Information Technology

Image: Manthana Chaiwong, ZDNet
Ransomware gangs that steal a company’s data and then get paid a ransom fee to delete it don’t always follow through on their promise.

The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.
These incidents take place only for a certain category of ransomware attacks — namely those carried out by “big-game hunters” or “human-operated” ransomware gangs.
These two terms refer to incidents where a ransomware gang specifically targets enterprise or government networks, knowing that once infected, these victims can’t afford prolonged downtimes and will likely agree to huge payouts.
But since the fall of 2019, more and more ransomware gangs began stealing large troves of files from the hacked organizations before encrypting the victims’ files.
The idea was to threaten the victim to release its sensitive files online if the company wanted to restore its network from backups instead of paying for a decryption key to recover its files.
Some ransomware gangs even created dedicated portals called “leak sites,” where they’d publish data from companies that didn’t want to pay.

Image: ZDNet

If hacked companies agreed to pay for a decryption key, ransomware gangs also promised to delete the data they had stolen.
In a report published this week, Coveware, a company that provides incident response services to hacked companies, said that half of the ransomware incidents it investigated in Q3 2020 had involved the theft of company data before files were encrypted, doubling the number of ransomware incidents preceded by data theft it saw in the previous quarter.
But Coveware says that these types of attacks have reached a “tipping point” and that more and more incidents are being reported where ransomware gangs aren’t keeping their promises.
For example, Coveware said it had seen groups using the REvil (Sodinokibi) ransomware approach victims weeks after the victim paid a ransom demand and ask for a second payment using renewed threats to make public the same data that victims thought was deleted weeks before.
Coveware said it also saw the Netwalker (Mailto) and Mespinoza (Pysa) gangs publish stolen data on their leak sites even if the victim companies had paid the ransom demand. Security researchers have told ZDNet that these incidents were most likely caused by technical errors in the ransomware gang’s platforms, but this still meant that the ransomware gangs hadn’t deleted the data as they promised.
Further, Coveware also said it observed the Conti ransomware gang send victims falsified evidence as proof of having deleted the data. Such evidence is usually requested by the victim’s legal team, but sending over falsified proof means the ransomware gang never intended to delete the data and was most likely intent on reusing at a later point.
On top of this, Coveware said it also saw the Maze ransomware gang post stolen data on their leak sites accidentally, even before they notified victims that they had stolen their files.
This has also happened with the Sekhmet and Egregor gangs; both considered to have spun off from the original Maze operation, Coveware said.
In addition to these, ZDNet also learned of additional incidents from other companies providing incident response services for ransomware attacks.
Most of these incidents involve the Maze gang, the pioneer of the ransomware leak site, and the double-extortion scheme. More exactly, they involve “affiliates,” a term that describes cybercriminals who bought access to the Maze ransomware-as-a-service (RaaS) platform and were using the Maze ransomware to encrypt files.
But while some affiliates play by the rules, some haven’t. There have been cases where a former Maze affiliate who was kicked out of the Maze RaaS program had approached and tried to extort former victims with the same stolen data for the second time, data which they promised to delete.
There have also been cases where Maze affiliates accidentally posted stolen data on the Maze leak site, even after a successful ransom payment. The data was eventually taken down, but not after the posts on the Maze site got hundreds or thousands of reads (and potential downloads).
Things got worse throughout the year for Maze affiliates as antivirus companies started detecting Maze payloads and blocking the encryption and stopping attacks.
In many of these cases, the Maze affiliates had to settle for using only the data they managed to steal before the encryption was blocked and often had to settle for smaller ransom payments.
Seeking new avenues of profits, in at least two cases, a Maze group attempted to sell employee credentials and personal data to security researchers posing as underground data brokers.

These examples confirm what many security researchers had already suspected — namely, that ransomware gangs can’t be trusted or taken on their word.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” Coveware wrote in its report. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future.”
The security firm is now recommending that companies never consider that any of their data to be deleted and plan accordingly, which usually involves notifying all impacted users and employees.
The advice needs to be given because some companies have been using the excuse that they’ve paid the ransom demand and that the ransomware gang made a pinky-promise to delete the data as an excuse not to notify their users and employees.
Since many of the documents stolen in ransomware attacks contain sensitive personal and financial details, if resold, these documents can be very useful for a slew of fraudulent operations that a victim company’s customers or employees need to be aware of and prepare for. More

Apple has released security updates today for iOS to patch three zero-day vulnerabilities that were discovered being abused in attacks against its users.
According to Shane Huntley, Director of Google’s Threat Analysis Group, the three iOS zero-days are related to the recent spat of three Chrome zero-days[1, 2, 3] and a Windows zero-day that Google had previously disclosed over the past two weeks.
Just like in the four previous cases, Google has not shared details about the attacker(s) or their target(s).

Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
— Shane Huntley (@ShaneHuntley) November 5, 2020

While it’s unknown if the zero-days have been used against selected targets or en-masse, iOS users are advised to update to iOS 14.2, just to be on the safe side.
The same security bugs have also been fixed in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and have also been backported for older generation iPhones via iOS 12.4.9, also released today.
According to Google Project Zero team lead Ben Hawkes, whose team discovered and reported the attacks to Apple, the three iOS zero-days are:
CVE-2020-27930 — a remote code execution issue in the iOS FontParser component that lets attackers run code remotely on iOS devices.
CVE-2020-27932 — a privilege escalation vulnerability in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
CVE-2020-27950 — a memory leak in the iOS kernel that allows attackers to retrieve content from an iOS device’s kernel memory.
All three bugs are believed to have been used together, part of an exploit chain, allowing attackers to compromise iPhone devices remotely. More

Image: Licya
Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.
The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

Image supplied
The RagnarLocker gang is now trying to extort the company into paying a ransom demand to decrypt its files.
But the ransomware group is also threatening to release files it stole from Campari’s network if the company doesn’t pay its ransom demand in a week after the initial intrusion.
Screenshots of Campari’s internal network and corporate documents have been posted on a dark web portal where the RagnarLocker gang runs a “leak site”, as proof of the intrusion. Included in these proofs is even a copy of the contract signed by Campari with US actor Matthew McConaughey for the Wild Turkey bourbon brand.

In a text chat window available to RagnarLocker victims, a Campari representative has not replied to the ransomware gang.
Instead, the Italian company appears to have chosen to restore its encrypted systems rather than pay the ransom demand, according to a short press release published on Tuesday, where Campari said it’s working on a “progressive restart in safety conditions.”

In the same press release, Campari also said it detected the intrusion as soon as it took place and immediately moved in to isolate impacted systems, and that the incident is not expected to have any significant impact on its financial results.
However, at the time of writing, Campari websites, email servers, and phone lines are still down, five days after the attack.
A Campari representative also couldn’t be reached because of the company’s current state of affairs.
Campari is the second major beverage vendor after Arizona Beverages that’s knocked online because of a ransomware attack in the past two years. More

Working from home has come with problems a few of us ever considered before. Just ask well-known New Yorker writer and pundit Jeffrey Toobin who was caught, uh, amusing himself, on a Zoom call. Wouldn’t it be nice if you could be sure your webcam and microphone were off? Dell thinks so, which is why they’ve offered Linux kernel code to support its Dell Privacy controls.

Must-see offers

The Dell Privacy Drivers support its newest laptops; hardware-based privacy buttons. These key combinations stop any application from accessing its laptops’ built-in microphone and camera. To ensure that the microphone can’t be used to listen in on you, you’ll press ctrl+F4. To lock down the webcam you’ll press  ctrl+F9.
Once this new code is incorporated into the Linux kernel, no program can access the audio or video streams. Since this works at the operating system level, besides making accidents harder to do, it should block spyware or other kinds of malware that try to sneak a peek at you.
Of course, this isn’t the first time privacy has been built into a Linux-powered laptop. The specialist Linux PC vendor Purism, for example, has long made both privacy and strict support for open-source software its trademark. Its machines already come with hardware to block video and audio streams.
That said, it’s still noteworthy that one of the world’s largest PC vendors now thinks Linux is so important to its audience that it’s supporting its new privacy hardware from the start. All too often in the past, companies made Linux support for less common PC hardware features such as fingerprint readers and security mechanisms an afterthought.
Related Stories: More

Image: ZDNet
GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals.
The “supposed” source code was leaked via a commit to GitHub’s DMCA section.
The commit was also faked to look like it originated from GitHub CEO Nat Friedman.
But in a message posted on YCombinator’s Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way.
Friedman said the “leaked source code” didn’t cover all of GitHub’s code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features.
Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally “shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers.”

