More stories


    Chinese APT suspected of supply chain attack on Mongolian government agencies

    A Chinese state-sponsored hacking group, also known as an APT, is suspected of having breached a Mongolian software company and compromised a chat app used by hundreds of Mongolian government agencies.

    The attack is believed to have taken place earlier this year, in June, according to a report published today by Slovak security firm ESET.
    The hackers targeted an app called Able Desktop, developed by a local company named Able Software. According to the company’s website, the app is an add-on that provides instant messaging capabilities to the company’s main product, a human resources management (HRM) platform.
    Able Software claims its platform is used by more than 430 Mongolian government agencies, including the Office of the President, the Ministry of Justice, the Ministry of Health, various local law enforcement agencies, and many local governments.
    Software abused by hackers since at least 2018
    ESET says that because of its widespread use among government workers, the app has been at the center of several malware distribution efforts since at least 2018.
    Initial attacks revolved around adding malware to the Able Desktop chat app and spreading a trojanized version of the app’s installer via email, hoping to trick employees into infecting themselves.
    Payloads in these attacks included the HyperBro backdoor and the PlugX remote access trojan.

    But while these attacks were successful, ESET says that things changed in June 2020, when the attackers appear to have found a way inside Able’s backend and compromised the system that delivers software updates to all Able Software apps.
    ESET researchers say attackers abused this system on at least two occasions to deliver a malware-laced Able Desktop chat app through the official update mechanism.
    For these attacks, the intruders again delivered the HyperBro backdoor, but they changed from PlugX to Tmanager as the remote access component.

    At the time of writing, it is unclear if the attackers used the compromised Able update feature to install malware on all the systems they could reach or if they only went after selected targets.
    Beyond notifying Able Software, ESET was unable to provide such details.
    Furthermore, ESET wasn’t able to pin the attack on a particular group, as all the malware strains used in the attacks had previously been used by different China-linked APTs, such as LuckyMouse and TA428, and were also tied to a collection of server infrastructure known as ShadowPad, itself linked to many other Chinese APTs like CactusPete, TICK, IceFog, KeyBoy, and the umbrella group Winnti.
    ESET believes these groups are either collaborating, using the same tools, or are subgroups part of a larger threat actor that controls their operations and targeting.

    Besides the ESET report, cyber-security firm Avast also published its own report on these attacks, likewise linking the perpetrators back to China and classifying the attacks as cyber-espionage.


    Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox

    Microsoft has raised the alarm today about a new malware strain that infects users’ devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.
    Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day.
    But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed “hundreds of thousands” of Adrozek detections all over the globe.
    Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia.

    How Adrozek spreads and works
    Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.
    The booby-trapped software installs the Adrozek malware, which then proceeds to obtain reboot persistence with the help of a registry key.
    Once persistence is assured, the malware will look for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, or the Yandex Browser.

    If any of these browsers are found on infected hosts, the malware will attempt to force-install an extension by modifying the browser’s AppData folders.
    To make sure the browser’s security features don’t kick in and detect unauthorized modifications, Adrozek also modifies some of the browsers’ DLL files to change browser settings and disable security features.
    Modifications performed by Adrozek include:
    Disabling browser updates
    Disabling file integrity checks
    Disabling the Safe Browsing feature
    Registering and activating the extension they added in a previous step
    Allowing their malicious extension to run in incognito mode
    Allowing the extension to run without obtaining the appropriate permissions
    Hiding the extension from the toolbar
    Modifying the browser’s default home page
    Modifying the browser’s default search engine
    All of this is done to allow Adrozek to inject ads into search results pages, ads that allow the malware gang to gain revenue by directing traffic towards ad and traffic referral programs.

    But if this wasn’t bad enough, Microsoft says that on Firefox, Adrozek also contains a secondary feature that extracts credentials from the browser and uploads the data to the attacker’s servers.
    A massive operation expected to grow even further
    Microsoft says the Adrozek operation is extremely sophisticated, especially with regard to its distribution infrastructure.
    The OS maker said it tracked 159 domains that hosted Adrozek installers since May 2020. Each domain hosted on average 17,300 dynamically-generated URLs, and each URL hosted more than 15,300 dynamically-generated Adrozek installers.
    “While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational,” Microsoft said.
    “The distribution infrastructure is also very dynamic. Some of the domains were up for just one day, while others were active for longer, up to 120 days.”
    All in all, due to its prolific use of polymorphism to constantly rotate its malware payloads and distribution infrastructure, Microsoft expects the Adrozek operation to grow even more in the coming months.
    “End users who find this threat on their devices are advised to re-install their browsers,” Microsoft said today.


    Pwnie Awards 2020 winners include Zerologon, CurveBall, Checkm8, BraveStarr attacks

    The winners of the 2020 Pwnie Awards were announced earlier today at the Black Hat Europe security conference.

    The awards are to the cyber-security field what the Oscars and the Razzie awards, combined, are to the movie industry.
    Each year, cyber-security professionals are invited to nominate and then vote for both the best and worst in their industry. This includes selecting the best and most ingenious vulnerabilities discovered over the past twelve months, but also the worst vendor responses and epic fails that have ended up putting users at risk.
    For the past decade, the Pwnie Awards ceremony has taken place during the Black Hat USA security conference, each August, in a Las Vegas hotel, where organizers usually hand out plastic pony dolls with pink hair to the winners of their categories.
    However, this year marked the first time since its inception that the Pwnie Awards ceremony was hosted in a virtual format and also moved to the European edition of the Black Hat conference, which usually takes place at the end of November and the beginning of December. The reason? The COVID-19 pandemic, of course.
    But, without further ado, here are this year’s winners, along with links to their respective research, if available online:
    Best server-side bug: BraveStarr – a remote code exploit in the Telnet daemon on Fedora 31 servers.
    Best client-side bug: For a zero-click MMS attack on Samsung phones, bug discovered by the Google Project Zero team.
    Best privilege escalation bug: Checkm8 – an unpatchable hardware jailbreak for seven generations of Apple silicon.
    Best cryptography attack: Zerologon – a bug in Microsoft’s Netlogon authentication protocol that can be exploited by supplying a string of zero characters in certain Netlogon authentication parameters.
    Most innovative research: TRRespass – bypassing TRR protections on modern RAM cards to carry out Rowhammer attacks.
    Lamest vendor response: Daniel J. Bernstein – for mishandling a bug way back in 2005.
    Most under-hyped research: To Gabriel Negreira Barbosa, Rodrigo Rubira Branco (BSDaemon), Joe Cihula (Intel), for discovering CVE-2019-0151 and CVE-2019-0152 in Intel’s System Management Mode (SMM) and Trusted Execution Technology (TXT).
    Most epic fail: Microsoft for CurveBall, a bug in how the company implemented elliptic curve signatures on Windows, allowing for easy spoofing of HTTPS sites and legitimate apps.
    Epic achievement: To Guang Gong, a known Chinese bug hunter, for discovering CVE-2019-5870, CVE-2019-5877, CVE-2019-10567, three bugs that allowed remote takeovers of Android Pixel devices [see PDF].


    Romania to host the EU's new cybersecurity research hub

    The European Council voted on Wednesday to locate the EU’s future cybersecurity research hub in Bucharest, Romania’s capital.

    Named the European Cybersecurity Industrial, Technology and Research Competence Centre, or the ECCC, the new hub is set to start operating next year.
    The new research hub will operate separately from ENISA (European Union Agency for Network and Information Security), the EU’s official cybersecurity agency.
    While ENISA will be focused on standards, the European Council said the ECCC will be “the EU’s main instrument for pooling investment in cybersecurity research, technology and industrial development.”
    Although not a formal EU agency, the ECCC will be tasked with funding new cybersecurity research, providing financial support and technical assistance to cybersecurity start-ups and SMEs, and promoting cyber-security standards.
    The new hub is part of the EU’s focus on shoring up its digital market. Under the new Digital Europe program, the EU plans to allocate more than €2 billion to cybersecurity from the EU budget for years 2021-2027.
    More about the ECCC and its responsibilities can be found on the hub’s official website.

    🎉#Bucharest to be the host of the future EU #Cyber Centre🎉Hub for high tech and innovation, featuring a thriving digital ecosystem, dynamic and young, Romania’s capital will take this task in a responsible and dedicated manner, to the benefit of the entire European Union👏👏👏
    — Romania in the EU 🇷🇴 (@romaniaineu) December 9, 2020

    Seven countries filed applications to host the new cybersecurity research hub. The list of applicants included Bucharest (Romania), Brussels (Belgium), Munich (Germany), Leon (Spain), Vilnius (Lithuania), Warsaw (Poland), and Luxembourg.
    EU member states selected Bucharest as host for the new agency in two rounds of voting on Wednesday, December 9. Bucharest was chosen over Brussels in a 15-12 vote in the last round.
    All applicants had strong cases. For example, the Lithuanian delegation offered to host the ECCC in the famous Vilnius TV tower, one of the tallest buildings in the world.
    Leon offered to host the agency in its huge former train station and also relied on the fact that it was designated as Spain’s cybersecurity center and already hosting a high-performance computing center.
    Brussels used its proximity to other EU agencies to promote its bid, but this turned out to be a weak point in the end: Romanian officials made the fact that Romania had not been allowed to host any EU agency or hub since joining the EU in 2007 their primary argument for securing the vote in the last round.
    Bucharest also promoted its burgeoning IT sector, with the city having hosted many cybersecurity firms for decades, and offered to let the EU choose to host the research hub in one of three buildings: a classic villa in Bucharest’s old center, a modern office tower, or a typical government building near Bucharest’s government bodies, per its official bid [PDF].


    Proof-of-concept exploit code published for new Kerberos Bronze Bit attack

    Proof-of-concept exploit code has been published this week for a new attack technique that can bypass the Kerberos authentication protocol in Windows environments and let intruders access sensitive network-connected services.

    Named the Bronze Bit attack and tracked as CVE-2020-17049, the bug has already caused Microsoft quite a headache when it came to patching.
    The OS maker delivered an initial fix for Bronze Bit attacks in the November 2020 Patch Tuesday, but the patch caused authentication issues for Microsoft’s customers, and a new update had to be deployed this month to fix the previous issues.
    On Wednesday, a day after Microsoft delivered the final patches, Jake Karnes, a security engineer at NetSPI, published a technical breakdown of the vulnerability so network defenders can understand how they are vulnerable and why they need to update, despite the patching process’ rocky start.
    Accompanying his theoretical and practical breakdowns was also proof-of-concept exploit code that system administrators can use to check and see if the patch was installed correctly.
    Golden, Silver, and now the Bronze ticket attack
    According to Karnes, the Bronze Bit attack is another variation of the older and widely known Golden Ticket and Silver Ticket attacks against Kerberos authentication.
    All three are post-compromise techniques that can be used after an attacker has breached a company’s internal network.

    An attacker who infected at least one system on a network and extracted password hashes can use those hashes to bypass and forge credentials for other systems on the same network, as long as the network relies on the Kerberos authentication protocol, which has been included in all standard Windows versions since 2000.
    The difference between Golden Ticket, Silver Ticket, and now the Bronze Bit attacks is in what parts of the Kerberos authentication protocol attackers go after.
    In the case of Bronze Bit, attackers target the S4U2self and S4U2proxy protocols that Microsoft added as extensions to the Kerberos protocol.
    “The attack uses the S4U2self protocol to obtain a service ticket for a targeted user to the compromised service, using the service’s password hash,” Karnes says.
    “The attack then manipulates this service ticket by ensuring its forwardable flag is set (flipping the “Forwardable” bit to 1). The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service,” he adds.

    Karnes says the attack was possible because the portion of the Kerberos service ticket where the Forwardable flag resides is not signed, and the Kerberos process is not able to detect service tickets that have been tampered with.
    “This exploit bypasses 2 existing protections for Kerberos delegation, and provides an opportunity for impersonation, lateral movement, and privilege escalation,” the researcher added.
    Karnes also says the attack’s name comes from the Golden Ticket and Silver Ticket attacks, which use similar principles, but that it is called Bronze Bit instead of Bronze Ticket because the attack relies on flipping just a single bit.


    njRAT Trojan operators are now using Pastebin as alternative to central command server

    Operators of the njRAT Remote Access Trojan (RAT) are leveraging Pastebin C2 tunnels to avoid scrutiny by cybersecurity researchers.

    On Wednesday, Palo Alto Networks’ Unit 42 cybersecurity team said njRAT, also known as Bladabindi, is being used to download and execute secondary-stage payloads from Pastebin, scrapping the need to establish a traditional command-and-control (C2) server altogether. 
    Since at least October, operators have used Pastebin, a text storage and release platform, as a host for payloads that differ in form and shape. In some cases, dumps are base64 encoded; in others, hexadecimal and JSON data masks the true nature of a dump; some are compressed blobs, and others are simply plaintext instructions containing embedded malicious URLs.
    The team says that njRAT variants will call upon shortened URLs linking to Pastebin in an attempt to “evade detection by security products and increase the possibility of operating unnoticed.”
    Developed in .NET, njRAT is a widely-used Trojan that is able to hijack the functions of a compromised machine remotely, including taking screenshots, exfiltrating data, keylogging, and killing processes such as antivirus programs. In addition, the RAT is able to execute secondary, malicious payloads and connect infected PCs to botnets. 
    The “Pastebin C2 tunnel” now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. With the Trojan acting as a downloader, it will grab encoded data dumped on Pastebin, decode, and deploy.

    In samples viewed by the team, one payload was decoded as a .NET executable that abuses Windows API functions for keylogging and data theft. Other samples, similar in function, required multiple layers of decoding to reveal the final payload. 
    JSON-formatted data, disguised on Pastebin, is believed to potentially act as configuration files for the malware. Pastebin dumps have also been used to point toward software downloads, including links to ProxyScraper. 
    Palo Alto says the Pastebin-based command architecture is still active and utilized by the RAT to deliver secondary payloads. 
    “Based on our research, malware authors are interested in hosting their second-stage payloads in Pastebin and encrypting or obfuscating such data as a measure to evade security solutions,” the team says. “There is a possibility that malware authors will use services like Pastebin for the long term.”
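    A defender’s triage decoder for the layered Pastebin dumps described above, added here as an example and not code from the Unit 42 report: it peels the encodings the article lists (JSON wrapper, hex, base64, compressed blob, plaintext) from constructed sample pastes and pulls out embedded URLs for blocklisting. The JSON key names, the sample contents and the `.invalid` hosts are assumptions.

```python
"""Peel layered encodings from Pastebin-style staged payloads and extract
indicators. Added example; the JSON wrapper keys and all sample dumps below
are constructed assumptions, not real njRAT data."""
import base64
import binascii
import json
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
MAX_LAYERS = 8  # guard against pathological self-referential dumps


def _try_json(blob):
    # Assumed wrapper shape: {"data": "<inner>", ...}; return the inner string.
    try:
        obj = json.loads(blob.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if isinstance(obj, dict):
        for key in ("data", "payload", "config"):  # assumed key names
            if isinstance(obj.get(key), str):
                return obj[key].encode("utf-8")
    return None


def _try_hex(blob):
    s = blob.strip()
    if len(s) < 2 or len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return binascii.unhexlify(s)


def _try_base64(blob):
    s = blob.strip()
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def _try_zlib(blob):
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return None


# Order matters: a hex string is also valid base64, so test hex first.
DECODERS = [("json", _try_json), ("hex", _try_hex),
            ("base64", _try_base64), ("zlib", _try_zlib)]


def peel(blob):
    """Strip one encoding layer at a time until none applies.
    Returns (layers_applied, final_bytes)."""
    layers = []
    for _ in range(MAX_LAYERS):
        for name, fn in DECODERS:
            out = fn(blob)
            if out is not None and out != blob:
                layers.append(name)
                blob = out
                break
        else:
            break  # no decoder matched: this is the final stage
    return layers, blob


def triage(blob):
    """Return the decoding chain, embedded URLs and whether the final stage
    looks like a Windows executable (MZ header), e.g. a dropped .NET binary."""
    layers, final = peel(blob)
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(final)})
    return {"layers": layers, "urls": urls, "pe": final.startswith(b"MZ")}


# Constructed sample dumps mimicking the forms the article lists.
STAGE2 = b"MZ\x90\x00 stands in for a .NET executable body"
SAMPLES = {
    "plain": b"download http://stage.example.invalid/njrat/next.bin and run",
    "b64": base64.b64encode(b"http://stage.example.invalid/drop1"),
    "hex_over_b64": binascii.hexlify(base64.b64encode(STAGE2)),
    "json_zlib_b64": json.dumps({"v": 1, "data": base64.b64encode(
        zlib.compress(b"http://cfg.example.invalid/proxylist")).decode()}).encode(),
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, triage(dump))
```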


    Remote code execution vulnerability uncovered in Starbucks mobile platform

    A potential remote code execution (RCE) bug has been patched in one of Starbucks’ mobile domains. 

    The US coffee giant runs a bug bounty program on HackerOne. A vulnerability report by Kamil “ko2sec” Onur Özkaleli, first submitted on November 5 and made public on December 9, describes an RCE issue found on mobile.starbucks.com.sg, a platform for Singaporean users.
    According to the advisory, ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg that was intended for handling image files. However, the endpoint did not restrict file type uploads, which means that attackers abusing the issue could potentially upload malicious files and remotely execute arbitrary code. 
    While the full bug bounty report has been restricted by Starbucks, it is noted that the bug bounty hunter’s analysis of the issue revealed “additional endpoints on other out of scope domains that shared this vulnerability.”
    A CVE has not been issued for the critical vulnerability but a severity score of 9.8 has been added to the report. 

    Ko2sec was awarded $5,600 for his findings. 
    The RCE is not the only submission the researcher has made to Starbucks. In October, Ko2sec described an account takeover exploit in the Starbucks Singapore website caused by open test environments. It was possible to target users by knowing their email address, view their personal information, and even use any credit loaded in their account wallets to make purchases. 
    The bug bounty hunter received $6,000 for this previous report. 
    To date, Starbucks has received 1068 vulnerability reports on HackerOne. The average bounty paid out for valid submissions is between $250 and $375, while critical bugs are worth $4000 – $6000. In total, the coffee chain has paid more than $640,000 to bug bounty hunters, with $20,000 cashed out in the past 90 days. 
    ZDNet has reached out to Starbucks and will update when we hear back.


    Tech industry concerns put aside as Critical Infrastructure Bill enters Parliament

    Minister for Home Affairs Peter Dutton introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament on Thursday, labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.
    “Critical Infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation’s wealth and prosperity, and national security,” Dutton said.
    “While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses, and all levels of government.”
    While Dutton said owners and operators of critical infrastructure are best placed to deal with such threats, he said it takes a team effort to bring about positive change.
    The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    It extends the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.
    The Bill introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.

    Dutton on Thursday said the obligation to adopt and comply with a risk management program is designed to uplift core security practices of critical infrastructure assets by “ensuring entities take a holistic and proactive approach to identifying, preventing, and mitigating risks”.
    The purpose of the framework requiring ASD reporting, he said, is to establish a “comprehensive understanding of the cybersecurity risks to critical infrastructure assets”.
    “Through greater awareness, the government can better see malicious trends and campaigns, which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks,” he continued.
    Also contained within the Bill are last resort powers, which allow the government to step in to protect assets during or following a significant cyber attack.
    Dutton said the Bill was developed through extensive consultation with industry.
    See also: Tech giants not convinced Australia’s critical infrastructure Bill is currently fit for purpose
    “The final Bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances,” he claimed.
    “This is not the end of consultation, the government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner.”
    This includes industry engagement on designing sector-specific requirements and guidance for the laws.
    Elsewhere on Thursday, the Governor-General assented to the Foreign Investment Reform (Protecting Australia’s National Security) Bill 2020, which updates Australia’s foreign investment review framework with the overarching goal of addressing national security risks, strengthening compliance, and streamlining investment in non-sensitive businesses.
    While the Bill aims to protect Australia, the country’s quantum technology sector, as well as the federal opposition, flagged it was worried about the problems the Bill could create for the nascent industry, mostly around investment opportunities.
    Q-CTRL, Australia’s first venture capital-backed quantum technology company, previously said the broad definitions of “national security businesses” in the legislation encompass “effectively all emerging quantum technology companies and place our sector at a tremendous disadvantage relative to competitors formed in regions with larger and more mature investor bases including the US and EU”.
    “Simply put, Australian venture capital is insufficiently mature to support growth in our industry at this stage, meaning that fully realising the potential of quantum technology in Australia necessitates the involvement of foreign investors,” Q-CTRL CEO, founder, and professor Michael Biercuk said.