More stories

  • Malware gangs love open source offensive hacking tools

    In the cyber-security field, the term OST refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.

    OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community.
    Today, OST is one of the most (if not the most) controversial topics in the information security (infosec) community.
    On one side, you have the people who are in favor of releasing such tools, arguing that they can help defenders learn and prepare systems and networks for future attacks.
    On the opposing side, you have those who say that OST projects help attackers reduce the cost of developing their own tools and hide their activities in a cloud of tests and legitimate pen-tests.
    An interactive map for OST usage
    These discussions have been taking place for more than a decade. However, they have always been based on personal experiences and convictions, and never on actual raw data.
    This is what Paul Litvak, a security researcher for cyber-security firm Intezer Labs, has tried to address earlier this month, in a talk at the Virus Bulletin security conference.
    Litvak compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread the adoption of OST projects was among hacking groups — such as low-level malware gangs, elite financial crime groups, and even nation-state sponsored APTs.
    The results were compiled in this interactive map.
    The most popular OSTs
    Litvak found that OSTs are broadly adopted across the entire cybercrime ecosystem. From famous nation-state groups like DarkHotel to cybercrime operations like TrickBot, many groups deployed tools or libraries that had been initially developed by security researchers but are now regularly used for cybercrime.
    “We found [that] the most commonly adopted projects were memory injection libraries and RAT tools,” Litvak said.
    “The most popular memory injection tool was the ReflectiveDllInjection library, followed by the MemoryModule library. For RATs [remote access tools], Empire, Powersploit and Quasar were the leading projects.”
    The lateral movement category was dominated by Mimikatz — to nobody’s surprise.
    UAC bypass libraries were dominated by the UACME library. However, Asian hacking groups appeared to prefer Win7Elevate, most likely due to Windows 7’s larger regional install base.
    The only OST projects that weren’t popular were those implementing credential-stealing features.
    Litvak believed this was because black-hats offer similar tools with superior features on underground hacking forums, and malware gangs chose to adopt those instead of the offensive tools released by the infosec community.
    Ways to mitigate broad OST abuse
    But Litvak made an even more interesting observation. The Intezer Labs researcher said that OST tools implementing complex features, which required a deeper level of understanding to use, were also rarely employed by attackers — even when their offensive hacking capabilities were obvious.
    Based on this observation, Litvak argues that security researchers who wish to release offensive hacking tools in the future should take the same approach and deliberately introduce complexity into their code, to dissuade threat actors from adopting their toolsets.
    If this isn’t possible, Litvak argued that security researchers should at least make their code unique by “sprinkl[ing] the library with special or irregular values” in order to allow easy fingerprinting and detection.
    “For example, such an approach was adopted by the author of Mimikatz, where a generated ticket’s lifetime is left to 10 years by default – a highly irregular number,” Litvak said.
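    The following Python is an added example, not part of the article or of Litvak's research: it turns the fingerprinting point above into a defender-side check by scanning constructed Kerberos ticket records and flagging lifetimes far beyond Active Directory's default 10-hour ticket policy, which is exactly where a 10-year Mimikatz default stands out. The key=value record format, the sample tickets and the assumption of default domain policy are all constructed for the example.

```python
"""Flag Kerberos tickets whose lifetime is far beyond domain policy.

Added example, not from the article or from Litvak's research. AD's default
"Maximum lifetime for user ticket" is 10 hours (renewal up to 7 days), so a
ticket valid for 10 years, Mimikatz's default, stands out. The key=value
record format and every sample ticket below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Assumption: the domain runs with default Kerberos policy values.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)
SLACK = timedelta(hours=1)  # tolerance for clock skew and export rounding


@dataclass
class Ticket:
    client: str
    service: str
    start: datetime
    end: datetime
    renew_until: Optional[datetime]

    @property
    def lifetime(self) -> timedelta:
        return self.end - self.start


def parse_ticket(line: str) -> Optional[Ticket]:
    """Parse one constructed 'key=value ...' record; None if malformed."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not value:
            return None
        fields[key] = value
    try:
        renew = fields.get("renew_until")
        return Ticket(
            client=fields["client"],
            service=fields["service"],
            start=datetime.fromisoformat(fields["start"]),
            end=datetime.fromisoformat(fields["end"]),
            renew_until=datetime.fromisoformat(renew) if renew else None,
        )
    except (KeyError, ValueError):
        return None


def suspicious_reasons(t: Ticket) -> List[str]:
    """Return why a ticket looks forged; an empty list means it fits policy."""
    reasons = []
    if t.lifetime <= timedelta(0):
        reasons.append("end time is not after start time")
    elif t.lifetime > MAX_TICKET_LIFETIME + SLACK:
        reasons.append(f"lifetime {t.lifetime} exceeds policy max {MAX_TICKET_LIFETIME}")
    if t.renew_until is not None and t.renew_until - t.start > MAX_RENEW_LIFETIME + SLACK:
        reasons.append(f"renewable for {t.renew_until - t.start}, policy max {MAX_RENEW_LIFETIME}")
    return reasons


def scan(records: Iterable[str]) -> List[dict]:
    """Return one finding per record that violates policy or cannot be parsed."""
    findings = []
    for number, line in enumerate(records, start=1):
        ticket = parse_ticket(line)
        reasons = suspicious_reasons(ticket) if ticket else ["unparseable record"]
        if reasons:
            client = ticket.client if ticket else None
            findings.append({"line": number, "client": client, "reasons": reasons})
    return findings


# Constructed sample records: a normal 10-hour TGT, a forged 10-year TGT,
# and one truncated line as a broken export would leave it.
SAMPLE_RECORDS = [
    "client=jdoe service=krbtgt/CORP.EXAMPLE start=2020-10-12T09:00:00 "
    "end=2020-10-12T19:00:00 renew_until=2020-10-19T09:00:00",
    "client=Administrator service=krbtgt/CORP.EXAMPLE start=2020-10-12T09:00:00 "
    "end=2030-10-10T09:00:00 renew_until=2030-10-10T09:00:00",
    "client=svc_backup service=cifs/fs01.corp.example start=2020-10-12T09",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

    The same check can be fed exported ticket caches from a domain, provided the export is first mapped onto the record fields used here.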
    The researcher’s talk is also embedded below. A PDF version of his research is available here.

  • Amazon's Alexa is driving IT managers crazy

    They’re hooking these things up to the company network? Quite bonkers.
    Tech companies like to believe they’re inherently fascinating.

    Everything they do carries with it a large portent of the future.
    They perform research to back up their case, often coupled with a dramatic headline. 
    This is a sample that just crossed my eyes. I mean, literally crossed my eyes: “IoT, Authentication and Cloud Services Drive Staggering Increase in PKI adoption and in Certificate Volume.” 
    Naturally, I was staggered. So much so that I looked further. There were many numbers and many words, densely packed together.
    I needed to concentrate. For this was the annual Global PKI and IoT Trends Study, performed by the Ponemon Institute on behalf of security company nCipher, which is now owned by Entrust. Which will surely soon be bought by a company called Enlighten, Enhance or, I don’t know, Enematronics.
    Last year, I perused this study and offered the thought that IT and security professionals believe regular employees are just the worst.
    Well, here we are again and things don’t seem to have got much better. More than 6,000 IT and security professionals were interviewed for this study and I detected that the understandably dry presentation concealed their rabid need to ululate in public and retrain as fire-eaters.
    I also detected a touch of hypocrisy in at least one element of their beings.
    I therefore asked John Grimm, Entrust’s vice president strategy for digital solutions, whether my suspicions had validity.
    This study seems to reveal that IT people are being driven demented by the fact that they have no idea what sort of Internet of Things devices are being connected to their corporate networks.
    What sort of employee does that? (My suspicions fall upon the people in sales and, well, senior executives who think they can do anything.)
    Grimm explained: “This is often consumer devices that the user is using for convenience. An Alexa for verbal commands, a smartwatch for email on the go, a connected coffee pot to have coffee ready for the first worker in.”
    How painfully modern to think that employees need Amazon’s Alexa to function at work. And a connected coffee pot? Is it too much trouble to make your own nut-milk latte when you get there? It seems not.
    “The danger is that these devices aren’t typically secured by design,” Grimm told me. “They can basically be like an open door or window to the network that an attacker uses as a means to get on the network and look for more valuable resources — intellectual property, personal information, and more.”
    Essentially, then, corporate IT departments are now making it a priority to find devices that careless or halfwitted employees have hooked up so that they can have an easy morning.
    “Once IT teams prioritize discovery and employ tools to scan the network for such devices, they can decide whether to allow them to remain, blacklist them, or add security agents to them before allowing ongoing connectivity,” Grimm told me.
    At this point, I felt deep sympathy with the IT community, as they desperately try to keep corporations away from another embarrassing headline.
    But then I noticed another oddity, one that was equally disturbing.
    It seems that these IT professionals put securing delivery of patches and updates to IoT devices as their lowest priority. This despite the fact that they ranked altering the function of a device (say, by loading malware) as the biggest thing to fear.
    I sensed Grimm might find this somewhat frustrating. Or even a touch hypocritical.
    “It’s like replacing the tires on your car when the brakes aren’t working,” he told me. I thought I detected the rolling of eyeballs and the gritting of teeth.
    I see swathes of hope in all this.
    Employees remain perfectly human, failing to anticipate the most dramatic issues because they’re enthralled by the mundane things technology can do for them. (And goodness do they whine when the network is suddenly down for urgent maintenance.)
    IT and security professionals are also perfectly human. They might seem like automatons, but they’re just as willfully inconsistent and maddeningly myopic as everyone else.

  • Here's how many Americans still secretly use their ex's passwords

    In our tech-first world, is full digital transparency between couples actually required in a relationship? And how dangerous could our oversharing be?
    If you are in a relationship, but are not married, do you share your passwords with your significant other? It seems that most Americans do.

    A recent survey by British Virgin Islands-based VPN service provider ExpressVPN asked 1,506 American adults in an exclusive (non-married) relationship to find out their password sharing habits across social media platforms.
    The survey showed that couples share a variety of passwords with each other, and they most commonly share within the first six months of dating.
    The most commonly shared passwords between couples are for video streaming (78%), mobile devices (64%), and music streaming (58%). Almost half (47%) of Americans in a relationship share social media passwords and 38% share their personal email passwords.
    Most services, apart from social media and mobile device accounts (which are shared most with family), are more commonly shared with a significant other than family or friends.
    Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).
    Among those sharing video streaming services, Netflix (86%), Hulu (57%), and Amazon Prime Video (52%) are shared most with a significant other.
    Millennials and Generation Z are also more likely to share passwords with their significant others across all platforms, as compared to older folks.
    Among people who do not share passwords with anyone, the most common objection is that the same username and password combination is often used for additional accounts.
    Overall, respondents are most concerned about personal data privacy in regard to sharing login information for mobile wallets (72%), personal email (68%) and social media accounts (68%).
    Over one in four (26%) confess they have shared someone else’s login information for a video streaming account without their consent. Almost one in three (30%) say they have had their own login information used without their consent.
    Among respondents, men are more guilty than women of still secretly using an ex’s login information / password post-break up:
    Image: ExpressVPN

    Over one in four (26%) currently use their ex’s game streaming services account and online news subscriptions (26%). A quarter (25%) access their ex’s photo sharing program, and food/grocery delivery sites.
    Almost one in four (23%) currently access social media accounts, mobile wallets, music, and video streaming services and one in five access their ex’s personal email accounts.
    One in four (25%) respondents confess to currently tracking an ex’s real-time location, and 30% confess to secretly logging in to an ex’s social media account at least once, with 23% admitting to still doing so currently.
    It is not surprising that over one in three (36%) of respondents indicate regret in sharing passwords with a significant other, either during the relationship or after a breakup—with men feeling more regretful than women (40% vs. 32%).
    Harold Li, vice president, ExpressVPN said: “Unfortunately, password sharing can lead to risks beyond cybersecurity and potentially be used as a tool of coercive control or abuse in relationships.”
    Swapping passwords is a 21st-century rite of passage in a relationship but it seems to be a slippery slope to digital mistrust and could pose a serious threat to personal privacy and cybersecurity.

  • Bitcoin wallet update trick has netted criminals more than $22 million

    A simple technique has helped cybercrime gangs steal more than $22 million from users of the Electrum wallet app, a ZDNet investigation has discovered.
    This particular technique was first seen in December 2018. Since then, the attack pattern has been reused in multiple campaigns over the past two years.
    ZDNet has tracked down multiple Bitcoin accounts where criminals have gathered stolen funds from attacks they carried out over the course of 2019 and 2020, with some attacks taking place as recently as last month, in September 2020.
    Reports from victims submitted to Bitcoin abuse portals reveal the same story.
    Users of the Electrum Bitcoin wallet app received an unexpected update request via a popup message, they updated their wallet, and funds were immediately stolen and sent to an attacker’s Bitcoin account.

    This technique works because of the inner workings of the Electrum wallet app and its backend infrastructure.
    To process any transactions, Electrum wallets are designed to connect to the Bitcoin blockchain through a network of Electrum servers — known as ElectrumX.

    Image: Peter Kacherginsky
    However, while some wallet applications control who can manage these servers, things are different in Electrum’s open ecosystem, where everyone can set up an ElectrumX gateway server.
    Since 2018, cybercrime gangs have been abusing this loophole to spin up malicious servers and wait for users to randomly connect to their systems.
    When this happens, the attackers instruct the server to show a popup on the user’s screen, telling the user to visit a URL and download and install an Electrum wallet app update.

    Image: SoberNight

    Image: Peter Kacherginsky
    Usually, this update download link is not for the official Electrum website, located at electrum.org, but to lookalike domains or GitHub repositories.
    If users don’t pay attention to the URL, they end up installing a malicious version of the Electrum wallet, which, the next time the user tries to use it, will ask for a one-time passcode (OTP).
    Normally, these codes are only requested before sending funds, and not at the Electrum wallet’s startup. If users enter the requested code — and most do, thinking they are using the official wallet — they effectively authorize the malicious wallet to transfer all of their funds to an attacker’s account.
    Since December 2018, users have reported around ten Bitcoin accounts being used in what’s currently known as the “fake Electrum update scam.”
    These wallets currently hold 1,980 bitcoin, roughly just over $22 million at today’s exchange rate. Taking into account the 202 bitcoin stolen in our original December 2018 report, this brings the total to more than $24.6 million stolen with one simple technique.
    However, it must be said that a large chunk of these funds appear to have been stolen in one single incident in August, when a user reported losing 1,400 bitcoin (~$15.8 million) after updating an Electrum wallet.
    Since this technique was first seen in late 2018, the Electrum team has taken several steps to mitigate this attack.
    They first implemented a server blacklisting system on ElectrumX servers to block malicious additions to their networks, and they also added an update preventing servers from showing HTML-formatted popups to end users.
    Nevertheless, a malicious server usually slips through the cracks here and there, and the attack still works very well against Bitcoin users still running older versions of the Electrum wallet app to manage funds.

  • Ransomware operators now outsource network access exploits to speed up attacks

    Ransomware operators are now turning to network access sellers in their droves to cut out a difficult step in the infection process. 

    On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers. 
    According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, buying network access points and already compromised ways to infiltrate a target system is rising in popularity, including the purchase of stolen credentials and vulnerabilities.
    During attacks, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints may all be used to deploy this particular family of malicious code, leading to the encryption of files and disks, and a demand for payment in return for a decryption key.
    It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these specific attacks often go unreported, with only major incidents — such as the recent death of a woman in need of urgent care who was forced to divert from Duesseldorf hospital due to a ransomware infection — becoming public knowledge. 
    Paying a ransom these days can reach six-figure sums, or more, depending on the target and their estimated worth. Now, ransomware groups are seeking to cut out the initial access stage of an attack, speeding up the process — and potentially the opportunity for illicit revenue.
    Network access sellers typically develop an initial vulnerability and then sell their work in underground forums for anywhere between $300 and $10,000. 
    The majority of network access offerings in the underground will include the target by industry and the type of access, ranging from Citrix to Remote Desktop Protocol (RDP), and may also document the number of machines detected on the network. 
    “Since the start of 2020 and the emergence of the now-popular “ransomware with data theft and extortion” tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise,” the researchers say. “A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.”
    As of September this year, Accenture has tracked over 25 persistent network access sellers — alongside the occasional one-off — and more are entering the market on a “weekly basis.” 
    Many of the sellers are active on the same underground forums haunted by ransomware groups including Maze, NetWalker, Sodinokibi, Lockbit, and Avaddon. 
    Sellers have now begun touting their offerings on single forum threads, rather than separate posts, and RDP remains a popular option for network access. In an interesting twist, rather than sell off a zero-day vulnerability to one buyer, some traders are using these unpatched bugs to exploit numerous corporate networks and sell access to threat actors in separate bundles to generate additional revenue.
    Citrix and Pulse Secure VPN clients are also being mentioned in adverts. 
    “Network access sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the COVID-19 pandemic,” Accenture says. “This symbiotic relationship [sellers and cyberattackers] facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Ransomware is growing: Here are four ways attackers are getting into your systems

    The impact of ransomware continues to grow. According to data from global investigations firm Kroll, ransomware was the most common security issue it has been called in to deal with in 2020, with ransomware attacks accounting for over one-third of all cases up to September.
    And here’s how attackers are getting in: in nearly half (47%) of the ransomware cases Kroll has investigated, gangs used the open remote desktop protocol, a tool that has been used by many companies to help staff work from home, but which can also give attackers a way in if it is not correctly secured. 
    More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number used particular vulnerability exploits (17%), including — but not limited to — Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. This was followed by account takeovers, at 10%. 

    How are ransomware gangs getting into organisations?
    Image: Kroll
    Kroll said it had seen three sectors struck especially hard this year: professional services, healthcare, and technology and telecoms. That’s in contrast to recent data from IBM, which suggested that manufacturing, the professional services sector and government were the most likely to be hit.
    Ryuk, Sodinokibi and Maze were the top three ransomware variants causing problems in 2020, according to Kroll, comprising 35% of all cyber-attacks. Ransomware tends to cycle through periods of activity before going quiet again, as the developers work to upgrade it before returning to action. As such, Kroll said it had seen a resurgence in Ryuk attacks recently.
    Many ransomware variants are now stealing copies of corporate data and threatening to publish it: specifically, by downloading between 100GB and 1TB of proprietary or sensitive data to maximize the pressure to pay the ransom. Kroll said 42% of its cases with a known ransomware variant were connected to a ransomware group actively exfiltrating and publishing victim data.
    In some cases, ransomware gangs have been reneging on promises to delete data after the first ransom is paid and demanding a second payment, it warned. Gangs can also up the pressure in different ways: Maze claims that credentials harvested from non-paying victims will be used for attacks against the victims’ partners and clients, while one of Kroll’s healthcare clients found that the gang had sent emails directly to their patients threatening to expose their personal health data.
    Beyond ransomware, Kroll said business email compromise (BEC) remained a top threat for organisations and was involved in 32% of cases, followed by unauthorised access to systems.
    Devon Ackerman, head of incident response at Kroll North America, said: “We have seen a predictable surge in cyber-attacks so far in 2020 as the COVID-19 pandemic has given malign actors increased opportunities to cause havoc. The ongoing evolution of ransomware creators is constantly shifting the goalposts for those trying to defend data and systems, so vigilance must remain at the top of CIOs’ to-do list.”
    Making it harder for ransomware gangs to gain that initial access is probably the best way of protecting your organisation from attack, which means ensuring that essential security steps are taken. This includes blocking any unnecessary RDP access, securing all remote access with strong two-factor authentication, ensuring that all software is patched and up to date, as well as ensuring that staff are trained to spot phishing emails. 
    Having up-to-date backups that are not connected to the corporate network is also recommended.

  • Microsoft and others orchestrate takedown of TrickBot botnet


    A coalition of tech companies has announced today a coordinated effort to take down the backend infrastructure of the TrickBot malware botnet.
    Companies and organizations which participated in the takedown included Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec.
    Preceding the takedown were investigations from all participants into TrickBot’s backend infrastructure of servers and malware modules.
    Microsoft, ESET, Symantec, and partners spent months collecting more than 125,000 TrickBot malware samples, analyzing their content, and extracting and mapping information about the malware’s inner workings, including all the servers the botnet used to control infected computers and serve additional modules.
    With this information in hand, Microsoft went to court this month and asked a judge to grant it control over TrickBot servers. Read a copy of the legal documents here.
    “With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers,” Microsoft said in a press release today.
    Efforts are now being taken together with internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world to notify all infected users.
    TrickBot had infected more than one million computers
    According to the coalition’s members, the TrickBot botnet had infected more than one million computers at the time of its takedown. Some of these infected systems also included Internet of Things (IoT) devices.
    The TrickBot botnet was one of today’s biggest botnets.
    The malware first started out in 2016 as a banking trojan before shifting into a multi-purpose malware downloader that infected systems and provided access to other criminal groups using a business model known as MaaS (Malware-as-a-Service).
    Together with Emotet, the TrickBot botnet has been one of today’s most active MaaS platforms, often renting access to infected computers to ransomware gangs such as Ryuk and Conti.
    However, the TrickBot gang also deployed banking trojans and infostealer trojans, and also provided access to corporate networks for BEC scammers, industrial espionage gangs, and even nation-state actors.
    This is the second major malware botnet that has been taken down this year after Necurs in March.
    The success of this takedown is, however, yet to be seen. Many other botnets have survived similar takedowns in the past. The best example of this is the Kelihos botnet, which survived three takedown attempts, rebuilding from scratch and continuing to operate.

  • Twitter slaps warning on President Trump tweet claiming coronavirus immunity

    US President Trump has become subject to another fact-check warning on social media after claiming immunity to COVID-19.

    In a tweet posted on Sunday, the US president claimed that physicians at the White House have given him a clean bill of health, and as a result, he is now “immune” to further infection by the novel coronavirus. 
    Trump also claimed he is no longer contagious. 
    “A total and complete sign off from White House Doctors yesterday,” the tweet reads. “That means I can’t get it (immune), and can’t give it. Very nice to know!!!”
    After the message was published, Twitter slapped a warning label on the tweet. The microblogging platform says the tweet “violated the Twitter Rules about spreading misleading and potentially harmful information related to COVID-19.”

    There are currently no concrete indicators that immunity from COVID-19 is assured following infection, and if resistance is built up due to the production of antibodies, it is not possible to know if an immune response is strong enough to fight off another case of the respiratory illness. 
    In a statement on Saturday, White House physician Sean Conley said that Trump was no longer considered a “transmission risk to others,” but did not disclose if the president is now testing negative.
    While Twitter may wipe out such messages and remove profiles entirely if they are spreading fake content surrounding the pandemic, as Trump is a significant political figure, the organization has chosen to keep the tweet accessible in the public interest. 
    This is not the first time the US president has fallen afoul of Twitter’s rules. In May, a tweet posted by the US president was hidden with a warning due to the “glorification of violence.” Trump had commented on the riots and protests in the aftermath of George Floyd’s death, saying: “when the looting starts, the shooting starts.”
    Trump has previously blasted Twitter for “interfering” with the US 2020 election due to the platform’s fact-checking policies. 
    Facebook pulled a video from Trump’s Facebook page in August in which the president claimed children were “virtually immune” to COVID-19.
    The 74-year-old US official made his latest COVID-19 claims as he gears up to resume his campaign trail. With roughly three weeks to go before the US election and the final showdown with Democrat rival Joe Biden on November 3, Trump will first appear in Sanford, Florida, before attending planned rallies in Iowa and North Carolina this week. 