Image: ZDNet
Friedman promised that GitHub was going to fix the two bugs exploited by the leaker and prevent unauthorized parties from attaching their code to other people’s projects via faked identities.

“In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all’s right with the world,” Friedman said.
Not the first time
But this is not the first time that this happened on GitHub.
One of the two bugs was used just days earlier when a security researcher attached the source code of the youtube-dl library to GitHub’s DMCA section.
The security researcher’s gesture came as a form of protest after GitHub decided to honor a suspicious DMCA takedown request against the youtube-dl library from music recording industry group RIAA.

Image: ZDNet
While the mystery leaker never explained their actions, it is believed that the person who leak the GitHub Enterprise Server code was also protesting against GitHub’s decision to honor RIAA’s DMCA request and take down youtube-dl, a project that lets users download raw audio and video files from YouTube and other services — which RIAA argued was heavily used to pirate its songs catalog.
For the past week, hundreds of other users have been re-uploading the youtube-dl code on their own accounts and daring RIAA to send them a DMCA request too. GitHub has warned users not to do so, as they risk getting banned by its automated systems. More

Cisco has found a security bug that impacts remote workers using its Webex Meetings Virtual Desktop App for Windows. 
With the company’s Webex Meetings one of the main enterprise options for online video meetings with teammates, the product is probably getting even higher use due to remote working as the COVID-19 pandemic rolls on across the world. 

Networking

Cisco has warned that the bug in Webex Meetings Desktop App for Windows is a high-severity security flaw. 
However, it can only be exploited when Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients. 
The plug-in is designed to support HVD users, such as remote workers who are connecting to a corporate network from a personal computer.
The flaw may allow an attacker to execute arbitrary code on a targeted system with the targeted user’s privileges. 
“A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user,” Cisco explains in an advisory. 

One mitigating factor is that the vulnerability can only be exploited by a local attacker with limited privileges who had sent a malicious message to the affected software by using the virtualization channel interface. 
Nonetheless, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10. 
The bug has been fixed in the Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.
Cisco also notes that customers must update the affected app in the HVD in the virtual desktop environment. However, the plug-in does not need to be updated. 
Fortunately, Cisco’s Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild and Cisco found the bug during internal testing. 
Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows. 
There are three bugs that stem from the playback apps not doing enough to validate elements of Webex recordings stored in the Advanced Recording Format (ARF) – a video format for Webex – or the Webex Recording Format (WRF). 
The bugs are tracked as CVE-2020-3573, CVE-2020-3603, and CVE-2020-3604. They have a severity rating of 7.8. 
Attackers can exploit the flaws by sending target into opening a malicious ARF or WRF file through a link or email attachment, and then tricking the target into opening the file with the two Webex players. 
Webex Network Recording Player is used to play back ARF files, while Webex Player is used to play back WRF files. 
The playback applications are available from Cisco Webex Meetings and Cisco Webex Meetings Server. 
The Webex Network Recording Player is available from Cisco Webex Meetings sites and Cisco Webex Meetings Server. The Cisco Webex Player is available from Cisco Webex Meetings sites but not from the Cisco Webex Meetings Server.
While Cisco’s PSIRT has not observed any malicious activity using these flaws, they were found by security researcher Francis Provencher (PRL) who reported the issue to Cisco via Trend Micro’s Zero Day Initiative. 
Cisco notes there are no workarounds for this bug and has listed in its advisory the releases of Webex Meetings sites and Webex Meetings Server that need to be updated.  
More on Cisco and networking security More

A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a stepping stone towards much more intrusive campaigns.

More on privacy

Detailed by cybersecurity researchers at Check Point, one hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign.
SEE: 10 tips for new cybersecurity pros (free PDF)
Other countries where organisations fell victim to these attacks include the Netherlands, Belgium, the United States, Columbia and Germany.
The attacks exploit CVE-2019-19006, a critical vulnerability in Sangoma and Asterisk VoIP phone systems that allows outsiders to remotely gain access without any form of authentication. A security patch to fix the vulnerability was released last year, but many organisations have yet to apply it – and cyber criminals are taking advantage of this by scanning for unpatched systems.
“The vulnerability is an authentication bypass flaw, and the exploit is publicly available. Once exploited, the hackers have admin access to the VoIP system, which enables them to control its functions. This will not be detected unless an IT team is specifically looking for it,” Derek Middlemiss, security evangelist at Check Point Research, told ZDNet.

