Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”
Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.
But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.
Nor did he detail the impact of the attack, saying only that he has not received advice that it has resulted in significant breaches of personal information. He also said the attack is not entirely new and that similar attacks are ongoing and to be expected. He did not detail any new peak in activity or incident that made announcing the news today an imperative.
Australia’s cyber-defence advice agency, the Australian Cyber Security Centre (ACSC), has published an advisory titled “Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks,” that offers a few more details.
Among that document’s observations is “during its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”
Also revealed is that the attack started with “… [a] number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of [a] remote code execution vulnerability in unpatched versions of Telerik UI.”
“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”
The ACSC said that where attacks on public-facing infrastructure did not succeed, the attacker turned to spearphishing, and by these routes gained access to some systems.
“In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers,” the advisory says. “Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.”
The ACSC’s advice in the wake of its investigation is to patch internet-facing everything, adopt MFA for email, remote desktops, VPNs and collaboration platforms, follow previous Australian government security advice and enable verbose logging to help triage future attacks.
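The advisory's two detection-relevant observations, web shells on compromised legitimate sites used as C2 over plain HTTP/HTTPS and verbose logging as the remedy, come together in the following added hunting script. It is not from the ACSC advisory or from The Register. It runs a few heuristics over constructed IIS W3C log lines embedded in the block (sample data, not a victim's logs): POST requests to a script file that only one client ever touches, arriving at machine-regular intervals, are flagged as web-shell check-in candidates. The thresholds MIN_HITS, MAX_CLIENTS and MAX_CV are assumed starting points, not ACSC figures.

```python
"""Heuristic web-shell / C2 hunting over IIS W3C logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ordinary visitors to a public site, plus one client POSTing to a
# script that sits in a static content directory at a steady ~60 s cadence.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-06-18 09:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2020-06-18 09:00:05 10.0.0.5 GET /news/2020.aspx id=12 443 - 203.0.113.11 Mozilla/5.0 200
2020-06-18 09:00:09 10.0.0.5 POST /login.aspx - 443 - 203.0.113.12 Mozilla/5.0 302
2020-06-18 09:01:00 10.0.0.5 POST /images/loader.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2020-06-18 09:02:00 10.0.0.5 POST /images/loader.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2020-06-18 09:03:00 10.0.0.5 POST /images/loader.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2020-06-18 09:04:01 10.0.0.5 POST /images/loader.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2020-06-18 09:04:30 10.0.0.5 GET /index.aspx - 443 - 203.0.113.13 Mozilla/5.0 200
2020-06-18 09:05:00 10.0.0.5 POST /images/loader.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
MIN_HITS = 3      # assumed: fewer requests than this and regularity cannot be judged
MAX_CLIENTS = 1   # assumed: a URI only one source ever requests is "low prevalence"
MAX_CV = 0.2      # assumed: coefficient of variation below this = machine-regular timing


def parse_w3c(text):
    """Yield dict rows from IIS W3C logs, taking column names from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield row


def find_webshell_candidates(text):
    """Return suspicious (uri, client) pairs: POSTs to a script file that only one client
    ever requests, with near-constant spacing between the requests."""
    posts = defaultdict(list)   # uri -> [(client, timestamp)] for POSTs to script files
    clients = defaultdict(set)  # uri -> every client IP seen requesting it (any method)
    for row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        clients[uri].add(row["c-ip"])
        if row["cs-method"] == "POST" and uri.endswith(SCRIPT_EXT):
            posts[uri].append((row["c-ip"], row["ts"]))

    findings = []
    for uri, hits in posts.items():
        if len(clients[uri]) > MAX_CLIENTS:
            continue  # popular endpoint (login form etc.), not a private back door
        by_client = defaultdict(list)
        for client, ts in hits:
            by_client[client].append(ts)
        for client, stamps in by_client.items():
            if len(stamps) < MIN_HITS:
                continue
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            regular = avg > 0 and pstdev(gaps) / avg < MAX_CV
            findings.append({"uri": uri, "client": client, "hits": len(stamps),
                             "mean_interval_s": round(avg, 1), "regular": regular})
    return findings


if __name__ == "__main__":
    for finding in find_webshell_candidates(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports only `/images/loader.aspx` from `198.51.100.7`, five POSTs about 60 seconds apart. The single POST to `/login.aspx` is ignored because it falls under MIN_HITS, and `/index.aspx` is never a candidate because it only receives GETs. Real web shells can vary their timing and source address, so treat a hit as a lead for a file-integrity check on the named path, not as a verdict.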
Journalists in the PM’s press conference immediately asked if China was a suspect, as the nation recently took offence at Australia’s call for an international inquiry into the source of the COVID-19 pandemic and appears to have retaliated with new trade disputes and advice that its citizens should not visit Australia as tourists or students. Morrison stonewalled when asked if China is the actor behind these attacks. ®
US federal authorities said they had arrested Justin Sean Johnson in Detroit, Michigan, on charges associated with the 2014 hacking of a human resources database at the University of Pittsburgh Medical Center and thrown the book at him.
In a 43-count indictment returned last month and just unsealed [PDF], Johnson is charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft for his alleged role in the theft of personal information associated with 65,000 employees from the medical center’s PeopleSoft system.
“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” said Scott W. Brady, US Attorney for the Western District of Pennsylvania, in a statement.
Brady said Johnson sold the personal data he obtained on dark web markets between 2014 and 2017. The buyers of this data, according to the indictment, then submitted false tax returns to the IRS to obtain $1.7m in unauthorized federal tax refunds.
These dark web customers asked that their refunds be issued onto Amazon gift cards, which were then used to purchase goods on the e-commerce site. Between February 27, 2014 and March 14, 2014, almost $886,000 worth of merchandise purchased at Amazon.com – such as Apple and Samsung mobile phones and other electronics – was sent to individuals in Venezuela through reshipping services in Miami, Florida. The goods were then resold via online marketplaces in South America.
In 2015, a Cuban national in Venezuela, Yoandy Perez Llanes, was indicted for defrauding the IRS using data obtained from UPMC. He was arrested and extradited to the US the following year. In 2017, he pleaded guilty and was sentenced to time served plus six months, then deported.
The Johnson indictment doesn’t detail the specific means by which he obtained access to the PeopleSoft system, but it suggests he found a way in via online research. The indictment claims that he taught himself to be proficient with the application and “performed over 1,000 Google searches for the word ‘PeopleSoft,’ in order to uncover any vulnerability in the software.”
The court filing further says that he stored his findings in Google Drive documents titled “PEOPLESOFT PERMISSIONS” and “Super User.”
According to the indictment, Johnson on several occasions “infiltrated the content server of the HR database at UPMC by use of the TOR network and queried the personal information of employees.”
The Register asked UPMC whether it would provide more details about the vulnerability or mechanism that allowed access to its database. A UPMC spokesperson did not answer the questions we asked but instead replied with an emailed statement thanking federal investigators:
“We appreciate the diligent and thorough work of the US Attorney’s Office for the Western District of Pennsylvania, Internal Revenue Service, US Secret Service, US Postal Inspection Service, Department of Homeland Security Office of Inspector General and all authorities who contributed to solving this case.”
The organization’s reluctance to explain the vulnerability that enabled the theft of its data may be because it faces a lawsuit from employees seeking millions in monetary damages. The plaintiffs claim UPMC was negligent for failing to encrypt the data, to maintain an effective firewall, and to implement a robust authentication system.
Since 2014, UPMC has argued it isn’t liable for losing the data, a position lower courts supported. But in November 2018, the Pennsylvania Supreme Court issued an opinion to the contrary, finding that employers do have a duty to safeguard employee data.
That ruling led to the reinstatement of the employee lawsuit through which the claim of negligence will now have to be evaluated by the court hearing the case.
The Pennsylvania Supreme Court’s effort to hold businesses accountable for their data handling could be undone if weaker federal rules get passed. In February 2018, a federal data protection bill prompted 32 State Attorneys General to co-sign a letter expressing concern that the proposed national legislation would preempt stronger state rules.
The “Data Acquisition and Technology Accountability and Security Act” appears to have gone nowhere, but this isn’t the first time State AGs have had to urge federal lawmakers not to water-down state consumer protections. The National Association of Attorneys General, aptly known as NAAG, penned similar letters to Congress in 2005 and 2015. ®
Staff records – from social-security and corporate credit card numbers, to passport and bank account details – were siphoned from Cognizant by hackers who then doused the IT contractor in ransomware.
A pair of disclosures [PDF] from Cognizant to the California Attorney General’s office, mandated by US state law, this week shed more light on its Maze ransomware infection. We’re told employee expense card information, along with personal records, were stolen by network intruders over a three-day period from April 9 to 11; the security breach was spotted on April 20.
Here’s what Cognizant’s chief people officer Becky Schmitt told staff yesterday, according to the filings…
A spokesperson for Cognizant further clarified in an email to The Register: “It involved certain personal information related to some current and former Cognizant personnel and individuals involved in corporate transactions.” Said folks are based in and outside the US, we’re told.
A leak of internal info was a definite possibility when Cognizant said back in April it had become the latest victim of the Maze gang. The ransomware-slinging outfit is known for not only encrypting the data of systems it breaks into, but also exfiltrating and occasionally publishing the data to scare victims into paying up.
For what it’s worth, Cognizant – which employs close to 300,000 people and rakes in billions of dollars a year – said it hasn’t heard of any fraud taking place using the records, so employees may be in the clear for now. Still, the IT giant will be ponying up for a year of identity theft monitoring services for its stiffed workforce. Those concerned are being sent letters with activation codes for the monitoring service.
Colleagues would be well-advised to keep a close eye on their bank statements for signs of fraud. ®
An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.
On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identity theft.
Federal prosecutors in Pittsburgh allege that in 2013 and 2014 Johnson hacked into the Oracle PeopleSoft databases for UPMC, a $21 billion nonprofit health enterprise that includes more than 40 hospitals.
According to the indictment, Johnson stole employee information on all 65,000 then current and former employees, including their names, dates of birth, Social Security numbers, and salaries.
The stolen data also included federal form W-2 data that contained income tax and withholding information, records that prosecutors say Johnson sold on dark web marketplaces to identity thieves engaged in tax refund fraud and other financial crimes. The fraudulent tax refund claims made in the names of UPMC identity theft victims caused the IRS to issue $1.7 million in phony refunds in 2014.
“The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII,” reads a statement from U.S. Attorney Scott Brady. “These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.”
Johnson could not be reached for comment. At a court hearing in Pittsburgh this week, a judge ordered the defendant to be detained pending trial. Johnson’s attorney declined to comment on the charges.
Prosecutors allege Johnson’s intrusion into UPMC was not an isolated occurrence, and that for several years after the UPMC hack he sold personally identifiable information (PII) to buyers on dark web forums.
The indictment says Johnson used the hacker aliases “DS” and “TDS” to market the stolen records to identity thieves on the Evolution and AlphaBay dark web marketplaces. However, archived copies of the now-defunct dark web forums indicate those aliases are merely abbreviations that stand for “DearthStar” and “TheDearthStar,” respectively.
“You can expect good things come tax time as I will have lots of profiles with verified prior year AGIs to make your refund filing 10x easier,” TheDearthStar advertised in an August 2015 message to AlphaBay members.
In some cases, it appears these DearthStar identities were actively involved in not just selling PII and tax refund fraud, but also stealing directly from corporate payrolls.
In an Aug. 2015 post to AlphaBay titled “I’d like to stage a heist but…,” TheDearthStar solicited people to help him cash out access he had to the payroll systems of several different companies:
“… I have nowhere to send the money. I’d like to leverage the access I have to payroll systems of a few companies and swipe a chunk of their payroll. Ideally, I’d like to find somebody who has a network of trusted individuals who can receive ACH deposits.”
When another AlphaBay member asks how much he can get, TheDearthStar responds, “Depends on how many people end up having their payroll records ‘adjusted.’ Could be $1,000 could be $100,000.”
2014 and 2015 were particularly bad years for tax refund fraud, a form of identity theft which cost taxpayers and the U.S. Treasury billions of dollars. In April 2014, KrebsOnSecurity wrote about a spike in tax refund fraud perpetrated against medical professionals that caused many to speculate that one or more major healthcare providers had been hacked.
A follow-up story that same month examined the work of a cybercrime gang that was hacking into HR departments at healthcare organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms.
The Justice Department’s indictment quotes from Johnson’s online resume as stating that he is proficient at installing and administering Oracle PeopleSoft systems. A LinkedIn resume for a Justin Johnson from Detroit says the same, and that for the past five months he has served as an information technology specialist at FEMA. A Facebook profile with the same photo belongs to a Justin S. Johnson from Detroit.
Johnson’s resume also says he was self-employed for seven years as a “cyber security researcher / bug bounty hunter” who was ranked in the top 1,000 by reputation on Hacker One, a program that rewards security researchers who find and report vulnerabilities in software and web applications.
This entry was posted on Thursday, June 18th, 2020 at 6:07 pm and is filed under Data Breaches, Other, Tax Refund Fraud.
The Maze ransomware gang has screwed up by targeting a New York design and construction firm instead of the Canadian Standards Association it was intending to hit.
While Google returns plenty of hits for the search term “csa group”, almost all of which refer to Canada’s answer to the British Standards Institute, there is one exception: an architectural practice located in New York.
It happens to share a name and – almost – a web domain name with its northerly namesakes, being online at csagroup-dot-com. The Canadian standards folk, however, have the domain csagroup-dot-org. And just like that, the New Yorkers got caught in the ransomware crossfire when the Maze gang began hunting for their next target.
Maze’s modus operandi is to infect the target company’s network with ransomware, exfiltrate and encrypt everything within sight, then demand a hefty ransom in return for a promise to decrypt the data and delete the stolen copy, along with a promise not to reveal the stolen data to others. If companies don’t pay up, the gang begins drip-feeding data online to increase the pressure on them.
Brett Callow, a threat researcher with infosec biz Emsisoft, spotted the Maze gang’s howler after inspecting data they dumped online to try to menace CSA Group Canada into paying up. He told The Register: “This is not the first time ransomware cockwombles have cocked up. In a previous incident, DoppelPaymer incorrectly identified a bank after hitting another bank with a very similar name. But at least they had the decency to post an apology to the wrongly named financial institution.”
Callow told us that when he checked a data sample dumped online by Maze he found documents referring to the design and construction of buildings in the US island enclave of Puerto Rico. Some files appeared to have been sent from csagroup-dot-com email addresses – pointing to the architects being the actual victims of the ransomware rather than the Canadian standards-setting agency.
Emsisoft’s man opined that “work pressures” had driven Maze’s operatives into making the blunder as the COVID-19 pandemic burns companies’ ready cash and deprives them of the ability to pay ransoms, saying: “In fact, the group hinted at this in one of their so-called press releases stating, ‘We are living in the same economic reality as you are. That’s why we prefer to work under the arrangements and we are ready for compromise.'”
Echoing El Reg’s sentiments, Callow added: “My heart bleeds.”
So far Maze’s leaks website continues to name the wrong firm next to the data dump.
The Register has continued to try to contact CSA Group (the New York architects), which is proving difficult as the firm has pulled its website offline and appears to be an infrequent user of its social media profiles. We have also contacted the Canadian standards agency for comment. ®
Cisco Webex suffered from a vuln that could have allowed an attacker to access any account by simply copy-pasting a unique session token into the browser’s address bar.
Although the attack described by Trustwave relied on the attacker already having access to the victim’s system, which reduces the likelihood that this vuln was deployed in the wild by malicious people, it is, nonetheless, not a good thing.
If a user installed the Webex desktop client and set it to automatically log in, the client saved a so-called “dump file” on the local machine. Within that memory-mapped file, Trustwave found, were plain-text strings containing the email account and URL used to host meetings from that account – along with the user’s unique WebExAccessToken.
No privilege-based controls were applied to the dump file, meaning any user-level account could read it. Once the token was extracted from the dump file, researchers were able to make a crafted HTTP POST request to Webex’s servers, mimicking a genuine connection attempt, which returned a one-time login ticket for live meetings.
And once the attacker had that login ticket, all they needed to do was paste it into a pre-formatted Webex meeting URL.
As Trustwave’s Ziv Mador said: “Simply put, another user can loop over [genuine] sessions and try to open, read and save interesting contents for future inspection.”
Mador continued: “Using the leaked information I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings and so on.”
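As an added illustration of the check a defender would run for this class of bug (this is not Trustwave’s or Cisco’s code, and it does not parse the real Webex dump format), the script below walks a directory, keeps only the files whose POSIX mode lets other local accounts read them, and searches those for token-like fields. The fixture it builds is constructed: the `WebExAccessToken` value is a made-up string, not a real credential, and the three-file layout is hypothetical. On Windows the mode-bit test would have to be replaced by a DACL inspection, which this example does not implement.

```python
"""Find token-like secrets persisted in files that other local accounts can read."""
import os
import re
import stat
import tempfile

# Field names worth looking for, followed by a long opaque value. "WebExAccessToken" is the
# name Trustwave reported; the other spellings are common generic ones (assumption).
TOKEN_RE = re.compile(
    rb"(WebExAccessToken|access_token|refresh_token|Authorization:\s*Bearer)\s*[=:]?\s*"
    rb"([A-Za-z0-9._\-]{20,})")


def readable_by_others(path):
    """POSIX check: group or world read bit set. A DACL walk would be needed on Windows."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_for_exposed_tokens(root, max_bytes=50 * 1024 * 1024):
    """Return sorted [(path, field_name)] for files under root that are readable by other
    local users AND contain a token-looking value. The permission test comes first: a
    0600 file holding a token is poor hygiene, but it is not the cross-user exposure that
    the Webex dump file had."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not readable_by_others(path) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as fh:
                data = fh.read()  # bytes, so binary/memory-mapped dumps work too
            for m in TOKEN_RE.finditer(data):
                hits.append((path, m.group(1).decode("ascii", "replace")))
    return sorted(hits)


def make_demo_tree():
    """Constructed fixture: three files mimicking a desktop client's cache directory."""
    root = tempfile.mkdtemp(prefix="tokenscan-")
    # Constructed token value, not a real credential.
    dump = b"email=alice@example.com\nWebExAccessToken=ZmFrZS10b2tlbi12YWx1ZS1mb3ItZGVtby1vbmx5\n"
    specs = [
        ("client.dmp", dump, 0o644),                # world-readable: the bug class
        ("private.dmp", dump, 0o600),               # owner-only: not exposed to other users
        ("settings.ini", b"theme=dark\n", 0o644),   # readable, but holds nothing sensitive
    ]
    for name, content, mode in specs:
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, mode)  # set explicitly so the umask does not decide the outcome
    return root


if __name__ == "__main__":
    for path, field in scan_for_exposed_tokens(make_demo_tree()):
        print(f"EXPOSED {field} in {path}")
```

Run against the fixture it reports only `client.dmp`: `private.dmp` contains the same token but is not readable by anyone else, and `settings.ini` is readable but has nothing in it. Pointing the scanner at a real profile directory is a quick way to find the next application that writes its session material to disk with default permissions.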
Recent updates to Webex are said to have fixed the problem and admins and users alike are urged to download and install them.
The Register has asked Cisco for comment on Trustwave’s findings, which are due to be published as CVE-2020-3347.
Webex, along with other videoconferencing platforms, has come under intense scrutiny since the start of the global COVID-19 pandemic earlier this year forced the entire world into remote working almost overnight.
Updated Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google’s store.
The researchers said they have been tracking a “massive global surveillance campaign that affects almost every enterprise we have investigated” linked to a specific Israel-based domain registrar called Communigal Communication Ltd (Galcomm).
The story begins with some heuristic malware detection by Awake, looking for things like signs of uploads going to rare or known bad destinations. This led them to a bunch of malicious browser extensions, 111 in total, which “were found to upload sensitive data or not perform the task they’re advertised to perform (generally, they surveil user activity and device properties).”
Of these, Awake reported, 79 were available in the Chrome store, the official source for Chrome browser extensions (and also now usable by Microsoft’s Chromium-based Edge). A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload.
Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity.
Another popular approach is to clone a genuine extension and bundle it with malware. “Awake has since worked with Google to take down these extensions from the Chrome Web Store,” said the report, but no doubt more are on the way.
The browser can reveal ‘keys to the kingdom’
A point made by the researchers is that widespread enterprise migration to the cloud often also implies that business activity is frequently done within the browser. “Rogue access to the browser therefore frequently means rogue access to the ‘keys to the kingdom’ – from email and corporate file sharing to customer relationship management and financial databases,” they said, dubbing browser extensions “the new rootkit.”
After all, there is no need to break into the operating system if valuable data can be extracted via the browser alone.
If the user can be tricked into allowing it, a browser extension can have considerable power. “When the permission requires access to all data on your computer and the websites you visit, it means that the app or extension can access almost anything. This could be your webcam or personal files, inside or outside of your browser,” notes Google. Many dodgy extensions pose as security utilities, which typically do require a high level of permission to work.
A developer on Hacker News said: “I’ve been developing Chrome extensions full-time for about a year now, and it’s honestly terrifying just how much access extensions have to sensitive user data.”
The problem, he said, is that “on more established platforms like iOS and Android, all sensitive permissions have to be requested at runtime rather than at install-time, which forces developers to explain why they need the permissions they ask for. With browser extensions, there’s no such requirement, which leads many developers to ask for all the permissions they can get, because there’s no downside to doing so.
“That’s why over 80 per cent of the top 1,000 extensions ask for access to ALL domains, which means they have the power to steal any of your data (emails, passwords, etc) on any site if they wanted or became compromised.”
The Chrome team is improving this by requiring permissions to be requested at runtime in a forthcoming update, he said, but right now “the extension ecosystem is pretty broken.”
Dodgy extensions in Chrome Store with millions of downloads (now removed)
The most disturbing part of the report is the claim that there have been 32,963,951 downloads of extensions that “advertise one function (like security) but actually do nothing other than send information about the endpoint or user-activities to Galcomm-registered domains.”
Some of these downloads will be artificial, but the researchers said: “We believe the actual number of endpoints with these extensions is not substantially less, and quite likely more.” The possibility of an underestimate comes about because the extensions can also be loaded from websites which bypass the Chrome Store, “making it difficult to get an install count for these.”
In general, the Awake team said the security industry is complacent about malware that extracts data, which is often labelled as “PUPs, Adware or Greyware” by most antivirus products, understating the risk it poses. “Security teams think of PUPs/Adware as the type of apps that annoyingly popup coupons, and many times security teams do not remediate PUP detections because of resource constraints. This is a dangerous strategy.”
Awake also presents some data on Galcomm, the registrar that links the various extensions and other malware in the report. “Our analysis shows that almost 60 per cent of the domains we have observed registered with this registrar are high risk for organizations,” the research team claimed.
The researchers pointed the finger at ICANN, which oversees the accreditation of registrars, for doing little to enforce requirements such as responding quickly to “well-founded reports of illegal activity.”
“Even these minimal requirements from ICANN … are not being followed by Galcomm. This lack of oversight by ICANN seems to point towards a general indifference to the implementation and execution of these rules,” they said.
Awake said its threat researchers “made several attempts to contact Galcomm by phone, email (abuse@, security@, and support@), and the contact form on their website, asking questions like ‘Given these domains account for approximately 60 per cent of the total domains Galcomm currently has on the internet, how could this go unnoticed by the company?'”
The researchers added that “we have received no response from Galcomm at publishing time of this paper, nor have we observed any decrease in malicious activity associated with their domains.”
Galcomm rejects claims
The Register had better luck. Galcomm owner Moshe Fogel told us: “We are aware of this report. The report is at least irresponsible, if not worse. It is based on incorrect data, where 25 per cent of the domains they claimed to have checked are either not at Galcomm or deleted.
“From those that are with Galcomm, almost all are parked domains, mostly with the largest domain parking companies worldwide. The rest are still being investigated.” He went on to claim: “Moreover, Awake have not even asked for our quote or response on that issue before publishing a report. I got the domains in question via a third party who was asking me about this.”
Is the situation as bad as Awake says? “It is unclear from the report as to what impact the detected malicious extensions could have on the affected organisations,” security consultant Brian Honan told The Register.
“However, this is not the first time campaigns have been identified that take advantage of malicious extensions for web browsers and highlights enterprises need to be more proactive in how they manage the security of browsers. Allowing end users to install whatever browser extensions they want can expose an enterprise to potential harm.
“Given that more and more of our online communications are happening via browsers, such as email, messaging, collaboration platforms, and other corporate tools, the browser is becoming the soft underbelly in many organisations’ security infrastructure, particularly during the COVID-19 pandemic with many users working remotely and relying more and more on their browsers to work.”
Honan suggests using Google’s Chrome Browser Cloud Management tools to control extensions.
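The developer’s point about install-time host permissions and Honan’s suggestion of managing extensions centrally can be combined in a simple audit. The script below is an added example, not Google’s, Awake’s or any vendor’s tooling: it reads extension manifests, reports which ones demand access to all hosts (or to sensitive APIs) at install time rather than through a runtime request, and emits a Chrome/Edge `ExtensionSettings` policy that blocks extensions by default and allow-lists only the IDs that pass. The three manifests and their 32-character IDs are constructed, and the set of APIs treated as sensitive and the allow/deny criterion are this example’s assumptions, not Google’s policy.

```python
"""Audit extension manifests for over-broad permissions and emit an allow-list policy."""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# API permissions this example treats as high-risk regardless of host scope (assumption).
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "debugger", "history",
                  "nativeMessaging", "proxy", "management", "clipboardRead", "tabs"}


def _broad(patterns):
    return {p for p in patterns if p in BROAD_HOSTS}


def audit_manifest(manifest):
    """Report broad hosts / sensitive APIs demanded at install time versus deferred to a
    runtime (optional) request, including content scripts that run on every page."""
    install = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    optional = list(manifest.get("optional_permissions", [])) + \
        list(manifest.get("optional_host_permissions", []))
    cs_hosts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    return {
        "name": manifest.get("name", "?"),
        "install_time_all_hosts": sorted(_broad(install) | _broad(cs_hosts)),
        "runtime_all_hosts": sorted(_broad(optional)),
        "sensitive_apis": sorted(SENSITIVE_APIS & set(install)),
    }


def is_acceptable(audit):
    """Criterion used by the policy: broad host access may only be requested at runtime,
    and none of the sensitive APIs may be required up front (assumption, not Google policy)."""
    return not audit["install_time_all_hosts"] and not audit["sensitive_apis"]


def build_extension_policy(manifests_by_id):
    """Build an ExtensionSettings policy object: block everything by default, explicitly
    allow only extension IDs whose manifest passes is_acceptable()."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": sorted(SENSITIVE_APIS),
                    "blocked_install_message": "Request this extension via the security team."}}
    for ext_id, manifest in manifests_by_id.items():
        if is_acceptable(audit_manifest(manifest)):
            policy[ext_id] = {"installation_mode": "allowed"}
    return policy


# Constructed manifests with hypothetical IDs (real IDs are 32 characters from a-p).
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {  # "security" helper that wants everything up front
        "name": "SafeBrowse Guard", "manifest_version": 2,
        "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "storage"],
    },
    "iiiijjjjkkkkllllmmmmnnnnoooopppp": {  # MV3 extension asking for broad access only at runtime
        "name": "Ticket Helper", "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://tickets.example.com/*"],
        "optional_host_permissions": ["<all_urls>"],
    },
    "abcdabcdabcdabcdabcdabcdabcdabcd": {  # harmless-looking, but a content script on every page
        "name": "Dark Theme", "manifest_version": 3,
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["theme.js"]}],
    },
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(ext_id, audit_manifest(manifest))
    print(json.dumps(build_extension_policy(SAMPLE_MANIFESTS), indent=2))
```

Of the three constructed manifests only "Ticket Helper" is allow-listed: "SafeBrowse Guard" requires `<all_urls>` plus `webRequest` at install time, and "Dark Theme" declares no permissions at all but injects a content script into every page, which is the same reach by another route. The generated object is what you would push through Chrome Browser Cloud Management or Group Policy as the value of `ExtensionSettings`; the `blocked_permissions` list in the `*` entry also stops an allow-listed extension from later updating itself into one of those APIs.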
Ex-Sophos consultant Graham Cluley concurred. “Browser extensions have a scary amount of power, and if you happen to be running one that has gone rogue you should consider everything you do in your browser to be compromised.”
We have approached Google and ICANN for comment and will update this piece accordingly if they respond. ®
Updated to add
A Google spokesperson has since told us: “We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.
“In addition to disabling the accounts of developers that violate our policies, we also flag certain malicious patterns we detect in order to prevent extensions from returning.”
Google also pointed us toward posts here and here about its efforts to strengthen security in the Chrome Web Store, one from 2018 and the other from May 2019. If Awake’s report is correct though, there is still work to do.
Fraudsters stole more than $3.2 million from the banking division of South Africa’s post office, after – in a catastrophic breach of security – employees printed out the bank’s master key.

According to South African media reports, the security breach occurred in December 2018 when a copy of Postbank’s digital master key was printed out at a data center in Pretoria.

According to internal documents acquired by journalists, employees stole the 36-digit master encryption key, which “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.”

The security breach went unnoticed for months, giving fraudsters free rein to steal millions of dollars. In the nine months up to December 2019, the fraudsters are thought to have used the copied master key to access accounts without authorisation, and make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

A problem for Postbank is that all of the cards were generated with the compromised master key. The bank believes that replacing all of the cards will cost in the region of $58 million.

The bank has conducted an internal security audit following the breach, and suspects that rogue employees are responsible.

According to news reports, South Africa’s Reserve Bank last year gave Postbank an 18 month deadline to replace the compromised cards.
The bank has also responded to the breach by prohibiting contactless offline transactions for cardholders.

Many questions remain unanswered regarding how the master key was secured, such as whether the key had been divided into separate parts stored separately – requiring collusion between different people to reveal it in its entirety – and what measures Postbank (not to be confused with the German bank of the same name) had taken to keep tight control of such a critical asset.

But clearly something went very wrong at the very heart of the bank if it was possible for someone to make off with a copy of such an essential part of its security as its master key, and then exploit it to make fraudulent transactions. The natural suspicion has to be that the fraud was orchestrated with the assistance or knowledge of privileged insiders within the bank, rather than by tech-savvy hackers who just happened to stumble across a piece of paper containing a printout of the bank’s master key.

All too often organisations are more focused on the threat posed by external hackers and ignore the risks presented by partners, contractors, and rogue members of staff.

Insiders have advantages over malicious external hackers for a variety of reasons. An insider threat can be tough to detect and can remain undetected for years, sometimes indistinguishable from regular work activities.

An insider has often been given special privileges to work alongside sensitive data, making it harder to know if what they are doing is malicious or not. Furthermore, it’s much easier for a rogue employee to cover their tracks than an external hacker, destroying evidence that otherwise might later be used against them, or blaming incompetence rather than malicious intent for any breach that occurs.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
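Returning to the split-knowledge question the post raises (was the key divided so that no single person could reconstruct it?): that is exactly what a k-of-n key ceremony is meant to guarantee. The following added example, which is not from Postbank, Tripwire or the guest author, implements Shamir secret sharing over a prime field so that a 36-digit numeric master key is split among five custodians and any three can rebuild it, while a printout of two shares tells a thief nothing. The key value is constructed, and the choice of the field prime p = 2^127 - 1 and of the 3-of-5 threshold are assumptions for the demonstration.

```python
"""Split knowledge for a master key: Shamir k-of-n secret sharing over GF(p)."""
import random

# p = 2^127 - 1 (a Mersenne prime) comfortably exceeds any 36-digit decimal key (< 10^36).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k, rng=None):
    """Return n shares (x, y) of which any k reconstruct `secret`. Any k-1 shares reveal
    nothing, because the k-1 random coefficients make every candidate secret equally
    consistent with them."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 < k <= n < P:
        raise ValueError("need 1 < k <= n")
    rng = rng or random.SystemRandom()  # CSPRNG by default; pass a seeded Random only for tests
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0. The caller must supply at least k distinct shares;
    with fewer, the result is simply a wrong number, not an error, which is the point."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse of den
    return secret


def demo(master_key_digits="123456789012345678901234567890123456"):
    """Constructed 36-digit key: split 3-of-5 between custodians, then try to rebuild it
    from three shares and from only two. Returns (ok_with_three, ok_with_two)."""
    key = int(master_key_digits)
    shares = split_secret(key, n=5, k=3)
    return combine_shares(shares[:3]) == key, combine_shares(shares[:2]) == key


if __name__ == "__main__":
    ok_with_three, ok_with_two = demo()
    print("3 of 5 custodians recover key:", ok_with_three)
    print("2 of 5 custodians recover key:", ok_with_two)
```

Each custodian's share would be generated inside the HSM or key-ceremony environment and handed over on its own sealed sheet; the full key never exists on paper, and reconstruction happens only inside the device during a ceremony that requires three people to be present. A printout that leaks, as in the Postbank case, then exposes one share, which is worthless without two more from different people.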
Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into high-profile military and diplomatic entities in Eastern Europe for espionage.
The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole’s operations and the group’s tactics, tools, and procedures (TTPs).
“ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole’s backdoors,” the company said in a report shared with The Hacker News.
Cooperation with the Gamaredon Group
First discovered in 2018, InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late last year with an updated toolset and previously unreported tactics to obfuscate malware. “InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources,” ESET researchers had previously noted in a June 2018 report. “Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.”
The feature-rich spyware, dubbed RC2FM and RC2CL, was found to be capable of making system changes, scanning wireless networks to track the geolocation of victims, gathering user information, and even uploading sensitive files located on the compromised machine. But the exact mechanism of malware delivery remained unclear until now.
Not only did ESET find evidence of “living off the land” techniques that exploited legitimate applications to stealthily carry out malicious operations, but they also discovered ties to a second threat actor called the Gamaredon group, which has a long history of cyberattacks against Ukrainian institutions.
“Gamaredon is used to pave the way for a far stealthier payload – according to our telemetry, a small number of Gamaredon’s targets are ‘upgraded’ to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers,” the researchers said, adding that the malware is deployed only after the attackers have gained administrative privileges, as many of InvisiMole’s execution methods require elevated permissions.
Once the initial compromise takes place, InvisiMole exploits the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in the RDP and SMB protocols, or makes use of trojanized documents and software installers, to propagate laterally across the network.
In addition to employing updated versions of the RC2CL and RC2FM backdoors, the malware leverages a new TCS downloader to download additional modules and a DNS downloader, which, in turn, leverages DNS tunneling to mask communications to an attacker-controlled server.
“With DNS tunneling, the compromised client does not directly contact the C&C server; it only communicates with the benign DNS server(s) the victim machine would normally communicate with, where it sends requests to resolve a domain to its IP address,” the researchers said. “The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and relays its response back to the client.”
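Because the compromised client only ever talks to its normal resolver, the resolver’s query log is where this pattern becomes visible. The following detector is an added example, not ESET’s tooling or code: it scores each base domain by how many distinct, long, high-entropy leftmost labels are queried under it. The log format, addresses, domain names and thresholds are all constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Added example (not from the ESET report): detector for the DNS tunnelling pattern
# above. The client only talks to its usual resolver, so that resolver's query log is
# where the pattern shows: many distinct, long, high-entropy labels under one domain.
# Constructed sample log lines; the format, addresses and names are invented.
SAMPLE_LOG = """\
2020-06-18T10:01:02 client 10.0.0.5 query www.example.com A
2020-06-18T10:01:03 client 10.0.0.5 query mail.example.com A
2020-06-18T10:01:05 client 10.0.0.7 query 6a3f9c1e0b7d4a2f8e5c.updates.invalid TXT
2020-06-18T10:01:05 client 10.0.0.7 query 9f0e2d5c7b1a3e4d6f8b.updates.invalid TXT
2020-06-18T10:01:06 client 10.0.0.7 query c4b8a1d3e5f7a9b2c0d1.updates.invalid TXT
2020-06-18T10:01:06 client 10.0.0.7 query 0d2e4f6a8b1c3d5e7f9a.updates.invalid TXT
2020-06-18T10:01:07 client 10.0.0.7 query 7e1f3a5c9b0d2e4f6a8c.updates.invalid TXT
"""
LINE_RE = re.compile(r"client (\S+) query (\S+) (\S+)$")

def entropy(s: str) -> float:
    # Shannon entropy in bits per character; encoded data scores high.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(name: str) -> str:
    # Last two labels stand in for the registered domain (assumption: no suffix list).
    return ".".join(name.rstrip(".").split(".")[-2:])

def score_domains(log_text: str) -> dict:
    # Per base domain: distinct leftmost labels, their mean length and mean entropy.
    agg = defaultdict(lambda: {"labels": set(), "len": 0, "ent": 0.0, "n": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        left = m.group(2).split(".")[0]
        st = agg[base_domain(m.group(2))]
        st["labels"].add(left)
        st["n"] += 1
        st["len"] += len(left)
        st["ent"] += entropy(left)
    return {d: {"unique": len(s["labels"]), "avg_len": s["len"] / s["n"],
                "avg_ent": s["ent"] / s["n"]} for d, s in agg.items()}

def suspected_tunnels(log_text, min_unique=5, min_len=16, min_ent=3.0) -> list:
    # Thresholds are constructed starting points; tune them per network.
    return sorted(d for d, s in score_domains(log_text).items()
                  if s["unique"] >= min_unique and s["avg_len"] >= min_len
                  and s["avg_ent"] >= min_ent)
```

On the sample log, `suspected_tunnels(SAMPLE_LOG)` flags only `updates.invalid`; a real deployment would also key on the querying client and the query type (TXT and NULL are common carriers).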
RC2CL and RC2FM: Fully-Featured Spyware
What’s more, the final payloads, RC2CL and RC2FM, were delivered via no less than four different execution chains that were put together by combining malicious shellcode with legitimate tools and vulnerable executables.
The improved RC2CL backdoor supports as many as 87 commands, with capabilities to turn on webcam and microphone devices to take photos, record video and sound, capture screenshots, collect network information, list installed software, and monitor documents recently accessed by the victim. Although not used prominently, RC2FM comes with its own set of document exfiltration commands, along with new features to log keystrokes and bypass User Account Control (UAC).
Furthermore, the new versions of both RC2CL and RC2FM come with their own means to escape antivirus detection, including injecting themselves into other innocuous processes and suppressing specific features, such as keylogging.
“The targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware,” ESET researcher Zuzana Hromcová said. This previously unknown cooperation between the two groups “allows the InvisiMole group to devise creative ways of operating under the radar,” she added.
Industry veterans, chatting about computer security and online privacy.
A TV gameshow with cash prizes if you’re obeying Coronavirus lockdown rules, ex-Ebay staff charged in crazy cyberstalking case, and when the wrong cyclist was accused by the internet bearing pitchforks.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But LastPass isn’t just for enterprises; it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.
Ubuntu has launched its Appliance Portfolio, an initiative designed to enable secure smart devices linked to cloud services. All Ubuntu appliances are “free to download and install” but may include an up-sell to paid-for services.
The idea of the Ubuntu Appliance Portfolio is to “enable secure, self-healing, single-purpose devices,” according to Canonical product manager Rhys Davies. You could probably build this software yourself by hand, though the appliances are supposed to be convenient self-maintaining packages of programs to save you the bother.
An “appliance” is a system disk image for an Intel NUC PC or a Raspberry Pi, based on Ubuntu Core, a stripped-down variant of the popular Linux distro. Once installed, an appliance requires configuration on first startup, after which it is meant to be self-maintaining, with a daily check for updates.
There is a built-in app store for adding features, based on the controversial snap packaging format, and snap is also used for the applications pre-installed in each image.
Currently your choice of Ubuntu appliances is limited to five devices. These are openHAB, an open source smart home solution which you can find on GitHub; Plex which is a well-known media server; NextCloud which is a system for a “private cloud at home”, in this case meaning a simple collaboration platform; Mosquitto which in contrast to the other offerings is an application service aimed at developers, an open source message broker managed by the Eclipse Foundation; and AdGuard which is a security device.
A screen from openHAB, an open source smart home solution
That is not much to launch on, and most of these offerings are already available from their respective web sites as Pi images, so what is distinctive about the new Ubuntu offering? The main theme is that a curated range of images should reduce the chance of bad things happening with your IoT setup.
Canonical says appliances will “meet consistent criteria for security, privacy, maintenance and operations.” These criteria include secure boot protocols, the snap application sandboxing and transactional updates, and full disk encryption.
In an enterprise context, there is the possibility of a local corporate code store. It does appear that Canonical will permit closed-source software in appliances, since it states that “commercial software appliances reuse the same mechanisms” as open source appliances; but the level of scrutiny cannot be the same.
BT adopts Ubuntu OpenStack as core brains for its 5G, fibre-to-the-premises rollout
How are Appliance images vetted though? Canonical has three categories of device. Certified appliances have “continuous testing by Canonical on all certified hardware.” Maintained simply means “a commitment from the appliance maintainers to update the underlying snaps for a declared period” and to do their own testing, and Experimental means no commitment at all.
What this means is that only the “Certified” devices come with meaningful reassurance. Even a certified device could have a commitment to support for only five years after the release date of the underlying version of Ubuntu Core. That means you could have a certified appliance based on Ubuntu Core 18 and it might only be kept updated until 2023 (though the OS itself has updates at least until 2028).
A disappointment is that currently only Intel NUC devices are listed as certified hardware on the PC side. That said, Canonical lists Dell, Lenovo, HP and component supplier Avnet as “appliance hardware partners,” suggesting that the list might grow. Diverse hardware and the appliance concept do not go together though, which is another reason why the Pi is the key target here.
Will Canonical win enough momentum for its Appliance initiative to have long-term value? That is the question; and a moribund community forum is not a good start – zero replies to three thread topics at the time of writing. Still, the official launch was only yesterday so that could change.®