More stories

  • Brazil leads in phishing attacks

    Brazil is a world leader in phishing attacks, with one in five Internet users in the country targeted at least once in 2020, according to research. According to the report on phishing by cybersecurity firm Kaspersky, Brazil tops a list of five countries with the highest rate of users targeted for data theft throughout last year. The other nations cited are Portugal, France, Tunisia and French Guiana.

    The number of phishing attacks against mobile devices increased by more than 120% between February and March 2020 alone, according to the study. Factors behind the increase in scams include the boost in internet usage and access to services online such as internet and mobile banking and online shopping as a result of social distancing measures, as well as large-scale adoption of remote work and the anxiety around information about the pandemic.

    The pandemic was a recurring theme of phishing attacks during 2020, according to the research. Techniques used with a view to obtaining online account credentials and bank passwords ranged from websites offering face masks and hand sanitizers at times of scarcity, to bogus websites for registrations for social assistance programs and, more recently, fraudulent registration webpages for the Covid-19 vaccine. On the other hand, the Kaspersky study noted there was an improvement in the level of awareness of security threats online among Internet users. Despite the growth in phishing attacks, one particular aspect has seen a decline relative to 2019: that year, more than 30% of Brazilians had tried, at least once, to open a link that led to a phishing page, compared to approximately 20% in 2020. “This demonstrates that campaigns and warnings about this type of scam mean that users are more alert – but it does not mean that we do not need to evolve, as the statistics are still very bad”, said Fabio Assolini, senior security analyst at Kaspersky Brazil.

    Moreover, the study noted the percentage of victims of phishing attacks in Brazil is above the world average – 20% against the global average of 13%. According to Assolini, this disparity can be explained by the difficulty Internet users in Brazil have when it comes to recognizing fake emails: 30% of Brazilians can’t tell whether an email is genuine, according to previous research by the cybersecurity firm.

    “We need to improve our digital education”, Assolini pointed out. “[Not being able to recognize threats] makes us vulnerable and prone to falling into ‘must-see promotions’ and other online scams.”

  • ACSC running scans to find vulnerable Microsoft Exchange servers in Australia

    Head of the Australian Cyber Security Centre (ACSC) Abigail Bradshaw has told senators “10s of organisations” have so far reached out to her agency regarding vulnerable Microsoft Exchange servers. “We have had feedback from 10s of organisations who have spotted the indicators of compromise and whom we’ve assisted,” Bradshaw said. “The fact that people are engaging us on the basis that they’ve identified indicators of compromise is evidence both of the fact that they’ve seen the advice because they’ve run the specific scripts, but also an understanding that they understand and are able to spot for themselves where there are vulnerabilities on their systems.”

    Bradshaw’s remarks were in response to senators raising concerns on Wednesday night that around 7,000 servers in Australia were vulnerable to the threat, with 11,000 Australian IPs found as potentially vulnerable. “We have also used what we call part of our cyber hygiene improvement program, which has been funded under the Cyber Enhanced Situational Awareness and Response funding, which gives the ACSC capacity to run scans on externally facing internet connections, which has assisted us to observe the number of systems that still require patching, which means that we have some familiarity with the numbers of servers that were identified,” Bradshaw explained.

    She said the ACSC has been monitoring those flagged as vulnerable “extraordinarily closely” by running constant scans, and has observed a “very substantial degree of patching”. “And as a consequence, many, many fewer servers, which remain vulnerable since that date,” she said.

    The ACSC has also engaged directly with managing director of Microsoft Australia Steven Worrall, Bradshaw said, regarding the results of its scanning. “[We] engage them on how we can assist them to get to any residual Microsoft customers who might be running that particular server,” she added. Director-General of the Australian Signals Directorate (ASD) Rachel Noble said her organisation was first made aware of the Microsoft Exchange issue on March 3, resulting in the ACSC sending out an email blast to its 63,500 subscribers. The ACSC also wrote directly to 100 of its Commonwealth government CISOs and an additional 50 in state and territory governments.

  • Facebook says Chinese hackers used its platform in targeted campaign to infect, surveil user devices

    Facebook said it has disrupted a network of hackers tied to China who were attempting to distribute malware via malicious links shared under fake personas. The social network’s cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 500 users who were targeted.

    The hackers — believed to be part of the Earth Empusa or Evil Eye groups — were targeting activists, journalists and dissidents, predominantly among Uyghurs from Xinjiang in China, living abroad in Turkey, Kazakhstan, the US, Syria, Australia, and Canada. Facebook said the highly focused campaign was aimed at collecting information about these targets by infecting their devices with malicious code for surveillance purposes. The links that were shared through Facebook included links to both legitimate and lookalike news websites, as well as to fake Android app stores. In the case of the news websites, Facebook’s head of cyber espionage investigations Mike Dvilyanski said the hackers were able to compromise legitimate websites frequently visited by their targets in a process known as a watering hole campaign intended to infect devices with malware. The hackers also created lookalike domains for Turkish news websites and injected malicious code that would infect the target’s device with malware. Similarly, third-party lookalike app stores were built to trick targets into downloading Uyghur-themed apps with malicious code that would allow the hackers to exploit the devices they were installed on. Facebook said the group took steps to conceal their activity by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.

    On Facebook, the malicious infrastructure was blocked and the accounts were taken down. Facebook said its cyber team first became aware of the hacking efforts in mid-2020 based on intensification of the activity on the Facebook platform. It’s believed that the efforts extend back to 2019.

    “Measuring impact and intent can be challenging but we do know even for the small number of users around the world, the consequences [of being hacked] can be very high and that is why the team took this so seriously,” said Nathaniel Gleicher, head of security policy for Facebook. “It’s a small number of targets, under 500 for the entire campaign, but that is only for the aspects that touched Facebook in some way. The majority of what this threat actor has done took place off Facebook.”

  • IBM adds new services to its cloud security portfolio

    IBM on Wednesday announced a new suite of security services that aim to help enterprises apply a unified security approach across dispersed hybrid cloud environments. 

    IBM said the expanded Security Services for Cloud portfolio is designed to help companies connect and simplify cloud security across ecosystems, bringing together IBM and third-party technologies alongside support to manage security across cloud environments including AWS, Google Cloud, IBM Cloud and Microsoft Azure. The new services leverage AI and automation to help enterprises identify and prioritize risks, respond to potential threats across cloud environments, and connect that data with their broader security operations and on-premises systems, IBM said.

    “Cloud security can appear daunting, with defenders facing an expansive attack surface, shared responsibility models and rapidly evolving cloud platforms and tools,” said Vikram Chhabra, Global Director of Offering Management and Strategy for IBM Security Services. “We cannot assume that legacy approaches for security will work in this new operating model – instead, security should be modernized specifically for the hybrid cloud era, with a strategy based on zero trust principles that bring together context, collaboration and visibility across any cloud environment.”

    Updates to the portfolio include new advisory and managed security services that reduce the risk of cloud misconfigurations and provide insights into potential risks and threats. IBM is also rolling out new container security services including integration with IBM Security X-Force Red vulnerability management, which identifies and ranks container-related vulnerabilities in order to prioritize remediation.

  • Hundreds of fleeceware apps earn dubious iOS, Android developers over $400 million

    Researchers have discovered hundreds of fleeceware mobile apps on Google Play and the Apple App Store that are earning their developers millions of dollars. 

    While stalkerware, spyware, and malvertising apps infect devices for spying, data theft, and in order to bombard users with ads to generate fraudulent revenue, fleeceware apps attempt to lure handset owners to download software before charging them extortionate ‘subscription’ fees. Often enticed with ‘free’ trials, users will then be overcharged to use the app, which in some cases can reach upward of $3,000 per year. Software subscriptions, such as for professional services, enterprise solutions, and creative platforms can be expensive — but unlike these legitimate offerings, there is generally nothing special about fleeceware. Developers rake in the proceeds from their creations, and while not illegal, it can be hard for users to figure out how to escape subscription charges — and it appears this method of generating app revenue continues to rise in popularity. This week, Avast researchers said they have found a total of 204 fleeceware apps on both Apple’s App Store and the Google Play Store. A total of 134 apps have been found on Apple’s iOS platform with an estimated 500 million downloads and projected revenues of $365 million.

    When it comes to Google Play, 70 fleeceware apps have been discovered with 500 million downloads and a profit margin of $38.5 million for the time they have been active and available. Predominant fleeceware app trends include astrology, horoscopes, photo and filter software, music lessons, cartoon creation, QR code/PDF document scanners, and video clip editing. The majority of fleeceware apps examined by Avast offer a three-day trial before subscriptions begin. “Once the trial is over, the user is charged a recurring high subscription fee, generating substantial revenue for the developers,” the researchers say. “There’s also the possibility that users forget to cancel the free trial, resulting in expensive fees.” These apps do generally provide the features they advertise, but even if just a handful of users fail to notice subscription payments going out, then this creates revenue far beyond what the software is likely to be worth. Subscriptions range from weekly to monthly charges of everything from $4 to $66 a week. Even if a user deletes the app after they notice outgoing payments, this does not mean their subscription stops — which allows the developer to cash in further. Google and Apple are not responsible for refunds after a certain time period, and while the companies may choose to refund as a goodwill gesture in some cases — such as when children rack up huge bills through in-app purchases — they are not obliged to do so. Therefore, the only options may be to try and contact developers directly or to request a bank chargeback. Both companies warn of active subscriptions when an app is deleted, but Avast says “it’s evident that fleeceware apps continue to bring in revenue.” Apple and Google have provided support pages to help mobile users manage app subscriptions.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • SaltStack revises partial patch for command injection, privilege escalation vulnerability

    The Salt Project has issued a secondary fix for a command injection vulnerability after the first attempt to patch the issue partially failed.

    The vulnerability, tracked as CVE-2020-28243, impacts SaltStack Salt before 3002.5. SaltStack Salt is automation and infrastructure software made available to the open source community. “The minion’s restartcheck is vulnerable to command injection via a crafted process name,” the bug’s description reads. “This allows for a local privilege escalation (LPE) by any user able to create files on the minion in a non-blacklisted directory.” The vulnerability was discovered by Immersive Labs’ security researcher Matthew Rollings in November 2020. If exploited, the command injection bug could allow attackers to craft process names and elevate their privileges on a local level. Container escapes were also possible, and as long as particular conditions were met, remote users may be able to tamper with process names — although this would be a difficult attack to pull off. CVE-2020-28243 was resolved on February 4 as part of a wider security release. At least, in part. According to Rollings, the fix for the LPE security flaw did prevent command injection, but did not go far enough and still allowed argument injections. While not as severe as the original issue, failing to patch this problem could have led to denial-of-service and software crashes.

    The first fix issued by the Salt Project added shlex, a Python library for parsing shell-style command strings, to prevent command injections. “The developer that added this fix made an error,” Rollings explained. “Their usage of shlex does not provide any additional protection. The shlex.split function takes an input string and splits it into the command and its arguments using spaces as the delimiter. We control the package variable, which means we can inject additional arguments into the command.” According to the researcher, argument injections can still occur even if sanitization is in place, under the same conditions. SaltStack’s fix was issued without coordinated disclosure with Immersive Labs, a factor that the cybersecurity firm says prevented the patch from being adequately tested. “If they had communicated on the solution, the issue would have been spotted and a secondary fix wouldn’t have been necessary,” the company says. However, once the error in the patch was noticed and reported, SaltStack then privately shared the second attempt prior to publication. The second fix, issued on March 23, now builds arrays to stop package names from being tampered with. “Thankfully, the second time around SaltStack shared the fix for approval before publication,” Rollings says. “This is a step in the right direction and shows more of a proactive than reactive approach to security, which is always better in the long run.” ZDNet has reached out to the Salt Project and we will update when we hear back.
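    As an added illustration (not code from Salt, Immersive Labs or ZDNet), the two patterns the story contrasts, written out in Python: a command assembled as one string and then tokenised with shlex.split, beside the same command assembled as an argv list. The tool name pkgtool, the sample package names and the allowlist pattern are assumptions made for this example; the page does not name the command restartcheck runs.

```python
import re
import shlex
from typing import List

# Constructed sample inputs. PKG_TOOL is a hypothetical package-checking
# command standing in for whatever restartcheck invokes (not named on the page).
PKG_TOOL = "pkgtool"
BENIGN_NAME = "openssh-server"
# A constructed name with an embedded space: once the command string is
# tokenised, everything after the space becomes a separate argv entry.
CRAFTED_NAME = "openssh-server --injected-flag"

# Characters commonly seen in package names. This allowlist is an assumption
# for the example, not a rule taken from Salt or from any distribution.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+._-]*$")


def argv_via_shlex(package: str) -> List[str]:
    """Shape of the first fix as the article describes it: format the whole
    command as a string, then tokenise it with shlex.split().

    shlex.split() is a tokenizer, not a sanitiser. Running the result without
    a shell does stop metacharacters being interpreted (so this blocks the
    original command injection), but the function still splits on unquoted
    whitespace, so attacker-controlled text in `package` can add arguments.
    """
    return shlex.split(f"{PKG_TOOL} --check {package}")


def argv_as_list(package: str) -> List[str]:
    """Shape of the second fix: build argv as a list. The package name is
    exactly one element whatever it contains, and no tokenising step ever
    runs over attacker-controlled text. The '--' separator is the common CLI
    convention for ending option parsing (an assumption about PKG_TOOL), so a
    name beginning with '-' is not read as a flag either."""
    return [PKG_TOOL, "--check", "--", package]


def is_valid_package_name(package: str) -> bool:
    """Defence in depth: reject anything that does not look like a package
    name before it reaches any command at all."""
    return bool(PACKAGE_NAME_RE.match(package))


def injected_argument_count(package: str) -> int:
    """Number of extra argv entries the string-plus-shlex pattern produces for
    `package`, compared with a name that contains no whitespace. 0 means the
    name stayed a single argument."""
    baseline = len(argv_via_shlex("x"))
    return len(argv_via_shlex(package)) - baseline


if __name__ == "__main__":
    for name in (BENIGN_NAME, CRAFTED_NAME):
        print(f"{name!r}: valid={is_valid_package_name(name)}")
        print("  shlex :", argv_via_shlex(name),
              f"(+{injected_argument_count(name)} injected)")
        print("  list  :", argv_as_list(name))
```

    The point the example makes is the one Rollings makes: the first pattern only changes how the string is tokenised, so whoever controls the package variable still controls how many arguments the command receives; the second pattern removes the tokenising step altogether, and an allowlist check on the name catches crafted values before they reach either.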

  • Purple Fox malware evolves to propagate across Windows machines

    An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. 

    Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks — and which is ongoing — has revealed a new propagation method leading to high infection numbers. In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.” Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000. The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a “hodge-podge of vulnerable and exploited servers” is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators.

    Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware’s MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a “cheap and simple” way to avoid the malware’s installers being connected to one another during investigations. In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports — potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to “maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets,” the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot. Purple Fox will then generate IP ranges and begin scans on port 445 to spread. “As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session,” the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. Indicators of Compromise (IoCs) have been shared on GitHub.


  • Microsoft: 92% of vulnerable exchange servers are now patched, mitigated

    Microsoft says that 92% of Exchange servers vulnerable to a set of critical vulnerabilities have now been patched or mitigations have been applied. The Redmond giant’s Security Response team said there is “strong momentum” in patches or mitigation tools being applied to internet-facing, on-prem servers and the latest data shows a 43% improvement worldwide in comparison to last week. Microsoft cited telemetry from RiskIQ, which is working with the tech giant to manage the fallout of the security incident, in a tweet posted on Monday. Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.” However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns and it is estimated that thousands of systems belonging to organizations worldwide have been compromised. Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool including a URL rewrite for one of the vulnerabilities to stop an attack chain from forming. In addition, Microsoft Defender Antivirus has been upgraded to include automatic mitigation capabilities for the zero-day vulnerabilities.

    The issue with these vulnerabilities, however, is that applying a patch or mitigations will not remove existing infections. F-Secure says “tens of thousands” of servers have already been breached and others “[are] being hacked faster than we can count.” While patches and mitigations are being applied at a fast rate, IT administrators must check their systems for indicators of compromise (IoCs) and perform security audits to see if their servers have been exploited prior to security updates being applied.