One of the most common means the hacked systems are exploited for is making outgoing calls without the VoIP system being aware, which would allow attackers to secretly dial premium rate numbers they’ve set up in order to generate money at the expense of the compromised organisation. And because businesses make so many legitimate phone calls on these systems, it’d be difficult to detect if a server is being exploited.
The attackers also make money by selling access to the systems to the highest bidder, something that could potentially be used for other cyberattacks that could be more dangerous to victims.
“It’s likely that those attacks can be leveraged for other malicious activity such as cryptomining and for eavesdropping,” said Middlemiss.
And it’s potentially possible for attackers to use a compromised VoIP system as a gateway to the rest of the network, opening up the possibility of stealing credentials or deploying malware.
“That’s depending on how the server is configured and connected to the rest of the corporate network. If it is not segmented from the rest of the network, attackers could move laterally,” he added.
SEE: Mobile security: These seven malicious apps have been downloaded by 2.4m Android and iPhone users
It’s recommended that organisations change default usernames and passwords on devices so they can’t easily be exploited and, if possible, analyse call billings on a regular basis for potentially suspicious destinations, volumes of traffic or call patterns.
And most importantly, organisations should apply the required security patches to prevent known vulnerabilities from being exploited.
“Always look for and apply new patches for everything on your network to ensure vulnerabilities like this are closed off,” said Middlemiss.
MORE ON CYBERSECURITY More

A new, Chinese advanced persistent threat (APT) group making the rounds performs DLL side-loading attacks including the phrase “KilllSomeOne.”

According to Sophos researcher Gabor Szappanos, the group — suspected to be of Chinese origin — is targeting corporate organizations in Myanmar using poorly-written English messages relating to political subjects. 
Side-loading utilizes DLL spoofing to abuse legitimate Windows processes and execute malicious code. While nothing new, Sophos said in a blog post on Wednesday that this APT combines four separate types of side-loading attack when carrying out targeted campaigns. 
Each attack type is connected by the same program database (PDB) path, and some of the samples recorded and connected to the cybercriminals contain the folder name “KilllSomeOne.”
See also: Promethium APT attacks surge, new Trojanized installers uncovered
“Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware,” Sophos says. “Combinations from both of these sets were used in the same attacks.”
In the first scenario, a Microsoft antivirus component is used to load mpsvc.dll, a malicious loader for Groza_1.dat. While encryption is in play, it is nothing more than a simple XOR algorithm and the key is the string: “Hapenexx is very bad.”

The second sample leverages AUG.exe, a loader called dismcore.dll, and the same payload and key are used — but in this case, both the file name and decryption key are encrypted with a one-byte XOR algorithm.
The Groza_1.dat payload is PE shellcode which loads the final payload into memory for execution, connecting to a command-and-control (C2) server which could be used to issue commands or deploy additional malware. An unused string called “AmericanUSA” was also noted. 
The other two samples, using payload file names adobe.dat and x32bridge.dat, are more sophisticated and use a shell to establish persistence, for obfuscation, and to “prepare file space for collecting data,” the researchers say. 
CNET: Election still too close to call: How to spot misinformation while you wait for results
One notable difference is a change in the encryption key, using the string “HELLO_USA_PRISIDENT.”
The payloads will deploy an installer and additional components for another DDL side-loading set of attacks in a number of directories and will assign the files “hidden” and “system” attributes. 
“The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component,” the team says. “This is an effort to conceal the execution.”
The malware will also wipe out running processes that could interfere with side-loading attempts, creates a registry key to establish persistence, and begins to exfiltrate data.  
TechRepublic: It’s an urgent plea this Election Day: Don’t click on ransomware disguised as political ads
According to the researchers, the APT doesn’t fit in neatly with standard cyberattack group descriptives as the messages hidden in their samples and the simple implementation of much of their coding leans toward script-kiddie levels — but at the same time, the targeting and deployment strategy is more commonly associated with sophisticated APTs. 
“Based on our analysis, it’s not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code,” Sophos says. “We will continue to monitor their activity to track their further evolution.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More