Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz’s Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.
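As an added illustration of what such a lookup actually carries (this code is not from the Register article, Mozilla or Comcast), the Python below builds the wire-format DNS query that a DoH client wraps in an HTTPS request, encodes it the way RFC 8484 specifies for a GET, and parses a constructed reply while checking that the reply matches the query it sent; the resolver URL and the answer address are placeholders.

```python
import base64
import os
import struct
from typing import List, Optional, Tuple

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for the body


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a one-question DNS wire-format query (RFC 1035).

    qtype 1 is an A record. The 16-bit transaction id is random unless given;
    the RD flag (0x0100) asks the resolver to recurse on the client's behalf.
    """
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Encode the query as the 'dns' parameter of a DoH GET request.

    RFC 8484 requires base64url with the '=' padding removed. The resolver URL
    is an assumption; a real client sends this over TLS with Accept set to
    DOH_CONTENT_TYPE, so an on-path observer sees only an HTTPS exchange.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(response: bytes, expected_txid: int) -> List[str]:
    """Return the A-record addresses in a DNS wire-format response.

    The HTTPS channel stops on-path tampering, but the client still verifies
    that the message is a response and that its transaction id matches the
    query it sent, rejecting anything else.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(response, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes, ip: str) -> bytes:
    """Constructed sample reply (not from a real resolver) for offline use:
    echoes the question and answers with one A record using a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print(doh_get_url("https://doh.example/dns-query", q))  # placeholder resolver
    print(parse_a_answers(constructed_response(q, "192.0.2.10"), 0x1234))
```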

Last year Comcast and other broadband giants were fiercely against such safeguards, though it appears Comcast has had a change of heart – presumably when it figured it could offer DNS-over-HTTPS services as well as its plain-text DNS resolvers.

At some point in the near future, Firefox users subscribed to Comcast will use the ISP’s DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

“Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program,” Firefox CTO Eric Rescorla said on Thursday.

“Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs.”

Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers’ web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here’s Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs “have access to a stream of a user’s browsing history,” Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. “This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS.”


Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program’s rules.

That means, according to Moz, Comcast “must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.” Nor can it “combine the data that it collects from queries with any other data in any way that can be used to identify individual end users” nor “sell, license, sublicense, or grant any rights to user data to any other person or entity.”

We’re told Comcast started testing a DNS-over-HTTPS service in October – at the same time it was lobbying on Capitol Hill against the technology. Now it’s rolling out the security mechanism anyway.

If this was TV, this would be the part where Moz turns to the camera, looks straight into the lens, and puts on its best no-really-this-is-a-good-thing voice. “Also in October, Comcast announced a series of key privacy commitments,” the Mozilla team said today, “including reaffirming its longstanding commitment not to track the websites that customers visit or the apps they use through their broadband connections. Comcast also introduced a new Xfinity Privacy Center to help customers manage and control their privacy settings and learn about its privacy policy in detail.”

Well, at least a broadband provider is now signed up for DNS-over-HTTPS with Firefox rather than fighting to outlaw the tech. And subscribers aren’t forced to use Comcast’s secure DNS service, though it will be the default. And it’s better than using plain old DNS that isn’t encrypted. If you trust Comcast to handle your normal plain-text DNS, logically you should trust it for DNS-over-HTTPS.

“We’re proud to be the first ISP to join with Mozilla to support this important evolution of DNS privacy,” said Jason Livingood, Comcast Cable veep of technology policy and standards. “Engaging with the global technology community gives us better tools to protect our customers, and partnerships like this advance our mission to make our customers’ internet experience more private and secure.”

Mozilla launched the TRR program in March, and so far Cloudflare and NextDNS have jumped in to provide DNS-over-HTTPS resolvers. Google rolled out its own flavor of the tech for Chrome users in May.

“Adding ISPs in the TRR Program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results,” Team Mozilla concluded this week. “Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user.” ®


The U.S. Justice Department today criminally charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy.

Indictments unsealed by a federal court in Alaska today allege 20-year-old Aaron Sterritt from Larne, Northern Ireland, and 31-year-old Logan Shwydiuk of Saskatoon, Canada conspired to build, operate and improve their IoT crime machines over several years.

Prosecutors say Sterritt, using the hacker aliases “Vamp” and “Viktor,” was the brains behind the computer code that powered several potent and increasingly complex IoT botnet strains that became known by exotic names such as “Masuta,” “Satori,” “Okiru” and “Fbot.”

Shwydiuk, a.k.a. “Drake,” “Dingle,” and “Chickenmelon,” is alleged to have taken the lead in managing sales and customer support for people who leased access to the IoT botnets to conduct their own DDoS attacks.

A third member of the botnet conspiracy — 22-year-old Kenneth Currin Schuchman of Vancouver, Wash. — pleaded guilty in September 2019 to aiding and abetting computer intrusions. Schuchman, whose role was to acquire software exploits that could be used to infect new IoT devices, was sentenced today by a judge in Alaska to 18 months of community confinement and drug treatment, followed by three years of supervised release.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

The government says the defendants built and maintained their IoT botnets by constantly scanning the Web for insecure devices. That scanning primarily targeted devices that were placed online with weak, factory default settings and/or passwords. But the group also seized upon a series of newly-discovered security vulnerabilities in these IoT systems — commandeering devices that hadn’t yet been updated with the latest software patches.

Some of the IoT botnets enslaved hundreds of thousands of hacked devices. For example, by November 2017, Masuta had infected an estimated 700,000 systems, allegedly allowing the defendants to launch crippling DDoS attacks capable of hurling 100 gigabits of junk data per second at targets — enough firepower to take down many large websites.

In 2015, then 15-year-old Sterritt was involved in the high-profile hack against U.K. telecommunications provider TalkTalk. Sterritt later pleaded guilty to his part in the intrusion, and at his sentencing in 2018 was ordered to complete 50 hours of community service.

The indictments against Sterritt and Shwydiuk (PDF) do not mention specific DDoS attacks thought to have been carried out with the IoT botnets. In an interview today with KrebsOnSecurity, prosecutors in Alaska declined to discuss any of their alleged offenses beyond building, maintaining and selling the above-mentioned IoT botnets.

But multiple sources tell KrebsOnSecurity Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

In 2018, authorities with the U.K.’s National Crime Agency (NCA) interviewed a suspect in connection with the Dyn attack, but ultimately filed no charges against the youth because all of his digital devices had been encrypted.

“The principal suspect of this investigation is a UK national resident in Northern Ireland,” reads a June 2018 NCA brief on their investigation into the Dyn attack (PDF), dubbed Operation Midmonth. “In 2018 the subject returned for interview, however there was insufficient evidence against him to provide a realistic prospect of conviction.”

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

The unsealing of the indictments against Sterritt and Shwydiuk came just minutes after Schuchman was sentenced today. Schuchman has been confined to an Alaskan jail for the past 13 months, and Chief U.S. District Judge Timothy Burgess today ordered the sentence of 18 months community confinement to begin Aug. 1.

Community confinement in Schuchman’s case means he will spend most or all of that time in a drug treatment program. In a memo (PDF) released prior to Schuchman’s sentencing today, prosecutors detailed the defendant’s ongoing struggle with narcotics, noting that on multiple occasions he was discharged from treatment programs after testing positive for Suboxone — which is used to treat opiate addiction and is sometimes abused by addicts — and for possessing drug contraband.

The government’s sentencing memo also says Schuchman on multiple occasions absconded from pretrial supervision, and went right back to committing the botnet crimes for which he’d been arrested — even communicating with Sterritt about the details of the ongoing FBI investigation.

“Defendant’s performance on pretrial supervision has been spectacularly poor,” prosecutors explained. “Even after being interviewed by the FBI and put on restrictions, he continued to create and operate a DDoS botnet.”

Prosecutors told the judge that when he was ultimately re-arrested by U.S. Marshals, Schuchman was found at a computer in violation of the terms of his release. In that incident, Schuchman allegedly told his dad to trash his computer, before successfully encrypting his hard drive (which the Marshals service is still trying to decrypt). According to the memo, the defendant admitted to marshals that he had received and viewed videos of “juveniles engaged in sex acts with other juveniles.”

“The circumstances surrounding the defendant’s most recent re-arrest are troubling,” the memo recounts. “The management staff at the defendant’s father’s apartment complex, where the defendant was residing while on abscond status, reported numerous complaints against the defendant, including invitations to underage children to swim naked in the pool.”

Adam Alexander, assistant US attorney for the district of Alaska, declined to say whether the DOJ would seek extradition of Sterritt and Shwydiuk. Alexander said the success of these prosecutions is highly dependent on the assistance of domestic and international law enforcement partners, as well as a list of private and public entities named at the conclusion of the DOJ’s press release on the Schuchman sentencing (PDF).

Chief Judge Burgess was the same magistrate who presided over the 2018 sentencing of the co-authors of Mirai, a highly disruptive IoT botnet strain whose source code was leaked online in 2016 and was built upon by the defendants in this case. Both Mirai co-authors were sentenced to community service and home confinement thanks to their considerable cooperation with the government’s ongoing IoT botnet investigations.

Asked whether he was satisfied with the sentence handed down against Schuchman, Alexander maintained it was more than just another slap on the wrist, noting that Schuchman has waived his right to appeal the conviction and faces additional confinement of two years if he absconds again or fails to complete his treatment.

“In every case the statutory factors have to do with the history of the defendants, who in these crimes tend to be extremely youthful offenders,” Alexander said. “In this case, we had a young man who struggles with mental health and really pronounced substance abuse issues. Contrary to what many people might think, the goal of the DOJ in cases like this is not to put people in jail for as long as possible but to try to achieve the best balance of safeguarding communities and affording the defendant the best possible chance of rehabilitation.”

William Walton, supervisory special agent for the FBI’s cybercrime investigation division in Anchorage, Alaska, said he hopes today’s indictments and sentencing send a clear message to what he described as a relatively insular and small group of individuals who are still building, running and leasing IoT-based botnets to further a range of cybercrimes.

“One of the things we hope in our efforts here and in our partnerships with our international partners is when we identify these people, we want very much to hold them to account in a just but appropriate way,” Walton said. “Hopefully, any associates who are aspiring to fill the vacuum once we take some players off the board realize that there are going to be real consequences for doing that.”


Prosecutors in the US have upgraded their case against Julian Assange with a second superseding indictment claiming he sought out the services of a notorious hacker who, unbeknownst to the WikiLeaks boss, was secretly working with the Feds.

The Department of Justice this week added yet more material to its indictment against Assange, which accuses him of 18 counts of espionage and hacking. The latest filing does not add any charges, though it includes evidence of Assange asking hackers to steal sensitive and scandalous dirt from government systems for WikiLeaks to disseminate. This could blow a hole in Jules’ I’m-a-journalist-not-a-spy defense.

In the filing [PDF], it is said Assange worked directly with Anonymous and LulzSec miscreants in a quest to obtain US government documents and publish them on WikiLeaks.


In one instance, prosecutors alleged, Assange employed the services of LulzSec to get files out of a server belonging to an unspecified NATO-member government. Among those who Assange was said to have directly contacted was Hector “Sabu” Monsegur.

Monsegur was the head of LulzSec, and a single father from the Bronx. Under threat of losing his children, he turned informant after being collared in 2011, and helped the Feds dismantle the crew. He was still operating in 2012 when Assange is alleged to have asked him to hack organizations for confidential information.

In fact, it is claimed Assange asked both LulzSec hacker Jeremy Hammond and Sabu to help him obtain a number of sensitive documents belonging to various three-letter agencies in Washington DC. The indictment states at one point Hammond and Sabu worried they would not be able to meet the expectations of Assange to exfiltrate and provide material for publication.

“On February 28, 2012, Hammond complained to Sabu that the incompetence of his fellow hackers was causing him to fail to meet estimates that he had given to Assange for the volume of hacked information that Hammond expected to provide WikiLeaks, writing ‘can’t sit on all these targets dicking around when the booty is sitting there, especially when we are asked to make it happen with WL’,” the indictment reads.

Going after journalists

Also in Assange’s crosshairs was the New York Times, which was said to have been listed by the WikiLeaks boss as a priority on par with the top US intelligence agencies. “To focus the hacking efforts of the hackers associated with Sabu, Assange told Sabu that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times,” the indictment reads.

This all allegedly took place after Sabu’s arrest, so anything he did would have been directly disclosed to the FBI. Hammond was collared in 2012.

Also named in the superseding indictment were a pair of Anonymous-affiliated hackers: the aliases Kayla and Laurelai. With the help of a person the prosecutors would only describe as Teenager, it is alleged Assange sought out both hackers to help swipe material for WikiLeaks. This led to the 2011 hacking of corporate intelligence biz Stratfor and subsequent, highly embarrassing publication of its confidential records and files, it is claimed.

Kayla was later revealed to be the persona used by Brit hacker Ryan Ackroyd, while Laurelai was eventually tracked down to a woman in Iowa. She was not charged with any crimes.

Assange remains in the UK’s Belmarsh Prison awaiting extradition to America to stand trial in an eastern Virginia federal district court. ®


Researchers from IntSights observed a sharp increase in the use of popular instant messaging apps over the past year among threat groups.

Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other.

Much of the popularity has to do with the secure, encrypted, peer-to-peer communications available with these platforms, allowing criminals to transact business relatively openly while avoiding scrutiny from law enforcement.

The trend highlights the need for organizations to pay closer attention to malicious activity on IM channels, says Etay Maor, chief security officer at IntSights, which this week released a report based on a yearlong study of IM usage among criminals.

“Enterprises should be aware of the changes and trends in threat actor behavior,” Maor says. Organizations that wish to stay ahead of the curve have to know how and where threat actors communicate. “Security is not a static ‘check, we are done here’ process. Enterprises have to make sure they know what the threat landscape looks like, how and what their adversaries are planning,” he says.

IntSights’ researchers observed a substantial increase in IM platform usage among threat actors between January 2019 and January 2020. Data pulled from the company’s proprietary external threat intelligence platform and other sources showed platforms such as Telegram, Discord, and ICQ to be especially popular among criminal actors.

IntSights researchers counted more than 56,800 Telegram invite links and some 223,000 mentions of the application across cybercrime forums during the one-year period, suggesting it was the most widely used platform. It was also the most heavily discussed on non-English language forums.

However, Discord — a popular chat and IM platform among gamers — appeared to be the fastest-growing platform within the criminal community based on the over 392,00 mentions of the app in forums used by threat groups. ICQ, a messaging system that’s been around since 1996, ranked third in popularity based on the number of invite links to ICQ chat groups and the number of mentions on criminal forums. Other platforms that cybercriminals are using, but somewhat less widely, include WhatsApp, Skype, IRC, and Signal.

IntSights researchers found that groups engaged in financial fraud — such as selling or buying stolen payment card data, physical goods, and counterfeit products — tended to use IM platforms more heavily than other crooks. Generally, cybercriminals also tended to use these platforms to share news, exchange vulnerability and exploit information, and cite research work from within the cybersecurity community. “Threat actors leverage the real-time communication to inform each other of any fresh cyber landscape news that could impact their future efforts,” IntSights said in its report this week.

Reasons Why IMs are Popular
Maor says there are several reasons for the popularity of IM apps and services among cybercriminals. Chief among them are operational security, relative ease of use, accessibility by mobile users and automation. “While you can install a mobile Dark Web browser, IMs are much easier to access on mobile platforms, giving threat actors the ability to communicate on the go,” Maor says.

The solid, end-to-end encryption available with many modern IM platforms gives attackers a way to conceal their activity from law enforcement more so than possible on the Web. “It is known that law enforcement agencies have the capability to track and attribute Deep and even Dark Web communications on forums,” Maor notes.

As one example, he points to “Operation Bayonet,” the international law enforcement operation that resulted in two of the most notorious Dark Web markets — AlphaBay and Hansa — being taken down. Such takedowns have pushed threat actors to using IM platforms more heavily recently.

Communications on IM are also more challenging to break into, especially on platforms that allow users to create their own servers. IM protocols like Jabber — now known as Extensible Messaging and Presence Protocol (XMPP), for instance — allow cybercriminals to operate their own private networks with no outside interference, Maor says.

IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply. Tools like chatbots allow for automated replies and advertising on chats, helping threat actors achieve more in less time, he notes.

IM applications have been around for some time, and in fact were the go-to platform for criminals in the past. When dark web forums began increasing in popularity, IM apps were used mainly for out-of-channel communications and closing deals. “Now, with rise in popularity of secured, encrypted IMs,” Maor says, “more and more threat actors [are moving] every aspect of their business there.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The right decoys can frustrate attackers and help detect threats more quickly.


The growing ability of attackers to breach even well-defended enterprise networks has led to increased interest in deception technologies and tactics in recent years.

Deception tools basically use misdirection, false responses, and other tricks to lure attackers away from legitimate targets and point them to honeypots and other decoy systems designed to trap or distract them from their missions. Deception tools — many of which leverage artificial intelligence (AI) and machine learning (ML) — can help organizations detect intrusions early and provide them with an opportunity to observe an attacker’s tools and tactics.

In a recent report, Mordor Intelligence estimated demand for deception tools would hit around $2.5 billion in 2025, from just under $1.2 billion in 2019. Much of the demand will come from within the government sector and from global financial institutions and other targets of frequent cyberattacks, according to the analyst firm.

Deception is an interesting and very old concept that has become quite popular over the past few years, says Tony Cole, CTO of Attivo Networks.

“Deception can work on almost any place in an enterprise where potential compromises can take place,” he says, adding it is especially useful where endpoint protection and endpoint detection and response tools may have gaps in protection. “For instance, when an endpoint is compromised and the adversary uses it to query Active Directory, you can provide false information back to the adversary without ever impacting the production environment.”

Rick Moy, chief marketing officer at Acalvio, points to three main use cases for deception: to add an additional layer of protection in mission-critical environments, to shore up detection capabilities in areas with known security weaknesses, and to lure out adversaries hiding in a sea of security information and event management (SIEM) alerts.

“Deploying attractive lures and decoys amid the various network segments works much like the proverbial cheese or peanut butter in a mousetrap that’s strategically placed along the kitchen baseboards,” Moy says.

Here, according to Moy and others, are seven best practices for using deception to detect threats quickly.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


How epidemiology can solve the people problem in security.

Like many others, I’ve alternated between a mild obsession with learning everything about COVID-19 and never wanting to hear about it again. I recently watched the governor of Massachusetts on CBS News’ Face the Nation. He spoke of Partners in Health’s use of contact tracing in Ebola- and Zika-stricken countries, and then said something that struck me: “It’s not theoretical. They’ve done it before. They know how to do it.” His message was: It works.

I began reading about how contact tracing worked for outbreaks like Ebola and researched what other countries are doing. In Israel, the Ministry of Health has released an app that uses cellular GPS data to provide alerts when people nearby are documented carriers of COVID-19. In the private sector, Google and Apple developed a contact-tracing app for the billions of people worldwide who use iOS and Android.

The World Health Organization (WHO) describes a three-step process for contact tracing: Contact ID, then Listing (investigating who individuals with confirmed cases had contact with), and finally, Follow-up. It hit me that this is eerily similar to what I have spent my career as an intel analyst doing.

Identification
Threat intelligence analysts use any number of tools for threat identification, plus additional tools to store these indicators. Traditionally, analysts use their own spreadsheets and Word documents as living workspaces or scratch pads to begin investigations. As they collaborate with others inside the organization, there is an enormous amount of cutting and pasting information from one tool to another. Analysts bounce from TIP to SIEM to instant messages to email in order to collect and stitch together analysis. It sounds crazy, but this is how modern, “digitally transformed” businesses are still identifying and tracking threats today.

Listing
This is where the investigation truly begins — tracing the activity of a malicious actor. Moving from aggregation of indicators to analysis, analysts ask themselves “what does the data tell us?” Unfortunately, collaboration inside and outside the organization is fragmented. Information sharing is happening in pieces, across multiple tools, with no single thread for each investigation. True collaboration, with a single set of unified data, is simply not happening. Analysts must find their own way to piece together the “big picture” and visualize exactly what happened.

Follow-up
This is where the process is completely broken for intel analysts. A malicious threat found a month ago, which was investigated internally and dismissed as low-level, may re-emerge as part of a larger campaign. However, capturing that earlier threat investigation is almost impossible because the analysts would need to search through disparate tools and communication methods. The “chain of custody” for who knew what and when, as well as what was sufficiently analyzed and what was missed, is nonexistent. Other than the final event annotation and a handful of indicators with partial context, there is no collective history of knowledge to build upon. Teams must essentially start their analysis over.

What Contact Tracing for Threat Intel Reveals
While I was impressed by what I learned about contact tracing’s success as a public health tool, I am left with a nagging feeling that in the security business, our own “contact tracing” reveals that our tools and processes are broken; it’s no longer acceptable from an investigation standpoint, for risk management, and especially not from a human resources perspective. Highly capable, skilled, and, frankly, expensive employees are still operating in silos, stuck in the land of a thousand tools, with limited information sharing, and no means for true collaboration. This only increases risk to the business by extending investigations and frustrating all involved.

How can we ever solve the people problem in security when this is the environment we have created for our most experienced, expensive resources? Just like with forensic evidence, start by assessing your business’s capability to maintain a “chain of custody” of analysis. Ask yourself the following questions:

● Where does past analysis live?
● Can our organization reasonably answer “who knew what and when” for intelligence support to investigations?
● Where does cross-team collaboration occur? Does it support easy continuity of knowledge as people enter and leave investigations and teams?

If you find that you’re unable to answer these questions confidently, start small. Discuss and document a process for how multiperson analysis should occur. Identify and use a single location for analysis to be centrally stored — ideally, one that is easily searchable. Be sure this includes analysts’ contemporaneous notes and indicators, as they may be helpful in future investigations. Finally, practice. Have an analyst attempt to re-create another analyst’s work, and assess where gaps in documentation, process, or access to intelligence sources may lie. Over time, improve on this by focusing on efficiency and completeness of analysis.


Doug Helton is chief strategy officer and VP of Intelligence at King & Union, a cybersecurity company based in Alexandria, VA, that has built and designed Avalon, the industry’s first cyber analysis platform. His passion for intelligence operations began as a signals …


Even as more code is produced, indirect dependencies continue to undermine security.

Driven by growth in the JavaScript, Java, and Python ecosystems, the number of open source software packages more than doubled in 2019, but the number of vulnerabilities fell by 20%, suggesting that developers are weeding out simple vulnerabilities, a new report shows. 

While the decrease is undoubtedly good news, most development teams still fail to adequately inventory their software dependencies — a point of concern because indirect dependencies (libraries pulled in by the code you import) can account for the majority of vulnerabilities. More than 70% of vulnerabilities in Node.js, Ruby, and Java, for example, occur in indirect dependencies, not in the original imported open source library, according to the “State of Open Source Security 2020” report, published today by software security firm Snyk.

In one case, a Java application comprised 80 lines of code with seven dependencies, but when all of the code was imported, the code base expanded to 59 sub-dependencies and more than 700,000 lines of code, says Alyssa Miller, application security advocate at Snyk.

“You don’t even necessarily know that all those dependencies are there, but they are undermining your security,” she says.

As open source software components have become arguably the most important part of software development, managing the vulnerabilities posed by those components has become a major task for companies. Almost every software program uses open source software, with the average application using 445 open source components, according to a recent study by Synopsys.

Acknowledging this, the Internet Security Forum (ISF) released its “Deploying Open Source Software: Challenges and Rewards” report today, highlighting best practices for companies using open source software in development.

“Many organizations are adopting agile and DevOps methodologies, which is driving an increased uptake of OSS [open source software] and, in turn, the creation of new mixed-source applications,” stated Paul Holland, principal research analyst at the ISF. “The growing prevalence of OSS needs to be balanced by a concerted effort to manage its use appropriately and effectively.”

Different programming languages and their associated application frameworks have different considerations when it comes to securing the software. PHP applications tend to use a relatively low number of open source libraries — 34, on average — but have a higher number of vulnerabilities, according to data analyzed by application security firm Veracode.

In the latest report by Snyk, the company found that the popularity of JavaScript-based web-application frameworks continued to grow as more developers relied on JavaScript and Node.js. The survey component of the study found 73% of developers used JavaScript-based platforms. The popularity drove Node.js applications managed by the NPM platform to more than double to 13 million packages. 

The wide reliance of JavaScript programs on imported code — the average application has 377 dependencies, according to Veracode — means more indirect dependencies. In its analysis, Snyk found 86% of JavaScript vulnerabilities occurred in indirect dependencies.

“There are a lot of factors that can come into play here. NPM has a pretty significant drop in the number of vulnerabilities, but they also have a solid backlog of vulnerabilities that they are investigating, which is causing delayed fixes,” Miller says.

Two classes of vulnerability demonstrate the unique nature of open source software and dependencies, where vulnerability types tend to result in a lot of reported issues or are widespread, but generally not both.

A significant number of open source software projects suffered attacks in the form of malicious changes to the project, according to the report. A malicious change typically happens when a rogue developer — often an agent of a nation-state or cybercriminal gang — joins a project to introduce a vulnerability. Yet, while critical in severity, such malicious changes did not impact very many projects.

On the other hand, with a class of JavaScript vulnerabilities known as prototype pollution, thousands of packages can be affected by a single vulnerability. Two prototype pollution vulnerabilities affected the security of more than 25% of scanned projects, Snyk said in its report. Prototype pollution allows a malicious object to overwrite behavior on a shared prototype, polluting every other object that inherits that behavior. The vulnerability class is not well-known, but a single issue can often have widespread impact.

“They are difficult to find,” Miller says. “I think that is the reason we see a low number of them. It is not a well-understood vulnerability at this point.”
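To make the mechanism concrete, here is an added example (not code from the Snyk report or from any library it scanned) of a recursive deep-merge helper in its pollution-prone form beside a hardened one; the function names and the JSON sample are assumptions.

```javascript
// Added example: a deep-merge helper of the kind many JavaScript utility
// libraries ship, first in a form vulnerable to prototype pollution and then
// hardened. Names and the sample payload are constructed for illustration.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: for-in enumerates an own "__proto__" key (JSON.parse creates one
// as a plain data property), target["__proto__"] resolves to the shared
// Object.prototype, and the recursion then writes attacker keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: skip prototype-related keys, iterate own keys only, and recurse
// only into the target's own properties so no lookup can reach a prototype.
// (Object.freeze(Object.prototype) or Object.create(null) maps add a further layer.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker-controlled request body: the "__proto__" member is the
// payload; "displayName" is the legitimate field the merge is meant to accept.
const UNTRUSTED_JSON = '{"displayName":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge implementation against the untrusted input and reports whether
// an unrelated, freshly created object now inherits "isAdmin". Cleans up the
// shared prototype afterwards so the rest of the process is unaffected.
function demonstrate(mergeFn) {
  const settings = mergeFn({ displayName: 'anon' }, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {}; // created after the merge, shares Object.prototype
  const result = {
    displayName: settings.displayName,
    polluted: Object.prototype.hasOwnProperty('isAdmin'),
    unrelatedIsAdmin: unrelated.isAdmin,
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // polluted: true, unrelatedIsAdmin: true
console.log('safeMerge:  ', demonstrate(safeMerge));   // polluted: false, unrelatedIsAdmin: undefined
```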

Finally, software container images — Docker being the most popular example — often pool together vulnerable software and should be investigated, Snyk said. The most recent version of the Node server, at the time of the report, had more than 642 known vulnerabilities in the software contained in the image, including 17 high vulnerabilities, the company said.

“Companies need to try to minimize the software footprint of these images,” Miller says. “If you pull Node-Slim [the stripped down version of the Node server], then you lose 95% of the vulnerabilities. So if you don’t need the full-blown image, choose the minimal version.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


Web traffic to the servers of the notorious Dutch-German Cyberbunker hosting biz was filled with all kinds of badness, including apparent botnet command-and-control and denial-of-service traffic, says SANS Institute.

Cyberbunker, aka CB3ROB, was raided last September by 600 German police gunmen who forced entry to the outfit’s Traben-Trarbach HQ.

Following the raid, infosec biz SANS was able to set up a honeypot on former Cyberbunker IPs to analyse traffic passing through them – and the results shed light on just what kind of dubious traffic was passing through the servers.

CB3ROB’s HQ was located inside a Cold War-era underground military bunker around 60 miles west of Frankfurt. Police boasted at the time of seizing 200 servers as well as CB3ROB’s dot-org domain, which for a while after the raid bore a US-style “domain seized” banner.

After the inevitable arrests, CB3ROB’s personnel had to sell some of their assets to generate a legal defence fund. Sold-off assets included three IPv4 subnets: 185.103.72.0/22; 185.35.136.0/22; and 91.209.12.0/24. Those were sold to Legaco Networks, which agreed to let SANS’ Internet Storm Centre erect a honeypot behind them for one week in April 2020.


Karim Lalji, SANS’ community instructor in the Penetration Testing curriculum, recounted in a paper about his findings: “Close to 2,000 unique computer names and over 7,000 unique source IPs that follow a similar request pattern are present in the traffic sample collected.” He added that if single computer names were isolated within this traffic, “the intervals between requests were exactly 1min and 30sec – indicating automation and potential C2 [command and control].”
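As an added example of the kind of check behind that observation, not code from Lalji’s paper, the following flags hosts whose requests to a honeypot arrive at a fixed interval; the log format, host names and addresses are constructed.

```javascript
// Added example: detect fixed-interval ("beaconing") request patterns per
// source host in honeypot web logs. The log format below is constructed:
//   <ISO timestamp> <computer name> <source IP> <method> <path>
// Addresses come from the RFC 5737 documentation ranges.
const SAMPLE_LOG = [
  '2020-04-14T10:00:00Z WKS-0123 203.0.113.5 GET /gate.php',
  '2020-04-14T10:00:07Z WKS-0456 198.51.100.9 GET /index.html',
  '2020-04-14T10:01:30Z WKS-0123 203.0.113.5 GET /gate.php',
  '2020-04-14T10:01:41Z WKS-0456 198.51.100.9 GET /login',
  '2020-04-14T10:03:00Z WKS-0123 203.0.113.5 GET /gate.php',
  '2020-04-14T10:03:05Z LAPTOP-77 203.0.113.40 GET /',
  '2020-04-14T10:04:30Z WKS-0123 203.0.113.5 GET /gate.php',
  '2020-04-14T10:04:32Z WKS-0456 198.51.100.9 POST /login',
  '2020-04-14T10:06:00Z WKS-0123 203.0.113.5 GET /gate.php',
  '2020-04-14T10:06:10Z LAPTOP-77 203.0.113.40 GET /robots.txt',
  '2020-04-14T10:07:50Z WKS-0456 198.51.100.9 GET /index.html',
];

// Parse one line into a record with the timestamp as seconds since the epoch.
function parseLine(line) {
  const [ts, host, src, method, path] = line.trim().split(/\s+/);
  const t = Date.parse(ts);
  if (Number.isNaN(t) || !host || !src) return null;
  return { t: t / 1000, host, src, method, path };
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Group requests by computer name, compute the gaps between consecutive
// requests, and report hosts whose gaps all sit within maxJitterSec of the
// median gap. A regular cadence (e.g. exactly 90 s) is the automation signal
// described in the article; humans and ordinary crawlers are far noisier.
function findBeacons(lines, { minRequests = 4, maxJitterSec = 5 } = {}) {
  const byHost = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (!byHost.has(rec.host)) byHost.set(rec.host, []);
    byHost.get(rec.host).push(rec);
  }

  const beacons = [];
  for (const [host, recs] of byHost) {
    if (recs.length < minRequests) continue; // too few points to judge cadence
    recs.sort((a, b) => a.t - b.t);
    const intervals = [];
    for (let i = 1; i < recs.length; i++) intervals.push(recs[i].t - recs[i - 1].t);
    const med = median(intervals);
    const maxDeviation = Math.max(...intervals.map((d) => Math.abs(d - med)));
    if (maxDeviation <= maxJitterSec) {
      beacons.push({
        host,
        sources: [...new Set(recs.map((r) => r.src))],
        intervalSec: med,
        requests: recs.length,
      });
    }
  }
  return beacons;
}

console.log(findBeacons(SAMPLE_LOG)); // WKS-0123 at a 90 s interval, 5 requests
```

Lowering `maxJitterSec` to 0 matches only exact cadences like the 1 min 30 s case above; raising it tolerates beacons with randomised sleep.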

Lalji also observed apparent phishing traffic passing through the honeypot, with impersonated services including the Royal Bank of Canada, Apple, Paypal, Chase Bank and others. He also found traffic that appeared to be linking to extreme sex abuse “involving animals”, as well as what appeared to have been a criminal-oriented ad network.

His detailed findings included 171,000 TCP retransmissions “with no payload data and different sequence numbers”, which Lalji concluded “likely indicates an error in crafted communication or a portion of a reflected Denial of Service (DoS) attack.”

The research “explicitly filtered out” likely port-scanning traffic as well as “web directory brute forcing, SQL injection discovery, DNS zone transfer attempts, VoIP scans (primarily with SIPVicious), Telnet, SSH, FTP, and web-form brute force login attempts”. Lalji added: “Several of these events can be attributed to internet-wide scans that are not specific to the IP address space under examination.” Email traffic was also excluded as prosecutors were potentially interested in it.

CB3ROB’s leading lights were charged last year by prosecutors in Rheinland-Pfalz with hosting: a darknet market called Cannabis Road; a drugs, stolen data and malware souk called Wall Street Market; an “underground economy forum” imaginatively named Fraudsters; a Swedish drugs marketplace called Flugsvamp; various clearnet drug-peddling websites; various “fraudulent bitcoin lotteries, darknet marketplaces for narcotics, weapons, counterfeit money, murder orders” and child abuse images; and C2 servers for the Mirai botnet.

Sven Olaf Kamphuis of CB3ROB said in a Facebook post shortly after the bunker raid last year: “ISPs do not need to know who the customer is, ISPs do not need to know what the customer does (and even if they do know, it doesn’t make them liable – as long as there is no ACTIVE cooperation in the activity).” ®


Malicious botnet sources explode in new attacks that push boundaries in terms of volume and duration.

The past month has seen a spate of record-breaking and intensely long distributed denial-of-service (DDoS) attacks leveled at hosting providers and enterprises, suggesting a shift in tooling and botnet sourcing among the most advanced professional threat actors. 

The latest attack was revealed by researchers at Akamai, who today reported another high-water mark. On June 21 its team mitigated the largest packet-per-second DDoS attack it had ever recorded on its platform, one that was double the volume of the previous packets-per-second peak.

At its height, the attack sought to overwhelm its target, a large European bank, with 809 million packets per second. The attack ramped up very quickly, moving from normal traffic patterns to its peak volume within two minutes and lasting just under 10 minutes. Packet-based DDoS attacks work on the same general principle as more common bits-per-second attacks, as both try to overwhelm the target company’s infrastructure, just in slightly different ways. Whereas bits-per-second volumetric attacks try to overload the inbound pipeline, packets-per-second volumetric attacks work to exhaust internal network resources. 

“One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out,” explains Tom Emmons in a blog post today. “However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it.”

According to his colleague Roger Barranco, vice president of global security operations at Akamai, for just over a year now attackers have been gradually shifting toward attacks with lower bits per second and higher packets per second, likely looking for weak spots in enterprise DDoS mitigation measures, which are often best-equipped for the more frequent bandwidth attacks.

“Since bps-focused attacks were historically more commonplace, more defenses were built to defend that vector, resulting in comparatively fewer pps attack defensive postures being built, which in some cases was a chink in the armor of many enterprises,” he says. “Related, the recent 809-million-pps attack we mitigated set a new bar for enterprises to consider when performing a risk assessment.” 

The truth is that criminals have been turning up the heat with higher and higher volumes of both varieties of attack lately. The announcement of this packet-based DDoS comes just a week after Akamai came forward with news that it had recently rebuffed the largest-ever bandwidth attack as well. Targeted against a website of a major hosting provider, that attack in early June clocked in at 1.44 terabits per second. That particular attack had actually closely followed up on a 500 gigabits-per-second attack against a different website hosted by the same provider, which may not have been as groundbreaking for many well-equipped organizations like that provider, but it was massive in its own right. 

“Context is important here. For example, those with a massive infrastructure and associated skilled resources may not get too excited about a 500-Gbps attack, but I guarantee you that it is an infinitesimal percentage of enterprises that have the pipe and gear in place that can block a 500-Gbps attack while allowing healthy traffic to still reach them,” Barranco says. “We may be looking at a new normal where a terabit-plus attack is no longer considered an extreme exception.” 

Like the packet-based attack revealed today, the landmark bandwidth attack lasted just around 10 minutes. This is de rigueur for DDoS attacks of all sizes. According to research from Imperva, approximately 26% of all attacks last just under 10 minutes and 29% last only one to six hours. In May some 70% of attacks lasted less than 24 hours. This is mostly a function of the fact that it usually only takes that long for the bad guys to achieve their DDoS attack objectives.

“As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact,” explains Nadav Avital, head of security research at Imperva. 

However, Avital’s team this week highlighted findings of some exceptionally long application DDoS attacks Imperva mitigated in May that have some striking similarities to the high-volume attacks found by Akamai. Imperva Research Labs reported that two unusually long attacks last month lasted five to six days in duration. 

“Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults,” Avital says.

Imperva reported that these two very long attacks were perpetrated by botnets using as many as 10 times the number of malicious IP sources found in average attacks recently. This echoes Akamai’s findings about the malicious sources of traffic fueling the record-breaking attack announced today, which used 600 times the number of source IPs per minute that it normally sees.

“Over the last couple years, while DDoS frequency has been increasing, it has not increased in size and complexity at the same rate as IoT being added to the Internet,” explains Barranco, who says that after the Mirai Internet of Things (IoT) attack was disabled, a lot of the most intense DDoS started to dry up. These recent attacks indicate that this lull could be coming to an end.

“This leads me to believe there is newly leveraged DDoS tooling available – possibly to a smaller group of bad actors, but those tools always end up being generally available to a wider audience which, understandably, is concerning to many,” he says.

Barranco says his team is still investigating the tooling used in both record-breaking attacks, but they suspect the tools aren’t necessarily brand new — they’re just being used in a more organized and focused fashion.

“I think the tools themselves may not have been novel, but the coordinated use of the tools and, of high importance, the dramatic increase in attack sources being leveraged by the tool is novel,” he says. “The fact that many of these attacks are at full power within a couple minutes is impressive.” 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


Do you think you have found a vulnerability in the Sony PlayStation 4 or the PlayStation Network? If so, you could be heading towards a sizeable sum of money. That’s because Sony announced details of a new bug bounty program that it is running in co-ordination with vulnerability-reporting platform HackerOne.

Sony is inviting security researchers, gamers and anyone else who is interested to “test the security of PlayStation 4 and PlayStation Network.”

Before now, Sony has been running a private invitation-only bug bounty program with some security researchers, but it says that it now believes the best way to enhance security is to embrace the wider community.

To encourage testing by more people, the bug bounty program will be offering rewards for different levels of responsibly disclosed vulnerabilities, reaching over $50,000 for previously unknown critical vulnerabilities on the PS4.

Of course, there are some rules.

Bounty rewards will differ in size depending on the severity of the vulnerability and the quality of the report (both of which will be determined by Sony). For a low-severity vulnerability on PlayStation Network, for instance, you might only receive a reward of $100, ramping up to a minimum of $3,000 for details of a high-severity security problem. On the PlayStation 4 itself, the numbers increase rapidly to in excess of $50,000 for the most critical reports.

If you fancy your chances reporting a PlayStation Network vulnerability, then you need to be aware that only the following domains are in scope for a reward:

● *.playstation.net
● *.sonyentertainmentnetwork.com
● *.api.playstation.com
● my.playstation.com
● store.playstation.com
● social.playstation.com
● transact.playstation.com
● wallets.api.playstation.com

That doesn’t mean you have free rein to spam those sites or to launch distributed denial-of-service (DDoS) attacks against them. Intentionally disrupting Sony’s operations or causing any harm is not going to win you any friends, let alone financial rewards.

And don’t think that you’ll be able to report vulnerabilities in Sony’s older gaming hardware (such as earlier versions of the PlayStation, the PS Vita, or the PSP) or flaws found on the PlayStation 4 if it is not running the current beta version of its system software.

Sony does not want you to be testing its corporate IT infrastructure. I imagine that it has internal security teams and expert third-party firms who help it with that kind of work. The last thing they would want is every man and his dog trying to hack into their corporate email servers.

That’s not to say that Sony might not be interested if you find vulnerabilities that aren’t covered by the rules of the PlayStation bug bounty program. It’s just that you will have to report them via a separate bug bounty process and play by its rules.

But if you do find a critical vulnerability in PlayStation 4 or the PlayStation Network, you could find yourself on the receiving end of a substantial reward – provided you are prepared to work together with Sony, giving them time to remediate any problems before you go public about it.

For full details of what you can do, what you can’t do, and how you might be rewarded for it, go check out the Sony PlayStation bug bounty page at HackerOne.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Security and development teams must make it clear why their segment of the development life cycle is relevant to the other teams in the pipeline.

For more than 10 years, I’ve been preaching the idea that collaboration between security and development teams is critical. This is especially true for teams that have different stakeholders and work across time zones and geographic regions. Despite my efforts in evangelizing the message, I continue to see examples of poor communication that hurt teams’ constant pursuit of organizational security.

Over the last decade, I’ve continued to see a large number of security teams use PDF documents as their standard mode of communication to highlight vulnerabilities for remediation by development teams, but this archaic practice lacks the context that is necessary for the development team’s buy-in and understanding. This results in vulnerabilities being improperly fixed or completely ignored by development teams as they field a growing list of tasks and promises to customers. That doesn’t mean that developers don’t care about security; rather, communication is the problem.

Bringing teams together to collaborate isn’t enough if they don’t understand how to effectively communicate. Each team must make an effort to communicate why their segment of the development life cycle is relevant to the other teams in the pipeline. So, what can the security team members do if they want development to work with them in fixing vulnerabilities? A good start would be providing developers with context regarding the vulnerabilities that are being identified, in addition to communicating what tools they’ve been using to identify these vulnerabilities, avoiding the exported PDF at all costs.

In my past experience, I’ve seen it proven time and time again that collaboration has a direct impact on organizational success, and there is data that supports these observations. In fact, effective collaboration has the ability to reduce the mean time to fix (MTTF) vulnerabilities by up to 44%, in Denim Group’s experience, proving that this need has not changed over the last decade. While some security professionals believe that the responsibility of fixing vulnerabilities is completely up to the development team, they must remember that security isn’t their only task. By reducing the development team’s workload through more effective communication of vulnerabilities, security teams can help foster stronger working partnerships, all while speeding up vulnerability remediation.

This proposition then raises the question: How can disparate teams cultivate stronger collaboration? First, security teams must develop a clean set of vulnerabilities to provide to developers. Doing things such as culling false positives, reprioritizing vulnerabilities, and capturing sufficient context are all steps that must be taken into account when creating a streamlined and easy-to-understand list. Once the security team drafts a clean list of vulnerabilities, they then need to determine which ones the development team must address. As I noted earlier, developers are often inundated with tasks such as writing new features and functions, or fixing non-security-related bugs, and in order to increase collaboration, they should not be forced to fix things that don’t actually need to be fixed. This places more responsibility on the security teams by making them prioritize the vulnerabilities they want to deliver and ensure that the development teams can fix them.

Next, after determining what vulnerabilities are worth the developers’ time, security teams should bundle vulnerabilities into software defects, being sure to avoid creating a new software defect for every vulnerability they identify, as this can easily begin to overwhelm the development teams they work with. This holds especially true because a majority of technical vulnerabilities are easily fixed with a small code change, and by sending too many defects, security teams are actually slowing down what should be a relatively easy process. By bundling like vulnerabilities together, security teams minimize the steps that developers need to take and reduce their workload, which can help bring these teams closer.

Increased collaboration between security and development teams is critical — and necessary if a business wants to be successful. By streamlining communication, teams can address vulnerabilities faster and more efficiently. Maintaining collaboration is an ongoing effort for organizations that must be prioritized, and while there are tools that can assist, it is not solely a technological issue. Teams working with — not in competition with — one another must be a goal of the security industry in order to maintain success. This need has grown increasingly important, as threat actors are constantly finding new ways to infiltrate security systems, so strong team collaboration is your first and best defense.


A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 …


The recent spread of the distributed denial-of-service tool attempts to exploit a dozen web-framework flaws, uses credential stuffing, and is intended to work against a variety of operating systems.

A cybercriminal operation aiming to spread among web-application servers has had moderate success, using compromised systems for Monero cryptomining, to create a botnet for denial-of-service attacks and to further spread into enterprise networks, researchers with Palo Alto Networks said on Wednesday.

The developers of the attack tool appear to be aiming to create a general-purpose platform for a wide variety of attacks, from distributed denial-of-service (DDoS) attacks to cryptomining to the creation of botnets, the company warned. Called Satan DDoS by the developers, the tool will likely target not only Windows computers and Linux servers but also Internet of Things devices and systems that run on ARM and MIPS processors, according to messages found in the code.

So far, the malware has had some success, especially in the Asia-Pacific region, says Ken Hsu, senior security researcher at Unit 42 for Palo Alto Networks.

“Because it’s able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers,” he says. “The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening.”

The spread of the DDoS and cryptojacking malware highlights that cybercriminals do not have to use the most recent exploits to successfully compromise servers on the Internet. The Palo Alto researchers initially discovered the malware after it repeatedly compromised web applications using an exploit for a 16-month-old vulnerability (CVE-2019-9081) in the Laravel PHP framework. 

Among the vulnerabilities exploited by the software are a single vulnerability reported in 2020 and another from 2019, but mainly older issues — three vulnerabilities from 2018, five from 2017, and a single flaw from 2014. The exploits target the Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. All issues are considered high or critical severity, Palo Alto researchers stated in the advisory. The malware also uses credential stuffing on remote-access and Microsoft SQL ports, using a short list of usernames and passwords.

Once on a server, the software loads and runs several well-known exploits taken from the trove of cyberattack tools leaked from the National Security Agency, including EternalBlue, EternalRomance, and the DoublePulsar backdoor. While the vulnerabilities are old, the software has successfully spread in the wild, the report said. 

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” the researchers stated in the advisory.

The researchers discovered two versions of the malware: one that started spreading on May 29, and the other that became active on June 11. The developer of the malware refers to it as Satan DDoS, but due to other malware families using a similar name, the Palo Alto researchers decided to brand the malware “Lucifer.”

The second version of the software continues its focus on cryptomining, attempting to install a component called XMRig for mining. In addition, the developer added rudimentary anti-sandbox functionality to stymie reverse engineers from analyzing the code. The newer software adds functions for infecting through four other protocols — the File Transfer Protocol (FTP), for example — and checks to see if the default language is Chinese.

The malware has not been particularly successful at mining Monero, amassing only 0.49 XMR, about US$32. However, cryptomining has become a big focus of cybercriminals looking for an easy way to monetize compromised systems. In October, for example, some 2,000 Docker hosts were infected by a relatively basic worm that exploited misconfigurations to download and run cryptojacking software as a container. The program, dubbed Graboid by the attackers, looks for unprotected Docker daemons and then sends commands to install malicious images from Docker Hub.

Far more pernicious is the malware’s ability to use a variety of methods — such as Windows exploits and dictionary attacks — to move laterally inside a network, Hsu says. Many of these are old, but malware authors don’t need to use the latest exploits, because they know the old ones should suffice, he says.

“Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold,” Hsu says.

Companies should keep systems up to date, implement strong password policies, and have threat intelligence to adapt to the latest attacks, Hsu says. For the most part, holes in firms’ cybersecurity coverage continue to provide opportunity for attackers, even using older exploits.

“Not all companies have strong cybersecurity awareness,” he says. “Doing cybersecurity properly requires non-trivial resource allocation, and cybersecurity isn’t always the No. 1 priority for companies.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


Advanced persistent threat (APT) campaign aims to steal intelligence secrets from foreign companies operating in China.

A newly discovered attack campaign infiltrated a UK-based technology company via tax payment software required by a Chinese bank in order to conduct business in China.

Researchers at Trustwave found the so-called GoldenSpy malware during a threat-hunting operation on behalf of the victim UK company in mid-April. The UK company, which Trustwave did not disclose in its newly published research, has strong ties to the defense industry and does significant business in the US, Australia, and the UK; it recently opened operations in China.

Brian Hussey, Trustwave’s vice president of cyber threat detection and response, says the attackers used a backdoor to take control of the UK company’s network. To date, Trustwave has confirmed other such incidents at a software/technology company as well as at a major global financial institution.

“They [the attackers] could run Windows commands, create new users, move laterally and upload code to execute malware,” Hussey says. “They could also potentially use the network access to exfiltrate data.”

Hussey would not confirm the attackers were agents of the Chinese government, but did say they were motivated more by intelligence than financial gain. 

“Companies need to understand that there are risks to doing business in China and these kinds of attacks are possible,” he says. “Once the attack was discovered, we segmented the network so the UK company could use the tax payment software to pay its local taxes, but the attackers no longer had access to the full network.”

The Trustwave report goes on to lay out a pattern of suspicious behavior by GoldenSpy:

  • Continues to run even after being deleted. GoldenSpy installs two identical copies of itself, both as persistent autostart services. If either stops running, the other respawns it. In addition, an EXEProtector module watches for the deletion of either copy; if one is deleted, the malware downloads and executes a fresh version. Trustwave believes this triple-layer protection makes the implant exceedingly difficult to remove from an infected system.
  • Hard to uninstall. The Intelligent Tax software’s uninstall feature does not remove GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment even after the tax software is fully removed.
  • Does not fully install for two hours. GoldenSpy is not downloaded and installed until a full two hours after the tax software’s installation finishes. When it does, it installs silently, with no notification. Trustwave considers this highly unusual and a technique for hiding from the victim.
  • Reaches out to suspicious domains. GoldenSpy does not contact the tax software’s network infrastructure (i-xinnuo[.]com); instead, it reaches out to ningzhidata[.]com, a domain known to host other variants of the GoldenSpy malware. After the first three attempts to contact its command-and-control server, it randomizes its beacon times to evade network security tools designed to spot beaconing malware.
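The beacon randomization in the last bullet is aimed squarely at the simplest network detection, a periodicity check over connection timestamps. The Python below is an added example, not Trustwave’s tooling or anything from the GoldenSpy report: it runs two detectors over a constructed list of connection times from one host to the C2 domain (assumed here to beacon every 300 seconds for the first three contacts and then at random gaps of 300 to 900 seconds; the numbers are illustrative, not observed values). It shows that the coefficient-of-variation test fires only on the fixed-interval phase, while a bounded-gap test still fires once the jitter starts. The thresholds are assumptions to tune against your own traffic.

```python
"""Two beacon detectors over per-host connection timestamps.

Added example for the GoldenSpy beaconing pattern described above; the
sample data is constructed, not taken from the Trustwave report.
"""
from statistics import mean, pstdev

# Constructed sample: seconds since first contact for outbound connections
# from one host to the C2 domain. The first three gaps are a fixed 300 s;
# later gaps are random values between 300 s and 900 s (illustrative).
SAMPLE_TIMES = [0, 300, 600, 900, 1337, 2105, 2410, 3299, 4120, 4605]

# Constructed contrast case: bursty human-like traffic with long idle gaps.
BROWSING_TIMES = [0, 12, 40, 3600, 3605, 90000, 90002]


def intervals(times):
    """Gaps in seconds between consecutive sorted timestamps."""
    times = sorted(times)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def coefficient_of_variation(gaps):
    """Population std-dev divided by mean; 0.0 means perfectly regular."""
    if not gaps:
        return float("inf")
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def looks_periodic(times, max_cv=0.10, min_samples=3):
    """Classic beacon test: intervals are nearly identical.

    Jittered implants defeat this test on purpose, so it only catches
    the fixed-interval phase of a GoldenSpy-style sequence.
    """
    gaps = intervals(times)
    if len(gaps) < min_samples:
        return False
    return coefficient_of_variation(gaps) <= max_cv


def looks_jittered_beacon(times, max_ratio=4.0, min_samples=6):
    """Jitter-tolerant test: every gap lies within a bounded window.

    Random sleeps are usually drawn from a fixed range, so the longest
    gap stays within a small multiple of the shortest one. Human
    browsing produces idle gaps orders of magnitude longer than its
    shortest gaps, so the ratio blows up.
    """
    gaps = intervals(times)
    if len(gaps) < min_samples or min(gaps) <= 0:
        return False
    return max(gaps) / min(gaps) <= max_ratio


def classify(times):
    """Summarise both detectors for one host/domain pair."""
    return {
        "periodic": looks_periodic(times),
        "jittered_beacon": looks_jittered_beacon(times),
        "cv": round(coefficient_of_variation(intervals(times)), 3),
    }


if __name__ == "__main__":
    print("fixed phase only:", classify(SAMPLE_TIMES[:4]))
    print("full sequence:   ", classify(SAMPLE_TIMES))
    print("browsing:        ", classify(BROWSING_TIMES))
```

Both tests work per host-and-destination pair, so run them over connection logs grouped by source host and destination domain; the bounded-gap test will also fire on legitimate pollers (update checkers, monitoring agents), so pair it with destination rarity across the fleet before alerting.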

“They showed a lot of patience and discipline, which leads me to believe that this was an operation to gather intelligence,” says Jake Williams, founder and president of Rendition Infosec. “Financially motivated attackers wouldn’t look to play the long game by creating malware that slowly infiltrates the customers of the tax software company. Of course, once the news comes out, there are people who will believe that it was the Chinese [government] no matter what new information comes out, so I think it will be damaging to” them, he says.

Williams says it also could be another nation-state made to appear as if it’s operating out of China. It’s also interesting that tax software was used to infiltrate the UK company’s systems, he notes, since tax software was also used in the NotPetya attack, which in the end caused more than $10 billion in damages. 

On the Hunt

Trustwave’s Hussey said that while doing routine threat analysis for its UK client, his research team found an executable that behaved highly unusually, sending system information to a suspicious Chinese domain. The processes belonged to the bank’s required tax-payment software, Intelligent Tax, which was developed by the Golden Tax Department of Aisino Corporation.

As Trustwave continued its investigation, it found that the tax software worked as advertised, but it also installed the hidden backdoor.

“Basically, it was a wide open door into the network with SYSTEM level privileges that connected to a command and control server completely separate from the tax software’s network infrastructure,” the report said. “Based on this, and several other factors we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy.”

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

The inside story of the Maersk NotPetya ransomware attack

The shipping conglomerate Maersk, hit by the NotPetya ransomware in June 2017, estimated that it cost them as much as $300 million in lost revenue.

Gavin Ashton was an IT security guy working at Maersk at the time of the attack. He’s now written an in-depth article about what happened.

I want to help protect other folks from making these same mistakes, because there’s a lot of what seems to be defeatist wisdom out there; Yes, it is inevitable that you will be attacked. It is inevitable that one day, one will get through. And obviously, you should have a solid contingency plan in place in case of the worst. But that’s not to say you don’t attempt to put up a damn good fight to stop these attacks in the first case. Just because you know the bad actors are coming, doesn’t mean you leave your front door open and make them a cup of tea when they walk in. You could just lock the door.

Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.

It’s a good read, and strongly recommended if you’re responsible for securing your enterprise from malware attack.

And make sure to check out this “Smashing Security” podcast we recorded back in June 2017, at the time of the outbreak:


The United States government has filed a superseding indictment against WikiLeaks founder Julian Assange accusing him of collaborating with computer hackers, including those affiliated with the infamous LulzSec and “Anonymous” hacking groups.

The new superseding indictment does not contain any additional charges beyond the prior 18-count indictment filed against Assange in May 2019, but it does “broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged,” the DoJ said.

In May 2019, Assange was charged with 18 counts under the old U.S. Espionage Act for unlawfully publishing classified military and diplomatic documents on his popular WikiLeaks website in 2010, which he obtained from former Army intelligence analyst Chelsea Manning.

Assange has been alleged to have obtained those classified documents by conspiring with Manning to crack a password hash to a classified U.S. Department of Defense computer.

According to the new superseding indictment [PDF] unsealed Wednesday, Assange and others at WikiLeaks also recruited hackers at conferences in Europe and Asia and conspired with them to commit computer intrusions to benefit WikiLeaks.

Since the early days of WikiLeaks, Assange has spoken in conferences about his own history as a “famous teenage hacker in Australia” and encouraged others to hack to obtain information for WikiLeaks.

“In 2009, for instance, Assange told the Hacking At Random conference that WikiLeaks had obtained nonpublic documents from the Congressional Research Service by exploiting ‘a small vulnerability’ inside the document distribution system of the United States Congress, and then asserted that ‘[t]his is what any one of you would find if you were actually looking,’” the DoJ said.

Not just that, the indictment also accused Assange of gaining unauthorized access to a government computer system of a NATO country (30 member states from North America and Europe) in 2010.

Two years later, “Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI),” and provided him a list of targets to hack.

“With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases, and pdfs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times,” the DoJ said.

Assange also obtained and published on WikiLeaks emails from a data breach committed against a U.S. intelligence consulting company by a hacker affiliated with “Anonymous” and LulzSec. According to that hacker, Assange indirectly asked him to spam that victim company again.

Assange was arrested in April 2019 in London after Ecuador abruptly withdrew his asylum, and was later sentenced to 50 weeks in U.K. prison for breaching his bail conditions in 2012.

The 48-year-old is currently in prison in the U.K., where he is awaiting possible extradition to the United States, pending a September hearing.

If convicted for all counts, Assange could face a total maximum sentence of 175 years in the U.S. prison for his alleged role in “one of the largest compromises of classified information in the history of the United States.”


With Docker gaining popularity as a service to package and deploy software applications, malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies.

According to a report published by Palo Alto Networks’ Unit 42 threat intelligence team, the purpose of these Docker images is to generate funds by deploying a cryptocurrency miner using Docker containers and leveraging the Docker Hub repository to distribute these images.

“Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate,” Unit 42 researchers said. “This, combined with coin mining, makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly starts using its compute resources towards cryptojacking.”

Docker is a widely used containerization platform for Linux and Windows that lets developers package, test, and deploy applications in containers: lightweight environments that are isolated from the host system and from each other but, on Linux, share the host’s kernel rather than running a full guest OS. That is also why an exposed Docker API matters so much: whoever can talk to the daemon can start privileged containers and is, in effect, root on the host.

The Docker Hub account, named “azurenql” and since taken down, consisted of eight repositories hosting six malicious images capable of mining Monero, a privacy-focused cryptocurrency.

The malware author behind the images used a Python script to trigger the cryptojacking operation and took advantage of network anonymizing tools such as ProxyChains and Tor to evade network detection.

The coin-mining code inside each image then used the processing power of the infected host to mine Monero.

The images hosted on this account have been collectively pulled more than two million times since the campaign began in October 2019, and one of the wallet IDs used has earned more than 525.38 XMR (roughly $36,000).

Exposed Docker Servers Targeted With DDoS Malware

That’s not all. In a new mass-scanning operation spotted by Trend Micro researchers, unprotected Docker servers are being targeted with at least two different kinds of malware — XOR DDoS and Kaiji — to collect system information and carry out DDoS attacks.

“Attackers usually used botnets to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports,” the researchers said. “Now, they are also searching for Docker servers with exposed ports (2375).”

It’s worth noting that both XOR DDoS and Kaiji are Linux trojans known for conducting DDoS attacks; Kaiji is the newer of the two, written from scratch in the Go programming language and originally aimed at IoT devices via SSH brute-forcing.

The XOR DDoS operation scans for hosts with exposed Docker API ports, sends a command to list all the containers hosted on the target server, and then infects each of those containers with the XOR DDoS malware.

Likewise, the Kaiji malware scans the internet for hosts with exposed port 2375 to deploy a rogue ARM container (“linux_arm”) that executes the Kaiji binary.

“While the XOR DDoS attack infiltrated the Docker server to infect all the containers hosted on it, the Kaiji attack deploys its own container that will house its DDoS malware,” the researchers said, noting the difference between the two malware variants.

In addition, both pieces of malware gather details such as domain names, network speeds, process identifiers of running processes, and CPU and network information that are needed to mount a DDoS attack.

“Threat actors behind malware variants constantly upgrade their creations with new capabilities so that they can deploy their attacks against other entry points,” the researchers concluded.

“As they are relatively convenient to deploy in the cloud, Docker servers are becoming an increasingly popular option for companies. However, these also make them an attractive target for cybercriminals who are on the constant lookout for systems that they can exploit.”

Users and organizations running Docker should immediately check whether the daemon’s API (TCP port 2375, or 2376 for the TLS variant) is reachable from the Internet, close or firewall those ports, and follow recommended hardening practices.
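The check above is quick to automate. The Python below is an added example, not code from Unit 42, Trend Micro or the Docker project: it audits the two places the exposure shows up, a weak daemon.json (API on tcp://0.0.0.0:2375 with no TLS client authentication) next to a hardened one (tcp on 2376 with tlsverify and a CA, certificate and key), and a listing of listening sockets in the format `ss -ltn` prints. The config snippets, socket listing and certificate paths are constructed for the example; the 2376 convention for the TLS port is Docker’s own.

```python
"""Audit a Docker host for an Internet-reachable, unauthenticated API.

Added example for the Docker API exposure described above; the config
snippets and socket listing are constructed, not captured from a real host.
"""
import ipaddress
import json

# Constructed daemon.json reproducing the exposure the attacks rely on:
# the API listens on every interface, port 2375, with no TLS client auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened equivalent: remote access only over TLS with
# mandatory client certificates (2376 is the conventional TLS port).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed `ss -ltn` output from the weak host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    0.0.0.0:2375         0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       4096    [::]:22              [::]:*
"""

DOCKER_API_PORTS = (2375, 2376)


def audit_daemon_config(config_text):
    """Flag tcp:// API endpoints that do not require TLS client certs."""
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(
                f"{host}: Docker API over TCP without tlsverify "
                "(anyone who can reach the port gets root on the host)"
            )
    return findings


def _is_loopback(host):
    """True only for 127.x / ::1; wildcard and public binds are exposed."""
    host = host.strip("[]")
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_docker_listeners(ss_output, ports=DOCKER_API_PORTS):
    """Return local address:port strings of non-loopback Docker API listeners."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header row or non-listening socket
        local = fields[3]
        host, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in ports and not _is_loopback(host):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    print("weak config:    ", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened config:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("exposed sockets:", exposed_docker_listeners(SAMPLE_SS_OUTPUT))
```

The socket check reports reachability and the config check reports authentication; a hardened host can legitimately show a 2376 listener, but a 2375 listener on anything other than loopback is the exact condition the Graboid, XOR DDoS and Kaiji scanners look for. Two caveats: on distributions whose systemd unit already passes `-H fd://`, adding a `hosts` key to daemon.json makes dockerd refuse to start with a conflicting-options error, so the listener is better configured in a systemd drop-in; and even with tlsverify, the port should still be firewalled to the hosts that need it.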


GeoVision, a Taiwanese manufacturer of video surveillance systems and IP cameras, recently patched three of the four critical flaws impacting its card and fingerprint scanners that could’ve potentially allowed attackers to intercept network traffic and stage man-in-the-middle attacks.

In a report shared exclusively with The Hacker News, enterprise security firm Acronis said it discovered the vulnerabilities last year following a routine security audit of a Singapore-based major retailer.

“Malicious attackers can establish persistence on the network and spy on internal users, steal data — without ever getting detected,” Acronis said. “They can reuse your fingerprint data to enter your home and/or personal devices, and photos can be easily reused by malicious actors to perpetrate identity theft based on biometric data.”

In all, the flaws affect at least 6 device families, with over 2,500 vulnerable devices discovered online across Brazil, US, Germany, Taiwan, and Japan, aside from thousands of other devices capable of being remotely compromised.

The first issue concerns a previously undocumented root password: an attacker can gain backdoor access simply by using the default password (“admin”) to log in remotely to a vulnerable device (e.g., via https://ip.of.the.device/isshd.htm).

A second flaw involves the use of hardcoded shared cryptographic private keys when authenticating via SSH, while a third vulnerability makes it possible to access system logs on the device (e.g., at https://ip.of.the.device/messages.txt and at https://ip.of.the.device/messages.old.txt) without any authentication.

Lastly, there exists a buffer overflow vulnerability in the firmware impacting GeoVision’s fingerprint readers that allows attackers to run unauthorized code on the devices. It requires no prior authentication. Even more troublingly, it has a CVSS rating of 10, making it a critical flaw.
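A shared hard-coded SSH key is detectable from outside the device. If the shared key is the device’s SSH host key (the page does not say which side of the SSH authentication it serves), every unit presents the same key, so an `ssh-keyscan` of the fleet shows identical keys on different addresses; an attacker who extracts the private half from one firmware image can then impersonate every device and man-in-the-middle its SSH sessions. The Python below is an added example, not Acronis’s or GeoVision’s code: it groups ssh-keyscan-style lines by OpenSSH-format SHA256 fingerprint and reports any key seen on more than one host. The addresses, banner comments and key blobs are constructed placeholders, not real GeoVision keys.

```python
"""Find SSH host keys shared across devices in ssh-keyscan output.

Added example for the hard-coded shared SSH key flaw described above.
The addresses and key blobs are constructed placeholders, not real keys.
"""
import base64
import hashlib
from collections import defaultdict


def _fake_blob(label):
    """Constructed stand-in for a base64 key blob (NOT a real key)."""
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Constructed ssh-keyscan output: three devices ship the same key, one has
# a unique key, interleaved with the "# host:port banner" comment lines
# that ssh-keyscan emits.
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-constructed",
    f"10.0.0.11 ssh-rsa {_fake_blob('A')}",
    "# 10.0.0.12:22 SSH-2.0-constructed",
    f"10.0.0.12 ssh-rsa {_fake_blob('A')}",
    "# 10.0.0.13:22 SSH-2.0-constructed",
    f"10.0.0.13 ssh-rsa {_fake_blob('B')}",
    "# 10.0.0.14:22 SSH-2.0-constructed",
    f"10.0.0.14 ssh-rsa {_fake_blob('A')}",
])


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, keytype, fingerprint) for each key line; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; a real scan may also carry a trailing comment
        host, keytype, blob = fields[0], fields[1], fields[2]
        yield host, keytype, fingerprint(blob)


def shared_host_keys(text):
    """Map fingerprint -> sorted hosts, for keys that appear on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(text):
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it the output of `ssh-keyscan -t rsa,ecdsa,ed25519 -f hosts.txt` over your own address ranges; any fingerprint returned is a key you do not control the distribution of, and the only real fix is vendor firmware that generates a unique key on first boot.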

Acronis said it first approached GeoVision last August, followed up twice more in September and December, and also reported the findings to SingCERT. It wasn’t until early this month that GeoVision issued fixes for three of the flaws (firmware version 1.22), leaving the buffer overflow unpatched.

The flaws were also acknowledged by Taiwan’s Computer Emergency Response Team (TWCERT), which published advisories for the three bugs — CVE-2020-3928, CVE-2020-3929, and CVE-2020-3930 — confirming the firmware fixes and the availability of the new version.

Acronis did not disclose technical details of the fourth flaw, the remote code execution bug GeoVision has left unpatched, beyond saying that it lets an attacker use a vulnerable parameter to overwrite memory structures responsible for memory management.

Corrupting those structures eventually overwrites pointers inside them, letting the attacker redirect the program’s execution flow to their own code and run arbitrary commands.

We have reached out to GeoVision to ask for their comment on the disclosures, but we did not receive a response before this article’s publication.

“Once the attacker gets full control over the device, he/she is free to install their own malicious firmware — after which it will be almost impossible to evict them from the network,” Acronis CISO Kevin Reed and Security Researcher Alex Koshelev said.

“It’s quite surreal seeing some vendors not rushing to fix critical vulnerabilities — in addition to the low quality of the initial source code, the presence of back doors is concerning. It shows that IoT security is flawed, and each company must understand that using such devices can leave them exposed to prolonged unmitigated risks.”


Akamai reckons it blocked what may be the largest distributed denial-of-service attack ever, in terms of packets per second.

The content delivery network today said it successfully warded off the mammoth traffic flood, even as it was hit with a peak load of 809 million packets per second (PPS).

The attack, which began on 21 June, was directed at an unspecified European bank. The security team told The Register it is the largest such attack Akamai has ever encountered, let alone blocked, and the CDN believes that it is likely the largest DDoS attack to hit any network, in terms of packets per second.

“We believe this is a new industry record for PPS-focused attacks, and well over double the size of the previous high-water mark on the Akamai platform, just one week after Akamai announced another massive DDoS attack,” Akamai said in its report on the digital tsunami. “Looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector.”

Akamai could not say if there was any ulterior motivation behind the barrage (ie, to use the DDoS as a distraction) but the security team told El Reg that the bank in question has had to deal with fairly frequent attacks, so it might just be the latest (and largest) of a number of attempts to knock the institution offline.


What was unusual to the Akamai researchers was how the attack began and ended (or was mitigated) with extraordinary speed.

“The attack grew from normal traffic levels to 418Gbps in seconds, before reaching its peak size of 809Mpps in approximately two minutes,” Akamai said. “In total, the attack lasted slightly less than 10 minutes.”

For what it’s worth, Amazon Web Services said in May that it had mitigated a 2.3Tbps flood, though Akamai claims its attack was the larger one in terms of packets per second. The two figures measure different stresses: a bits-per-second flood of large packets saturates link capacity, while a packets-per-second flood of small packets exhausts the per-packet processing budget of routers, firewalls and load balancers long before the links fill, which is why the two are tracked as separate records.

The assault was not only large in volume but also in the number of sources. Akamai believes the botnet operator behind the flood commanded a very large number of infected PCs, many of them being used in a DDoS attack for the first time.

“It was highly unusual that 96.2 per cent of source IPs were observed for the first time (or at a minimum, were not being tracked as being part of attacks in recent history),” the Akamai team explained.

“We had observed a number of different attack vectors coming from the 3.8 per cent of remaining source IPs, both matching the single attack vector seen in this attack and aligned to others. In this case, most of the source IPs could be identified within large internet service providers via autonomous system (AS) lookups, which is indicative of compromised end-user machines.”

Unfortunately, Akamai believes that these sort of high-volume DDoS operations are only going to continue, and possibly even grow further. The CDN noted that it had tracked another massive attack in the week prior to the June operation, and financial services (along with internet and telecoms) are among the most popular targets. ®


Industry veterans, chatting about computer security and online privacy.

Smashing Security podcast #184: Vanity Bitcoin wallets, BlueLeaks, and a Coronavirus app conspiracy

A conspiracy spreads on social media about Coronavirus tracing apps, US police find decades’ worth of sensitive data leaked online, and is there a Bitcoin bonanza to be had from watching Elon Musk YouTube videos?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology reporter Zoe Kleinman.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

Zoe Kleinman – @zsk

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.
