More stories

    BlackBerry discovers new hacker-for-hire mercenary group

BlackBerry’s security team published details today about a new hacker-for-hire mercenary group it discovered earlier this year and has tied to attacks on victims all over the world.


    The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year after the likes of:
    BellTrox (aka Dark Basin) [1, 2, 3]
    DeathStalker (aka Deceptikons) [1, 2]
    Bahamut [1, 2]
    Unnamed group [1]
    CostaRicto’s discovery also comes to retroactively confirm a Google report from May, when the US tech giant highlighted the increasing number of hacker-for-hire mercenary groups, and especially those operating out of India.
    However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto’s current origins and whereabouts still remain unknown.
    What is currently known is that the group has orchestrated attacks all over the globe across different countries in Europe, the Americas, Asia, Australia, and Africa.
    However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, “but working on a wide range of commissions from diverse clients.”
    As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that “the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.”

    Furthermore, BlackBerry says that “the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state” but suggests that they are “a mix of targets that could be explained by different assignments commissioned by disparate entities.”
    CostaRicto group linked to new sophisticated Sombra malware
BlackBerry also notes that while the group uses custom-built, never-before-seen malware, its tradecraft is otherwise conventional.
Most of its attacks rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
The backdoor allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says is typically hosted on the dark web and reachable only via Tor.
Furthermore, infected hosts usually connect to these servers through a layer of proxies and SSH tunnels, hiding the malicious traffic from the infected organizations.
All in all, BlackBerry says these practices “reveal better-than-average operation security” when compared to the usual hacking groups.
    All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues in the gang’s servers suggest the group might have been active even earlier, as far back as 2017.
    Furthermore, researchers said they also discovered an overlap with past campaigns from APT28, one of Russia’s military hacking units, but BlackBerry believes the server overlap may have been accidental.
    Hacker-for-hire groups — the new landscape
    For many years, most hacking groups have operated as stand-alone groups, carrying out financially-motivated attacks, stealing data, and selling for their own profit.
The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas instead of operating as lone wolves.
The next step in investigating these groups will be to look at who their clients are. Are they private corporations or foreign governments? Or are they both?

    DNS cache poisoning poised for a comeback: Sad DNS

Back in 2008, Domain Name System (DNS) cache poisoning was a big deal. By seeding a resolver’s cache with misleading Internet Protocol (IP) addresses, hackers could redirect your web browser from the safe site you wanted to a fake one loaded with malware. Fixes were found and DNS cache poisoning attacks became rare. Now, thanks to a discovery by University of California at Riverside researchers, a new way has been found to exploit vulnerable DNS caches: SAD DNS.

Here’s how it works. First, DNS is the internet’s master address list. With it, instead of typing out an IPv4 address like 173.245.48.1 or an IPv6 address such as 2400:cb00:2048:1::c629:d7a2 (two of Cloudflare’s many addresses), you simply type in “http://www.cloudflare.com”; DNS finds the right IP address for you, and you’re on your way.
With DNS cache poisoning, however, a resolver’s cache is seeded with a forged record, so when your web browser or other internet application asks for a site, it is handed a malicious IP address. Instead of going where you want to go, you’re sent to a fake site. That forged website can then push ransomware to your PC or grab your user name, password, and account numbers. In a word: Ouch!
Modern defense measures, such as randomizing both the DNS query ID and the DNS request source port (together roughly 2^32 values for an attacker to guess instead of 2^16), DNS-based Authentication of Named Entities (DANE), and Domain Name System Security Extensions (DNSSEC), largely stopped DNS cache poisoning. The cryptographic methods, however, have never been deployed widely enough, so DNS-based attacks still happen.
Now, though, researchers have found a side-channel attack, SAD DNS, that works against the most popular DNS software stacks. Vulnerable programs include the widely used BIND, Unbound, and dnsmasq running on Linux and other operating systems. The precondition is that the DNS server’s operating system and network are configured to send Internet Control Message Protocol (ICMP) error messages, and that the operating system throttles those errors with a single global rate limit, which is what the attacker measures.
Here’s how the attack works: First, the attacker needs a device able to spoof IP addresses and a way to trigger a request out of a DNS forwarder or resolver. Forwarders and resolvers are the components that look up answers on a client’s behalf. A forwarder attack might start, for example, with the attacker joined to a LAN managed by a wireless router, such as a school or library public wireless network. Public DNS resolvers, such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8, can also be attacked.
Next, the attacker uses a network channel that is related to, but outside of, the DNS exchange itself: the ICMP port-unreachable errors the resolver’s kernel sends for probes to closed UDP ports, which Linux caps at 1,000 per second across all destinations. While a query is outstanding, the attacker sends batches of 1,000 spoofed probes and then checks, with one probe from its own address, whether the rate limit has been exhausted; if it has not, one of the batch hit the open port. Repeating this narrows the guess down to the exact source port. With the source port derandomized, only the 16-bit transaction ID remains to be brute-forced, and the researchers inserted a malicious IP address and successfully pulled off a DNS cache poisoning attack.

    In their study, they found just over 34% of the open resolver population on the internet is vulnerable. They found that 85% of the most popular free public DNS services are open to attacks. 
You can check to see if you’re open to attack simply by going to this SAD DNS web page and following the instructions. I’ll add that I’m both very security- and network-conscious, and my systems were vulnerable.
There are ways to stop these attacks. Indeed, we already have them. DNSSEC would help, but it’s still not deployed widely enough. The relatively new DNS Cookies (RFC 7873) would help as well.
    The simplest mitigation, though, is to disallow outgoing ICMP replies altogether. This comes at the potential cost of losing some network troubleshooting and diagnostic features. 
Another easy fix is to set the timeout of DNS queries more aggressively, for example to less than a second. This way the source port is short-lived and disappears before the attacker can finish scanning for it and start injecting rogue responses. The downside, however, is the possibility of more retransmitted queries and worse overall performance.
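The side channel described above, together with the two operational mitigations (dropping outgoing ICMP errors, shortening query timeouts), as an added Python simulation written for this page; it is not the researchers’ code and not taken from any DNS software. A resolver host holds one open UDP port (the source port of an in-flight query) and answers probes to closed ports with ICMP port-unreachable errors drawn from a single global budget of 1,000 per second. The budget size, the port range searched, the “known closed” port used for padding and verification, and the once-per-second refill (a real kernel uses a token bucket) are modelling assumptions; a real attack must additionally beat the transaction ID and race the legitimate reply.

```python
"""Simulation of the SAD DNS ICMP rate-limit side channel (constructed model).

The attacker never sees a reply to a spoofed probe. It only sees the reply to
the one probe it sends from its own address, and that reply exists or not
depending on how much of the host's global ICMP budget the spoofed probes
consumed, which in turn depends on whether one of them hit the open port.
"""
import random

ICMP_GLOBAL_LIMIT = 1000           # assumed: ICMP errors/second shared by all peers
PORT_LOW, PORT_HIGH = 1024, 65535  # assumed: range the attacker has to search
KNOWN_CLOSED = 1                   # assumed: a port the attacker knows is closed


class ResolverHost:
    """Victim kernel with one open UDP port and a global ICMP error budget."""

    def __init__(self, open_port, icmp_errors_enabled=True):
        self.open_port = open_port
        self.icmp_errors_enabled = icmp_errors_enabled
        self.budget = ICMP_GLOBAL_LIMIT
        self.seconds = 0

    def next_second(self):
        self.seconds += 1
        self.budget = ICMP_GLOBAL_LIMIT   # simplified refill: full reset each second

    def udp_probe(self, port):
        """True if the kernel emits an ICMP port-unreachable for this probe.
        A probe to the open port is delivered to the socket, generates no
        ICMP, and therefore leaves the global budget untouched."""
        if port == self.open_port:
            return False
        if not self.icmp_errors_enabled or self.budget == 0:
            return False
        self.budget -= 1
        return True


def window_has_open_port(host, candidates):
    """Spend one second of the rate limit on up to 1,000 candidate ports.

    Candidate probes carry a spoofed source, so their ICMP replies go to
    someone else. Padding probes to a known-closed port bring the total to
    exactly 1,000. A final probe from the attacker's own address is the only
    one it can observe: no ICMP back means every earlier probe hit a closed
    port (budget gone); an ICMP reply means one token survived, i.e. one of
    the candidates was the open port."""
    assert len(candidates) <= ICMP_GLOBAL_LIMIT
    host.next_second()
    padding = [KNOWN_CLOSED] * (ICMP_GLOBAL_LIMIT - len(candidates))
    for port in list(candidates) + padding:
        host.udp_probe(port)                  # spoofed source: reply unseen
    return host.udp_probe(KNOWN_CLOSED)       # attacker's real address: reply seen


def derandomize_source_port(host):
    """Return (port or None, seconds spent): linear scan in 1,000-port batches,
    then binary search inside the batch that tripped the channel."""
    ports = list(range(PORT_LOW, PORT_HIGH + 1))
    hit = None
    for start in range(0, len(ports), ICMP_GLOBAL_LIMIT):
        batch = ports[start:start + ICMP_GLOBAL_LIMIT]
        if window_has_open_port(host, batch):
            hit = batch
            break
    if hit is None:                           # ICMP errors dropped: channel is silent
        return None, host.seconds
    while len(hit) > 1:
        mid = len(hit) // 2
        hit = hit[:mid] if window_has_open_port(host, hit[:mid]) else hit[mid:]
    return hit[0], host.seconds


def attack_outcome(open_port, icmp_errors_enabled=True, query_timeout_s=None):
    """Run the scan and say whether a poisoning attempt can still follow.

    The recovered port is only useful while its query is outstanding; a
    resolver that abandons a query after query_timeout_s seconds has closed
    the port before a scan that takes longer than that can finish."""
    host = ResolverHost(open_port, icmp_errors_enabled)
    port, seconds = derandomize_source_port(host)
    if port is None:
        return {"port": None, "seconds": seconds, "poisonable": False}
    too_slow = query_timeout_s is not None and seconds > query_timeout_s
    return {"port": port, "seconds": seconds, "poisonable": not too_slow}


if __name__ == "__main__":
    target = random.Random(2020).randint(PORT_LOW, PORT_HIGH)
    print("default host:        ", attack_outcome(target))
    print("ICMP errors dropped: ", attack_outcome(target, icmp_errors_enabled=False))
    print("1 s query timeout:   ", attack_outcome(target, query_timeout_s=1))
```

Running the script shows the default host giving up its port after a few dozen simulated seconds, the host that drops ICMP errors never leaking anything, and the short query timeout expiring the port long before the scan completes. Note that only the global, shared nature of the budget makes the inference work; a per-destination limit would not let probes aimed at one party affect what a different party receives.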
Whichever method you use, one thing is clear. If you run a DNS server or forwarder, you must do something. This attack is too easy. It will soon be used by criminal hackers. And, while I certainly recommend the quick and easy fixes, would it really kill you to finally start using DNSSEC? It’s way past time for everyone to adopt it.
    As for users, you must be more careful than ever that when you go to a commerce site like Amazon or your local bank that the site really is the one you think it is. If you don’t, you can kiss your online identity and a lot of money goodbye.
    Comodo open-sources its EDR solution

Cyber-security firm Comodo open-sourced its endpoint detection and response (EDR) solution this week, becoming the first major security vendor to take this route.

    Released as OpenEDR, the project’s source code was released this week on GitHub after Comodo touted the move to open source back in September [1, 2].
    EDRs are considered the next step in the evolution of antivirus software. Classic antivirus software is designed to block malware when it executes.
    EDRs are built differently, with a more proactive approach. They work by actively monitoring for suspicious behavior on endpoints and the local network and then sending alerts to a company’s IT staff to investigate.
    They don’t necessarily look for confirmed threats but, instead, can also look for indicators of suspicious activity that sometimes precedes actual malware infections or threat actor intrusions.
    “We are offering our EDR as open source because we feel strongly that as cyber-threats increase, every company should have access to this capability regardless of budget or ability to purchase it,” Alan Knepfer, President and Chief Revenue Officer at Comodo, said back in September.
    “Our competitors offer endpoint protection that falls short of protecting customers, and then charge additional for EDR capability. This kind of pricing strategy from cybersecurity vendors will weaken the cybersecurity resources available to enterprises.

    “The model of charging for multiple layers because they fail in protecting customers is not a healthy business model for the long term. We are putting an end to that by open sourcing the world’s most sophisticated EDR,” Knepfer added.
    Comodo’s OpenEDR will include all the basic functionality of an EDR. This will include the ability to roll out custom detection rules and IOCs, real-time monitoring of workstation filesystems, detection of fileless threats, a recommendation engine that advises of measures that need to be taken, a GUI, and a threats vector investigation capability.
    A technical breakdown of OpenEDR is available here, while the project’s support forum is here.
Besides OpenEDR, other open-source EDR and similar solutions also available today include the likes of:

    KuCoin CEO says 84% of stolen cryptocurrency has been recovered

KuCoin says that 84% of the cryptocurrency funds stolen during a cyberattack have now been recovered.

    On November 11, KuCoin chief executive and co-founder Johnny Lyu said in a Twitter thread that the majority of the impacted assets have been recovered via “judicial recovery, contract upgrades, and on-chain tracking.” 
    However, Lyu does not intend to reveal further details until the “case is closed,” apparently upon request by law enforcement. 
    KuCoin’s hack took place on September 26. The Singapore-based cryptocurrency exchange stored a number of assets in hot wallets — Internet-accessible repositories for virtual coins — rather than cold wallets, where cryptocurrency is stored safely away from the web. 
    After detecting “some large withdrawals,” KuCoin’s team realized the hot wallets were being drained of cryptocurrency including Bitcoin (BTC), Ethereum (ETH), and ERC-20 tokens. 
It is estimated that at least $150 million in cryptocurrency was stolen during the incident, but KuCoin has not confirmed the exact amount lost. However, the company says it has obtained “substantial proof” of who is responsible.

    Lyu added that service has resumed for 176 different tokens and all remaining coin withdrawal or trading that is still frozen is due to reopen before November 22. 
    According to KuCoin’s security incident update page, at the time of writing, this will include Vid (VI), Add.xyz (PLT), DMM: Governance (DMG), Ankr (ANKR), and BABB (BAX). 
    On Thursday, the cryptocurrency exchange reopened deposit and withdrawals for CargoX (CXO), adbank (ADB), and Perth Mint Gold Token (PMGT). 
    “Again, I would like to thank all the individuals and institutions who helped us in this incident, together, we will make a stronger crypto community,” the CEO commented. “Looking forward, KuCoin will continue to safeguard our users and bring more crypto hidden gems to the world as we always did.”


    New ModPipe malware targets hospitality, hotel point of sale systems

    A new Point-of-Sale (PoS) malware is targeting devices used by “hundreds of thousands” of organizations in the hospitality sector, researchers have warned. 

    Dubbed ModPipe, the malware is a backdoor able to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, management software that is particularly popular in the United States. 
    RES 3700 is described by Oracle as the “most widely installed restaurant management software in the industry today.” The software suite is used to manage PoS, loyalty programs, reporting, inventory, promotions, and mobile payment. 
    On Thursday, ESET researchers said in a blog post that the operators of ModPipe likely have a “deep knowledge” of the software, as the malware contains a custom algorithm designed to harvest RES 3700 POS database passwords by decrypting them from Windows registry values. 
    This direct, sophisticated approach is in contrast to the standard PoS malware method, in which “noisy” keylogging and credit card skimming is often practiced. 
    Alternatively, it may be that the cyberattackers were able to steal the software and reverse-engineer the code following a 2016 data breach at Oracle’s PoS division. 

    Once executed on a PoS device, ModPipe will access database contents, including system configuration, status tables, and some PoS data concerning transactions — but it does not seem that in its basic state, the malware is able to grab credit card numbers or expiry dates. 
    According to the researchers, this sensitive information is protected by encryption standards implemented by RES 3700 — and so the only payment card-related data threat actors will be able to access is cardholder names. 
ModPipe’s modular architecture comprises a 32/64-bit dropper, a loader, and the main payload, which creates a “pipe” used to connect with other malicious modules and serves as a dispatch point for communication between the malware and a C2.
    ModPipe is also able to download additional modules from an attacker’s command-and-control (C2) server to extend its malicious capabilities. 
    The modules found by ESET, so far, include GetMicInfo — the module containing the custom algorithm — which is also able to intercept and decrypt database passwords; ModScan 2.20, which gathers PoS information by scanning IP addresses; and ProcList, which monitors running processes. 
The majority of PoS malware homes in on guest or customer payment card data, as this is the most valuable information a PoS device processes. Without a module to grab and decrypt this information, ESET says the operators’ business model remains “unclear.”
    However, it should be noted that there may be such a module and it just hasn’t been found — yet. 
“To achieve this the attackers would have to reverse engineer the generation process of the ‘site-specific passphrase,’ which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module and — due to use of the Windows Data Protection API (DPAPI) — executed directly on the victim’s machine.”
    It is not currently known how the malware is being distributed, but the team says that the majority of infections tracked are from the US. 
    ZDNet has reached out to Oracle and will update when we hear back. 


    Microsoft urges users to stop using phone-based multi-factor authentication

    Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

    The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft’s behalf, urging users to embrace and enable MFA for their online accounts.
    Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.
    But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.
    The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today.
Weinert says that both SMS and voice calls are transmitted in cleartext and can be intercepted by determined attackers using techniques and tools like software-defined radios, femtocells, or SS7 intercept services.
    SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor’s SIM card, in attacks known as SIM swapping, allowing attackers to receive MFA one-time codes on behalf of their victims.
    On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.
    SMS and voice calls are the least secure MFA method today
    All of these make SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.
The Microsoft exec believes that this gap between SMS and voice-based MFA and the stronger methods “will only widen” in the future.
    As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its large adoption.
    Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft’s Authenticator MFA app as a good starting point.
    But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
PS: This shouldn’t mean that users should disable SMS or voice-based MFA for their accounts. SMS MFA is still far better than no MFA.

    Google patches two more Chrome zero-days

Google today released Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
    These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
    The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google’s attention after tips from anonymous sources.
Details about the attacks in which the two Chrome zero-days have been used have not been made public at the time of writing.
    According to the Chrome 86.0.4240.198 changelog, the two zero-days are tracked and described as follows:
    CVE-2020-16013 – Described as an “inappropriate implementation in V8,” where V8 is the Chrome component that handles JavaScript code.
    CVE-2020-16017 – Described as a “use after free” memory corruption bug in Site Isolation, the Chrome component that isolates each site’s data from one another.
    It is currently unknown if the two vulnerabilities have been used together, as part of an exploit chain, or used individually. The first one was reported on Monday, while the second was reported earlier today, on Wednesday.
    These two zero-days come after Google also patched:

    Most zero-days are usually employed in targeted attacks against a small number of selected targets, so most users shouldn’t needlessly panic.
While the level of danger for regular users is unclear, Chrome users are still advised to update to v86.0.4240.198 via the browser’s built-in update function (Chrome menu, Help, About Google Chrome) as soon as possible.

    Recent ransomware wave targeting Israel linked to Iranian threat actors

    Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors, multiple sources have told ZDNet today.
    The ransomware attacks have been taking place since mid-October, have ramped up this month, and have repeatedly focused on Israeli targets.
    Israeli companies of all sizes have been targeted by threat actors using the Pay2Key and WannaScream ransomware strains.
    Hackers breached corporate networks, stole company data, encrypted files, and asked for huge payouts to deliver a decryption key.
    Furthermore, adding to this tactic, this week, the Pay2Key ransomware gang also launched a “leak directory” on the dark web where the group is now leaking data they stole from companies who refused to pay the ransom demand, Ram Levi, Founder and CEO of Konfidas, a cybersecurity consulting firm based in Israel, told ZDNet today.

    The Pay2Key attacks are a curious case because, unlike most other ransomware operations taking place today, these attacks have repeatedly and primarily focused on infecting Israeli companies.
    Attacks with the WannaScream ransomware have been spotted across the globe, but Omri Segev Moyal, Founder and CEO of Israeli security firm Profero, told ZDNet that this ransomware is currently available via a Ransomware-as-a-Service (RaaS) model and that one group who rents the ransomware from its creators is targeting Israeli companies in particular.
    Ransom payments lead back to Iran

Profero, one of the local security firms currently providing incident response (IR) services to the many beleaguered Israeli companies, said today it tracked several payments Israeli companies made to Excoino, a cryptocurrency exchange based in Iran.

    This week @_CPResearch_ released an analysis of ransomware targeting Israeli SME dubbed “Pay2Key”. Using intelligence sources and our latest CryptoCurrency monitoring capabilities, we have been able to track the exit strategy of the threat actors leading to Iranian exchange. pic.twitter.com/64WzsonAjQ
    — Profero (@ProferoSec) November 11, 2020

    “The overall sophistication of both the WannaScream and Pay2Key ransomware waves is very average. The low level of sophistication with Pay2Key enabled us to track the bitcoin flow easily,” Moyal told ZDNet.
    “Our team pinpointed an exit strategy at Excoino, a cryptocurrency exchange based in Iran. This act is very uncommon for major ransomware operators,” the Profero exec added.
    “An experienced operator will go through mixing services, swapping between different coins via Binance sub-exchanges such as ChangeNow, or other less familiar exchanges such as coin2cards.
“We haven’t seen any of those in this case. This might indicate the origin of the attackers, though it can be a false flag, as we are all aware in our industry.”
    Profero’s findings and the links between Pay2Key and an Iran-based threat actor were also confirmed today by Check Point and a third source who spoke with ZDNet on the condition of anonymity.
    Check Point, who first spotted the Pay2Key ransomware wave last week, plans to publish an in-depth report on its newest findings and the Iranian links on Thursday.
    While payments have not been traced to Excoino for the WannaScream attacks, other indicators in the code and ransom negotiations process have also led Moyal and others to think that this ransomware group is also managed by an Iranian entity.
    Bugs and data loss for some victims
    Moyal’s assessment that both Pay2Key and WannaScream are unsophisticated operations was also confirmed by evidence from real-world incidents.
    For example, in some early Pay2Key incidents, the ransomware’s command-and-control servers didn’t release a decryption key to some victims that paid the ransom demand, leaving companies unable to recover their files.
    In the case of WannaScream, the ransomware decrypter, the app that victims receive to decrypt their files after paying the ransom demand, has also been throwing errors in some cases, similarly leaving companies unable to recover their data even after making payments.

In recent months, both Israel and Iran have accused each other of carrying out cyber-attacks against each other’s critical infrastructure [1, 2, 3].
At the time of writing, there was no evidence linking either the Pay2Key or the WannaScream attacks in Israel to an Iranian government entity beyond any doubt. Nonetheless, the door has been left open for future investigations.