More stories


    New ModPipe malware targets hospitality, hotel point of sale systems

    A new Point-of-Sale (PoS) malware is targeting devices used by “hundreds of thousands” of organizations in the hospitality sector, researchers have warned. 

    Dubbed ModPipe, the malware is a backdoor able to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, management software that is particularly popular in the United States. 
    RES 3700 is described by Oracle as the “most widely installed restaurant management software in the industry today.” The software suite is used to manage PoS, loyalty programs, reporting, inventory, promotions, and mobile payment. 
    On Thursday, ESET researchers said in a blog post that the operators of ModPipe likely have a “deep knowledge” of the software, as the malware contains a custom algorithm designed to harvest RES 3700 POS database passwords by decrypting them from Windows registry values. 
    This direct, sophisticated approach is in contrast to the standard PoS malware method, in which “noisy” keylogging and credit card skimming is often practiced. 
    Alternatively, it may be that the cyberattackers were able to steal the software and reverse-engineer the code following a 2016 data breach at Oracle’s PoS division. 

    Once executed on a PoS device, ModPipe will access database contents, including system configuration, status tables, and some PoS data concerning transactions — but it does not seem that in its basic state, the malware is able to grab credit card numbers or expiry dates. 
    According to the researchers, this sensitive information is protected by encryption standards implemented by RES 3700 — and so the only payment card-related data threat actors will be able to access is cardholder names. 
    ModPipe’s modular architecture comprises a 32/64-bit dropper, a loader, and the main payload, which creates a “pipe” used to connect with other malicious modules and serves as a dispatch point for communication between the malware and a C2. 
    ModPipe is also able to download additional modules from an attacker’s command-and-control (C2) server to extend its malicious capabilities. 
    The modules found by ESET, so far, include GetMicInfo — the module containing the custom algorithm — which is also able to intercept and decrypt database passwords; ModScan 2.20, which gathers PoS information by scanning IP addresses; and ProcList, which monitors running processes. 
    The majority of PoS malware will home in on guest or customer payment card data, as this is the most valuable information a PoS device will process. Without a module to grab and decrypt this information, ESET says the operator’s business model remains “unclear.”
    However, it should be noted that there may be such a module and it just hasn’t been found — yet. 
    “To achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase,” which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module and — due to use of the Windows Data Protection API (DPAPI) — executed directly on the victim’s machine.”
    It is not currently known how the malware is being distributed, but the team says that the majority of infections tracked are from the US. 
    ZDNet has reached out to Oracle and will update when we hear back. 

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Microsoft urges users to stop using phone-based multi-factor authentication

    Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

    The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft’s behalf, urging users to embrace and enable MFA for their online accounts.
    Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.
    But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.
    The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today.
    Weinert says that both SMS and voice calls are transmitted in cleartext and can be intercepted by determined attackers using techniques and tools such as software-defined radios, femtocells, or SS7 intercept services.
    SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

    Further, phone network employees can be tricked into transferring phone numbers to a threat actor’s SIM card, in attacks known as SIM swapping, allowing attackers to receive MFA one-time codes on behalf of their victims.
    On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.
    SMS and voice calls are the least secure MFA method today
    All of these make SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.
    The Microsoft exec believes that the gap between SMS and voice-based MFA and the stronger methods “will only widen” in the future.
    As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its large adoption.
    Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft’s Authenticator MFA app as a good starting point.
    But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
    PS: This shouldn’t mean that users should disable SMS or voice-based MFA for their accounts. SMS MFA is still way better than no MFA.
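Weinert’s ranking rests on how each factor behaves under a real-time phishing relay of the kind Modlishka and Evilginx perform. The Python script below is an added example, not code from the article, from Microsoft or from any of the named kits: it implements the RFC 4226/RFC 6238 one-time-code algorithm (the same one an authenticator app runs), shows that a relayed code is accepted by the server whether it arrived by SMS or by app, and contrasts that with a WebAuthn-style assertion whose signed data includes the origin the browser actually saw. The relying party login.example, the credential key, the challenge value and the HMAC used as a stand-in for the security key’s ECDSA signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import struct

# --- One-time codes (RFC 4226 HOTP / RFC 6238 TOTP) --------------------------
# An authenticator app runs exactly this; an SMS code is the same kind of
# short-lived bearer value, generated server-side and sent over the phone network.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP over the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_otp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates neighbouring time steps (usual clock-skew allowance).
    Nothing here can tell whether `submitted` was typed by the user or relayed by a proxy."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )

# --- Origin-bound challenge/response (WebAuthn-style) ------------------------
RP_ID = "login.example"                 # hypothetical relying party
RP_ORIGIN = "https://login.example"


def authenticator_assert(cred_key: bytes, origin: str, challenge: str):
    """What browser + security key produce. The BROWSER fills in `origin`; the page
    (or a phishing proxy) cannot change it. A real browser would also refuse an RP ID
    that is not a suffix of the origin; this example only models the relying-party side.
    The signature is a keyed HMAC as a stand-in for the credential's ECDSA P-256 key;
    what matters for the example is the data that gets signed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")   # flags: UP set; sign counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # a relayed/phished assertion fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def relay_scenarios():
    """Constructed scenario: a reverse-proxy phishing kit relays the login in real time."""
    otp_secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    now = 59
    code = totp(otp_secret, now)                   # victim types this into the phishing page
    otp_relayed_ok = verify_otp(otp_secret, code, now + 5)   # attacker submits it seconds later

    cred_key = b"constructed-credential-key"       # assumption: the registered credential
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"    # assumption: server-issued challenge
    # Victim on the real site:
    legit = rp_verify(cred_key, challenge,
                      *authenticator_assert(cred_key, RP_ORIGIN, challenge))
    # Victim on the proxy's look-alike domain; the browser records THAT origin:
    phished = rp_verify(cred_key, challenge,
                        *authenticator_assert(cred_key, "https://login-example.com", challenge))
    return {"otp_relayed_accepted": otp_relayed_ok,
            "fido_legit_accepted": legit,
            "fido_phished_accepted": phished}


if __name__ == "__main__":
    print(relay_scenarios())
```

The OTP half reproduces the RFC 4226/6238 test vectors (counter 0 gives 755224, time 59 gives 287082 with the test secret), so the relay outcome is not an artefact of a toy implementation: any code the user can read and type is a code the proxy can forward within the skew window. The origin check is the single line that makes the security-key path different.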


    Google patches two more Chrome zero-days

    Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
    These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
    The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google’s attention after tips from anonymous sources.
    Details about the attacks in which the two Chrome zero-days were used had not been made public at the time of writing.
    According to the Chrome 86.0.4240.198 changelog, the two zero-days are tracked and described as follows:
    CVE-2020-16013 – Described as an “inappropriate implementation in V8,” where V8 is the Chrome component that handles JavaScript code.
    CVE-2020-16017 – Described as a “use after free” memory corruption bug in Site Isolation, the Chrome component that isolates each site’s data from one another.
    It is currently unknown if the two vulnerabilities have been used together, as part of an exploit chain, or used individually. The first one was reported on Monday, while the second was reported earlier today, on Wednesday.
    These two zero-days come after Google also patched:

    Most zero-days are employed in targeted attacks against a small number of selected targets, so most users shouldn’t needlessly panic.
    While the level of danger for regular users is unclear, Chrome users are still advised to update to v86.0.4240.198 via the browser’s built-in update function (Chrome menu, Help, About Google Chrome) as soon as possible.
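A fleet check against the version named above, as an added example that is not from the article or from Google: it compares dotted Chrome version strings numerically, because a plain string comparison ranks 86.0.4240.75 above 86.0.4240.198 and would report an unpatched build as current. The inventory lines are constructed.

```python
import re

PATCHED = "86.0.4240.198"   # fixed version named in the article


def parse_version(v: str):
    """Split a dotted version into a tuple of ints so comparison is numeric.
    Lexical comparison gets this wrong: "86.0.4240.75" > "86.0.4240.198" as strings."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_patched(installed: str, fixed: str = PATCHED) -> bool:
    return parse_version(installed) >= parse_version(fixed)


# Constructed inventory, e.g. from an endpoint agent: "<host> <chrome version>"
INVENTORY = """\
ws-001 86.0.4240.75
ws-002 86.0.4240.198
ws-003 86.0.4240.183
ws-004 87.0.4280.66
ws-005 85.0.4183.121
"""


def hosts_needing_update(inventory: str = INVENTORY):
    """Return the hosts whose Chrome is older than PATCHED."""
    out = []
    for line in inventory.splitlines():
        host, ver = line.split()
        if not is_patched(ver):
            out.append(host)
    return out


if __name__ == "__main__":
    print("lexical compare calls 86.0.4240.75 newer:", "86.0.4240.75" > "86.0.4240.198")
    print("needs update:", hosts_needing_update())
```

On Linux the installed version is what `google-chrome --version` prints; feed that into `is_patched` rather than comparing the string directly.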


    Recent ransomware wave targeting Israel linked to Iranian threat actors

    Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors, multiple sources have told ZDNet today.
    The ransomware attacks have been taking place since mid-October, have ramped up this month, and have repeatedly focused on Israeli targets.
    Israeli companies of all sizes have been targeted by threat actors using the Pay2Key and WannaScream ransomware strains.
    Hackers breached corporate networks, stole company data, encrypted files, and asked for huge payouts to deliver a decryption key.
    Furthermore, adding to this tactic, this week, the Pay2Key ransomware gang also launched a “leak directory” on the dark web where the group is now leaking data they stole from companies who refused to pay the ransom demand, Ram Levi, Founder and CEO of Konfidas, a cybersecurity consulting firm based in Israel, told ZDNet today.

    The Pay2Key attacks are a curious case because, unlike most other ransomware operations taking place today, these attacks have repeatedly and primarily focused on infecting Israeli companies.
    Attacks with the WannaScream ransomware have been spotted across the globe, but Omri Segev Moyal, Founder and CEO of Israeli security firm Profero, told ZDNet that this ransomware is currently available via a Ransomware-as-a-Service (RaaS) model and that one group who rents the ransomware from its creators is targeting Israeli companies in particular.
    Ransom payments lead back to Iran

    Profero, one of the local security firms currently providing Incident Response (IR) services to the many beleaguered Israeli companies, said today it tracked several payments Israeli companies made to Excoino, a cryptocurrency exchange based in Iran.

    This week @_CPResearch_ released an analysis of ransomware targeting Israeli SME dubbed “Pay2Key”. Using intelligence sources and our latest CryptoCurrency monitoring capabilities, we have been able to track the exit strategy of the threat actors leading to Iranian exchange. pic.twitter.com/64WzsonAjQ
    — Profero (@ProferoSec) November 11, 2020

    “The overall sophistication of both the WannaScream and Pay2Key ransomware waves is very average. The low level of sophistication with Pay2Key enabled us to track the bitcoin flow easily,” Moyal told ZDNet.
    “Our team pinpointed an exit strategy at Excoino, a cryptocurrency exchange based in Iran. This act is very uncommon for major ransomware operators,” the Profero exec added.
    “An experienced operator will go through mixing services, swapping between different coins via Binance sub-exchanges such as ChangeNow, or other less familiar exchanges such as coin2cards.
    “We haven’t seen any of those in this case. This might indicate the origin of the attackers, though it can be a false flag, as we are all aware in our industry.”
    Profero’s findings and the links between Pay2Key and an Iran-based threat actor were also confirmed today by Check Point and a third source who spoke with ZDNet on the condition of anonymity.
    Check Point, who first spotted the Pay2Key ransomware wave last week, plans to publish an in-depth report on its newest findings and the Iranian links on Thursday.
    While payments have not been traced to Excoino for the WannaScream attacks, other indicators in the code and ransom negotiations process have also led Moyal and others to think that this ransomware group is also managed by an Iranian entity.
    Bugs and data loss for some victims
    Moyal’s assessment that both Pay2Key and WannaScream are unsophisticated operations was also confirmed by evidence from real-world incidents.
    For example, in some early Pay2Key incidents, the ransomware’s command-and-control servers didn’t release a decryption key to some victims that paid the ransom demand, leaving companies unable to recover their files.
    In the case of WannaScream, the ransomware decrypter, the app that victims receive to decrypt their files after paying the ransom demand, has also been throwing errors in some cases, similarly leaving companies unable to recover their data even after making payments.

    In recent months, Israel and Iran have each accused the other of carrying out cyber-attacks against critical infrastructure.
    At the time of writing, there was no evidence to link either the Pay2Key or the WannaScream attacks that have taken place in Israel to an Iranian government entity beyond any doubt. Nonetheless, the door has been left open for future investigations.


    Microsoft names former McAfee CEO Christopher Young as new Business Development chief

    Microsoft has named former McAfee CEO Christopher Young as its Executive Vice President of Business Development. Young replaces former Microsoft Business Development chief Peggy Johnson, who left Microsoft in July to become CEO of Magic Leap.

    Young was CEO of cybersecurity vendor McAfee from April 2017 to February 2020. Microsoft announced Young would be the new Executive Vice President of Business Development on November 11. Like Johnson, Young will report directly to Microsoft CEO Satya Nadella and be a member of Microsoft’s inner circle, the Senior Leadership Team.

    In addition to heading McAfee, Young also has held management positions at Intel, Cisco, VMware, RSA and AOL. At Intel, where Young worked from October 2014 to April 2017, his most recent post was Senior Vice President and General Manager of the Intel Security Group. In 2017, he led the initiative to spin McAfee out of Intel as a standalone company, according to Microsoft’s press release.

    In his new role, Young is responsible for global business development strategies across the company. He will spearhead key strategic partnerships, including alliances, venture investments and joint ventures.


    DDoS attacks are cheaper and easier to carry out than ever before

    DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet connected devices.
    Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.
    The disruption this causes is a problem for both businesses and individual users, who are prevented from accessing the digital services they need; that is especially a problem in 2020, when the coronavirus pandemic has forced people to rely on digital services more than ever before.
    And causing disruption with DDoS attacks is now easier than ever, even for less technically skilled cyber criminals. According to researchers at Digital Shadows, cyber criminals are offering DDoS services at an average starting cost of just $7 for disruption that lasts anywhere from a few minutes to a couple of hours; a buyer who wants the attack to last longer needs to pay more. That starting price of $7 is down from an average of $25 in 2017, suggesting that the supply of DDoS-as-a-Service has notably increased over the last few years.
    One of the reasons that DDoS attacks have become cheaper and easier to carry out is the proliferation of Internet of Things devices. Large numbers of IoT products ship with default usernames and passwords, meaning it’s easy for hackers to take control of them.
    While a small handful of IoT devices won’t have much traffic-generating power, if attackers can compromise tens or hundreds of thousands of insecure IoT products, that traffic can help take down targets.

    Owners of the devices are likely to be unaware that they’ve been compromised and that the traffic they generate is being used to help take the target of the cyber attackers offline.
    DDoS-for-hire services have become popular not only because they provide a simple way for cyber criminals to make money, but also because the nature of the service lets an individual or group launch DDoS attacks while making it harder for them to be tracked down.
    “This trend will likely increase in the future, thus making DDoS attacks a job that low-skilled criminals can do with professional threat actors’ efficiency,” said Stefano De Blasi, intelligence collection analyst at Digital Shadows.
    However, organisations can protect against the potential impact of a DDoS attack by knowing what their most critical assets are and by preparing contingency plans for the case where their DDoS mitigation service fails.
    In addition to this, vendors and users can play a part in reducing the potential for DDoS attacks by avoiding the use of default passwords, so it isn’t easy for hackers to hijack devices to make them part of a botnet in the first place.
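Botnet traffic of the kind described above is recognisable at the network edge by the number of distinct sources converging on one destination within a short window, which is different from one host sending a lot. The Python script below is an added example, not from the article or from Digital Shadows: it aggregates constructed flow records (timestamp, source, destination, packet count) per destination per 10-second window and flags windows where both the distinct-source count and the packet rate cross a threshold. The thresholds and addresses are assumptions; a single heavy source is deliberately left unflagged by this rule to show that a single-source volumetric flood needs a separate per-source check.

```python
from collections import defaultdict

WINDOW = 10  # seconds; aggregation bucket for flow records


def make_flows():
    """Constructed flow records shaped like a NetFlow/IPFIX export:
    (epoch_seconds, src_ip, dst_ip, packets). Three cases:
      - 400 compromised devices each sending a little traffic to one victim
      - ordinary traffic: 5 clients talking to a second host
      - one single source flooding a third host (volumetric, not distributed)"""
    flows = []
    for i in range(400):  # botnet: many sources, few packets each
        src = f"10.{(i >> 8) & 255}.{i & 255}.1"
        flows.append((1000 + i % WINDOW, src, "203.0.113.10", 20))
    for i in range(5):    # benign: few sources, modest traffic
        flows.append((1003, f"198.51.100.{i}", "203.0.113.20", 50))
    flows.append((1004, "192.0.2.9", "203.0.113.30", 10000))  # single-source flood
    return flows


def detect(flows, min_sources=100, min_pps=500):
    """Flag (window, destination) pairs that look like a distributed flood:
    many distinct sources AND a high aggregate packet rate in the same window."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0})
    for ts, src, dst, pkts in flows:
        key = (ts // WINDOW * WINDOW, dst)
        stats[key]["sources"].add(src)
        stats[key]["packets"] += pkts

    alerts = []
    for (win, dst), s in sorted(stats.items()):
        pps = s["packets"] / WINDOW
        if len(s["sources"]) >= min_sources and pps >= min_pps:
            alerts.append({"window": win, "dst": dst,
                           "sources": len(s["sources"]), "pps": pps})
    # 203.0.113.30 receives 1000 pps from ONE source and is not flagged by this rule;
    # that case needs a per-source rate rule rather than a distributed-source rule.
    return alerts


if __name__ == "__main__":
    for alert in detect(make_flows()):
        print(alert)
```

Real deployments tune `min_sources` and `min_pps` per destination from a baseline rather than using fixed numbers, and apply the single-source rule alongside this one.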


    Play Store identified as main distribution vector for most Android malware

    The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.

    Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
    In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
    Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analyzed could be described as malicious or unwanted applications.
    But the researchers focused specifically on the “who-installs-who relationships between installers and child apps” to discover the path malicious apps take to reach user devices.
    The research team said it looked at 12 major categories that result in app installations, which included:
    Apps installed from the official Play Store
    Apps installed from alternative markets (aka third-party app stores)
    Apps downloaded via web browsers
    Apps installed via commercial PPI (pay-per-install) programs
    Apps installed via backup and restore operations
    Apps installed from an instant message (IM)
    Apps installed via phone theme stores
    Apps loaded onto disk and installed via the local file manager
    Apps installed from file-sharing apps
    Apps preloaded on the device (bloatware)
    Apps installed via mobile device management (MDM) servers (apps installed by enterprises on their employees’ devices)
    Apps installed via package installers
    The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.

    In a distant second, with 10%, came alternative markets, dispelling a pretty common assumption that most Android malware these days comes from third-party app stores.
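The “who-installs-who” attribution the study describes can be reproduced in miniature. The Python script below is an added example, not code from the paper or from NortonLifeLock: it takes constructed install events (child app, installer app, the installer’s vector category), walks each unwanted install back through uncategorised intermediate installers to the root vector that put it on the device, and reports each vector’s share. The package names, categories and the unwanted-app set are made up for illustration; the cycle and depth guards handle the case where the chain loops or the installer’s own install was never observed.

```python
from collections import Counter

# Constructed install telemetry, one record per install event:
#   (child_apk, installer_apk, installer_vector)
# installer_vector is the distribution category the installer belongs to;
# "unknown" marks an ordinary app acting as installer (e.g. a PPI SDK inside it).
EVENTS = [
    ("com.example.flashlight", "com.android.vending",          "playstore"),
    ("com.example.cleaner",    "com.altmarket.store",          "alt_market"),
    ("com.example.cleaner2",   "com.example.cleaner",          "unknown"),
    ("com.example.wallpaper",  "com.theme.store",              "theme_store"),
    ("com.example.ad_sdk_app", "com.example.flashlight",       "unknown"),
    ("com.example.bundle",     "com.android.packageinstaller", "package_installer"),
    ("com.example.adware",     "com.android.vending",          "playstore"),
    ("com.example.sideload",   "com.android.documentsui",      "file_manager"),
    ("com.example.orphan",     "com.example.mystery",          "unknown"),
]

# Constructed verdicts (what an AV labelling step would supply).
UNWANTED = {"com.example.cleaner2", "com.example.ad_sdk_app", "com.example.adware",
            "com.example.wallpaper", "com.example.sideload", "com.example.orphan"}


def root_vector(installer, vector, installed_by, max_depth=10):
    """Walk up the installer chain until a categorised installer is reached.
    Stops on a cycle, a missing record, or max_depth, and then reports "unknown"."""
    seen = set()
    depth = 0
    while (vector == "unknown" and installer in installed_by
           and installer not in seen and depth < max_depth):
        seen.add(installer)
        installer, vector = installed_by[installer]
        depth += 1
    return vector


def attribute(events, unwanted):
    """Count unwanted installs by the root vector that put them on the device;
    returns {vector: (count, percent)} ordered by count."""
    installed_by = {}
    for child, installer, vector in events:
        installed_by.setdefault(child, (installer, vector))  # first observed record wins
    counts = Counter()
    for child, installer, vector in events:
        if child in unwanted:
            counts[root_vector(installer, vector, installed_by)] += 1
    total = sum(counts.values())
    return {v: (n, round(100 * n / total, 1)) for v, n in counts.most_common()}


if __name__ == "__main__":
    for vector, (n, pct) in attribute(EVENTS, UNWANTED).items():
        print(f"{vector:18s} {n:3d} {pct:5.1f}%")
```

In this constructed set two of the six unwanted installs trace back to the Play Store even though one of them was dropped by another app rather than by the store directly, which is the kind of chain the installer-graph approach is meant to surface.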

    The research, titled “How Did That Get In My Phone? Unwanted App Distribution on Android Devices,” is available for download in PDF format and was authored by researchers from NortonLifeLock and the IMDEA Software Institute in Madrid, Spain.
    A Google spokesperson did not return a request for comment sent almost three weeks ago.


    Palo Alto Networks acquires attack surface manager Expanse in $800m deal

    Palo Alto Networks has announced the acquisition of Expanse to boost the capabilities of the firm’s Cortex cybersecurity product portfolio. 

    Announced on Wednesday, Palo Alto said the purchase will be used to bolster the Cortex portfolio with Expanse’s attack surface management solutions. 
    The deal was secured for $670 million in cash and stock, as well as roughly $130 million in replacement equity awards — although these amounts may be adjusted. 
    Founded in 2012, San Francisco-based Expanse develops solutions designed to monitor attack surfaces in order to perform risk assessments and mitigate threats. 
    The platform includes a dashboard for discovering and monitoring Internet assets, software for monitoring suspicious network activity and analyzing traffic patterns, and also offers a selection of APIs and tools for integration with existing IT infrastructure. 
    “Expanse’s data provides CISOs with a view of the enterprise from the outside, representing the view an attacker sees as they probe for points of weakness,” Palo Alto says. 
    The company has secured $136 million in funding to date. Previous investors include TPG, IVP, and New Enterprise Associates. 

    Expanse co-founders, Tim Junio and Matt Kraning, will join the Palo Alto Networks team once the deal is complete.
    “Expanse’s mission is to discover and mitigate risks for our customers that no one else can find,” commented Junio. “The world’s largest and most complex organizations trust Expanse to continuously discover, inventory, monitor, and report against their dynamically changing attack surface. Matt and I look forward to joining forces with Palo Alto Networks to help secure the internet for enterprises and governments around the world.”
    The acquisition is expected to close during Palo Alto Networks’ financial second quarter, subject to regulatory approval and other closing conditions. 