More stories

  • 800,000 SonicWall VPNs vulnerable to new remote code execution bug

    Image: SonicWall
    Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability that was disclosed on Wednesday.

    Discovered by the Tripwire VERT security team, CVE-2020-5135 impacts SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.
    SonicWall NSAs are used as firewalls and SSL VPN portals to filter, control, and allow employees to access internal and private networks.
    Tripwire researchers say SonicOS contains a bug in a component that handles custom protocols.
    The component is exposed on the WAN (public internet) interface, meaning any attacker can exploit it, as long as they’re aware of the device’s IP address.
    Tripwire said exploiting the bug is trivial even for unskilled attackers. In its simplest form, the bug can cause a denial of service and crash devices, but “a code execution exploit is likely feasible.”
    The security firm said it reported the bug to the SonicWall team, which released patches on Monday.
    On Wednesday, when it disclosed the CVE-2020-5135 bug on its blog, Tripwire VERT security researcher Craig Young said the company had identified 795,357 SonicWall VPNs that were connected online and were likely to be vulnerable.
    CVE-2020-5135 is considered a critical bug, with a rating of 9.4 out of 10, and is expected to come under active exploitation once proof-of-concept code is made publicly available. Exploiting the vulnerability doesn’t require the attacker to have valid credentials as the bug manifests before any authentication operations.
    The bug is also SonicWall’s second major bug this year, after CVE-2019-7481, disclosed earlier this winter.
    Tenable and Microsoft researchers have this week shared Shodan dorks for identifying SonicWall VPNs and getting them patched.

  • Card details for 3 million Dickey's customers posted on carding forum

    Image: BlueMauMau on Flickr
    The card details of more than three million customers of Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, have been posted this week on a carding and fraud marketplace known as Joker’s Stash.
    The discovery was made by Gemini Advisory, a cyber-security firm that tracks financial fraud.
    “We worked with several partner financial institutions who independently confirmed our findings,” a Gemini Advisory spokesperson said in response to a report the company shared with ZDNet today.
    The company said it discovered the breach earlier this week after cybercriminals began advertising a massive collection of payment card details named “Bleeding Sun.”

    Image: ZDNet
    After analyzing the data together with its financial partners, Gemini said the data appears to have been obtained after hackers compromised the in-store Point-of-Sale (POS) system used at Dickey’s restaurants.
    Gemini says hackers appear to have compromised 156 of Dickey’s 469 locations, with the compromised restaurants spread across 30 states and the highest exposure in California and Arizona.

    Image: Gemini Advisory (supplied)
    The security firm said the card data appears to have been collected between July 2019 and August 2020.
    The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.
    When reached for comment on today’s report, Dickey’s provided the following statement, indicating that the company is still investigating the incident.
    “We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

  • Ubisoft, Crytek data posted on ransomware gang's site

    A ransomware gang going by the name of Egregor has leaked data it claims to have obtained from the internal networks of two of today’s largest gaming companies — Ubisoft and Crytek.
    Data allegedly taken from each company has been published on the ransomware gang’s dark web portal on Tuesday.
    Image: ZDNet
    Details about how the Egregor gang obtained the data remain unclear.
    Ransomware gangs like Egregor regularly breach companies, steal their data, encrypt files, and ask for a ransom to decrypt the locked data.
    However, in many incidents, ransomware gangs also get caught and kicked out of networks during the data exfiltration process, and files are never encrypted. Nevertheless, they still extort companies, asking victims for money not to leak sensitive files.
    Usually, when negotiations break down, ransomware gangs post a partial leak of the stolen files on so-called leak sites.
    On Tuesday, leaks for both Crytek and Ubisoft were posted on the Egregor portal at the same time, with threats from the ransomware crew to leak more files in the coming days.
    For the Ubisoft leak, the Egregor group shared files to suggest they were in possession of source code from one of the company’s Watch Dogs games. On its web portal, the group touted they were in possession of the source code for the Watch Dogs: Legion game, scheduled to be released later this month. It was, however, impossible to verify that these files came from the new game, rather than an existing release.

    Image: ZDNet
    For the past year, security researchers have tried to reach out and notify Ubisoft about several of its employees getting phished, with no results, which may provide a clue as to how the hackers got in.
    But while hackers leaked only 20 MB from Ubisoft, they leaked 300 MB from Crytek, and this data contained a lot more information.
    The Crytek files included documents that appeared to have been stolen from the company’s game development division. These documents contained resources and information about the development process of games like Arena of Fate and Warface, but also Crytek’s old Gface social gaming network.

    Image: ZDNet
    Neither Ubisoft nor Crytek responded to emails seeking comment on the leaks. Neither company reported a major security incident in recent weeks, nor any abnormal and prolonged downtime, suggesting the Egregor intrusion likely didn’t impact cloud and gaming systems but only backend office and work networks, where most ransomware incidents usually cause damage.
    However, in an email interview with ZDNet, the Egregor gang provided more details about the two incidents. The ransomware operators said they breached the Ubisoft network, but only stole data, and did not encrypt any of the company’s files.
    On the other hand, “Crytek has been encrypted fully,” the Egregor crew told ZDNet.
    The Egregor group said that neither company engaged in discussions, despite their intrusions, and no ransom has been officially requested yet.
    “In case Ubisoft will not contact us we will begin posting the source code of upcoming Watch Dogs and their engine,” the group threatened, promising to publish more data in a press release tomorrow.

  • US charges QQAAZZ group for laundering money for malware gangs

    Image: SWIFT
    The US Department of Justice has unsealed today charges against 14 members of an international money laundering group known as QQAAZZ.

    US authorities said the group has been active since 2016 and operated by advertising its services on Russian-speaking hacker forums.
    There, the group established connections with some of today’s largest malware operations, including the likes of operators of malware botnets like Dridex, Trickbot, and GozNym.
    According to the DOJ, QQAAZZ members operated a large network of bank accounts and money mules that allowed malware gangs to funnel money from hacked accounts to new, clean destinations.
    QQAAZZ members were organized in a business-like hierarchy. Leaders would handle customer communications, mid-level managers recruited money mules, and money mules opened bank accounts and picked up money from ATMs when needed.
    US officials said the group managed a huge network of bank accounts around the world using fake identities and shell companies.
    These accounts would serve as landing spots for funds received from hacks, malware infections, and other cybercrime operations. The money would travel through the QQAAZZ accounts and get converted into cryptocurrency.
    The cryptocurrency would then be passed through a “tumbling” service to anonymize the transactions further, and the funds would be returned to the cybercrime groups, with QQAAZZ operators retaining a cut of 40% to 50% for their efforts.
    20 arrests made in a transnational operation
    Besides the 14 suspects charged today [indictment PDF], the DOJ said it also charged five others in October 2019 [indictment PDF].
    US authorities said that while charges were filed in the US, this was an international crackdown against the QQAAZZ group, and other criminal prosecutions were initiated in other countries, such as Portugal, Spain, and the US.
    Sixteen countries were involved in an international operation against QQAAZZ, which Europol named “Operation 2BaGoldMule.”
    As part of this crackdown, Europol said participant countries carried out more than 40 house searches across Latvia, Bulgaria, the United Kingdom, Spain and Italy, and made 20 arrests.

    Image: Europol

  • Iranian state hacker group linked to ransomware deployments

    Security researchers said they found clues linking recent attacks with the Thanos ransomware to a group of Iranian state-sponsored hackers.


    While investigating security incidents at several prominent Israeli organizations, security researchers from ClearSky and Profero said they linked the intrusions to MuddyWater, a known Iranian state-sponsored hacking group.
    The intrusions followed similar patterns, with two tactics being recorded.
    MuddyWater would use phishing emails carrying malicious Excel or PDF documents that, when opened, would download and install a malware strain from the hackers’ servers.
    In the second scenario, MuddyWater would scan the internet for unpatched Microsoft Exchange email servers, exploit the CVE-2020-0688 vulnerability, install a web shell on the server, and then download and install the same malware seen before.
    But ClearSky says this second-stage malware wasn’t just any piece of malicious code, but a strain that has been seen and documented only once before.
    Named PowGoop, this PowerShell-based threat has been seen only once in early September and was used to install the Thanos ransomware, according to a report from fellow security firm Palo Alto Networks. Other Thanos (or Hakbit) ransomware attacks have used other malware strains to deploy the ransomware, namely the ubiquitous GuLoader, a completely different malware strain, written in Visual Basic 6.0.
    In a report shared with ZDNet today, ClearSky says it stopped the intrusions before attackers could do any harm, but the company is now raising the alarm about all past Thanos ransomware incidents.
    In an interview this week, ClearSky security researchers told ZDNet they believe MuddyWater would have tried to install the Thanos ransomware as a means to hide their attacks and destroy evidence of intrusions by encrypting files on hacked networks.
    The tactic of deploying ransomware to hide intrusions has been used before by other state-sponsored operations and has been well documented.
    Past Thanos ransomware attacks now need to be revisited and searched for evidence in a new light. Was the attack a cybercrime group, or was it Iranian hackers?
    The question needs to be asked because Thanos, which is offered as a Ransomware-as-a-Service, is rented on Russian-speaking hacker forums and is believed to be employed by multiple threat groups.

    But recent versions of the Thanos ransomware also come with a component that rewrites the computer’s MBR and prevents systems from booting. These types of attacks can be extremely disruptive, as systems could be temporarily bricked and might need to be restored from scratch.
    ClearSky researcher Ohad Zaidenberg told ZDNet that he believes MuddyWater dipping its toe into ransomware deployments might also be related to the recent mounting political tensions and back-and-forth cyberattacks between Iran and Israel.
    MuddyWater has a long history of hacks, but most past operations were geared towards very stealthy intelligence collection. Ransomware, in any form, is not stealthy and can be very destructive, especially when threat actors choose not to honor ransom payments and deliver decryption keys, something that Zaidenberg says could be a possibility, especially when viewed in the current political context.

  • Microsoft: CHERI architecture could slash the number of security patches we release a year

    Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019.
    As Microsoft has previously outlined, 70% of all security bugs over the past decade have been memory-safety bugs, which occur when software reads or writes memory outside the bounds of what was allocated to it.

    The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++. As Microsoft recently explained, it’s exploring Rust and other avenues because it’s reaching the limits of what it can do to prevent memory issues. 
    “We need to look out to the industry to see what the best alternative to C++ is. And it turns out that language is a language called Rust,” Microsoft Rust expert Ryan Levick said earlier this year in a talk about systems programming.
    Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.
    Work on the CHERI Instruction-Set Architectures (ISAs) is underway at Cambridge University in partnership with RISC chip-designer Arm and Microsoft. CHERI has similar goals to Project Verona, Microsoft’s experimental Rust-inspired language development for safe infrastructure programming.
    CHERI “provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits”, said Nicolas Joly, Saif ElSherei, and Saar Amar of the Microsoft Security Response Center (MSRC).
    The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues. 
    Cambridge University explains that “CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization”.
    Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.
    CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month’s Patch Tuesday update, which regularly exceed 100 patches a month.
    Microsoft is open to the possibility that even when enabling CHERI’s strictest protections, it could be cheaper to make existing code CHERI-compatible than rewriting existing code in a memory-safe language, such as Rust or Project Verona’s Rust-inspired variant.
    The Microsoft team reviewed the seventh version of CHERI ISA, the latest version of CHERI. The researchers also used CheriBSD, based on the FreeBSD operating system with memory protection and software compartmentalization features supported by the CHERI ISA.
    “We conservatively assessed the percentage of vulnerabilities reported to the Microsoft Security Response Center in 2019 and found that approximately 31% would no longer pose a risk to customers and therefore would not require addressing through a security update on a CHERI system based on the default configuration of the CheriBSD operating system,” the Microsoft researchers wrote in the research paper.
    With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.
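    The two properties the passage leans on, that bounds and permissions travel with the pointer and are checked on every access, and that a derived pointer can only narrow its authority, are easier to see in a small model. The following Python is an added illustration, not CHERI’s ISA, CheriBSD code, or anything from Microsoft’s study; the `Capability` and `Memory` classes, the 32-byte address space and the 8-byte buffer placed next to a 1-byte flag are all constructed for the demo.

```python
"""Toy model of CHERI-style capabilities.

Added illustration for this article; it is not CHERI's ISA, CheriBSD, or
Microsoft's analysis.  It models two properties the text describes: bounds and
permissions travel with the pointer and are checked on every access, and a
derived capability can only narrow its bounds, never widen them.
"""
from dataclasses import dataclass, replace


class CapabilityFault(Exception):
    """Stands in for the hardware exception a CHERI core raises on a bad access."""


@dataclass(frozen=True)
class Capability:
    base: int
    length: int
    cursor: int                 # the address being accessed
    perms: frozenset            # subset of {"load", "store"}
    tag: bool = True            # cleared whenever an operation would forge authority

    def bounded(self, new_base: int, new_length: int) -> "Capability":
        """Derive a narrower capability; an attempt to widen yields an untagged (useless) one."""
        inside = (self.base <= new_base
                  and new_base + new_length <= self.base + self.length)
        return replace(self, base=new_base, length=new_length,
                       cursor=new_base, tag=self.tag and inside)

    def offset(self, n: int) -> "Capability":
        """Pointer arithmetic moves the cursor but leaves the bounds untouched."""
        return replace(self, cursor=self.cursor + n)

    def drop_perm(self, perm: str) -> "Capability":
        """Permissions can be given up but never regained."""
        return replace(self, perms=self.perms - {perm})

    def check(self, perm: str) -> None:
        """The check a CHERI core performs on every load/store through this capability."""
        if not self.tag:
            raise CapabilityFault("untagged capability")
        if perm not in self.perms:
            raise CapabilityFault(f"missing {perm} permission")
        if not (self.base <= self.cursor < self.base + self.length):
            raise CapabilityFault(
                f"cursor {self.cursor} outside [{self.base}, {self.base + self.length})")


class Memory:
    def __init__(self, size: int) -> None:
        self.cells = bytearray(size)

    def load(self, cap: Capability) -> int:
        cap.check("load")
        return self.cells[cap.cursor]

    def store(self, cap: Capability, value: int) -> None:
        cap.check("store")
        self.cells[cap.cursor] = value


def unchecked_copy(mem: Memory, dst: int, src: bytes) -> None:
    """A conventional C pointer is just an address: an overlong src silently overruns."""
    for i, b in enumerate(src):
        mem.cells[dst + i] = b


def demo() -> tuple:
    """Overflow an 8-byte buffer that sits next to a 1-byte flag (constructed layout).

    Returns (flag after the unchecked copy, flag after the checked copy,
    bytes the checked copy stored before faulting)."""
    payload = b"A" * 9                      # one byte too long; the 9th lands on the flag
    root = Capability(base=0, length=32, cursor=0, perms=frozenset({"load", "store"}))

    mem = Memory(32)
    unchecked_copy(mem, 0, payload)
    flag_unchecked = mem.cells[8]           # 0x41: the neighbour was overwritten

    mem = Memory(32)
    buf = root.bounded(0, 8)                # what a CHERI-aware allocator would hand out
    written = 0
    try:
        for i, b in enumerate(payload):
            mem.store(buf.offset(i), b)
            written += 1
    except CapabilityFault:
        pass                                # the 9th store trapped; the flag is intact
    return flag_unchecked, mem.cells[8], written


if __name__ == "__main__":
    print(demo())                           # (65, 0, 8)
```

    The model leaves out CHERI’s compressed bounds encoding, sealing and the compartmentalization features, and it never claims to reproduce how the MSRC team scored individual bugs. The point it does show is why a bounds check enforced at every access lets a whole bug class be counted as deterministically mitigated rather than merely harder to exploit: the overrun is stopped at the first byte past the allocation, and no derived capability can ever be widened to reach the neighbour.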

  • New Emotet attacks use fake Windows Update lures

    In today’s cyber-security landscape, the Emotet botnet is one of the largest sources of malspam — a term used to describe emails that deliver malware-laced file attachments.
    These malspam campaigns are absolutely crucial to Emotet operators.
    They are the base that props up the botnet, feeding new victims to the Emotet machine — a Malware-as-a-Service (MaaS) cybercrime operation that’s rented to other criminal groups.
    To prevent security firms from catching up and marking their emails as “malicious” or “spam,” the Emotet group regularly changes how these emails are delivered and how the file attachments look.
    Emotet operators change email subject lines, the text in the email body, the file attachment type, but also the content of the file attachment, which is as important as the rest of the email.
    That’s because users who receive Emotet malspam, besides reading the email and opening the file, still need to allow the file to execute automated scripts called “macros.” Office macros only execute after the user has pressed the “Enable Editing” button shown inside an Office file.

    Image: Microsoft
    Tricking users to enable editing is just as important to malware operators as the design of their email templates, their malware, or the botnet’s backend infrastructure.
    Across the years, Emotet has developed a collection of boobytrapped Office documents that use a wide variety of “lures” to convince users to click the “Enable Editing” button.
    This includes:
    • Documents claiming they’ve been compiled on a different platform (i.e., Windows 10 Mobile, Android, or iOS) and the user needs to enable editing for the content to appear.
    • Documents claiming they’ve been compiled in older versions of Office and the user needs to enable editing for the content to appear.
    • Documents claiming to be in Protected View and asking the user to enable editing. (Ironically, the Protected View mechanism is the one blocking macros and showing the Enable Editing button/restriction.)
    • Documents claiming to contain sensitive or limited-distribution material that’s only visible after the user enables editing.
    • Documents showing fake activation wizards and claiming that Office activation has been completed and the user only needs to click enable editing to use Office; and many more.
    But this week, Emotet arrived from a recent vacation with a new document lure.
    File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button (don’t press it).

    Image: @catnap707/Twitter
    According to an update from the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.
    Per this report, on some infected hosts, Emotet installed the TrickBot trojan, confirming a ZDNet report from earlier this week that the TrickBot botnet survived a recent takedown attempt from Microsoft and its partners.
    These boobytrapped documents are being sent from emails with spoofed identities, appearing to come from acquaintances and business partners.
    Furthermore, Emotet often uses a technique called conversation hijacking, through which it steals email threads from infected hosts, inserts itself into the thread with a reply spoofing one of the participants, and adds the boobytrapped Office documents as attachments.
    The technique is hard to spot, especially for users who handle business email all day, and that is why Emotet so often manages to infect corporate or government networks.
    In these cases, training and awareness are the best way to prevent Emotet attacks. Users who work with email regularly should be made aware of the danger of enabling macros inside documents, a feature that is very rarely used for legitimate purposes.
    Knowing what the typical Emotet lure documents look like is also a good start, as users will be able to dodge the most common Emotet tricks when one of these emails lands in their inbox, even from a known correspondent.
    Below is a list of the most popular Emotet document lures, according to a list shared with ZDNet by security researcher @ps66uk.

    [Gallery of Emotet lure document screenshots; image credits: Cryptolaemus, Sophos, @pollo290987/Twitter, @ps66uk/Twitter, @JAMESWT_MHT/Twitter, @Myrtus0x0/Twitter, @catnap707/Twitter]
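    Every lure above depends on the same thing, a VBA project inside the attachment, and that gives defenders a cheap triage check that does not rely on recognizing the lure artwork. The following Python is an added example, not code from the article or from Cryptolaemus, @ps66uk or any other researcher it cites. It opens an attachment as an OOXML zip and flags a VBA project (the `vbaProject.bin` part or its content-type registration), reports a macro project hiding behind a macro-free extension such as `.docx`, and routes legacy OLE2 binaries for deeper review; the sample documents it builds in memory are constructed placeholders, not real lures.

```python
"""Triage Office attachments for embedded VBA macros.

Added example for this article; not code from ZDNet or from any researcher it
cites.  Assumes the OOXML (zip-based) layout of .docx/.docm/.xlsx/.xlsm files and
builds its own constructed sample documents so it runs offline.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}          # formats that should never carry a VBA project


def has_vba_macros(data: bytes) -> bool:
    """True if an OOXML package contains a VBA project (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Second indicator: the package registers the VBA content type even if the part was renamed.
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment for a mail-gateway or incident-response triage queue."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats can hold macros too but need an OLE parser (e.g. oletools' olevba).
        return "legacy-binary-review"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    if has_vba_macros(data):
        # A VBA project behind a macro-free extension is suspicious on its own.
        return "macro-enabled-extension-mismatch" if ext in MACRO_FREE_EXTS else "macro-enabled"
    return "no-macros"


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package in memory (a constructed stand-in, not a real lure)."""
    override = (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                if with_macros else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   f"{override}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments covering each verdict the triage function can return.
    samples = {
        "update_notice.docm": build_sample_docx(True),
        "invoice.docx": build_sample_docx(True),     # macros behind a macro-free extension
        "minutes.docx": build_sample_docx(False),
        "old_report.doc": OLE2_MAGIC + b"\x00" * 64,
        "readme.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name:20} -> {triage_attachment(name, blob)}")
```

    The check is deliberately structural rather than signature-based: it does not try to recognize a particular lure, only whether the document can run code at all, which is the property the article says is almost never needed for legitimate mail. Anything that lands in the two macro verdicts or in the legacy-review bucket is a candidate for quarantine or for a real macro parser such as olevba; the extension-mismatch verdict is worth its own alert because it signals an attachment that was renamed to look harmless.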

  • Cyberattack on London council still having 'significant impact'

    Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services.
    Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.


    “The attack is continuing to have a significant impact on council services and we ask residents to not contact us unless absolutely necessary,” it said.
    In an update on the situation the council said that its staff are working with the National Cyber Security Centre, National Crime Agency, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the cyberattack on its servers. It has also reported the incident to the Information Commissioner’s Office.
    “We understand that residents will be anxious about the risk to their data, and we are working closely with the ICO, police agencies and other experts. We are committed to sharing further information about this as soon as we can, including what, if any, actions residents may need to take,” the council said.
    The nature of the cyberattack, when it happened and what services are affected, is still unclear.
    The council said that it was learning more about the attack but said it had decided not to share any more information at this stage “in order to make sure we do not inadvertently assist the attackers”.
    Earlier this year, a cyberattack on Redcar & Cleveland Borough Council caused significant problems and costs for the authority.