More stories

  • Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency

    An analysis of one year’s worth of cyber-attacks recorded in cloud honeypot servers reveals that the vast majority of hackers target cloud infrastructure with the purpose of deploying crypto-mining malware rather than to exfiltrate sensitive corporate information, set up DDoS infrastructure, or carry out other forms of cybercrime.
    According to Aqua Security’s 2020 Cloud Native Threat Report, which tracked and analyzed 16,371 attacks between June 2019 and July 2020, attacks against cloud systems exploded at the start of the year when the company recorded a 250% jump in attacks from the previous year.
    During these attacks, hackers tried to gain control over the honeypot servers and then download and deploy a malicious container image.
    Aqua said that 95% of these images were aimed towards mining cryptocurrency, while the rest were used for setting up DDoS infrastructure, something that has not been a common occurrence until recently.
    “Our analysis suggests that the threat landscape shifted towards organized cybercrime, which is investing in infrastructure,” Aqua said.
    The involvement of organized cybercrime groups not only led to a spike in attacks but also raised the complexity of these intrusions.
    Intrusion methods diversified, and malware complexity improved, Aqua said.
    Beyond scanning the internet for cloud servers exposed online without a password, exploiting vulnerabilities in unpatched systems, and carrying out brute-force attacks, hacker groups have recently also been orchestrating supply-chain attacks.
    These are attacks where hackers plant malware in regular-looking container/server images that they upload to public registries.
    Aqua Security says the malware stored inside these malicious containers springs into action and performs malicious actions only after the image is deployed, making it impossible to detect malicious payloads using static analysis or signature-based security systems.
    This has led to multiple groups adopting supply-chain attacks as a method of targeting companies managing cloud infrastructure. [i.e., some of the previous cases I, II, III, and IV]
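    As an added illustration (not code from Aqua Security’s report or from any project the article names), the control that a tag-based pull of a “regular-looking” public image defeats: an admission check that refuses container images unless they come from an allow-listed private registry and are pinned by digest. The registry names and the sample manifest are constructed.

```python
"""Admission check for container image references (illustrative, not Aqua's tooling).

Assumptions (not from the article): a deployment lists its images as plain
reference strings, and policy requires (1) an allow-listed registry and
(2) pinning by digest rather than by a mutable tag.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allow-list; a real deployment would name its own private registries.
TRUSTED_REGISTRIES = {"registry.example.internal", "mirror.example.internal"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@digest]' the way container runtimes do.

    The first path component counts as a registry only if it contains a '.' or
    ':' or is 'localhost'; otherwise the reference is relative to the default
    public registry (docker.io), which is exactly the case the policy rejects.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, rest = parts[0], "/".join(parts[1:])
    else:
        registry, rest = "docker.io", ref
    tag = None
    # The tag separator is the last ':' after the final '/', so a port number in
    # the registry host is never mistaken for a tag.
    last_slash = rest.rfind("/")
    colon = rest.rfind(":")
    if colon > last_slash:
        rest, tag = rest[:colon], rest[colon + 1:]
    return ImageRef(registry, rest, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return the list of policy violations for one image reference."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in TRUSTED_REGISTRIES:
        problems.append(f"{ref}: registry '{img.registry}' is not allow-listed")
    if img.digest is None:
        problems.append(f"{ref}: not pinned by digest (tag '{img.tag or 'latest'}' is mutable)")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"{ref}: malformed digest '{img.digest}'")
    return problems


def check_manifest(images: List[str]) -> List[str]:
    """Evaluate every image in a deployment; an empty list means admission passes."""
    violations = []
    for ref in images:
        violations.extend(check_image(ref))
    return violations


if __name__ == "__main__":
    # Constructed sample: one compliant image and two that the policy rejects.
    sample = [
        "registry.example.internal/payments/api@sha256:" + "a" * 64,
        "registry.example.internal/payments/api:1.4.2",  # trusted registry, but tag only
        "someuser/handy-base-image:latest",              # public registry and mutable tag
    ]
    for violation in check_manifest(sample):
        print(violation)
```

    Pinning by digest does not make a malicious image benign, but it does mean the image that was reviewed is the image that runs, and the allow-list keeps an unvetted public upload from being pulled in the first place.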
    Furthermore, the malware is also getting more complex, slowly inching closer to the complexity of malware seen targeting desktops. Aqua said it saw malware strains using multi-stage payloads, 64-bit encoding to hide their malicious code, and techniques to disable competing malware on the same system.
    All of this suggests a maturing cybercrime scene that is primarily focused on generating revenue, and the easiest way to do that is by mining cryptocurrency (Monero) on the hacked servers.
    For more details on attacks targeting cloud infrastructure, please refer to Aqua Security’s 71-page 2020 Cloud Native Threat Report.

  • US citizen charged with running diamond Ponzi scheme, cryptocurrency scam

    A 51-year-old US citizen has been charged with running a diamond and cryptocurrency-based Ponzi scheme.

    Prosecutors claim that Jose Angel Aman, from Washington, DC, operated a fraudulent investment scheme across the United States and Canada, luring investors with promises of quick returns in the diamond trade.
    The US Department of Justice (DoJ) said on Friday that Aman was the operator of a Ponzi scheme from May 2014 to May 2019. Together with his partners, Aman allegedly solicited individuals to invest in “diamond contracts,” in which their money would be used to buy large, rough, uncut diamonds. 
    These diamonds would then be cut and polished in order to be resold at a profit. To instill trust in the organization, Aman said that funds were backed by his own physical colored diamond stock, apparently worth $25 million. 
    As is the case with many Ponzi and get-rich-quick schemes, investors expect to see a cut of the profits and without this, Ponzi schemes are exposed and collapse quickly. Therefore, Aman allegedly used investor funds to pay off earlier investment “interest,” and as more investors joined the pool, the transfer of funds down the chain continued — without any legitimate profit obtained from diamond purchases. 
    When funds ran low and the operator was at risk of being exposed, he allegedly created “Reinvestment Contracts” to entice users to roll over their cash into new ‘deals’ in order to buy Aman time to sign up new investors. 
    However, this could not carry on forever, and US prosecutors say that Aman set up Argyle Coin as the Ponzi scheme was on the verge of collapse. Argyle Coin claimed to be a cryptocurrency-project backed by diamond trading, and as a fresh wave of investment poured into the coffers, only a “fraction of the money received” was used to create a cryptocurrency token.
    Instead, the DoJ says the majority of the funds were used to pay off investors from the previous Ponzi program, under the names Natural Diamonds Investment Co. (Natural Diamonds) and Eagle Financial Diamond Group Inc (Eagle). 
    “During the course of the Ponzi scheme, Aman and his partners collected over $25 million from hundreds of investors,” prosecutors say. “Aman allegedly used the money to make purported interest payments to investors, to pay business expenses, to pay commissions to the partners, and to support his own lavish lifestyle.”
    Investor funds were allegedly used for purposes including housing rent, horse purchases, and riding lessons.
    In 2019, the Securities and Exchange Commission (SEC) obtained an emergency court order to freeze Argyle Coin’s operations. The US District Court for the Southern District of Florida granted a request for a temporary restraining order and asset freeze while the cryptocurrency organization was investigated. 
    Aman is facing charges of wire fraud, which could result in up to 20 years behind bars, as well as restitution payments. 


  • DeFi SushiSwap creator returns $14m in ETH to project after causing coin crash

    “To everyone. I f*cked up. And I am sorry.”
    These are the words of “Chef Nomi,” the creator of the SushiSwap project, after suddenly liquidating his stock, causing a massive price crash of over 70% to the SushiSwap token. 

    SushiSwap is a Decentralized Finance (DeFi) project created by Chef Nomi based on a UniSwap decentralized exchange (DEX) fork for bootstrapping liquidity. 
    When Chef Nomi liquidated funds from the development wallet last week — cashing in roughly $14 million in ETH in the process by swapping out SushiSwap tokens (SUSHI) — the community and investors in the project immediately felt the impact.
    At its peak, SushiSwap was worth $10.76. At the time of writing, the token is valued at $2.32. As reported by Coin Desk, once Chef Nomi liquidated their holdings, prices plummeted from $4.44 to $1.20.
    The community response was immediate, with accusations of an exit scam battering the young project’s reputation. Chef Nomi took to Twitter to defend their actions, insisting that the move was comparable to the creator of Litecoin cashing out funds. However, as users pointed out, the SushiSwap project was only several weeks old. 

    It was not long before the backlash caused a U-turn by the anonymous creator, who transferred ownership to FTX CEO Sam Bankman-Fried and then decided to return the funds cashed out from the developer wallet. 
    “I have returned all the $14M worth of ETH back to the treasury,” Chef Nomi said in a tweet dated September 11. “And I will let the community decide how much I deserve as the original creator of SushiSwap. In any currency (ETH/SUSHI/etc). With any lockup schedule you wish.”
    Seemingly apologetic, the developer said “I f*cked up. And I am sorry,” adding:

    “I hope that SushiSwap continues to evolve. Don’t let my mistake deter it from being a 100% community-run AMM. The success of SushiSwap will set a precedent for many more community-run projects.”

    The project creator said that they will continue to “participate in the discussion and technical implementation of SushiSwap” as a background figure, but whether or not the community will forgive, forget, and accept their future contributions remains to be seen. 


  • New BlindSide attack uses speculative execution to bypass ASLR

    Academics have developed a new technique for attacking secure computer systems by abusing speculative execution, a CPU mechanism that’s normally used for performance optimizations.
    The technique, named BlindSide, was detailed in a paper [PDF] published last week by a team of academics from the Stevens Institute of Technology in New Jersey, ETH Zurich, and the Vrije University in Amsterdam.
    Researchers say that BlindSide can be used to craft exploits that bypass ASLR (Address Space Layout Randomization) on modern operating systems.
    BlindSide can bypass ASLR
    Memory addresses are important for an attacker. If an attacker knows where an app executes its code inside memory, they can fine-tune exploits that attack particular applications and steal sensitive information. As its name hints, ASLR works by randomizing the location where code executes inside memory, effectively neutralizing such attacks until attackers find a way around ASLR.
    To bypass ASLR, an attacker typically needs to find an “information leak” type of vulnerability that leaks memory locations; or the attacker can probe the memory until they find the proper location where another app runs and then modify their code to target that memory address space.
    Both techniques are hard to pull off, especially the second, which often leads to system crashes or to the attacker’s noisy probing being detected by security systems.
    The new BlindSide attack works by moving this probing behavior into the realm of speculative execution.
    Speculative execution, to the rescue!
    Speculative execution is a performance-boosting feature of modern processors. During speculative execution, a CPU runs operations in advance and in parallel with the main computational thread.
    When the main CPU thread reaches certain points, speculative execution allows it to pick an already-computed value and move on to the next task, a process that results in faster computational operations. All the values computed during speculative execution are discarded, with no impact on the operating system.
    Academics say that this very same process that can greatly speed up CPUs can also “[amplify] the severity of common software vulnerabilities such as memory corruption errors by introducing speculative probing.”
    Effectively, BlindSide takes a vulnerability in a software app and exploits it over and over in the speculative execution domain, repeatedly probing the memory until the attacker bypasses ASLR.
    Since this attack takes place inside the realm of speculative execution, all failed probes and crashes don’t impact the CPU or its stability as they take place and are suppressed and then discarded.
    All the attacker needs is a simple memory corruption vulnerability they can exploit on a system. In their research paper, the team used a single buffer overflow on the Linux kernel to:
      • Break KASLR with BlindSide to mount a reliable ROP exploit;
      • Break arbitrary randomization schemes with BlindSide to mount an architectural data-only exploit (leaking the root password hash);
      • Break fine-grained randomization and kernel execute-only memory to dump the full kernel text and mount a reliable ROP exploit.
    The researchers said that BlindSide effectively allows attackers to “hack blind,” without needing to worry about ASLR.
    BlindSide attacks also work regardless of architecture, being tested on both Intel and AMD CPUs alike.
    In addition, BlindSide attacks also work despite the recent mitigations that CPU vendors have added against speculative execution attacks like Spectre, Meltdown, and others.
    The team’s research paper proposes several mitigations that OS makers could deploy to counter BlindSide attacks.

  • Microsoft out of race to purchase TikTok as US ban draws near

    The owner of controversial video-sharing app TikTok has a September 15 deadline to either sell to a US company or see the service banned from the US market, following President Donald Trump’s executive order that labelled the platform as a “national emergency”.
    Microsoft threw its hat in the ring prior to the official announcement from the president, saying it wanted to scoop up TikTok and add “world-class security, privacy, and digital safety protections” to the app if it did.
    It soon reportedly joined forces with Walmart to co-bid for the Chinese company’s US, Canadian, Australian, and New Zealand operations.
    Microsoft officials had characterised the discussions as “preliminary”, noting it was not intending to provide any further updates on the discussions until there was a definitive outcome.
    But in approaching the deadline, ByteDance said it would not include TikTok’s algorithm as part of the sale, according to a South China Morning Post report. The Chinese company has also told Microsoft it would not be its new owner.
    “ByteDance let us know today they would not be selling TikTok’s US operations to Microsoft,” the company said in a blog post.
    “We are confident our proposal would have been good for TikTok’s users, while protecting national security interests.”
    Sunday’s blog post reiterated what Microsoft has stated from the start — that the potential acquisition would have required “significant changes” to the app’s current state.
    “To do this, we would have made significant changes to ensure the service met the highest standards for security, privacy, online safety, and combatting disinformation, and we made these principles clear in our August statement,” it said.
    “We look forward to seeing how the service evolves in these important areas.”
    Following Microsoft’s bid, Oracle also began holding talks with ByteDance, showing its interest in the video-sharing app.
    The Wall Street Journal on Monday morning reported Oracle would shortly be announced as TikTok’s “trusted tech partner” and that the video-sharing platform’s sale would not exactly be structured as an acquisition.
    As of the start of August, TikTok has clocked over 175 million downloads in the US, and around 800 million globally.
    “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the executive order made by Trump said.
    “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    TikTok struck back, confirming it would launch a lawsuit against the US government with regards to its ban. Any potential lawsuit, however, would not prevent the company from being compelled to sell off the app in the US market. 
    TikTok also reiterated its previous stance that it has worked to engage the Trump administration for almost a year to “provide a constructive solution” to resolve concerns the latter had about the app.
    “We strongly disagree with the Administration’s position that TikTok is a national security threat,” it said.

  • Leaky server exposes users of dating site network

    An online database left exposed online without a password has leaked the personal details of hundreds of thousands of users who signed up for online dating sites.
    The leaky database, an Elasticsearch server, was discovered at the end of August by security researchers from vpnMentor.
    The database was taken offline on September 3 after vpnMentor tracked down its owner in Mailfire, a company that provides online marketing tools.
    vpnMentor researchers said the database stored copies of push notifications that various online sites were sending to their users via Mailfire’s push notification service.
    Push notifications are real-time messages that companies can send to smartphone or browser users who agreed to receive such messages.
    The leaky database stored more than 882 GB of log files pertaining to push notifications sent via Mailfire’s service, with the logs being updated in real-time, as new notifications were being sent out.
    In total, vpnMentor said the log files contained details for 66 million individual notifications sent over the previous 96 hours, with personal details for hundreds of thousands of users.
    vpnMentor, who analyzed the leaked data while searching for the database owner, said it found notifications belonging to more than 70 websites.
    Some of the sites were e-commerce stores and classified ads networks from Africa; however, the vast majority of notifications originated from domains linked to dating sites.
    These dating sites promised men the opportunity to find a young female partner in various areas of the globe, such as Eastern Europe or Eastern Asia.
    Most of these sites used similar-looking designs, and while using different domains, appeared to be part of a larger network.
    Without any doubt, the notifications sent by this network of dating sites were just spam, trying to lure users to return to the site by claiming that a new user had sent them a message.
    But while spamming users with push notifications is not actually an issue, especially if the users agreed to receive these messages, the problem was that personal data was also involved.
    According to copies of the exposed logs seen by ZDNet, the leaky Elasticsearch server didn’t only contain copies of the notifications but also a “debug” area where personal information for the user receiving the notification was included.
    Some of the data we found in these debug fields included names, age, gender information, email addresses, general geographical locations, and IP addresses.
    Furthermore, the notifications also contained links back to the user’s profile, in case the user clicked or tapped on the notification. These links also contained authentication keys, meaning anyone with this URL would have been able to access a user’s profile on the dating site without needing a password.
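    An added example, not part of ZDNet’s or vpnMentor’s material and not Mailfire’s code: a log scrubber that masks credential-bearing query parameters (and token-carrying fragments) in URLs before notification payloads are written to a debug store, and counts how many such URLs it saw, so the count can double as an alert that authentication material is flowing into logs at all. The parameter-name patterns and the two sample log lines are constructed for illustration.

```python
"""Mask credential-bearing URLs before notification payloads reach a log store.

Illustrative code written for this digest; it is not Mailfire's, vpnMentor's or
ZDNet's. The parameter-name patterns are assumptions and the log lines are
constructed samples shaped loosely like the described debug entries.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that usually carry a bearer-style credential (assumed list).
SECRET_PARAM_RE = re.compile(r"auth|token|key|session|sig|secret|passw", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REDACTED = "REDACTED"

# Constructed sample: one profile link carrying an auth key, one harmless click-through.
SAMPLE_LOG = [
    '2020-09-01T10:02:11Z push sent to=user1 title="New message!" '
    "url=https://dating.example/profile/4711?auth_key=k3yk3yk3y&lang=en",
    '2020-09-01T10:02:12Z push sent to=user2 title="Sale" url=https://shop.example/deals?cat=shoes',
]


def redact_url(url: str) -> Tuple[str, bool]:
    """Return the URL with secret parameters masked and whether anything was masked."""
    parts = urlsplit(url)
    masked = False
    clean = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and SECRET_PARAM_RE.search(name):
            clean.append((name, REDACTED))
            masked = True
        else:
            clean.append((name, value))
    # Tokens are also smuggled in fragments (#access_token=...); mask those whole.
    fragment = parts.fragment
    if fragment and SECRET_PARAM_RE.search(fragment):
        fragment, masked = REDACTED, True
    rebuilt = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(clean), fragment))
    return rebuilt, masked


def scrub_log_line(line: str) -> Tuple[str, int]:
    """Redact every URL in one line; return the scrubbed line and how many URLs were masked."""
    hits = 0

    def _replace(match):
        nonlocal hits
        rebuilt, masked = redact_url(match.group(0))
        hits += int(masked)
        return rebuilt

    return URL_RE.sub(_replace, line), hits


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of lines; a non-zero count means credentials were about to be logged."""
    out, total = [], 0
    for line in lines:
        scrubbed, hits = scrub_log_line(line)
        out.append(scrubbed)
        total += hits
    return out, total


if __name__ == "__main__":
    scrubbed_lines, total_hits = scrub_log(SAMPLE_LOG)
    for entry in scrubbed_lines:
        print(entry)
    print(f"{total_hits} credential-bearing URL(s) masked")
```

    Scrubbing at write time is the backstop; the primary fix is for the notification service not to receive profile links that double as credentials, since a server-side redirect that checks a session is not something a logged URL can leak.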
    Anyone who would have found this database over the course of the past few weeks would have been able to learn the identities of users who signed up on these dating sites and access their profiles to read private messages or see past connections.
    As vpnMentor researchers have pointed out, this leaky server was a disaster waiting to happen. If this data leaks online, the users of these sites would most likely face extortion attempts, similar to how Ashley Madison users faced blackmail attempts for years. These extortion attempts had a severe toll on Ashley Madison users, with some taking their own lives after their personal love life was exposed to the public.
    Mailfire did not return a request for comment. Some of the dating sites that we found in the leaky server included Kismia, Julia Dates, Emily Dates, Asian Melodies, Ukrainian Charm, Asia Charm, JollyRomance, OneAmour, ValenTime, Rondevo, Victoria Brides, Loveeto, Oisecret, WetHunt, Cum2Date, Jolly.me, and many more.

  • Researcher kept a major Bitcoin bug secret for two years to prevent attacks

    In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.
    Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn’t received the patch.
    Bitcoin Inventory Out-of-Memory Denial-of-Service Attack
    Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While DoS attacks are harmless in many cases, they are not for internet-reachable systems that need stable uptime in order to process transactions.
    INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server’s memory resources, which would eventually crash impacted systems.
    “At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said in a paper [PDF] published on Wednesday.
    Furthermore, INVDoS impacted more than Bitcoin nodes (servers) running the Bitcoin Core software: nodes running Bcoin and Btcd were affected by the same bug.
    Other cryptocurrencies that were built on the original Bitcoin protocol were also impacted, such as Litecoin and Namecoin.
    Fuller said the bug was dangerous because it could “contribute to a loss of funds or revenue.”
    “This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” he said.
    “It could also be through disruption and delay of time-sensitive contracts or prohibiting economic activity. That could affect commerce, exchanges, atomic swaps, escrows and lightning network HTLC payment channels,” Fuller added.
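    An added illustration of the mitigation class that an inventory-memory DoS calls for, written for this digest rather than taken from Bitcoin Core, Bcoin or Btcd: a per-peer memory budget for items a node has accepted but not yet processed, so a single peer announcing an unbounded stream of items is refused and eventually disconnected instead of exhausting the node’s memory. The limits and the simulated flood are assumed values.

```python
"""Per-peer memory budget for announced-but-unprocessed items (illustrative).

Written for this digest as a generic example of bounded resource accounting;
it is not the INVDoS fix from Bitcoin Core, Bcoin or Btcd, and every limit
below is an assumed value.
"""
from typing import Dict


class InventoryTracker:
    """Accounts for the bytes a node holds on behalf of each remote peer.

    An accepted announcement reserves `size` bytes until `release` is called
    (the item was validated and stored, or rejected). A peer over its budget is
    refused further reservations, and repeated refusals mark it for
    disconnection, so one misbehaving peer can neither grow the node's memory
    use without bound nor starve the other peers.
    """

    def __init__(self, max_bytes_per_peer: int, max_total_bytes: int, max_strikes: int = 3):
        self.max_bytes_per_peer = max_bytes_per_peer
        self.max_total_bytes = max_total_bytes
        self.max_strikes = max_strikes
        self.pending: Dict[str, Dict[str, int]] = {}  # peer -> {item_id: size}
        self.used: Dict[str, int] = {}                 # peer -> bytes reserved
        self.strikes: Dict[str, int] = {}              # peer -> refusals so far
        self.total = 0

    def peer_bytes(self, peer: str) -> int:
        return self.used.get(peer, 0)

    def announce(self, peer: str, item_id: str, size: int) -> bool:
        """Reserve memory for an announced item; False means the node refused it."""
        if size <= 0:
            return False
        items = self.pending.setdefault(peer, {})
        if item_id in items:  # a repeated announcement costs nothing extra
            return True
        over_peer = self.peer_bytes(peer) + size > self.max_bytes_per_peer
        over_node = self.total + size > self.max_total_bytes
        if over_peer or over_node:
            self.strikes[peer] = self.strikes.get(peer, 0) + 1
            return False
        items[item_id] = size
        self.used[peer] = self.peer_bytes(peer) + size
        self.total += size
        return True

    def release(self, peer: str, item_id: str) -> None:
        """Free a reservation once the item has been processed or discarded."""
        size = self.pending.get(peer, {}).pop(item_id, None)
        if size is not None:
            self.used[peer] -= size
            self.total -= size

    def should_disconnect(self, peer: str) -> bool:
        return self.strikes.get(peer, 0) >= self.max_strikes

    def evict_peer(self, peer: str) -> int:
        """Drop everything a disconnected peer had pending; return the bytes freed."""
        freed = self.peer_bytes(peer)
        self.pending.pop(peer, None)
        self.used.pop(peer, None)
        self.strikes.pop(peer, None)
        self.total -= freed
        return freed


def simulate_flood(tracker: InventoryTracker, peer: str, count: int, size: int) -> Dict[str, int]:
    """Feed `count` announcements of `size` bytes from one peer and report the outcome."""
    accepted = sum(tracker.announce(peer, f"{peer}-item-{i}", size) for i in range(count))
    return {"accepted": accepted, "refused": count - accepted, "held_bytes": tracker.peer_bytes(peer)}


if __name__ == "__main__":
    # Constructed scenario: a 10 KB per-peer budget inside a 40 KB node budget,
    # and one peer announcing 50 items of 1 KB each.
    tracker = InventoryTracker(max_bytes_per_peer=10_000, max_total_bytes=40_000)
    print(simulate_flood(tracker, "peerA", 50, 1_000))
    print("disconnect peerA:", tracker.should_disconnect("peerA"))
    print("bytes freed:", tracker.evict_peer("peerA"), "total now", tracker.total)
```

    The node-wide cap matters as much as the per-peer one: without it, an attacker who controls many peer identities simply multiplies the per-peer budget.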
    Bug re-discovered two years later
    The INVDoS bug was reported to all the responsible parties and patched, at the time, under the generic identifier of CVE-2018-17145, which didn’t include that many details, so as not to tip off attackers.
    However, the same bug was re-discovered over the summer by Javed Khan, another Bitcoin protocol engineer, while hunting bugs in the Decred cryptocurrency.
    Khan reported the bug to the Decred bug bounty program, and it was eventually disclosed to the broader world last month.
    Full details about the entire INVDoS vulnerability were published earlier this week, so other cryptocurrencies that forked older versions of the Bitcoin protocol could check and see if they were impacted as well.
    “There has not been a known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”

  • Porn site users targeted with malicious ads redirecting to exploit kits, malware

    A cybercrime group has been busy over the past months placing malicious ads on adult-themed websites in order to redirect users to exploit kits and infect them with malware.
    Named Malsmoke, the group has operated on a scale far above that of other similar cybercrime operations and has abused “practically all adult ad networks.”
    According to cyber-security firm Malwarebytes, which has been tracking Malsmoke’s attacks, for most of that time the group managed to place malicious ads (malverts) on mid-tier adult portals, but it recently “hit the jackpot” when it managed to sneak malverts onto xHamster, one of the biggest adult video portals today and one of the biggest sites on the internet, with billions of visitors each month.
    The role of the group’s malicious ads was to use JavaScript trickery and redirect users from the adult portal to a malicious site that was hosting an exploit kit.
    The exploit kits would then use vulnerabilities in Adobe Flash Player or Internet Explorer to install malware on users’ computers, with the most common payloads being Smoke Loader, Raccoon Stealer, and ZLoader.
    Naturally, only users still using Internet Explorer or Adobe Flash were targeted by these malicious ads.
    The attacks can be considered as a last hurrah attempt to infect users with old-school hacking tools like exploit kits, whose usage has declined in recent years as modern browsers have become harder to hack.
    Most exploit kits are built around vulnerabilities in Flash and IE, which has made them less efficient as most internet users have now either uninstalled Flash or moved to Chrome and Firefox.
    With Flash being scheduled to reach end-of-life (EOL) at the end of the year, and with IE being slowly phased out by Microsoft, these are the last few months when malware gangs can still rely on exploit kits.
    “Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser,” Malwarebytes said in a report published earlier this week.
    “As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player.”