More stories

  • A simple telephony honeypot received 1.5 million robocalls across 11 months

    In an award-winning paper presented at the USENIX security conference this week, a team of academics from North Carolina State University presented a list of findings from operating a massive telephony honeypot for 11 months for the sole purpose of tracking, identifying, and analyzing the robocalling phenomenon in the US.
    NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they received 1,481,201 unsolicited calls, even though they never made their phone numbers public via any source.
    The research team said they usually received an unsolicited call every 8.42 days, but most of the robocall traffic came in sudden surges they called “storms” that happened at regular intervals, suggesting that robocallers operated using a tactic of short-burst and well-organized campaigns.
    In total, the NCSU team said it tracked 650 storms over 11 months, with most storms being of the same size.

    But the research team also said that not all calls during a storm were from the robocallers themselves and that a large chunk of calls also came from real persons.
    Researchers believe this happened because, at the time of the storm, the robocalling operation had been using a technique known as “caller ID spoofing” to hide their real phone numbers and pass as real persons.
    If victims of the robocalling campaign missed the call and called back the spoofed number, they’d eventually end up calling the research team’s honeypot telephone numbers.
    Ironically, researchers also caught a storm outside of their honeypot network.

    “Interestingly, a colleague in our lab was a victim of a storm event. He was overwhelmed with calls from hundreds of strangers complaining that they had received a call from him! Needless to say, he was unable to use his phone for a few days until the calls died down.”

    But the NCSU team also recorded a 10% sample (~150,000) of the robocalls they received, which they later analyzed using audio processing tools to determine the source and content of the robocall itself.
    Academics said they detected 2,687 unique robocalling campaigns, with the largest ones promoting student loans, health insurance, Google search promotion services, and Social Security scams.

    However, the research team’s biggest finding was that answering 1.5 million robocalls across 66,000 phone numbers did not produce a spike in subsequent robocalls.
    “News reports and regulatory agencies recommend phone users to avoid answering calls from unknown numbers to reduce the number of robocalls,” researchers said.
    “Surprisingly, we found that answering phone calls does not necessarily increase the number of robocalls you would receive. Phone users should be cautious when you get a call from an unknown number. However, occasionally answering an unsolicited phone call does not mean you will receive more robocalls.” (Emphasis ours.)
    Additional details about the NCSU robocalling research project are available in the “Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis” academic paper [PDF]. The paper also received the conference’s Distinguished Paper Award.
    A recorded video of the research team’s USENIX talk is also available.
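The “storm” pattern described above, as an added detection example that is not code from the NCSU study: calls are bucketed into fixed time bins, a bin is flagged when its count is far above the 8.42-days-per-line baseline the article reports, and adjacent flagged bins are merged into one storm. The call log is constructed; the line ids and calling numbers are invented.

```python
"""Flag robocall "storms" (short, dense bursts) in a telephony honeypot log.

Added example, not code from the NCSU study. The call log is constructed:
(UTC timestamp, honeypot line id, calling number) tuples.
"""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Baseline reported in the article: one unsolicited call per line every 8.42 days.
BASELINE_DAYS_PER_CALL = 8.42


def expected_calls_per_bin(n_lines, bin_seconds):
    """Calls the whole honeypot should see per time bin at the baseline rate."""
    return n_lines * bin_seconds / (BASELINE_DAYS_PER_CALL * 86400)


def detect_storms(calls, n_lines, bin_seconds=3600, factor=10.0, min_calls=20):
    """Bucket calls into fixed bins; a bin is stormy when its count reaches
    `factor` times the baseline expectation (and at least `min_calls`).
    Adjacent stormy bins are merged into one storm record."""
    threshold = max(min_calls, factor * expected_calls_per_bin(n_lines, bin_seconds))
    bins = defaultdict(list)
    for ts, line, caller in calls:
        bins[int(ts.timestamp() // bin_seconds)].append((line, caller))

    storms, current = [], None
    for key in sorted(bins):
        if len(bins[key]) < threshold:
            current = None                      # a quiet bin closes any open storm
            continue
        if current is not None and key == current["last"] + 1:
            current["entries"].extend(bins[key])
            current["last"] = key
        else:
            current = {"first": key, "last": key, "entries": list(bins[key])}
            storms.append(current)

    report = []
    for s in storms:
        callers = Counter(c for _, c in s["entries"])
        report.append({
            "start": datetime.fromtimestamp(s["first"] * bin_seconds, tz=timezone.utc),
            "end": datetime.fromtimestamp((s["last"] + 1) * bin_seconds, tz=timezone.utc),
            "calls": len(s["entries"]),
            "lines_hit": len({line for line, _ in s["entries"]}),
            "top_callers": callers.most_common(3),   # spoofed caller IDs cluster here
        })
    return report


def build_sample_log(with_storm=True, seed=1):
    """Constructed data: 1,000 lines, two days of background calls near the
    baseline rate, plus (optionally) a two-hour storm from five spoofed IDs."""
    rng = random.Random(seed)
    n_lines = 1000
    t0 = datetime(2019, 6, 1, tzinfo=timezone.utc)
    calls = []
    for _ in range(240):                        # about 5 calls/hour across all lines
        ts = t0 + timedelta(seconds=rng.randrange(2 * 86400))
        calls.append((ts, f"line-{rng.randrange(n_lines)}",
                      f"+1555{rng.randrange(10_000_000):07d}"))
    if with_storm:
        spoofed = [f"+1555000{i:04d}" for i in range(5)]
        storm_start = t0 + timedelta(hours=30)
        for _ in range(400):                    # about 200 calls/hour for two hours
            ts = storm_start + timedelta(seconds=rng.randrange(2 * 3600))
            calls.append((ts, f"line-{rng.randrange(n_lines)}", rng.choice(spoofed)))
    return calls, n_lines


if __name__ == "__main__":
    log, lines = build_sample_log()
    for storm in detect_storms(log, lines):
        print(storm)
```

The `top_callers` field is the useful triage output: a storm whose calls concentrate on a handful of numbers is a spoofed-ID campaign, while a storm of mostly distinct numbers is more likely the call-back traffic from victims the article describes.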

  • 300,000 links taken down in crackdown on investment scams with bogus celebrity endorsements

    Over 300,000 malicious links advertising fake get-rich-quick schemes designed to trick people into handing their money to cyber criminals have been taken down in a crackdown by the UK’s National Cyber Security Centre (NCSC).
    The scams see fraudsters attempting to lure people into making bogus investments using phoney endorsements from celebrities, such as Sir Richard Branson, suggesting they’ve made millions by buying and selling bitcoin or other cryptocurrency.


    Links to the scams are promoted in fake news articles on pages designed to look like they’re being published by the real website of an actual newspaper or other legitimate publications. The articles, which are distributed by phishing emails and paid-for digital advertising, aim to trick victims into giving away their money or bank details to cyber criminals.
    Over the course of the last few months, the NCSC – the cybersecurity arm of GCHQ – has taken down over 300,000 malicious links to the phoney celebrity-endorsed investment schemes.
    Many of the scams were taken down after being reported to the NCSC’s Suspicious Email Reporting Service, which has now received over 1.8 million reports of potentially criminal behaviour since being launched in April this year.
    “These investment scams are a striking example of the kind of methods cyber criminals are now deploying to try to con people. We are exposing them today not only to raise public awareness but to show the criminals behind them that we know what they’re up to and are taking action to stop it,” said NCSC CEO Ciaran Martin, who steps down from the role at the end of this month.
    “I would urge the public to continue doing what they have been so brilliantly and forward anything they think doesn’t look right to our Suspicious Email Reporting Service.”
    The Financial Conduct Authority says investment scams cost the public over £197m in 2018 alone and the NCSC is working with the City of London Police to help warn the public about the dangers posed by the schemes.
    “These figures provide a stark warning that people need to be wary of fake investments on online platforms. Celebrity endorsements are just one way criminals can promote bogus schemes online,” said Commander Clinton Blackburn of the City of London Police.
    “Criminals will do all they can to make their scams appear legitimate. It is vital you do your research and carry out the necessary checks to ensure that an investment you are considering is legitimate,” he added.
    The NCSC is also working with some of the celebrities whose identities cyber criminals falsely use to promote scams, in order to help take the schemes down.
    “We have dealt with hundreds of instances of fake sites and fraudsters impersonating me or my team online. We are working in partnership with organisations such as NCSC to report these sites and do all we can to get them taken down as quickly as possible,” said Sir Richard Branson, founder of the Virgin Group. 
    “Sadly, the scams are not going to disappear overnight, and I would urge everyone to be vigilant and always check for official website addresses and verified social media accounts,” he added. 
    People who think they’ve fallen victim to a celebrity scam or any other form of scam are urged to report it to the authorities.

  • FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers


    The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers.
    The two agencies say Russian hackers used the malware, named Drovorub, to plant backdoors inside hacked networks.
    Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
    Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
    Drovorub — APT28’s swiss-army knife for hacking Linux
    Per the two agencies, Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
    “Drovorub is a ‘swiss-army knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim’s computer,” McAfee CTO, Steve Grobman, told ZDNet in an email today.
    “In addition to Drovorub’s multiple capabilities, it is designed for stealth by utilizing advanced ‘rootkit’ technologies that make detection difficult,” the McAfee exec added. “The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time.”

    “The United States is a target-rich environment for potential cyber-attacks. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference,” Grobman said.
    “Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States.”
    To prevent attacks, the agencies recommend that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.
    The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.
    Some interesting details we gathered from the 45-page-long security alert:
    • The name Drovorub is the name that APT28 uses for the malware, not one assigned by the NSA or FBI.
    • The name comes from drovo [дрово], which translates to “firewood” or “wood”, and rub [руб], which translates to “to fell” or “to chop.”
    • The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies claim Drovorub connected to a C&C server previously used in APT28 operations targeting IoT devices in the spring of 2019. That IP address had already been documented by Microsoft.
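An added host check for the kernel-signing recommendation above (not code from the FBI/NSA alert): it confirms the running kernel is 3.7 or later and that module signature enforcement is actually switched on, since a kernel that merely supports signing will still load an unsigned module. It assumes the parameter lives at the mainline sysfs path.

```python
"""Check a Linux host against the baseline the joint alert recommends: a kernel
of 3.7 or later with module signature enforcement switched on, so an unsigned
rootkit module such as Drovorub's is refused at load time.

Added example, not from the FBI/NSA alert. The sysfs path is the mainline
location of the parameter (assumption: some distributions differ).
"""
import platform
import re
from pathlib import Path

# Exposed only when the kernel was built with CONFIG_MODULE_SIG; "Y" means
# unsigned or badly signed modules are rejected rather than merely tainted.
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")


def parse_kernel_version(release):
    """'5.4.0-42-generic' -> (5, 4, 0); '3.7' -> (3, 7, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_supports_module_signing(release):
    """Module signing (CONFIG_MODULE_SIG) first shipped in Linux 3.7."""
    return parse_kernel_version(release) >= (3, 7, 0)


def read_flag(path):
    """Stripped file contents, or None when the file does not exist."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess(release, sig_enforce):
    """Pure function over the two observations so it can be unit-tested."""
    findings = []
    if not kernel_supports_module_signing(release):
        findings.append(f"kernel {release} predates 3.7: module signing unavailable, upgrade")
    if sig_enforce == "N":
        findings.append("sig_enforce=N: unsigned modules still load; boot with module.sig_enforce=1")
    elif sig_enforce != "Y":
        findings.append("no sig_enforce parameter: kernel built without CONFIG_MODULE_SIG")
    return {"kernel": release, "sig_enforce": sig_enforce, "findings": findings}


def assess_host():
    """Read the live values from this machine and assess them."""
    return assess(platform.release(), read_flag(SIG_ENFORCE))


if __name__ == "__main__":
    result = assess_host()
    print(f"kernel {result['kernel']}, sig_enforce={result['sig_enforce']}")
    for finding in result["findings"]:
        print(" -", finding)
```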

  • Google: We'll test hiding the full URL in Chrome 86 to combat phishing

    Google will subject Chrome users to a large-scale test in the next version of its browser to discover how people respond to just seeing a site’s domain name without the full URL for pages on that site. 
    The test will be carried out on Chrome 86, which is due for a stable release at the end of this month. 

    Chrome 86 is already known to include a feature that detects and unloads heavy ads and throttles JavaScript timers used on websites to deliver better battery life for end-user devices.   
    Google’s new experiment will involve some “randomly assigned” users of Chrome 86. These users will have two choices when the full URL (Uniform Resource Locator) is concealed. Those in the experiment would, for example, only see en.wikipedia.org rather than the full address of the specific Wikipedia page.  
    As a first step, users in the experiment can hover over the limited URL to display the full URL. The other option is to right-click on the URL, and choose ‘Always show full URLs’ in the context menu. This will make Chrome show the full URL for all future sites being visited.
    The purpose of the experiment is to see whether this approach helps people spot phishing URLs.
    As Google points out, there are a bunch of ways scammers and attackers can tweak a URL to trick users into thinking they’re opening a legitimate and authentic page.  
    Apple Safari already shows only the domain name by default and, like Chrome, no longer shows the HTTPS part of the URL.
    “In Chrome 86, we’re likewise going to experiment with how URLs are shown in the address bar on desktop platforms. Our goal is to understand – through real-world usage – whether showing URLs this way helps users realize they’re visiting a malicious website, and protects them from phishing and social-engineering attacks,” the Chrome security team states. 
    Chrome users can test the approach Google is exploring in the Chrome Canary and Dev channels. Users will need to open chrome://flags in Chrome 86 and enable several flags before relaunching Chrome. 
    The flags include:  
    #omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover
    #omnibox-ui-sometimes-elide-to-registrable-domain
    Optionally, #omnibox-ui-hide-steady-state-url-path-query-and-ref-on-interaction to show the full URL on page load until you interact with the page.

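The two display rules the story describes, as an added example that is not Chrome’s code: eliding a URL to its host (the en.wikipedia.org case above) and eliding further to the registrable domain (the “elide-to-registrable-domain” flag). The public-suffix table is a small constructed subset, and the lookalike host in the samples is invented.

```python
"""Two omnibox display rules from the Chrome 86 experiment: eliding a URL to
its host name (the article's en.wikipedia.org example) and eliding further to
the registrable domain (the "elide-to-registrable-domain" flag).

Added example, not Chrome's code. PUBLIC_SUFFIXES is a tiny constructed
subset; a real implementation must consult the full Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for the samples below.
PUBLIC_SUFFIXES = {"com", "org", "net", "test", "uk", "co.uk", "org.uk", "github.io"}


def registrable_domain(host):
    """eTLD+1: the longest matching public suffix plus one more label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # try the longest candidate suffix first
        suffix = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host.lower()                       # unknown suffix: show the whole host


def elide_to_host(url):
    """Drop scheme, path, query and fragment; keep the full host name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return url                            # leave chrome://, file: etc. untouched
    return parts.hostname


def elide_to_registrable_domain(url):
    """The stricter display: only the part of the host the site owner registered."""
    host = elide_to_host(url)
    return host if host == url else registrable_domain(host)


# Constructed samples: the third is a lookalike host whose leading labels
# imitate a bank; only the registrable-domain view makes the real owner obvious.
SAMPLES = [
    "https://en.wikipedia.org/wiki/Phishing",
    "https://www.example.co.uk/login?next=/account",
    "https://accounts.bank.test.login-verify.test/secure?session=1",
    "chrome://flags",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  host:       ", elide_to_host(url))
        print("  registrable:", elide_to_registrable_domain(url))
```

Note that neither rule helps against a lookalike registered domain itself (a homograph or a typo of the brand), which is why the experiment measures user behaviour rather than assuming elision alone stops phishing.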

  • Signal adds message requests to stop spam and protect user privacy

    Secure instant messaging app Signal has rolled out a new feature called Message Requests that lets users approve or block who can contact them via text or voice call, or when they can be added to group chats.
    With Signal adoption growing in recent years due to its reputation as a secure communications channel with robust end-to-end encryption (E2EE), the app is bound to see its fair share of spammers in the future.
    The new Message Requests feature works by prompting users before a new conversation is started — similarly to prompts seen in Facebook Messenger.
    Users can block, delete, or accept new messages based on the sender’s number, profile information, avatar, or initial message.
    Blocked users won’t be able to see when they’ve been blocked, and Signal says Message Requests won’t be shown for users who are already in another user’s contacts list.
    The new message request prompts will not only appear for text messages, but also for voice calls initiated by unknown users.

    Further, the new Message Requests feature also blocks unknown users from adding others to group chats, a tactic that has been common with spammers across rival instant messaging applications and is bound to make its way inside Signal as well.
    This new feature is not available by default for all users, but only for those who configure a Signal profile — by adding a name/nickname and an avatar in the app’s settings section. Once users have a profile in place, the Message Requests feature will become active.
    The new Message Requests feature was tested earlier this year, was formally announced yesterday, and is currently being rolled out in multiple phases to the app’s entire userbase.
    Earlier this year, Signal also announced plans to move away from using phone numbers as user IDs, and rolled out profile PINs as a way to sync user contact lists when migrating between devices.

  • In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

    Amazon’s Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service’s subdomains. 

    The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot — with over 200 million shipments worldwide — was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings. 
    Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks. 
    When Check Point first began examining the Alexa mobile app, the company noticed an SSL pinning mechanism that prevents traffic inspection. However, it could be bypassed using the Frida SSL universal unpinning script. 
    This led to the discovery of the app’s misconfiguration of CORS policy, which allowed Ajax requests to be sent from Amazon subdomains.
    If a subdomain was found as vulnerable to code injection, an XSS attack could be launched, and this was performed via track.amazon.com and skillsstore.amazon.com. 
    According to Check Point, it would only take a victim to click on a malicious link to exploit the vulnerabilities. A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies. 
    An attacker would then use these cookies to send an Ajax request to the Amazon skill store, which would return a list of all skills installed in the victim’s Amazon Alexa account. 
    By launching an XSS attack, researchers were also able to acquire CSRF tokens and, therefore, perform actions while masquerading as the victim. This could include removing or installing Alexa skills; by using the CSRF token to remove a skill and then installing a new one with the same invocation phrase, an attacker could “trigger an attacker skill,” the team says. 
    Should a victim trigger this new skill unwittingly, it may be possible for attackers to access voice history records, as well as abuse skill interactions to harvest personal information. 
    During tests, Check Point found phone numbers, home addresses, usernames, and banking data history could theoretically be stolen.
    “Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” the team says. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
    However, Alexa does specifically redact banking information in histories and logs. 
    Check Point also provided proof-of-concept (PoC) code.
    Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes — although the time window before malicious skills are spotted and removed may be short. 
    “It’s important to note that Amazon conducts security reviews as part of skill certification, and continually monitors live skills for potentially malicious behavior,” the researchers say. “Any offending skills that are identified are blocked during certification or quickly deactivated.”
    Check Point researchers disclosed their findings privately to Amazon in June, and the security issues have now been patched. 
    “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” commented Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”
    “The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told ZDNet. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
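The CORS misconfiguration at the heart of this story (a credentialed API trusting any subdomain of its parent domain, so an XSS on one subdomain can read another’s responses) beside a strict allowlist, as an added example that is not Check Point’s proof of concept or Amazon’s code. The hostnames are constructed stand-ins; `track.shop.example` plays the role of the XSS-prone subdomain.

```python
"""CORS origin validation: the loose subdomain trust described in the Alexa
write-up beside a strict allowlist.

Added example, not Check Point's PoC or Amazon's code. Hostnames are
constructed stand-ins; `track.shop.example` plays the role of a subdomain
that happens to be vulnerable to XSS.
"""
from urllib.parse import urlsplit

PARENT_DOMAIN = "shop.example"

# The few origins that genuinely need credentialed cross-origin access.
TRUSTED_ORIGINS = frozenset({
    "https://www.shop.example",
    "https://account.shop.example",
})


def origin_allowed_naive(origin):
    """Substring check: matches any origin containing the parent domain,
    including attacker-controlled `https://shop.example.attacker.test`."""
    return PARENT_DOMAIN in origin


def origin_allowed_subdomain(origin):
    """Any https subdomain of the parent domain is trusted. This is the
    pattern behind the Alexa finding: an XSS on any one subdomain lets the
    injected script read credentialed responses from the sensitive API."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN))


def origin_allowed_strict(origin):
    """Exact match against an explicit allowlist of full origins."""
    return origin in TRUSTED_ORIGINS


def cors_headers(origin, checker=origin_allowed_strict):
    """Headers a credentialed API should emit for a request carrying `origin`.
    An unrecognised origin gets no CORS headers at all, so the browser blocks
    the cross-origin read. `Vary: Origin` keeps caches from replaying one
    origin's answer to another."""
    if origin is None or not checker(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def compare_policies(origins):
    """Which origins each policy would grant credentialed access to."""
    policies = {"naive": origin_allowed_naive,
                "subdomain": origin_allowed_subdomain,
                "strict": origin_allowed_strict}
    return {name: sorted(o for o in origins if check(o))
            for name, check in policies.items()}


# Constructed request origins to run each policy against.
SAMPLE_ORIGINS = [
    "https://www.shop.example",             # legitimate front end
    "https://track.shop.example",           # XSS-prone subdomain (constructed)
    "http://www.shop.example",              # plaintext: injectable on the path
    "https://shop.example.attacker.test",   # lookalike registered by an attacker
    "null",                                 # sandboxed iframe / file: origin
]

if __name__ == "__main__":
    for name, allowed in compare_policies(SAMPLE_ORIGINS).items():
        print(f"{name:>9}: {allowed}")
```

The fix described in the story is the move from the middle policy to the last one: the sensitive endpoint should name the handful of origins that need it rather than inherit trust from every host under the parent domain.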


  • FireEye’s bug bounty program goes public

    FireEye has opened the gates of its bug bounty program to the public after running privately for several months. 

    On Wednesday, the cybersecurity firm said the scheme is now open to any researcher or bug bounty hunter willing to take a look at in-scope FireEye domains and services. 
    Bug bounty programs, hosted on platforms including HackerOne and Bugcrowd, are a way to ‘crowdsource’ the hunt for vulnerabilities. Thousands of organizations now offer bug bounties to researchers who privately disclose security flaws they find through these programs and provide both financial rewards and credit in return. 
    These programs can free up internal security teams for other jobs and can also provide access to broader talent pools, helping to prevent breaches or successful cyberattacks based on unknown bugs. 
    “We understand that — despite our best efforts — we cannot eradicate all security vulnerabilities,” FireEye says. “The technology landscape is constantly expanding, and as such, there will always be emerging threats. While we’ve been heavily involved with responsible disclosure, including helping other companies set up and modify their own programs, we are taking the next step in this effort.”
    The bug bounty program focuses on FireEye’s corporate infrastructure. 
    To date, the program, run via Bugcrowd, has been private, but now any registered researcher can try their hand at finding vulnerabilities across domains including fireeye.com, fireeyecloud.com, and mandiant.com, as well as existing DNS setups. 
    As website domains are the only in-scope targets at present, the rewards on offer could be considered relatively low, with up to $2,500 offered for critical vulnerabilities. However, FireEye intends to expand the program to include products and services “in the coming months.”
    Research is conducted under safe harbor principles. 
    In January, Google revealed that researchers were paid $6.5 million throughout 2019 by way of the tech giant’s bug bounty program. Since 2010, over $21 million has been awarded through bug bounties. 
    During 2019, the highest earner was a researcher who found a one-click remote code execution (RCE) exploit on Pixel 3 devices, netting him over $200,000. 


  • RedCurl cybercrime group has hacked companies for three years


    Security researchers have uncovered a new Russian-speaking hacking group that they claim has focused for the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
    Named RedCurl, the activities of this new group have been detailed in a 57-page report released today by cyber-security firm Group-IB.
    The company has been tracking the group since the summer of 2019 when it was first called to investigate a security breach at a company hacked by the group.
    Since then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far back as 2018.
    Victims varied across countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK.
    Spear-phishing and PowerShell
    But despite the prolonged three-year hacking spree, the group didn’t use complex tools or hacking techniques for their attacks. Instead, the group heavily relied on spear-phishing for initial access.
    “RedCurl’s distinctive feature, however, is that the email content is carefully drafted,” researchers said today. “For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.
    “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department,” they added.
    The emails included links to malware-laced files that victims had to download. Once victims ran the content of the booby-trapped archives, they were infected with a collection of PowerShell-based trojans.

    Group-IB said the trojans were unique to the group and allowed RedCurl operators access to basic operations, such as searching systems, downloading other malware, or uploading stolen files to remote servers.
    RedCurl hid in hacked networks between two and six months
    Where possible, the group also attempted to move laterally through infected networks by accessing shared network drives and replacing original files with booby-trapped LNK (shortcut) files that would infect other employees if they executed them.
    Group-IB researchers say that this phase usually lasted between two and six months.
    “The stage of spreading over the network is significantly extended in time as the group strives to remain unnoticed for as long as possible and does not use any active Trojans that could disclose its presence,” the company said.
    One particular thing that stood out about RedCurl was the use of the WebDAV protocol as a data exfiltration channel, similar to other hacking groups like CloudAtlas and RedOctober. However, Group-IB said it did not find any other major overlaps between the three, and believes they are separate operations based on the current evidence.
