “When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” the researchers note.

    Limiting the use of mobile connectivity is a way to prevent users from suspecting that their device has been compromised. In addition, as soon as information has been packaged up and sent to the C2, the archive files are deleted in an effort to stay undetected.

    To make sure only relevant and recent data is taken, the RAT’s operators have imposed time limits on content: the newest GPS records, for example, are stolen again and again whenever the previously stolen records contain values more than five minutes old. Photos, too, are subject to a 40-minute timer.

    Zimperium describes the malware as part of a “sophisticated spyware campaign with complex capabilities.”

    Earlier this month, Google pulled a number of Android apps from the Play Store that contained a dropper for banking Trojans. The utility applications, including a virtual private network (VPN) service, recorder, and barcode scanner, were used to install mRAT and AlienBot.

  • Brian Krebs: No, I didn’t hack your Microsoft Exchange server

    The KrebsOnSecurity name has been invoked in a string of cyberattacks linked to critical Microsoft Exchange Server vulnerabilities. 


    Security expert Brian Krebs of KrebsOnSecurity is no stranger to figures in the criminal space who appear to delight in everything from turning him into a meme, to launching denial-of-service (DoS) attacks against his website, to SWATing — hoax calls made to law enforcement that not only waste police time but can also be dangerous.

    Now, a domain similar to the legitimate KrebsOnSecurity security resource has been connected to threat actors exploiting a set of critical bugs in Microsoft Exchange Server. According to a new report released by the Shadowserver Foundation, 21,248 recently compromised Microsoft Exchange servers are communicating with brian[.]krebsonsecurity[.]top.

    Krebs says that the compromised systems appear to have been hijacked and that Babydraco backdoors are facilitating communication with the malicious domain. In each case, web shells used for remote access and control are being deployed to a previously undetected address, /owa/auth/babydraco.aspx. In addition, a malicious file named “krebsonsecurity.exe” is fetched via PowerShell to facilitate data transfers between the victim server and the domain.

    “The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author,” Krebs commented.

    Microsoft released emergency patches on March 2 to tackle four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019. The security flaws can be exploited for remote code execution and server hijacking. A selection of mitigation tools has also been released for IT administrators who cannot immediately patch their deployments, and at last count, the Redmond giant says that roughly 92% of internet-facing Exchange servers have been either patched or mitigated.

    However, just because a fix has been applied does not mean that a server has not already been targeted by threat actors, so security checks and audits also have to be conducted. Last week, Microsoft warned of subsequent attacks following widespread Exchange server hijacking, including reconnaissance, cryptocurrency mining operations, and ransomware deployment.

    “Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company said.

    The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert warning organizations of post-exploitation webshell deployment on Exchange servers. Microsoft has also published Indicators of Compromise (IoCs) for these attacks.

  • Optus puts McAfee monitoring on its home router for WiFi Secure

    Optus has announced its WiFi Secure product, which makes use of active monitoring by McAfee software sitting on home routers in an attempt to block the spread of malware and other malicious threats. The telco said that as the number of internet-connected devices in the home continues to rise, there has been a growing need to “automatically protect” those potential threat vectors.

    “It’s built into the Optus compatible modems and helps to make sure all internet traffic passing through the modem, to any device on that network, is safe — even those without a display screen,” Optus said.

    Optus customers on a family plan will get the blocking at no additional cost; otherwise WiFi Secure will cost AU$5 a month. The software on the router is connected to the McAfee Global Threat Intelligence Cloud Network, and is claimed not to receive any personally identifiable information. ZDNet has asked whether the router fails gracefully if the McAfee cloud is not reachable.

    “Based on activity from millions of sensors worldwide and a dedicated research team, this always-on, cloud-based threat intelligence service collects and publishes online threats that are uploaded to your network every minute to provide you and your family the latest protection,” the telco said.

    Taking another route, Australian incumbent telco Telstra has been using upstream DNS filtering, phishing text, and scam call blocks to fight malicious threats.

    Dubbed Cleaner Pipes, the DNS side of the initiative focuses on blocking command-and-control communications of botnets, the downloading of remote access trojans, and other forms of malware.

  • Andrews takes over at Home Affairs as Dutton moves into Defence

    Australian Prime Minister Scott Morrison reshuffled his ministry on Monday, with ministers Christian Porter and Linda Reynolds, who are currently away on leave, remaining in the ministry. After being the first Minister for Home Affairs, Peter Dutton has been shifted to Defence and becomes the government’s leader in the House of Representatives. Taking Dutton’s place is Karen Andrews, who leaves the role of Minister for Industry, Science and Technology.

    With Porter currently on leave and undertaking a defamation action against the ABC over historical rape allegations, the Western Australian MP has handed many of his duties over to Senator Michaelia Cash. That arrangement was formalised on Monday, as Cash becomes Attorney-General, with Porter filling the role vacated by Andrews. Also on leave is Senator Reynolds; however, Morrison has seen fit to shift her from Defence to Minister for Government Services and NDIS. Former Minister for Government Services Stuart Robert will now be Minister for Employment, Workforce, Skills, Small and Family Business.

    Asked why Stuart Robert should be promoted after overseeing robodebt, getting taxpayers to pay over AU$2,000 a month for his home internet, and falsely blaming a DDoS attack for government IT issues, Morrison pointed to the government’s ability to get money into the hands of citizens.

    “The reason that millions were able to get access and support through both particularly for the JobSeeker payment over the course of the pandemic was a direct result of that minister’s ability to scale up and put in place one of the most significant responses we’ve ever seen from a social security agency in this country in our history,” Morrison said.

    “He’s been appointed to this job because he’s done an outstanding job in the one that he’s been doing.”

    The prime minister also lashed out at social media as being a “key degrader” of respect in Australia. “It can be a very dangerous tool in disrespectful hands, and we’ve seen that with the trolling and abuse and harassment particularly of women,” he said. “Our government has stood up to the big tech companies on this like no other government in the world, and we have taken on the fights with them that no others would.”

    The government is trying to protect its razor-thin majority after a Queensland MP said he would stand down at the next election following allegations he had been trolling women online and taking upskirt photos. “He is committed to undertake the behavioural change he needs to undertake, and that’s what he needs to do, and he needs to come back with a completely different attitude and a completely different behaviour,” the prime minister said. “He was elected to this place by the people in his electorate.”

    Over the weekend, TV network Channel Nine was hit by a cyber attack, reportedly one involving ransomware, which prevented it from broadcasting some live shows. The network said the attack had hit its email and editing systems. Back in Canberra, the email systems of Parliament, provided by the Department of Parliamentary Services, were reportedly down. The attack was said to be “unsophisticated” and “clumsy”. Foreign Minister and acting Defence Minister Marise Payne said the events were a “salutary reminder” for businesses to implement the Essential Eight cyber controls.

  • Apple releases emergency update for iPhones, iPads, and Apple Watch

    Apple has released an emergency update to patch a serious vulnerability (https://support.apple.com/en-us/HT212258) found in iOS, iPadOS, and watchOS. The patches are iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3, respectively.

    The vulnerability, discovered by Google’s Threat Analysis Group, affects Apple’s WebKit browser engine, and what makes this an urgent update is that Apple says the vulnerability is being actively exploited. Details from Apple are limited, but such vulnerabilities could be used to carry out malicious actions such as directing users to phishing sites.

    Underlining the seriousness of this vulnerability is the fact that Apple has also pushed out iOS 12.5.2 for older devices — iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

    Bottom line: this patch is important. Install it now. On the iPhone and iPad, open Settings and go to General > Software Update. For the Apple Watch, go into the Apple Watch app.

  • Sierra Wireless partially restores network following ransomware attack

    Sierra Wireless, the multinational manufacturer of Internet of Things devices, has resumed production after being hit by a ransomware attack.

    The Canadian company became the victim of a ransomware attack against its IT systems on March 20, disrupting internal operations and production facilities. But now Sierra Wireless has restored production at its manufacturing sites and is working towards restoring internal networks.

    The company has been working with cybersecurity law firm Blake, Cassels and Graydon LLP and cybersecurity investigators from KPMG in response to the ransomware attack, and to analyse what happened.

    “Security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems,” said Sam Cochrane, CFO at Sierra Wireless. “I’m proud of the efforts of our IT team and external advisors as they have mitigated the attack and made real progress in getting operations up and running,” Cochrane added.

    The impact of the attack was limited to internal Sierra Wireless systems, with customer-facing products unaffected by the ransomware, because IT systems for internal operations and those for customer operations are separated. “At this point in its investigation of the ransomware attack, the company does not expect there to be any product security patches, or firmware or software updates required as a result of the attack,” the company said in a statement.

    It’s unclear when the remaining systems affected by the ransomware attack will be restored. At the time of writing, Sierra Wireless hasn’t disclosed what form of ransomware encrypted the network, or how the organisation ended up falling victim to the cyber attack.

    Ransomware remains an issue for organisations across the world, and a recent report detailed it as the biggest cybersecurity concern for chief information security officers (CISOs) and chief security officers (CSOs).

  • Exchange Server attacks: Microsoft shares intelligence on post-compromise activities

    Many on-premises Exchange servers are being patched, but Microsoft warns that its investigations have found multiple threats lurking on already-compromised systems.

    Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially where the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.


    Microsoft released patches for Exchange on-premises systems on March 2. Four Exchange bugs were already under attack from a state-sponsored hacking group called Hafnium. Microsoft earlier this week said that 92% of vulnerable Exchange servers had been patched or had mitigations applied. However, cybersecurity firm F-Secure said “tens of thousands” of Exchange servers had already been breached.

    In a new blog post, Microsoft reiterated its warning that “patching a system does not necessarily remove the access of the attacker”. “Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the Microsoft 365 Defender Threat Intelligence Team notes.

    Where systems have been compromised, Microsoft urges admins to practice the principle of least privilege and to mitigate lateral movement on the network. Least privilege will help address the common practice where an Exchange service or scheduled task has been configured with a highly privileged account to perform tasks like backups. “As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later,” Microsoft notes.

    Using DoejoCrypt ransomware, aka DearCry, as an example, Microsoft notes that the web shells used by that strain write a batch file to C:\Windows\Temp\xx.bat. This was found on all systems hit by DoejoCrypt and may offer the attacker a route to regaining access where infections have been detected and removed. “This batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets portion of the registry, where passwords for services and scheduled tasks are stored,” Microsoft notes.

    Even where victims have not been ransomed, the attacker’s use of the xx.bat file allows them to explore a network via the web shell that dropped the file in the first place. The web shell also downloads the Cobalt Strike penetration testing kit before downloading the ransomware payload and encrypting files. In other words, a victim may not have been ransomed today, but the attacker has left the tools on the network to do it tomorrow.

    The other cybercrime threat to Exchange servers comes from malicious cryptocurrency miners. The Lemon Duck cryptocurrency botnet was observed exploiting vulnerable Exchange servers. Interestingly, the operators of Lemon Duck cleaned up an Exchange server with the xx.bat file and a web shell, giving the botnet exclusive access to the Exchange server. Microsoft also found that it was being used to install other malware rather than just mining for cryptocurrency.

    Microsoft has published numerous indicators of compromise that network defenders can use to search for the presence of these threats and signs of credential theft.
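    A defender-side triage script for the post-compromise indicators this story names (the /owa/auth/babydraco.aspx web shell path and the C:\Windows\Temp\xx.bat staging file), added here as an example and not Microsoft's or ZDNet's code. It parses a constructed IIS W3C log excerpt and constructed endpoint events, and assumes the SAM/System/Security hive backup shows up in process telemetry as a `reg save hklm\...` command line.

```python
# Added example (not Microsoft's or ZDNet's code): triage the post-compromise
# indicators named above. From the article: /owa/auth/babydraco.aspx and
# C:\Windows\Temp\xx.bat. Assumed: the SAM/System/Security hive backup appears
# in process telemetry as a "reg save hklm\..." command line.
import re
from dataclasses import dataclass

WEBSHELL_PATHS = {"/owa/auth/babydraco.aspx"}   # from the article
STAGING_BATCH = r"c:\windows\temp\xx.bat"       # from the article
HIVE_BACKUP_RE = re.compile(                    # assumed command shape
    r"reg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    kind: str     # which indicator fired
    source: str   # "iis" or the endpoint host name
    detail: str

def parse_iis_w3c(text):
    """Yield one dict per request from W3C extended log text, keyed by the #Fields: header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):        # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def scan_iis(text):
    """Flag every request whose URI stem is a known web shell path."""
    return [Finding("webshell_request", "iis",
                    f"{r['cs-method']} {r['cs-uri-stem']} from {r['c-ip']} status {r['sc-status']}")
            for r in parse_iis_w3c(text) if r["cs-uri-stem"].lower() in WEBSHELL_PATHS]

def scan_endpoint(events):
    """Flag the staging batch file and hive-backup command lines in endpoint telemetry."""
    out = []
    for ev in events:
        if ev["type"] == "file_write" and ev["path"].lower() == STAGING_BATCH:
            out.append(Finding("staging_batch_written", ev["host"], ev["path"]))
        elif ev["type"] == "process" and HIVE_BACKUP_RE.search(ev["cmdline"]):
            out.append(Finding("hive_backup_cmd", ev["host"], ev["cmdline"]))
    return out

def triage(iis_text, events):
    """Any hit means incident-response follow-up, whether or not the server is patched."""
    findings = scan_iis(iis_text) + scan_endpoint(events)
    return {"findings": findings, "needs_ir": bool(findings)}

# Constructed sample data (documentation IP ranges, fictitious host name).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-10 02:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
2021-03-10 02:15:11 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 77
"""
SAMPLE_EVENTS = [
    {"host": "EXCH01", "type": "file_write", "path": r"C:\Windows\Temp\xx.bat"},
    {"host": "EXCH01", "type": "process", "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "EXCH01", "type": "process", "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
]
```

    Run `triage(SAMPLE_IIS_LOG, SAMPLE_EVENTS)` to see the three findings; the benign logon request and the w3wp.exe process produce no hits.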

  • Boards still aren't taking cybersecurity seriously, warns new NCSC boss. That means everyone is at risk

    Cybersecurity still isn’t taken as seriously as it should be by boardroom executives – and that’s leaving organisations open to cyber attacks, data breaches and ransomware, the new boss of the National Cyber Security Centre (NCSC) has warned.

    In her first speech since taking the helm of the UK cybersecurity agency, CEO Lindy Cameron said cybersecurity should be viewed by CEOs with the same importance as finance, legal or any other vital day-to-day part of the enterprise.

    “The cybersecurity landscape we see now in the UK reflects huge progress and relative strength – but it is not a position we can be complacent about. Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking,” said Cameron during a speech at Queen’s University, Belfast.


    “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their finance director and general counsel.”

    Recent cyber incidents, including the cyber-espionage campaign exploiting SolarWinds and attackers taking advantage of zero-day vulnerabilities in Microsoft Exchange Server, are just two examples of how organisations can find themselves facing large-scale cyberattacks. The NCSC says it helped detect and remove malware related to the Exchange attack from 2,300 machines at businesses in the UK. The aftermath of the attack has seen cyber criminals rush to exploit the vulnerabilities before organisations have had a chance to apply the critical updates required to protect them.

    “As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online,” said Cameron, who cited ransomware as a major cybersecurity issue for businesses. “Ransomware remains a serious – and growing – threat, both in terms of scale and severity. Ransomware is not just about fraud – and theft – of money or data, serious as both are. It’s about the loss of key services and unenviable choices for unprepared businesses.”

    Such is the extent of the problem of ransomware targeting schools, colleges and universities in recent months that the NCSC put out an alert about the issue, with advice on how institutions can protect themselves.

    While digital technology brings many benefits, it also brings risks, as cyber criminals, nation-state hacking operations and others attempt to take advantage of vulnerabilities for their own ends, whether by stealing vast amounts of information or attempting to compromise critical infrastructure.

    “We need to ensure that our adversaries – be they state or criminal, traditional or new – think twice before attacking UK targets,” said Cameron. “And we need to ensure that future generations are better equipped to deal with this complexity than any of their predecessors.”