<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/126/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft: Credit card stealers are getting much stealthier</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-credit-card-stealers-are-getting-much-stealthier-r6039/</link><description><![CDATA[<p>
	Microsoft's security researchers have observed a worrying trend in credit card skimming, where threat actors employ more advanced techniques to hide their malicious info-stealing code.
</p>

<p>
	 
</p>

<p>
	Skimming gangs obfuscate their code snippets, inject them into image files, and masquerade them as popular web applications to evade detection.
</p>

<p>
	 
</p>

<p>
	This undermines the effectiveness of threat detection products and increases the likelihood that internet users will have their credit card information stolen by malicious actors.
</p>

<h2>
	What is skimming
</h2>

<p>
	Payment card skimming is a web-based attack where hackers inject malicious JavaScript code onto e-commerce websites by exploiting a vulnerability on the underlying platform (Magento, PrestaShop, WordPress, etc.) or poor security practices.
</p>

<p>
	 
</p>

<p>
	The code is activated when the site visitor reaches the checkout page and proceeds to enter their credit or debit card details to pay for the placed order.
</p>

<p>
	 
</p>

<p>
	Anything typed on the forms of that page is stolen by the skimmer and sent to malicious operators who then use these details to make online purchases or sell the data to others.
</p>

<p>
	 
</p>

<p>
	<img alt="fig1-skimming-attack-overview.png" class="ipsImage" data-ratio="58.41" height="420" width="719" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/fig1-skimming-attack-overview.png">
</p>

<div>
	<div>
		Skimming attack overview (Microsoft)
	</div>
</div>

<h2>
	Stealthier skimmers
</h2>

<p>
	Microsoft's analysts report seeing an uptick in the employment of three hiding methods: injecting the scripts in images, string concatenation, and script spoofing.
</p>

<p>
	 
</p>

<p>
	In the first case, the malicious image files are uploaded to the target server disguised as favicons. Their contents, however, include a PHP script with a base64-encoded JavaScript.
</p>

<p>
	 
</p>

<p>
	"The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn't run the said code," explains <a href="https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/" rel="external nofollow" target="_blank">new research</a> from Microsoft.
</p>

<p>
	 
</p>

<p>
	"...we believe that the attacker used a PHP include expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit."
</p>

<p>
	 
</p>

<p>
	The script identifies the checkout page, checks that the visitor is not the admin user, and then serves a fake payment form to legitimate site visitors.
</p>

<p>
	 
</p>

<p>
	<img alt="check-admin.png" class="ipsImage" data-ratio="28.06" height="187" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/check-admin.png">
</p>

<div>
	<div>
		Validating admin user status (Microsoft)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Using string concatenation obfuscation, the attackers load the skimmer from a domain under their control using an implant on the target site.
</p>

<p>
	 
</p>

<p>
	The domain is base64 encoded and concatenated from several strings, while the skimmer itself doesn't need to be obfuscated since it's not hosted on the targeted platform.
</p>

<p>
	 
</p>

<p>
	<img alt="atob-url.png" class="ipsImage" data-ratio="15.56" height="99" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/atob-url.png">
</p>

<div>
	<div>
		Concatenated encoded URL (Microsoft)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The third trend, script spoofing, disguises the skimmers as Google Analytics or Meta Pixel (Facebook Pixel), two widely used visitor tracking tools present on almost every site.
</p>

<p>
	 
</p>

<p>
	The threat actors inject base64-encoded strings inside a spoofed Google Tag Manager code, tricking admins into skipping inspection, thinking it's part of the website's standard code.
</p>

<p>
	 
</p>

<p>
	<img alt="hiding-google-tag.png" class="ipsImage" data-ratio="41.53" height="265" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/hiding-google-tag.png">
</p>

<div>
	<div>
		Skimmer spoofed as Google Analytics code (Microsoft)
	</div>

	<p>
		 
	</p>
</div>

<p>
	In the case of the Meta Pixel, the threat actors mimic some common parameters of the actual plugin while also keeping the skimmer URL encoded in base64 and split into multiple strings.
</p>

<p>
	 
</p>

<p>
	<img alt="meta-functions.png" class="ipsImage" data-ratio="41.39" height="265" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/meta-functions.png">
</p>

<div>
	<div>
		Spoofing the functions of Meta Pixel (Microsoft)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Microsoft's analysis revealed that those scripts don't just load the card skimmers but also feature anti-debugging mechanisms; however, the analysts couldn't deobfuscate them to the level required to describe that function in more detail.
</p>

<h2>
	How to defend
</h2>

<p>
	Common characteristics among all payment card skimmers include the presence of base64-encoded strings and the "atob()" JavaScript function on compromised webpages.
</p>

<p>
	 
</p>

<p>
	Apart from active scanning and detection, website administrators should ensure they're running the latest available version of their content management system (CMS) and plugins.
</p>

<p>
	 
</p>

<p>
	From the customers' perspective, minimizing the damage of skimmers is only possible by using one-time private cards, setting strict payment limits, or using electronic payment methods instead.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/" rel="external nofollow">Microsoft: Credit card stealers are getting much stealthier</a>
</p>
]]></description><guid isPermaLink="false">6039</guid><pubDate>Tue, 24 May 2022 20:50:14 +0000</pubDate></item><item><title>&#x201C;Tough to forge&#x201D; digital driver&#x2019;s license is&#x2026; easy to forge</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%9Ctough-to-forge%E2%80%9D-digital-driver%E2%80%99s-license-is%E2%80%A6-easy-to-forge-r6036/</link><description><![CDATA[<h3>
	A litany of security flaws allows forgeries that are easy, quick, and cheap.
</h3>

<p>
	<img alt="nsw-digital-driver-license2-800x450.jpeg" class="ipsImage" data-ratio="62.50" height="405" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/05/nsw-digital-driver-license2-800x450.jpeg">
</p>

<div itemprop="articleBody">
	<div>
		Service NSW
	</div>

	<p>
		 
	</p>

	<p>
		In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, <a href="https://www.nsw.gov.au/media-releases/nsw-digital-drivers-licence-rolled-out-statewide" rel="external nofollow">promised</a> it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]” citizens had used for decades.
	</p>

	<p>
		 
	</p>

	<p>
		Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created <a href="https://www.service.nsw.gov.au/privacy-and-digital-licences-and-credentials" rel="external nofollow">DDL system</a>.
	</p>

	<p>
		 
	</p>

	<p>
		“To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence,” Noah Farmer, the researcher who identified the flaws, wrote in a <a href="https://blog.dvuln.com/blogs/servicensw-digital-superbad" rel="external nofollow">post</a> published last week.
	</p>

	<h2>
		A better mousetrap hacked with minimal effort
	</h2>

	<p>
		“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone’s stolen Driver's Licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate [a] fraudulent Digital Driver's Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”
	</p>

	<p>
		 
	</p>

	<p>
		DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to <a href="https://www.service.nsw.gov.au/campaign/nsw-digital-driver-licence/licence-checkers-and-nsw-digital-driver-licence" rel="external nofollow">confirm the ID is authentic</a> and current include:
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="nsw-ddl-verification-300x548.jpeg" class="ipsImage" data-ratio="180.00" height="540" width="295" src="https://cdn.arstechnica.net/wp-content/uploads/2022/05/nsw-ddl-verification-300x548.jpeg">
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Animated NSW Government logo.
		</li>
		<li>
			Display of the last refreshed date and time.
		</li>
		<li>
			A QR code expires and reloads.
		</li>
		<li>
			A hologram that moves when the phone is tilted.
		</li>
		<li>
			A watermark that matches the license photo.
		</li>
		<li>
			Address details that don’t require scrolling.
		</li>
	</ul>

	<h2>
		Surprisingly simple
	</h2>

	<p>
		The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as <a href="https://www.youtube.com/watch?v=k89Qub3BVxs" rel="external nofollow">this video</a>, showing the process on an iPhone, demonstrates.
	</p>

	<p>
		 
	</p>


	<p>
		ServiceNSW Digital Driver's Licence proof-of-concept: Brute-forcing PIN.
	</p>

	<p>
		 
	</p>

	<p>
		Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.
	</p>

	<p>
		 
	</p>

	<p>
		From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. The precise steps on an iPhone are:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Use <a href="https://support.apple.com/en-us/HT212156" rel="external nofollow">iTunes backup</a> to copy the contents of the iPhone storing the credential the fraudster wants to modify
		</li>
		<li>
			Extract the encrypted file from the backup stored on the computer
		</li>
		<li>
			Use brute-force software to decrypt the file
		</li>
		<li>
			Open the file in a text editor and modify the birth date, address, or other data they want to fake
		</li>
		<li>
			Re-encrypt the file
		</li>
		<li>
			Copy the re-encrypted file to the backup folder
		</li>
		<li>
			Restore the backup to the iPhone
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		With that, the ServiceNSW app will display the fake ID and present it as genuine.
	</p>

	<p>
		 
	</p>

	<div itemprop="articleBody">
		<p>
			The following <a href="https://www.youtube.com/watch?v=MIYyAlxoESk" rel="external nofollow">video</a> shows the entire process from start to finish.
		</p>

		<p>
			 
		</p>


		<h2>
			Death by 1,000 flaws
		</h2>

		<p>
			A variety of design flaws make this simple hack possible.
		</p>

		<p>
			 
		</p>

		<p>
			The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. Apple provides a function named <a href="https://developer.apple.com/documentation/security/1399291-secrandomcopybytes" rel="external nofollow">SecRandomCopyBytes</a> for producing random bytes that can be used to generate secure keys. “If this was used to encrypt the Digital Driver's Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,” Farmer wrote.
		</p>

		<p>
			 
		</p>

		<p>
			The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department. With no means to natively validate the data, there’s no way to tell when information has been tampered with. As a result, attackers are able to display the falsified data on the Service NSW application without any means to prevent or detect the fraud.
		</p>

		<p>
			 
		</p>

		<p>
			The third shortcoming is that using the “pull-to-refresh” function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.
		</p>

		<p>
			 
		</p>

		<p>
			Fourth, the QR code transmits only the DDL holder’s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver's license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.
		</p>

		<p>
			 
		</p>

		<p>
			“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone's stolen Driver's Licence details,” Farmer explained. Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn’t match the face displayed on the app.
		</p>

		<p>
			 
		</p>

		<p>
			The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.
		</p>

		<p>
			 
		</p>

		<p>
			With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information. It's not clear how or even if Service NSW plans to respond. Given time differences between San Francisco and New South Wales, officials with the department weren't immediately available for comment.
		</p>

		<p>
			 
		</p>

		<p>
			Farmer noted <a href="https://twitter.com/Sydney2100/status/1463640054853603332" rel="external nofollow">this tweet</a>, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. “I know 10 kids that you let in regularly with fake digital licenses because they are easy to make,” the person claimed.
		</p>

		<p>
			 
		</p>


		<p>
			 
		</p>

		<p>
			While the veracity of that claim can’t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.
		</p>
	</div>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/" rel="external nofollow">“Tough to forge” digital driver’s license is… easy to forge</a>
</p>
]]></description><guid isPermaLink="false">6036</guid><pubDate>Tue, 24 May 2022 20:44:06 +0000</pubDate></item><item><title>Hackers can hack your online accounts before you even register them</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-hack-your-online-accounts-before-you-even-register-them-r6018/</link><description><![CDATA[<p>
	Security researchers have revealed that hackers can hijack your online accounts before you even register them by exploiting flaws that have already been fixed on popular websites, including Instagram, LinkedIn, Zoom, WordPress, and Dropbox.
</p>

<p>
	 
</p>

<p>
	Andrew Paverd, a researcher at Microsoft Security Response Center, and Avinash Sudhodanan, an independent security researcher, analyzed 75 popular online services and found that at least 35 are vulnerable to account pre-hijacking attacks.
</p>

<p>
	 
</p>

<p>
	These attacks vary in type and severity, but they all stem from poor security practices on the side of the websites themselves.
</p>

<p>
	 
</p>

<p>
	As some vulnerable websites run bug bounty programs, it is surprising and worrying to see that such elementary attacks are still possible against their users.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		"The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim's identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.)." - <a href="https://arxiv.org/pdf/2205.10174.pdf" rel="external nofollow" target="_blank">A. Paverd, A. Sudhodanan</a>.
	</p>
</div>

<h2>
	How pre-hijacking works
</h2>

<p>
	For a pre-hijacking attack to work, the hacker needs to know a target's email address, which is relatively easy through email correspondence or via the numerous data breaches that plague companies daily.
</p>

<p>
	 
</p>

<p>
	Next, an attacker creates an account on a vulnerable site using the target's email address and hopes that the victim dismisses the notification that arrives in their inbox, deeming it spam. Finally, the attacker waits for the victim to create an account on the site or indirectly tricks them into doing it.
</p>

<p>
	 
</p>

<p>
	During this process, there are five different attacks that threat actors can conduct, namely the classic-federated merge (CFM), the unexpired session (US), the trojan identifier (TID), the unexpired email change (UEC), and the non-verifying identity provider (IdP) attack (NV).
</p>

<p>
	 
</p>

<p>
	In the first case, CFM, the vulnerable platform uses account merging when the target creates an account with an existing email address and, in some cases, doesn't even inform them of the fact. This attack relies on giving the victim a single-sign-on (SSO) option, so they never change the password set by the attacker.
</p>

<p>
	 
</p>

<p>
	In the unexpired session attack, the hacker keeps the session active after creating the account using an automated script. When the victim creates an account and resets the password, the active session might not be invalidated, so the attacker can continue accessing the account.
</p>

<p>
	 
</p>

<p>
	The trojan identifier method combines the Classic-Federated Merge and Unexpired Session attacks.
</p>

<p>
	 
</p>

<p>
	"The attacker creates a pre-hijacked account using the victim’s email address, but then associates the account with the attacker’s IdP account for federated authentication. When the victim resets the password (as in the Unexpired Session Attack), the attacker can still access the account via the federated authentication route," explains the paper.
</p>

<p>
	 
</p>

<p>
	In the UEC attack, the attacker creates an account using the victim's email address and then submits a change request for that email but doesn't confirm it. Then, after the victim performs the password reset, the attacker validates the change and assumes control of the account.
</p>

<p>
	 
</p>

<p>
	Finally, in the NV attack, the threat actor exploits the service's failure to verify that the user actually owns the IdP identity used when creating the account, opening up the way to abuse cloud-based login services like Okta and Onelogin.
</p>

<p>
	 
</p>

<p>
	<img alt="diagram(4).png" class="ipsImage" data-ratio="75.10" height="475" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/diagram(4).png">
</p>

<div>
	<div>
		Pre-hijacking attack methods (arxiv.org)
	</div>
</div>

<h2>
	Bypassing the email verification step
</h2>

<p>
	Many services today require new users to validate ownership of the email address, so creating new accounts with other people's email addresses wouldn't work without access to the email account.
</p>

<p>
	 
</p>

<p>
	To bypass this, the attacker can create the account using their email address and then switch to the victim's email address, abusing a standard functionality available in most online services.
</p>

<p>
	 
</p>

<p>
	In some cases, the service will not require a second verification for the new email address, allowing the threat actors to mount the attacks described above.
</p>

<h2>
	Results and protection
</h2>

<p>
	The study shows that the prevalence of the different attacks is similar, with the unexpired session issue being the most common in the limited dataset.
</p>

<p>
	 
</p>

<p>
	Some notable examples of vulnerable platforms are Dropbox (UEC), Instagram (TID), LinkedIn (US), Wordpress.com (US and UEC), and Zoom (CFM and NV).
</p>

<p>
	 
</p>

<p>
	<img alt="results.png" class="ipsImage" data-ratio="75.10" height="540" width="481" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/results.png">
</p>

<div>
	<p>
		 
	</p>

	<div>
		Sites vulnerable to account pre-hijacking (arxiv.org)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The researchers reported these problems responsibly to the platforms, many of which fixed them after categorizing them as high severity.
</p>

<p>
	 
</p>

<p>
	However, it is crucial to underline that these findings concern only a handful of sites, and there are likely many more that follow similarly poor security practices.
</p>

<p>
	 
</p>

<p>
	The main issue with this subcategory of security problems and the root cause of the identified vulnerabilities is the lack of strict verification.
</p>

<p>
	 
</p>

<p>
	As the analysts explain, the reason behind these flawed systems is that all online platforms want to minimize friction during sign-up as much as possible, which has an adverse effect on account security.
</p>

<p>
	 
</p>

<p>
	To deal with the risk of pre-hijacked accounts, users can immediately set up MFA (multi-factor authentication) on their accounts, which should also force all previous sessions to be invalidated.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-can-hack-your-online-accounts-before-you-even-register-them/" rel="external nofollow">Hackers can hack your online accounts before you even register them</a>
</p>
]]></description><guid isPermaLink="false">6018</guid><pubDate>Mon, 23 May 2022 19:26:11 +0000</pubDate></item><item><title>Facebook's Zuckerberg targeted in US privacy lawsuit</title><link>https://nsaneforums.com/news/security-privacy-news/facebooks-zuckerberg-targeted-in-us-privacy-lawsuit-r6012/</link><description><![CDATA[<p>
	Facebook founder Mark Zuckerberg was named personally in a Washington lawsuit Monday alleging he played a direct role in decisions that set the stage for the Cambridge Analytica privacy scandal.
</p>

<p>
	<br />
	The US capital's attorney general argues that Zuckerberg was closely involved in conceiving the framework that allowed the Britain-based consulting firm to harvest over 70 million US Facebook users' data.
</p>

<p>
	<br />
	A whistleblower revealed in 2018 that Cambridge Analytica went on to use that data for political purposes, including trying to rally support for Donald Trump.
</p>

<p>
	<br />
	"Zuckerberg is not just a figurehead at Facebook; he is personally involved in nearly every decision the company makes," Washington Attorney General Karl Racine wrote in the suit.
</p>

<p>
	<br />
	He added that Zuckerberg's control is baked into the structure of the company, where the founder and CEO holds a majority of voting shares.<br />
	Racine's office sued Facebook over its data privacy practices in 2018 as part of a case that is ongoing.
</p>

<p>
	<br />
	Facebook's parent company Meta did not immediately respond to the new lawsuit's allegations, but spokesman Andy Stone noted on Twitter that a judge had previously rejected Racine's bid to add Zuckerberg as a defendant in the privacy case.
</p>

<p>
	<br />
	US authorities imposed what they described as a "historic" $5 billion fine on Facebook in the wake of the scandal, and also required Facebook to ramp up privacy protections, provide detailed quarterly reports on compliance with the deal, and have an independent oversight board.
</p>

<p>
	<br />
	Since the Cambridge Analytica scandal broke, Facebook has removed access to its data from thousands of apps suspected of abusing it, restricted the amount of information available to developers in general, and made it easier for users to calibrate restrictions on personal data sharing.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-05-facebook-zuckerberg-privacy-lawsuit.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://www.msn.com/en-us/money/companies/dc-attorney-general-sues-zuckerberg-over-cambridge-analytica-scandal/ar-AAXCyMw" rel="external nofollow">D.C. attorney general sues Zuckerberg over Cambridge Analytica scandal</a>.</em>
</p>
]]></description><guid isPermaLink="false">6012</guid><pubDate>Mon, 23 May 2022 17:20:18 +0000</pubDate></item><item><title>New Unpatched Bug Could Let Attackers Steal Money from PayPal Users</title><link>https://nsaneforums.com/news/security-privacy-news/new-unpatched-bug-could-let-attackers-steal-money-from-paypal-users-r6005/</link><description><![CDATA[<p>
	A security researcher claims to have discovered an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click.
</p>

<p>
	<br />
	Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclosing sensitive information.
</p>

<p>
	<br />
	This is typically achieved by displaying an invisible page or HTML element on top of the visible page, resulting in a scenario where users are fooled into thinking that they are clicking the legitimate page when they are in fact clicking the rogue element overlaid atop it.
</p>

<p>
	<br />
	"Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," security researcher h4x0r_dz wrote in a post documenting the findings.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/0h85N5Ne_ac?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	h4x0r_dz, who discovered the issue on the "www.paypal[.]com/agreements/approve" endpoint, said the issue was reported to the company in October 2021.
</p>

<p>
	<br />
	"This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken," the researcher explained. "But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim's PayPal account."
</p>

<p>
	<br />
	This means that an adversary could embed the aforementioned endpoint inside an iframe, causing a victim already logged in to PayPal in their web browser to transfer funds to an attacker-controlled PayPal account simply by clicking a button.
</p>

<p>
	<br />
	Even more concerningly, the attack could have had disastrous consequences in online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users' PayPal accounts.
</p>

<p>
	<br />
	"There are online services that let you add balance using PayPal to your account," h4x0r_dz said. "I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!"
</p>

<p>
	<br />
	<em>(Update: The story has been rectified to mention that the bug is still unpatched and that the security researcher was not awarded any bug bounty for reporting the issue. The error is regretted. We have also reached out to PayPal for more details.)</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/paypal-pays-hacker-200000-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6005</guid><pubDate>Mon, 23 May 2022 14:56:23 +0000</pubDate></item><item><title>Brave joins Mozilla in declaring Google's First-Party Sets feature harmful to privacy</title><link>https://nsaneforums.com/news/security-privacy-news/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy-r6004/</link><description><![CDATA[<p>
	First-Party Sets is a proposed feature by Google that is designed to give site owners an option to declare multiple owned sites as first-party. Companies may own multiple domain names, and with first-party sets, they could get supporting browsers to handle all of the properties identically.
</p>

<p>
	 
</p>

<p>
	<img alt="google-first-party-sets-privacy.webp" class="ipsImage" data-ratio="75.10" height="335" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/05/google-first-party-sets-privacy.webp">
</p>

<p>
	 
</p>


<p>
	Currently, different domain names are considered third-parties in most cases, even if they belong to the same company. With the new technology in place, Google could group all of its properties together to improve communication and data flows between them.
</p>

<p>
	 
</p>

<p>
	Brave believes that first-party sets are harmful to user privacy, as companies may use the feature to track users across their properties. Third-party cookies, which are used for the same tracking purpose, will be a thing of the past soon.
</p>

<p>
	 
</p>

<p>
	Google explains that first-party sets "define a more realistic 'privacy boundary' by reflecting the real-world organization of websites, which often span multiple registrable domains". Google points out that the feature would standardize functionality for the entire Web.
</p>

<p>
	 
</p>

<p>
	Mozilla, the organization that makes the Firefox web browser, <a data-wpel-link="external" href="https://github.com/mozilla/standards-positions/pull/360" rel="external nofollow" target="_blank">declared</a> First-Party Sets harmful back in 2020. Feedback from Apple was positive, according <a data-wpel-link="external" href="https://chromestatus.com/feature/5640066519007232" rel="external nofollow" target="_blank">to this</a> Chrome Status page.
</p>

<p>
	 
</p>

<p>
	Brave Software, maker of the Brave browser, joined Mozilla recently in declaring first-party sets an anti-privacy feature. Brave's senior director of privacy, Peter Snyder, pointed out on the official blog that the adoption of the feature would make it harder for "user-respecting browsers to protect their users' privacy".
</p>

<p>
	 
</p>

<p>
	First-Party Sets will allow more sites to track more of your behavior on the Web, and make it more difficult for users to predict how their information will be shared.
</p>

<p>
	 
</p>

<p>
	Snyder believes that Chrome's dominance will likely lead to the implementation of the feature in other browsers to "maintain compatibility with the Web". Chrome has a market share of over 60% and many browsers are using the same source as Chrome already. The two main exceptions are Apple's Safari and Mozilla's Firefox web browser. Other browsers, including Microsoft Edge, Brave, Vivaldi or Opera, use Chromium as the source.
</p>

<p>
	 
</p>

<p>
	First-party sets enable the tracking of users across properties that organizations and individuals own. Google could declare most of its properties a first-party set; this would mean that if a user is known on google.com, it is also known on any other site of the first-party set, even if that site was never visited or is visited for the first time.
</p>

<p>
	 
</p>

<p>
	Google would know about the user who visits YouTube, Blogger, or Alphabet.com for the first time, provided that these domains would be in the same first-party set. Worse still, according to Snyder, users would have no control over the mechanism.
</p>

<p>
	 
</p>

<p>
	Google is arguing that first-party sets improve privacy, as they pave the way for removing support for third-party cookies in the browser. Snyder argues that first-party sets are not a privacy feature, but one designed to "ensure companies can continue to identify and track people across sites".
</p>

<p>
	 
</p>

<p>
	Google is continuing its work on its Privacy Sandbox project. The company dropped support for the controversial FLoC in January 2022 to replace it with the <a data-wpel-link="internal" href="https://www.ghacks.net/2022/01/26/google-drops-floc-and-announces-topics-as-the-future-cookie-less-advertising-system/" rel="external nofollow">equally-controversial Topics system</a>. The company is <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/26/chrome-101-ships-with-controversial-advertising-system-trials/" rel="external nofollow">running advertising system trials in Chrome currently</a>.
</p>

<p>
	 
</p>

<p>
	Chrome's dominance makes it difficult to oppose features. While browser makers may choose to ignore certain features that Google implements in Chromium and Chrome, it could result in web compatibility issues, as many developers look at Chrome first when it comes to web standards and support.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: what is your take on first-party sets?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/05/23/brave-joins-mozilla-in-declaring-googles-first-party-sets-feature-harmful-to-privacy/" rel="external nofollow">Brave joins Mozilla in declaring Google's First-Party Sets feature harmful to privacy</a>
</p>
]]></description><guid isPermaLink="false">6004</guid><pubDate>Mon, 23 May 2022 08:48:46 +0000</pubDate></item><item><title>Windows 11 hacked three more times on last day of Pwn2Own contest</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-hacked-three-more-times-on-last-day-of-pwn2own-contest-r5988/</link><description><![CDATA[<p>
	On the third and last day of the 2022 Pwn2Own Vancouver hacking contest, security researchers successfully hacked Microsoft's Windows 11 operating system three more times using zero-day exploits.
</p>

<p>
	 
</p>

<p>
	The first attempt of the day targeting Microsoft Teams failed after Team DoubleDragon could not demo their exploit within the allotted time.
</p>

<p>
	 
</p>

<p>
	All other contestants hacked their targets, earning $160,000 after taking down Windows 11 three times and Ubuntu Desktop once.
</p>

<p>
	 
</p>

<p>
	The first to demonstrate a Windows 11 escalation of privilege zero-day (via Integer Overflow) on the third day of Pwn2Own was nghiadt12 from Viettel Cyber Security.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/BrunoPujos" rel="external nofollow" target="_blank">Bruno Pujos</a> from REverse Tactics and vinhthp1712 also escalated privileges on Windows 11 using Use-After-Free and Improper Access Control vulnerabilities, respectively.
</p>

<p>
	 
</p>

<p>
	Last but not least, STAR Labs' <a href="https://twitter.com/st424204" rel="external nofollow" target="_blank">Billy Jheng Bing-Jhong</a> hacked a system running Ubuntu Desktop using a Use-After-Free exploit.
</p>

<p>
	 
</p>

<p>
	<img alt="Windows_11_%20EOP%20via%20Integer_Overfl" class="ipsImage" data-ratio="75.10" height="371" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Windows_11_%20EOP%20via%20Integer_Overflow.jpg">
</p>

<div>
	<div>
		Windows 11 EOP via Integer Overflow demoed by nghiadt12 (ZDI)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Pwn2Own 2022 Vancouver ended with 17 competitors earning a total of $1,155,000 for zero-day exploits and exploit chains demoed over three days after 21 attempts, between May 18 and May 20.
</p>

<p>
	 
</p>

<p>
	On the first day of Pwn2Own, <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" target="_blank" rel="external nofollow">hackers won $800,000</a> after successfully exploiting 16 zero-day bugs to hack multiple products, including Microsoft's Windows 11 operating system and the Teams communication platform, Ubuntu Desktop, Apple Safari, Oracle Virtualbox, and Mozilla Firefox.
</p>

<p>
	 
</p>

<p>
	On the second day, <a href="https://www.bleepingcomputer.com/news/security/windows-11-hacked-again-at-pwn2own-telsa-model-3-also-falls/" target="_blank" rel="external nofollow">contestants earned $195,000</a> after demoing flaws in the Tesla Model 3 Infotainment System, Ubuntu Desktop, and Microsoft Windows 11.
</p>

<p>
	 
</p>

<p>
	Security researchers demonstrated six Windows 11 exploits during the contest, hacked Ubuntu Desktop four times, and demoed three Microsoft Teams zero-days. They also reported several flaws in Apple Safari, Oracle Virtualbox, and Mozilla Firefox.
</p>

<p>
	 
</p>

<p>
	After vulnerabilities are exploited and reported during Pwn2Own, vendors have 90 days to release security fixes before Trend Micro's Zero Day Initiative publicly discloses them.
</p>

<p>
	 
</p>

<p>
	In April, hackers also <a href="https://www.bleepingcomputer.com/news/security/hackers-earn-400k-for-zero-day-ics-exploits-demoed-at-pwn2own/" target="_blank" rel="external nofollow">earned $400,000 for 26 zero-day exploits</a> targeting ICS and SCADA products demoed during the 2022 Pwn2Own Miami contest between April 19 and April 21.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/windows-11-hacked-three-more-times-on-last-day-of-pwn2own-contest/" rel="external nofollow">Windows 11 hacked three more times on last day of Pwn2Own contest</a>
</p>
]]></description><guid isPermaLink="false">5988</guid><pubDate>Sat, 21 May 2022 21:39:19 +0000</pubDate></item><item><title>Mozilla patches two critical security issues in Firefox and Thunderbird</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-patches-two-critical-security-issues-in-firefox-and-thunderbird-r5983/</link><description><![CDATA[<p>
	Mozilla published updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team released a patch for the email client as well. The security updates patch two critical security issues in the Firefox web browser and Thunderbird.
</p>

<p>
	 
</p>

<p>
	Here is the list of products with updates:
</p>

<p>
	 
</p>

<ul>
	<li>
		Firefox 100.0.2
	</li>
	<li>
		Firefox ESR 91.9.1
	</li>
	<li>
		Firefox for Android 100.3
	</li>
	<li>
		Thunderbird 91.9.1
	</li>
</ul>

<p>
	 
</p>

<p>
	The updates are available already, and most user installations will be updated automatically. Desktop users who don't want to wait until that happens may run a manual check for updates to speed up the installation.
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Firefox</strong>: select Menu &gt; Help &gt; About Firefox. Firefox runs a manual check for updates. Any update that is found will be downloaded and installed.
	</li>
	<li>
		<strong>Thunderbird</strong>: select Help &gt; About Thunderbird. Thunderbird will also check for updates and install any that it finds.
	</li>
</ul>

<p>
	 
</p>

<p>
	Note: Firefox for Android is updated via Google Play. There is no option to speed up the delivery of updates on Android via Google Play.
</p>

<p>
	 
</p>

<p>
	The <a data-wpel-link="external" href="https://www.mozilla.org/en-US/firefox/100.0.2/releasenotes/" rel="external nofollow" target="_blank">official release notes</a> list a single entry, which confirms the security nature of the update. Mozilla published a <a data-wpel-link="external" href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/" rel="external nofollow" target="_blank">security advisory</a> for all affected versions of the web browser that provides additional details on the issues:
</p>

<p>
	 
</p>

<p>
	There, users find out that two security issues have been patched in the update. Both issues have the severity rating of critical, the highest rating that is available. They were reported to Mozilla by Manfred Paul via Trend Micro's Zero Day Initiative.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	CVE-2022-1802: Prototype pollution in Top-Level Await implementation
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
</p>

<p>
	 
</p>

<p>
	The linked bug reports are restricted. Mozilla makes no mention of attacks in the wild that target these vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Firefox and Thunderbird users may want to update their applications quickly to protect them against attacks targeting these issues.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: when do you update your applications?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/05/21/mozilla-patches-two-critical-security-issues-in-firefox-and-thunderbird/" rel="external nofollow">Mozilla patches two critical security issues in Firefox and Thunderbird</a>
</p>
]]></description><guid isPermaLink="false">5983</guid><pubDate>Sat, 21 May 2022 07:24:48 +0000</pubDate></item><item><title>Google Chat adds warning banners to protect against phishing attacks</title><link>https://nsaneforums.com/news/security-privacy-news/google-chat-adds-warning-banners-to-protect-against-phishing-attacks-r5967/</link><description><![CDATA[<h3>
	The warning labels are spreading across Google services
</h3>

<p>
	Google Chat has <a href="https://www.theverge.com/2022/2/23/22947115/google-chat-classic-hangouts-gmail-workspace" rel="external nofollow">replaced Hangouts</a> and will now display banners warning you against potential phishing and malware attacks coming from personal accounts, <a href="https://workspaceupdates.googleblog.com/2022/05/new-google-chat-banners-protect-against-malicious-links.html" rel="external nofollow">Google announced on Thursday</a>. This tweak for Google Chat is the latest expansion of Google’s attempts to prevent phishing.
</p>

<p>
	 
</p>

<p>
	During its 2022 I/O developer conference, Google <a href="https://www.theverge.com/2022/5/11/23066161/google-privacy-controls-protected-computing-io" rel="external nofollow">discussed several security measures</a> it has implemented to enhance user safety, including warnings against potential security issues and recommendations to fix them. Google also laid out other plans for security measures, like expanded two-step verification, ad customization, and more data security.
</p>

<p>
	 
</p>

<p>
	<img alt="Screen_Shot_2022_05_19_at_4.07.32_PM.png" class="ipsImage" data-ratio="84.38" height="540" width="634" src="https://cdn.vox-cdn.com/thumbor/81aXnOIHGe4V3EqE9N-0i2roXUc=/0x0:640x545/920x0/filters:focal(0x0:640x545):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23577012/Screen_Shot_2022_05_19_at_4.07.32_PM.png">
</p>

<p>
	Warning labels about suspicious links in Google Chat. Image: Google
</p>

<p>
	 
</p>

<p>
	Google’s new warning banners first appeared in Gmail on Workspace accounts to point out attempts to lure someone with a link that could be used for malware, phishing, or ransomware. At the end of April, Google <a href="https://www.theverge.com/2022/4/29/23048113/google-docs-slides-sheets-warning-banner-scams-phishing-links-web" rel="external nofollow">expanded the banners to Google Docs</a>, warning users against suspected malicious files in several Google Workspace apps (Docs, Sheets, Slides, and Drawing) no matter where they opened the link from.
</p>

<p>
	 
</p>

<p>
	This new feature is rolling out over the next couple of weeks, and it will be available for both personal Google accounts and for all Google Workspace customers.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/5/20/23132300/google-chat-warning-banner-phishing-cybersecurity" rel="external nofollow">Google Chat adds warning banners to protect against phishing attacks</a>
</p>
]]></description><guid isPermaLink="false">5967</guid><pubDate>Fri, 20 May 2022 21:12:04 +0000</pubDate></item><item><title>Windows 11 hacked again at Pwn2Own, Tesla Model 3 also falls</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-hacked-again-at-pwn2own-telsa-model-3-also-falls-r5966/</link><description><![CDATA[<p>
	During the second day of the Pwn2Own Vancouver 2022 hacking competition, contestants hacked Microsoft's Windows 11 OS again and demoed zero-days in Tesla Model 3's infotainment system.
</p>

<p>
	 
</p>

<p>
	The first demonstration of the day came from the <a href="https://twitter.com/Synacktiv" rel="external nofollow" target="_blank">@Synacktiv</a> team, who successfully demoed two unique bugs (Double-Free &amp; OOBW) and a sandbox escape collision while targeting the Tesla Model 3 infotainment system, earning $75,000 for their efforts.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/Jedar_LZ" rel="external nofollow" target="_blank">@Jedar_LZ</a> also failed to demo a zero-day exploit against Tesla's car. Although the bug wasn't exploited within the allotted time, Trend Micro's Zero Day Initiative (ZDI) acquired the exploit details and disclosed them to Tesla. 
</p>

<p>
	 
</p>

<p>
	A third Windows 11 elevation of privileges zero-day caused by an improper access control bug was demoed on the second day by T0, with namnp failing to demonstrate a second Windows 11 privilege escalation zero-day within the time allotted.
</p>

<p>
	 
</p>

<p>
	Two more local privilege escalation vulnerabilities in Windows 11 were successfully demoed by the STAR Labs team and Marcin Wiązowski <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" target="_blank" rel="external nofollow">during the first round of the Pwn2Own contest</a>.
</p>

<p>
	 
</p>

<p>
	Ubuntu Desktop was also hacked twice, with Bien Pham (<a href="https://twitter.com/bienpnn" rel="external nofollow">@bienpnn</a>) and Team TUTELARY from Northwestern University escalating privileges using two Use After Free bugs and earning $40,000 each.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/iO_wT7tb07I?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	On the first day of Pwn2Own, <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" target="_blank" rel="external nofollow">hackers won $800,000</a> after successfully exploiting 16 zero-day bugs to hack multiple products, including Microsoft's Windows 11 operating system and the Teams communication platform, Ubuntu Desktop, Apple Safari, Oracle Virtualbox, and Mozilla Firefox.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.zerodayinitiative.com/blog/2022/5/17/pwn2own-vancouver-2022-the-schedule#:~:text=%C2%A0Friday%2C%20May%2020%2C%202022" rel="external nofollow" target="_blank">On the third day</a> of the contest, Pwn2Own competitors will attempt to exploit more zero-days in Windows 11, Microsoft Teams, and Ubuntu Desktop.
</p>

<p>
	 
</p>

<p>
	Vendors have 90 days to develop and release security fixes for all reported flaws after demoed security vulnerabilities are disclosed during Pwn2Own.
</p>

<p>
	 
</p>

<p>
	Security researchers will target products in multiple product categories between May 18 and May 20 at <a href="https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results" rel="external nofollow" target="_blank">Pwn2Own Vancouver 2022</a>, including web browsers, virtualization, local escalation of privilege, servers, enterprise communications, and automotive.
</p>

<p>
	 
</p>

<p>
	They can earn more than $1,000,000 in cash and prizes throughout the three days of the contest after successfully exploiting previously unknown bugs.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/windows-11-hacked-again-at-pwn2own-telsa-model-3-also-falls/" rel="external nofollow">Windows 11 hacked again at Pwn2Own, Tesla Model 3 also falls</a>
</p>
]]></description><guid isPermaLink="false">5966</guid><pubDate>Fri, 20 May 2022 21:10:10 +0000</pubDate></item><item><title>New method to kill cyberattacks in less than a second</title><link>https://nsaneforums.com/news/security-privacy-news/new-method-to-kill-cyberattacks-in-less-than-a-second-r5959/</link><description><![CDATA[<p>
	A new method that could automatically detect and kill cyberattacks on our laptops, computers and smart devices in under a second has been created by researchers at Cardiff University.
</p>

<p>
	<br />
	Using artificial intelligence in a completely novel way, the method has been shown to successfully prevent up to 92 percent of files on a computer from being corrupted, with it taking just 0.3 seconds on average for a piece of malware to be wiped out.
</p>

<p>
	<br />
	Publishing their findings in the journal Security and Communications Networks, the team say this is the first demonstration of a method that can both detect and kill malicious software in real-time, which could transform approaches to modern cybersecurity and avoid instances such as the recent WannaCry cyberattack that hit the NHS in 2017.
</p>

<p>
	<br />
	Using advances in artificial intelligence and machine learning, the new approach, developed in collaboration with Airbus, is based on monitoring and predicting the behavior of malware as opposed to more traditional antivirus approaches that analyze what a piece of malware looks like.
</p>

<p>
	<br />
	"Traditional antivirus software will look at the code structure of a piece of malware and say 'yeah, that looks familiar'," co-author of the study Professor Pete Burnap explains.
</p>

<p>
	<br />
	"But the problem is malware authors will just chop and change the code, so the next day the code looks different and is not detected by the antivirus software. We want to know how a piece of malware behaves so once it starts attacking a system, like opening a port, creating a process or downloading some data in a particular order, it will leave a fingerprint behind which we can then use to build up a behavioral profile."
</p>

<p>
	<br />
	By training computers to run simulations on specific pieces of malware, it is possible to make a very quick prediction in less than a second of how the malware will behave further down the line.
</p>

<p>
	<br />
	Once a piece of software is flagged as malicious the next stage is to wipe it out, which is where the new research comes into play.
</p>

<p>
	<br />
	"Once a threat is detected, due to the fast-acting nature of some destructive malware, it is vital to have automated actions to support these detections," continued Professor Burnap.
</p>

<p>
	<br />
	"We were motivated to undertake this work as there was nothing available that could do this kind of automated detecting and killing on a user's machine in real-time."
</p>

<p>
	<br />
	Existing products, known as endpoint detection and response (EDR), are used to protect end-user devices such as desktops, laptops, and mobile devices and are designed to quickly detect, analyze, block, and contain attacks that are in progress.
</p>

<p>
	<br />
	The main problem with these products is that the collected data needs to be sent to administrators in order for a response to be implemented, by which time a piece of malware may already have caused damage.
</p>

<p>
	<br />
	To test the new detection method, the team set up a virtual computing environment to represent a group of commonly used laptops, each running up to 35 applications at the same time to simulate normal behavior.
</p>

<p>
	<br />
	The AI-based detection method was then tested using thousands of samples of malware.
</p>

<p>
	<br />
	Lead author of the study Matilda Rhode, now Head of Innovation and Scouting at Airbus, said: "While we still have some way to go in terms of improving the accuracy of this system before it could be implemented, this is an important step towards an automated real-time detection system that would not only benefit our laptops and computers, but also our smart speakers, thermostats, cars and refrigerators as the 'Internet of Things' becomes more prevalent."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-05-method-cyberattacks.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5959</guid><pubDate>Fri, 20 May 2022 19:25:39 +0000</pubDate></item><item><title>Microsoft detects massive surge in Linux XorDDoS malware activity</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-detects-massive-surge-in-linux-xorddos-malware-activity-r5944/</link><description><![CDATA[<p>
	A stealthy and modular malware used to hack into Linux devices and build a DDoS botnet has seen a massive 254% increase in activity during the last six months, as Microsoft revealed today.
</p>

<p>
	 
</p>

<p>
	This malware (active since at least <a href="https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html" rel="external nofollow" target="_blank">2014</a>) is known as XorDDoS (or XOR DDoS) because it uses XOR-based encryption when communicating with its command-and-control (C2) servers and because it is employed to launch distributed denial-of-service (DDoS) attacks.
</p>

<p>
	 
</p>

<p>
	As the company revealed, the botnet's success is likely due to its extensive use of various evasion and persistence tactics which allow it to remain stealthy and hard to remove.
</p>

<p>
	 
</p>

<p>
	"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis," Microsoft 365 Defender Research Team <a href="https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte."
</p>

<p>
	 
</p>

<p>
	XorDDoS is known for targeting a multitude of Linux system architectures, from ARM (IoT) to x64 (servers), and compromising vulnerable ones in SSH brute-force attacks.
</p>

<p>
	 
</p>

<p>
	To propagate to more devices, it uses a shell script that will attempt to log in as root using various passwords against thousands of Internet-exposed systems until it finally finds a match.
</p>

<p>
	 
</p>

<p>
	<img alt="XorDDoS_attack_flow.png" class="ipsImage" data-ratio="75.10" height="524" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/XorDDoS_attack_flow.png">
</p>

<div>
	<div>
		XorDDoS attack flow (Microsoft)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Besides launching DDoS attacks, the malware's operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads.
</p>

<p>
	 
</p>

<p>
	"We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft added.
</p>

<p>
	 
</p>

<p>
	"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities."
</p>

<p>
	 
</p>

<p>
	The huge boost in XorDDoS activity Microsoft detected since December lines up with a report by cybersecurity firm CrowdStrike which said that <a href="https://www.bleepingcomputer.com/news/security/linux-malware-sees-35-percent-growth-during-2021/" target="_blank" rel="external nofollow">Linux malware had seen a 35% growth</a> during 2021 compared to the previous year.
</p>

<p>
	 
</p>

<p>
	XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all malware attacks targeting Linux devices observed in 2021.
</p>

<p>
	 
</p>

<p>
	Of the three, CrowdStrike said that XorDDoS saw a notable year-over-year increase of 123%, while Mozi had an explosive activity growth, with ten times more samples detected in the wild throughout last year.
</p>

<p>
	 
</p>

<p>
	A <a href="https://www.intezer.com/blog/cloud-security/2020-set-record-for-new-linux-malware-families/" rel="external nofollow" target="_blank">February 2021 report from Intezer</a> also revealed that Linux malware families increased by roughly 40% in 2020 compared to 2019.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-detects-massive-surge-in-linux-xorddos-malware-activity/" rel="external nofollow">Microsoft detects massive surge in Linux XorDDoS malware activity</a>
</p>
]]></description><guid isPermaLink="false">5944</guid><pubDate>Thu, 19 May 2022 21:26:25 +0000</pubDate></item><item><title>Windows 11 and Teams got hacked several times during the first day of Pwn2Own 2022</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-and-teams-got-hacked-several-times-during-the-first-day-of-pwn2own-2022-r5943/</link><description><![CDATA[<p>
	During Pwn2Own, an annual computer hacking event, contestants and cybersecurity experts demonstrate their skills in utilizing bugs, zero-day exploits, and other issues to legally crack into various software and receive rewards and recognition. This year, during Pwn2Own Vancouver 2022, contestants managed to break into Microsoft Teams and Windows 11 on day one.
</p>

<p>
	 
</p>

<p>
	Hector "p3rro" Peralta was the first to get into Microsoft Teams. He demonstrated an improper configuration against Microsoft's corporate messenger and earned $150,000 for his findings. Later, Teams fell victim again when Masato Kinugawa executed a 3-bug chain of infection, misconfiguration, and sandbox escape. The beatings continued with Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin demonstrating zero-click exploits of two bugs.
</p>

<p>
	 
</p>

<p>
	Windows 11 was not immune to hackers either. Despite Microsoft's strong emphasis on security in its latest OS, Marcin Wiązowski executed an out-of-bounds write escalation of privilege in Windows 11. For that, Marcin netted $40,000 and high praise from Microsoft.
</p>

<p>
	 
</p>

<p>
	Microsoft's products were not the only software hackers broke during the first day of Pwn2Own Vancouver 2022. Contestants managed to earn points and money by cracking Oracle Virtualbox, Mozilla Firefox, Ubuntu Desktop, and Apple Safari. Events like this help Microsoft and other companies improve the security of their products and incentivize skilled hackers to stay on the right side of cyber laws.
</p>

<p>
	 
</p>

<p>
	In total, hackers earned $800,000 on day one by exploiting 16 zero-day bugs in multiple products. On days two and three, contestants can make more than $1,000,000 in rewards by breaking into other software, gadgets, and cars (Tesla Model 3 and Model S).
</p>

<p>
	 
</p>

<p>
	Source: <a href="http://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results" rel="external nofollow">Zero Day Initiative</a> via <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" rel="external nofollow">Bleeping Computer</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-11-and-teams-got-hacked-several-times-during-the-first-day-of-pwn2own-2022/" rel="external nofollow">Windows 11 and Teams got hacked several times during the first day of Pwn2Own 2022</a>
</p>
]]></description><guid isPermaLink="false">5943</guid><pubDate>Thu, 19 May 2022 21:24:34 +0000</pubDate></item><item><title>Phishing websites now use chatbots to steal your credentials</title><link>https://nsaneforums.com/news/security-privacy-news/phishing-websites-now-use-chatbots-to-steal-your-credentials-r5942/</link><description><![CDATA[<p>
	Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors.
</p>

<p>
	 
</p>

<p>
	This approach automates the process for attackers and gives a sense of legitimacy to visitors of the malicious sites, as chatbots are commonly found on websites for legitimate brands.
</p>

<p>
	 
</p>

<p>
	This new development in phishing attacks was discovered by researchers at Trustwave, who shared the report with Bleeping Computer before publication.
</p>

<h2>
	It starts with an email
</h2>

<p>
	The phishing process begins with an email claiming to contain information about the delivery of a parcel, masquerading as the DHL shipping brand.
</p>

<p>
	 
</p>

<p>
	<img alt="message(1).png" class="ipsImage" data-ratio="66.39" height="365" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/message(1).png">
</p>

<div>
	<div>
		Phishing email sample (Trustwave)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Clicking on the 'Please follow our instructions' button in the email loads a PDF file that contains links to the phishing site. The threat actors display the phishing links in the PDF document to bypass email security software.
</p>

<p>
	 
</p>

<p>
	<img alt="dhl-pdf.png" class="ipsImage" data-ratio="103.85" height="540" width="436" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/dhl-pdf.png">
</p>

<div>
	<div>
		Downloadable PDF containing the malicious links (Trustwave)
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, the URL button (or the link) in the PDF takes the victim to a phishing site (dhiparcel-management[.]support-livechat[.]24mhd[.]com) where they are supposed to resolve issues causing a package to be undeliverable.
</p>

<p>
	 
</p>

<p>
	This is where the chatbot takes over.
</p>

<h2>
	A chatbot steals your credentials
</h2>

<p>
	When the phishing page loads, visitors are greeted with a web chat explaining why the package could not be delivered instead of being shown a fake login form commonly used to steal credentials.
</p>

<p>
	 
</p>

<p>
	This webchat explains that the package's label was damaged, preventing its delivery. The webchat also displays a photo of the alleged package to add more legitimacy to the scam.
</p>

<p>
	 
</p>

<p>
	<img alt="chatbot.png" class="ipsImage" data-ratio="75.10" height="540" width="629" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/chatbot.png">
</p>

<div>
	<div>
		Chatbot on the phishing site (Trustwave)
	</div>

	<p>
		 
	</p>
</div>

<p>
	This virtual assistant offers pre-defined responses for the visitor, so the conversation is fixed, always leading to showing a photograph of the alleged package featuring a damaged label.
</p>

<p>
	 
</p>

<p>
	Due to this problem, the chatbot requests the victim to give their personal details such as home or business address, full name, phone number, etc.
</p>

<p>
	 
</p>

<p>
	After that, the delivery is supposedly scheduled, and a bogus CAPTCHA step is displayed to lend one more false sense of legitimacy to the phishing page.
</p>

<p>
	 
</p>

<p>
	Next, the victim is redirected to a phishing page that requires entering DHL account credentials and finally leads to a payment step, supposedly to cover the shipping costs.
</p>

<p>
	 
</p>

<p>
	The final "Secure Pay" page contains the typical credit card payment fields, including cardholder name, card number, expiration date, and the CVV code.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="payment.png" class="ipsImage" data-ratio="91.53" height="540" width="571" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/payment.png">
	</p>

	<div>
		Credit card payment field (Trustwave)
	</div>

	<p>
		 
	</p>
</div>

<p>
	When the details are entered and the "Pay Now" button is clicked, the victim receives a one-time password (OTP) on the provided mobile phone number via SMS, which adds to the sense of legitimacy.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="otp.png" class="ipsImage" data-ratio="114.41" height="540" width="444" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/otp.png">
	</p>

	<div>
		One-time password verification screen (Trustwave)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Trustwave's analysts tested entering random characters, and the system returned an error about an invalid security code, so the implementation of the OTP verification is real.
</p>

<p>
	 
</p>

<p>
	If the correct code is entered, the fake page serves a "Thank you!" message and confirms that the submission has been received.
</p>

<h2>
	Campaigns are getting more "genuine"
</h2>

<p>
	Threat actors are increasingly using mechanisms generally found in real websites, like CAPTCHAs, OTPs, and now even chatbots, making it hard for victims to spot attempts to steal their information.
</p>

<p>
	 
</p>

<p>
	This calls for greater vigilance when receiving unsolicited communications that request your immediate action, especially if these messages contain embedded buttons and URL links.
</p>

<p>
	 
</p>

<p>
	If DHL or any other shipping service requires your action, you should always open the actual website on a new browser tab instead of clicking on the provided links.
</p>

<p>
	 
</p>

<p>
	Then log in to your account on the trusted platform and check for any pending items or alerts. Alternatively, contact a customer support agent yourself.
</p>

<p>
	 
</p>

<p>
	As always, the best way to spot a phishing page is to examine the URL for the website. If it looks suspicious or does not match the legitimate domain, do not enter any personal information into the page.
</p>

<p>
	 
</p>

<p>
	In this case, the spoofed DHL URL ends with the domain "24mhd.com," which is clearly not the DHL website and is a clear sign of a phishing attempt.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/phishing-websites-now-use-chatbots-to-steal-your-credentials/" rel="external nofollow">Phishing websites now use chatbots to steal your credentials</a>
</p>
]]></description><guid isPermaLink="false">5942</guid><pubDate>Thu, 19 May 2022 21:22:55 +0000</pubDate></item><item><title>Deepfakes can fool biometric checks used by banks, research finds</title><link>https://nsaneforums.com/news/security-privacy-news/deepfakes-can-fool-biometric-checks-used-by-banks-research-finds-r5933/</link><description><![CDATA[<p>
	Fraudsters can easily use artificial intelligence to open up fake accounts online.
</p>

<p>
	 
</p>

<p>
	A team of researchers has found that biometric tests used by banks and cryptocurrency exchanges to verify users’ identities can be fooled by deepfake technology.
</p>

<p>
	<br />
	In a report published on Wednesday, researchers with Sensity, a security firm focused on deepfake detection, demonstrated how they were able to bypass an automated “liveness test” by using AI-generated faces.
</p>

<p>
	<br />
	Commonly known as “know your customer” or KYC tests, such verification processes often ask users to provide photographs of their identification as well as their face. A “liveness test” is then used to capture the users’ face in real-time in order to match it to their selfie and identification photo with facial recognition.
</p>

<p>
	<br />
	KYC verification is utilized in a wide array of industries including banking, fintech, insurance, crypto, and gambling. Sensity tweeted out footage of its demonstration a week before it released its report, detailing how 9 of the top 10 KYC vendors were highly vulnerable to deepfake attacks.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	On Wed, May 18, we will publish our latest research about how fraudsters are leveraging <span style="color:#2980b9;">#deepfakes</span> to spoof identity verification on digital banks and crypto platforms <span style="color:#2980b9;">pic.twitter.com/xIKCdkpOd5</span>
</p>

<p style="margin-left:40px;">
	<br />
	— Sensity (@sensityai) <span style="color:#2980b9;">May 13, 2022</span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	“Despite its widespread adoption, active liveness checks are weak against attacks by Deepfakes,” the report states. “The reason is that real-time Deepfakes can reproduce faithfully facial landmark movements of the attackers.”
</p>

<p>
	<br />
	Even with such a glaring vulnerability, KYC vendors do not appear concerned about the potential for misuse. In a statement to the <span style="color:#2980b9;">Verge</span>, which first covered the report on Wednesday, Francesco Cavalli, Sensity’s chief operating officer, claimed that vulnerable companies did not appear to care.
</p>

<p>
	<br />
	“We told them ‘look you’re vulnerable to this kind of attack,’ and they said ‘we do not care,’” he said. “We decided to publish it because we think, at a corporate level and in general, the public should be aware of these threats.”
</p>

<p>
	<br />
	With massive crypto heists becoming common, it seems likely such vulnerabilities will be exploited more and more by cybercriminals as deepfake technology becomes more realistic and easier to use.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.dailydot.com/debug/biometric-checks-kyc-deepfake-vulnerability/" rel="external nofollow">Source</a></strong>
</p>

]]></description><guid isPermaLink="false">5933</guid><pubDate>Wed, 18 May 2022 22:49:12 +0000</pubDate></item><item><title>Critical Jupiter WordPress plugin flaws let hackers take over sites</title><link>https://nsaneforums.com/news/security-privacy-news/critical-jupiter-wordpress-plugin-flaws-let-hackers-take-over-sites-r5927/</link><description><![CDATA[<p>
	WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw.
</p>

<p>
	 
</p>

<p>
	Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic.
</p>

<p>
	 
</p>

<p>
	The vulnerability, tracked as CVE-2022-1654, and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.
</p>

<p>
	 
</p>

<p>
	After exploiting the vulnerability, attackers may perform unlimited actions on the site, including altering its content, injecting malicious scripts, or completely deleting it.
</p>

<p>
	 
</p>

<p>
	A simple subscriber or customer account on the site is enough to exploit this vulnerability, so the attack does not have very restrictive prerequisites.
</p>

<h2>
	Discovery and fix
</h2>

<p>
	According to <a href="https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/" rel="external nofollow" target="_blank">Wordfence</a>, which discovered the flaw, the problem lies in a function named "uninstallTemplate," which resets the site after a theme is removed.
</p>

<p>
	 
</p>

<p>
	This function elevates the calling user's privileges to admin, so if a logged-in user sends an AJAX request whose action parameter invokes the function, they gain administrative privileges without passing a nonce check or any other check.
</p>

<p>
	 
</p>

<p>
	The Wordfence Threat Intelligence team discovered the issue on April 5, 2022, and notified the plugin developer with full technical details.
</p>

<p>
	 
</p>

<p>
	On April 28, 2022, the vendor released a partial fix for the impacted plugins. Then, on May 10, 2022, Artbees released another security update that addressed the issues thoroughly.
</p>

<p>
	 
</p>

<p>
	The versions impacted by CVE-2022-1654 are Jupiter Theme version 6.10.1 and older (fixed in 6.10.2), JupiterX Theme version 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin version 2.0.7 and older (fixed in 2.0.8).
</p>

<p>
	 
</p>

<p>
	The only way to address the security problems is to update to the latest available versions as soon as possible or deactivate the plugin and replace your site's theme.
</p>

<p>
	 
</p>

<p>
	During this security investigation, Wordfence discovered additional, albeit less severe, flaws that were fixed with the mentioned security updates on May 10, 2022. These flaws are:
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2022-1656: Medium severity (CVSS score: 6.5) arbitrary plugin deactivation and settings modification.
	</li>
	<li>
		CVE-2022-1657: High severity (CVSS score: 8.1) path traversal and local file inclusion.
	</li>
	<li>
		CVE-2022-1658: Medium severity (CVSS score: 6.5) arbitrary plugin deletion.
	</li>
	<li>
		CVE-2022-1659: Medium severity (CVSS score: 6.3) information disclosure, modification, and denial of service.
	</li>
</ul>

<p>
	 
</p>

<p>
	These additional four vulnerabilities require authentication to be exploited, and they too are accessible to site subscribers and customers, but their consequences aren't as damaging.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-jupiter-wordpress-plugin-flaws-let-hackers-take-over-sites/" rel="external nofollow">Critical Jupiter WordPress plugin flaws let hackers take over sites</a>
</p>
]]></description><guid isPermaLink="false">5927</guid><pubDate>Wed, 18 May 2022 21:41:53 +0000</pubDate></item><item><title>Microsoft warns of brute-force attacks targeting MSSQL servers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-brute-force-attacks-targeting-mssql-servers-r5919/</link><description><![CDATA[<p>
	Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords.
</p>

<p>
	 
</p>

<p>
	While this isn't necessarily the first time MSSQL servers have been targeted in such attacks, Redmond says that the threat actors behind this recently observed campaign are using <a href="https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/" rel="external nofollow" target="_blank">the legitimate sqlps.exe tool as a LOLBin</a> (short for living-off-the-land binary).
</p>

<p>
	 
</p>

<p>
	"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team <a href="https://twitter.com/MsftSecIntel/status/1526680351858475008" rel="external nofollow" target="_blank">revealed</a>.
</p>

<p>
	 
</p>

<p>
	"The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners."
</p>

<p>
	 
</p>

<p>
	Using sqlps, a utility bundled with Microsoft SQL Server that loads the SQL Server cmdlets, as a LOLBin lets the attackers execute PowerShell commands without worrying about defenders detecting their malicious actions.
</p>

<p>
	 
</p>

<p>
	It also helps ensure that they don't leave any traces to be found while analyzing their attacks since using sqlps is an effective way to bypass <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#enabling-script-block-logging" rel="external nofollow">Script Block Logging</a>, a PowerShell capability that would otherwise log cmdlet operations to the Windows event log.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft%20MSSQL%20brute-force%20attack" class="ipsImage" data-ratio="74.21" height="423" width="570" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Microsoft%20MSSQL%20brute-force%20attacks.jpg">
</p>

<p>
	 
</p>

<p>
	Similar attacks against MSSQL servers were reported in March when they were targeted to <a href="https://www.bleepingcomputer.com/news/security/unsecured-microsoft-sql-mysql-servers-hit-by-gh0stcringe-malware/" target="_blank" rel="external nofollow">deploy Gh0stCringe (aka CirenegRAT) remote access trojans</a> (RATs).
</p>

<p>
	 
</p>

<p>
	In a previous campaign from February, threat actors compromised MSSQL servers to <a href="https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/" target="_blank" rel="external nofollow">drop Cobalt Strike beacons</a> using the Microsoft SQL xp_cmdshell command.
</p>

<p>
	 
</p>

<p>
	However, for years, MSSQL servers have been targeted as part of massive campaigns where malicious actors attempt to hijack thousands of vulnerable servers daily for various end goals.
</p>

<p>
	 
</p>

<p>
	In one such series of attacks (dubbed <a href="https://www.bleepingcomputer.com/news/security/hacker-group-backdoors-thousands-of-microsoft-sql-servers-daily/" target="_blank" rel="external nofollow">Vollgar</a>) spanning almost two years, threat actors backdoored between 2,000 and 3,000 servers with RATs after brute-forcing publicly exposed servers to deploy Monero (XMR) and Vollar (VDS) cryptominers.
</p>

<p>
	 
</p>

<p>
	To defend their MSSQL servers against such attacks, admins are advised not to expose them to the Internet.
</p>

<p>
	 
</p>

<p>
	You should also:
</p>

<p>
	 
</p>

<ul>
	<li>
		use a strong admin password that can't be guessed or brute-forced easily and place the server behind a firewall
	</li>
	<li>
		enable logging to monitor for suspicious or unexpected activity or recurring login attempts
	</li>
	<li>
		apply the latest security updates to decrease the attack surface and block attacks leveraging exploits that target known vulnerabilities
	</li>
</ul>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-force-attacks-targeting-mssql-servers/" rel="external nofollow">Microsoft warns of brute-force attacks targeting MSSQL servers</a>
</p>
]]></description><guid isPermaLink="false">5919</guid><pubDate>Wed, 18 May 2022 21:20:53 +0000</pubDate></item><item><title>When Your Smart ID Card Reader Comes With Malware</title><link>https://nsaneforums.com/news/security-privacy-news/when-your-smart-id-card-reader-comes-with-malware-r5911/</link><description><![CDATA[<p>
	Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.
</p>

<p>
	 
</p>

<p>
	<img alt="caccard.png" class="ipsImage" data-ratio="30.97" height="220" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/caccard.png">
</p>

<div id="attachment_59847">
	<p id="caption-attachment-59847">
		A sample Common Access Card (CAC). Image: Cac.mil.
	</p>

	<p>
		 
	</p>
</div>

<p>
	KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.
</p>

<p>
	 
</p>

<p>
	The USB-based device Mark settled on is the first result that currently comes up when one searches Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.cac.mil/common-access-card/" rel="external nofollow" target="_blank">Common Access Card</a> (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.
</p>

<p>
	 
</p>

<p>
	Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.
</p>

<p>
	 
</p>

<p>
	<img alt="saicoo-768x438.png" class="ipsImage" data-ratio="60.69" height="410" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/saicoo-768x438.png">
</p>

<div id="attachment_59848">
	<p id="caption-attachment-59848">
		The Saicoo smart card reader that Mark purchased. Image: Amazon.com
	</p>

	<p>
		 
	</p>
</div>

<p>
	So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows:
</p>

<p>
	 
</p>

<p>
	<img alt="saicoodrivers.png" class="ipsImage" data-ratio="75.10" height="540" width="561" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/saicoodrivers.png">
</p>

<div id="attachment_59852">
	<p id="caption-attachment-59852">
		Image: Saicoo
	</p>

	<p>
		 
	</p>
</div>

<p>
	Out of an abundance of caution, Mark submitted Saicoo’s drivers file to <a href="https://www.virustotal.com" rel="external nofollow" target="_blank">Virustotal.com</a>, which simultaneously scans any shared files with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as <a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.ramnit.a" rel="external nofollow" target="_blank">Ramnit</a>, a fairly common but dangerous trojan horse that spreads by appending itself to other files.
</p>

<p>
	 
</p>

<p>
	<img alt="saicooramnit-768x551.png" class="ipsImage" data-ratio="75.10" height="516" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/saicooramnit-768x551.png">
</p>

<div id="attachment_59849">
	<p id="caption-attachment-59849">
		Image: Virustotal.com
	</p>

	<p>
		 
	</p>
</div>

<p>
	Ramnit is a well-known and older threat — first surfacing more than a decade ago — but it has evolved over the years and is <a href="https://www.cybereason.com/blog/research/banking-trojan-delivered-by-lolbins-ramnit-trojan" rel="external nofollow" target="_blank">still employed in more sophisticated data exfiltration attacks</a>. Amazon said in a written statement that it was investigating the reports.
</p>

<p>
	 
</p>

<p>
	“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.
</p>

<p>
	 
</p>

<p>
	Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.
</p>

<p>
	 
</p>

<p>
	In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.
</p>

<p>
	 
</p>

<p>
	“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver &amp; detected it as malicious or a virus,” Saicoo’s support team wrote in an email.
</p>

<p>
	 
</p>

<p>
	“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”
</p>

<p>
	 
</p>

<p>
	<img alt="saicooresponse.png" class="ipsImage" data-ratio="79.71" height="487" width="611" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/saicooresponse.png">
</p>

<div id="attachment_59851">
	<p id="caption-attachment-59851">
		Saicoo’s response to KrebsOnSecurity.
	</p>

	<p>
		 
	</p>
</div>

<p>
	The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, <a href="https://twitter.com/wdormann/status/1526306527237267458" rel="external nofollow" target="_blank">wrote</a> on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware — only the included HTML files.
</p>

<p>
	 
</p>

<p>
	Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can undertake online.
</p>

<p>
	 
</p>

<p>
	“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ratio) search to perform, based on results of any time I’ve tried to do it,” Dormann <a href="https://twitter.com/wdormann/status/1526404312137703424" rel="external nofollow" target="_blank">added</a>. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”
</p>

<p>
	 
</p>

<p>
	But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with <a href="https://www.amazon.com/hz/reviews-render/lighthouse/B00CMKS2DI?filterByKeyword=smart+card&amp;pageNumber=1" rel="external nofollow" target="_blank">comments</a> from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).
</p>

<p>
	 
</p>

<p>
	A <a href="https://twitter.com/briankrebs/status/1526297731748216833" rel="external nofollow" target="_blank">thread about Mark’s experience on Twitter</a> generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.
</p>

<p>
	 
</p>

<p>
	<img alt="saicootweet.png" class="ipsImage" data-ratio="71.55" height="415" width="580" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/saicootweet.png">
</p>

<p>
	 
</p>

<p>
	Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains <a href="https://www.idmanagement.gov/approved-products-list-pacs-products/" rel="external nofollow" target="_blank">a list of approved card reader vendors at idmanagement.gov</a> (Saicoo is not on that list). [Thanks to <a href="https://twitter.com/MetaBiometrics/status/1526662768476270597" rel="external nofollow" target="_blank">@MetaBiometrics</a> and <a href="https://twitter.com/shugenja/status/1526613826858254338" rel="external nofollow" target="_blank">@shugenja</a> for the link!]
</p>

<p>
	 
</p>

<p>
	The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.
</p>

<p>
	 
</p>

<p>
	“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” <a href="https://twitter.com/dixondaver/with_replies" rel="external nofollow" target="_blank">said</a> David Dixon, an Army veteran and author who lives in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”
</p>

<p>
	 
</p>

<p>
	Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward <a href="https://www.militarycac.com" rel="external nofollow" target="_blank">militarycac.com</a>. The website is maintained by Michael Danberry, a decorated and retired Army veteran who launched the site in 2008 (its text and link-heavy design very much takes one back to that era of the Internet and webpages in general). His site has even been <a href="https://militarycac.com/PDFs/EEmail.pdf" rel="external nofollow" target="_blank">officially recommended by the Army</a> (PDF). Mark shared emails showing Saicoo itself recommends militarycac.com.
</p>

<p>
	 
</p>

<p>
	<img alt="militarycac-768x766.png" class="ipsImage" data-ratio="75.10" height="540" width="541" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/militarycac-768x766.png">
</p>

<div id="attachment_59853">
	<p id="caption-attachment-59853">
		Image: Militarycac.com.
	</p>

	<p>
		 
	</p>
</div>

<p>
	“The Army Reserve started using CAC logon in May 2006,” Danberry wrote on his <a href="https://militarycac.com/about.htm" rel="external nofollow" target="_blank">“About” page</a>. “I [once again] became the ‘Go to guy’ for my Army Reserve Center and Minnesota. I thought Why stop there? I could use my website and knowledge of CAC and share it with you.”
</p>

<p>
	 
</p>

<p>
	Danberry did not respond to requests for an interview — no doubt because he’s busy doing tech support for the federal government. The friendly message on Danberry’s voicemail instructs support-needing callers to leave detailed information about the issue they’re having with CAC/PIV card readers.
</p>

<p>
	 
</p>

<p>
	Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”
</p>

<p>
	 
</p>

<p>
	In many ways, Mr. Danberry is the equivalent of that little-known software developer whose tiny open-sourced code project ends up becoming widely adopted and eventually folded into the fabric of the Internet. I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/" rel="external nofollow">When Your Smart ID Card Reader Comes With Malware</a>
</p>
]]></description><guid isPermaLink="false">5911</guid><pubDate>Wed, 18 May 2022 06:39:49 +0000</pubDate></item><item><title>NVIDIA fixes ten vulnerabilities in Windows GPU display drivers</title><link>https://nsaneforums.com/news/security-privacy-news/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers-r5905/</link><description><![CDATA[<p>
	NVIDIA has released a security update for a wide range of graphics card models, addressing four high-severity and six medium-severity vulnerabilities in its GPU drivers.
</p>

<p>
	 
</p>

<p>
	The security update fixes vulnerabilities that can lead to denial of service, information disclosure, elevation of privileges, code execution, etc.
</p>

<p>
	 
</p>

<p>
	The updates have been made available for Tesla, RTX/Quadro, NVS, Studio, and GeForce software products, covering driver branches R450, R470, and R510.
</p>

<p>
	 
</p>

<p>
	<img alt="drivers.png" class="ipsImage" data-ratio="19.03" height="110" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/drivers.png">
</p>

<div>
	<div>
		CVEs fixed for each driver branch (NVIDIA)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Interestingly, apart from the current and recent product lines that are actively supported, NVIDIA’s latest release also covers GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021.
</p>

<p>
	 
</p>

<p>
	The GPU maker previously <a href="https://nvidia.custhelp.com/app/answers/detail/a_id/5202" rel="external nofollow" target="_blank">promised</a> to continue providing critical security updates for these products until September 2024, and this driver update honors that promise.
</p>

<p>
	 
</p>

<p>
	The four high-severity flaws fixed this month are:
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2022-28181 (CVSS v3 score: 8.5) - Out-of-bounds write in the kernel mode layer caused by a specially crafted shader sent over the network, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
	</li>
	<li>
		CVE-2022-28182 (CVSS v3 score: 8.5) – Flaw in the DirectX11 user mode driver allowing an unauthorized attacker to send a specially crafted shader over the network and cause denial of service, escalation of privileges, information disclosure, and data tampering.
	</li>
	<li>
		CVE-2022-28183 (CVSS v3 score: 7.7) - Vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.
	</li>
	<li>
		CVE-2022-28184 (CVSS v3 score: 7.1) - Vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a regular unprivileged user can access administrator-privileged registers, which may lead to denial of service, information disclosure, and data tampering.
	</li>
</ul>

<p>
	 
</p>

<p>
	These vulnerabilities require low privileges and no user interaction, so they could be incorporated into malware, allowing attackers to execute commands with higher privileges.
</p>

<p>
	 
</p>

<p>
	The first two are exploitable over the network, while the other two are exploited with local access, which could still be helpful for a malware infecting a system with low privileges.
</p>

<p>
	 
</p>

<p>
	Cisco Talos, which discovered CVE-2022-28181 and CVE-2022-28182, has also <a href="https://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memory.html" rel="external nofollow" target="_blank">published a post today</a> detailing how they triggered the memory corruption flaws by supplying a malformed compute shader.
</p>

<p>
	 
</p>

<p>
	Because a malicious shader can be delivered through the browser, via WebGL and WebAssembly, Talos warns that the flaw may be triggerable remotely.
</p>

<p>
	 
</p>

<div>
	<p>
		"A specially-crafted executable/shader file can lead to memory corruption. This vulnerability potentially could be triggered from guest machines running virtualization environments (i.e. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape. Theoretically this vulnerability could be also triggered from web browser using webGL and webassembly," <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2021-1435" rel="external nofollow" target="_blank">explains Talos</a> regarding CVE-2022-28181.
	</p>

	<p>
		 
	</p>
</div>

<p>
	For more details on all of the fixes and every software and hardware product covered this month, check out <a href="https://nvidia.custhelp.com/app/answers/detail/a_id/5353" rel="external nofollow" target="_blank">NVIDIA's security bulletin</a>.
</p>

<p>
	 
</p>

<p>
	All users are advised to apply the released security updates as soon as possible. Users can download the latest driver for their GPU model from <a href="https://www.nvidia.com/Download/index.aspx" rel="external nofollow" target="_blank">NVIDIA’s download central</a> section, where they can select the specific product and OS they are using.
</p>

<p>
	 
</p>

<p>
	The updates can also be applied through NVIDIA’s GeForce Experience suite. 
</p>

<p>
	 
</p>

<p>
	However, if you don’t specifically need the software to save gaming profiles or use its streaming features, we recommend against installing it: it adds attack surface and consumes resources for no security benefit.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers/" rel="external nofollow">NVIDIA fixes ten vulnerabilities in Windows GPU display drivers</a>
</p>
]]></description><guid isPermaLink="false">5905</guid><pubDate>Tue, 17 May 2022 22:54:48 +0000</pubDate></item><item><title>Hackers can steal your Tesla Model 3, Y using new Bluetooth attack</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack-r5897/</link><description><![CDATA[<p>
	Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.
</p>

<p>
	 
</p>

<p>
	BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.
</p>

<p>
	 
</p>

<p>
	Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.
</p>

<h2>
	How the attack works
</h2>

<p>
	In this type of relay attack, an adversary intercepts and can manipulate the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.
</p>

<p>
	 
</p>

<p>
	This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.
</p>

<p>
	 
</p>

<p>
	Products that rely on BLE for proximity-based authentication defend against known relay attack methods with tight latency bounds on responses and with link-layer encryption.
</p>

<p>
	 
</p>

<p>
	NCC Group’s tool operates at the link layer and adds only about 8 ms of latency, well within the 30 ms window allowed for a GATT (Generic ATTribute Profile) response, so the latency check does not detect it.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	“Since this relay attack operates at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and continuing to relay connections through parameter changes. Thus, neither link layer encryption nor encrypted connection parameter changes are defences against this type of relay attack.” - <a href="https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/" rel="external nofollow" target="_blank">NCC Group</a>
</p>

<p>
	 
</p>

<p>
	According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.
</p>

<p>
	 
</p>

<p>
	Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC’s attack could be used to unlock and start the cars.
</p>

<p>
	 
</p>

<p>
	While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle" - <a href="https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/" rel="external nofollow" target="_blank">NCC Group</a>
</p>

<p>
	 
</p>

<p>
	During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.
</p>

<p>
	 
</p>

<p>
	The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies. Below is a demonstration of the attack:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="240" src="https://player.vimeo.com/video/710798583?h=f90e694074&amp;app_id=122963" title="Hacking Tesla Model Y using new BLE relay attack" width="426"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	These findings were reported to Tesla on April 21st. A week later, the company responded by saying "that relay attacks are a known limitation of the passive entry system."
</p>

<p>
	 
</p>

<p>
	The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).
</p>

<h2>
	What can be done
</h2>

<p>
	NCC Group's research on this new proximity attack is available in three separate advisories, <a href="https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/" rel="external nofollow" target="_blank">for BLE</a> in general, one <a href="https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/" rel="external nofollow" target="_blank">for Tesla cars</a>, and another <a href="https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/" rel="external nofollow" target="_blank">for Kwikset/Weiser</a> smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.
</p>

<p>
	 
</p>

<p>
	The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.
</p>

<p>
	 
</p>

<p>
	This leaves users with few options. One is to disable proximity-based authentication, where the product allows it, and switch to an authentication method that requires a deliberate user action.
</p>

<p>
	 
</p>

<p>
	Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
</p>
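<p>
	The latency check and the distance-bounding alternative can be compared in a small model. This is an added example, not code from NCC Group or Tesla: the 30 ms GATT response window and the roughly 8 ms the relay adds are the article’s figures; the phone turnaround time, the 2 m ranging threshold and the distances are assumptions made for the illustration.
</p>

```python
# Model of why a latency bound on the GATT response does not stop a link-layer
# BLE relay, while time-of-flight distance bounding (as used by UWB) does.
# Added example, not NCC Group's or Tesla's code. The 30 ms GATT bound and the
# ~8 ms relay overhead are the figures quoted in the article; everything else
# (processing delay, distance threshold, distances) is a constructed assumption.

C_M_PER_S = 299_792_458.0          # speed of light

GATT_RESPONSE_BOUND_S = 0.030      # accepted GATT response latency (article: 30 ms)
NCC_RELAY_OVERHEAD_S = 0.008       # latency added by NCC's relay tool (article: 8 ms)
PHONE_TURNAROUND_S = 0.004         # assumed time for the phone to answer a GATT read
UWB_MAX_DISTANCE_M = 2.0           # assumed "phone is at the car" threshold for ranging


def propagation_rtt_s(distance_m: float) -> float:
    """Radio round-trip time over distance_m metres (no relay, no processing)."""
    return 2.0 * distance_m / C_M_PER_S


def gatt_latency_check(distance_m: float, relay_overhead_s: float = 0.0) -> bool:
    """Car-side check: accept the phone's GATT response if it arrives within the
    latency bound. A relay only has to stay under the bound to be accepted."""
    observed = propagation_rtt_s(distance_m) + PHONE_TURNAROUND_S + relay_overhead_s
    return observed <= GATT_RESPONSE_BOUND_S


def uwb_distance_bound_check(distance_m: float, relay_overhead_s: float = 0.0):
    """Car-side ranging: turn the measured round-trip time into a distance
    estimate and accept only if the phone appears within UWB_MAX_DISTANCE_M.
    Two-way ranging subtracts the calibrated responder turnaround, so only
    propagation time and any attacker-added delay remain in the measurement."""
    observed = propagation_rtt_s(distance_m) + relay_overhead_s
    estimated_m = observed * C_M_PER_S / 2.0
    return estimated_m <= UWB_MAX_DISTANCE_M, estimated_m


def scenarios():
    """Return (name, gatt_accepts, uwb_accepts, uwb_estimated_m) per case.
    The 25 m distance mirrors the article's test setup (constructed cases)."""
    cases = [
        ("phone in owner's pocket, 1 m, no relay", 1.0, 0.0),
        ("NCC relay, phone 25 m away, +8 ms", 25.0, NCC_RELAY_OVERHEAD_S),
        ("hypothetical zero-latency relay, phone 25 m away", 25.0, 0.0),
    ]
    out = []
    for name, dist, overhead in cases:
        uwb_ok, est = uwb_distance_bound_check(dist, overhead)
        out.append((name, gatt_latency_check(dist, overhead), uwb_ok, est))
    return out


if __name__ == "__main__":
    for name, gatt_ok, uwb_ok, est in scenarios():
        print(f"{name:50s} GATT latency check: {'ACCEPT' if gatt_ok else 'reject':6s} "
              f"UWB ranging: {'ACCEPT' if uwb_ok else 'reject'} (estimated {est:,.0f} m)")
```

<p>
	The latency check accepts all three cases because 8 ms sits comfortably inside a 30 ms budget, while ranging turns those same 8 ms into an apparent distance of about 1,200 km. The third case is why distance bounding, not a tighter latency budget, is the right fix: even a relay that added no delay at all would still report the phone’s true 25 m distance.
</p>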

<p>
	 
</p>

<p>
	Tesla owners are encouraged to use the ‘PIN to Drive’ feature, so even if their car is unlocked, at least the attacker won't be able to drive away with it.
</p>

<p>
	 
</p>

<p>
	Additionally, having the mobile app disable passive entry once the phone has been stationary for a while (a phone left on a desk or nightstand is the easiest one to relay) would remove the attack window while the phone is sitting unattended.
</p>

<p>
	 
</p>

<p>
	If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/" rel="external nofollow">Hackers can steal your Tesla Model 3, Y using new Bluetooth attack</a>
</p>
]]></description><guid isPermaLink="false">5897</guid><pubDate>Tue, 17 May 2022 22:24:27 +0000</pubDate></item><item><title>Tech giants pledge $30M to boost open source software security</title><link>https://nsaneforums.com/news/security-privacy-news/tech-giants-pledge-30m-to-boost-open-source-software-security-r5871/</link><description><![CDATA[<p>
	Tech giants including Amazon, Google and Microsoft have pledged millions of dollars to bolster the security of open source software.
</p>

<p>
	<br />
	The pledge was made during a meeting in Washington DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.
</p>

<p>
	<br />
	The industry gathering, attended by government leaders and more than 90 executives from 37 companies, is a follow-up to the White House summit convened in January in the wake of the Log4Shell zero-day vulnerability. The flaw affected Apache’s Log4j library, a ubiquitous logging component, and put millions of devices worldwide at risk. According to a study from March, almost a third of instances remain unpatched.
</p>

<p>
	<br />
	During last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.
</p>

<p>
	<br />
	The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open source community, the elimination of non-memory-safe programming languages like C/C++ and COBOL, and for annual third-party code reviews of 200 of the most critical open source software components.
</p>

<p>
	<br />
	The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.
</p>

<p>
	<br />
	“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."
</p>

<p>
	<br />
	Google Cloud also announced during the summit that it would launch an open source maintenance crew, a team of dedicated engineers that will work with upstream maintainers in order to boost the security of various open source projects.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.yahoo.com/lifestyle/tech-giants-pledge-30m-boost-135827247.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5871</guid><pubDate>Mon, 16 May 2022 14:35:39 +0000</pubDate></item><item><title>Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-find-potential-way-to-run-malware-on-iphone-even-when-its-off-r5869/</link><description><![CDATA[<p>
	A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "off."
</p>

<p>
	<br />
	The mechanism takes advantage of the fact that the Bluetooth, Near-field communication (NFC) and ultra-wideband (UWB) chips keep operating after iOS shuts down, when the phone enters the "power reserve" Low Power Mode (LPM).
</p>

<p>
	<br />
	This is done to enable features like Find My and Express Card transactions, but all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper.
</p>

<p>
	<br />
	"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers said.
</p>

<p>
	<br />
	"Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model."
</p>

<p>
	<br />
	The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.
</p>

<p>
	<br />
	The LPM features, introduced last year with iOS 15, make it possible to track lost devices over the Find My network even when they have run out of battery or have been shut off. Current devices with ultra-wideband support include the iPhone 11, iPhone 12 and iPhone 13.
</p>

<p>
	<br />
	A message displayed when turning off iPhones reads thus: "iPhone remains findable after power off. Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="nfc.jpg" class="ipsImage" data-ratio="46.81" height="334" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6tqK-RvhIiwBt216E4fw1a1aAfyJqwbNorxk-4x3Fr6X6TKVgttVNzatBteoeG9zNULTPIuF6xR_dp49sY5VSSdhSyY5EAL-qS0GE2Pvkw_abG0BAz02QHIuEHj2DOp1HRpjuUfTd82fjul_y67JquQ2FOHU0WTLFO9mQqM3xcgL7VcldNe_zCO0I/s728-e1000/nfc.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Calling the current LPM implementation "opaque," the researchers observed that Find My advertisements sometimes failed to initialize during power-off, contradicting the message above, and, more importantly, found that the Bluetooth firmware is neither signed nor encrypted.
</p>

<p>
	<br />
	By taking advantage of this loophole, an adversary with privileged access can create malware that's capable of being executed on an iPhone Bluetooth chip even when it's powered off.
</p>

<p>
	<br />
	However, for such a firmware compromise to happen, the attacker must be able to communicate to the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.
</p>

<p>
	<br />
	Put differently, the idea is to alter the LPM application thread to embed malware, such as those that could alert the malicious actor of a victim's Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.
</p>

<p>
	<br />
	"Instead of changing existing functionality, they could also add completely new features," SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant "had no feedback."
</p>

<p>
	<br />
	Because LPM features operate out of sight of the user, SEEMOO called on Apple to add a hardware switch that disconnects the battery, so that firmware-level attacks cannot turn a powered-off phone into a surveillance device.
</p>

<p>
	<br />
	"Since LPM support is based on the iPhone's hardware, it cannot be removed with system updates," the researchers said. "Thus, it has a long-lasting effect on the overall iOS security model."
</p>

<p>
	<br />
	"Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5869</guid><pubDate>Mon, 16 May 2022 14:24:57 +0000</pubDate></item><item><title>Some top 100,000 websites collect everything you type&#x2014;before you hit submit</title><link>https://nsaneforums.com/news/security-privacy-news/some-top-100000-websites-collect-everything-you-type%E2%80%94before-you-hit-submit-r5854/</link><description><![CDATA[<h3>
	A number of websites include keyloggers that covertly snag your keyboard inputs.
</h3>

<p>
	 
</p>

<div itemprop="articleBody">
	
	<p>
		When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn't matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn't always the case, according to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://homes.esat.kuleuven.be/~asenol/leaky-forms/"}' data-offer-url="https://homes.esat.kuleuven.be/~asenol/leaky-forms/" data-uri="5b37e3854c893ef43b7f10fc81771274" href="https://homes.esat.kuleuven.be/~asenol/leaky-forms/" rel="external nofollow" target="_blank">new research</a>: A surprising number of websites are collecting some or all of your data as you type it into a digital form.
	</p>

	<p>
		 
	</p>

	<p>
		Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user's email address without their consent, and a staggering 2,950 logged a US user's email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.
	</p>

	<p>
		 
	</p>

	<p>
		After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.
	</p>

	<p>
		 
	</p>

	<p>
		“If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University's digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
	</p>

	<p>
		 
	</p>

	<p>
		The researchers, who will <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.usenix.org/conference/usenixsecurity22/presentation/senol"}' data-offer-url="https://www.usenix.org/conference/usenixsecurity22/presentation/senol" data-uri="1e645a9cb25814934d5611c3a818864f" href="https://www.usenix.org/conference/usenixsecurity22/presentation/senol" rel="external nofollow" target="_blank">present</a> their findings at the Usenix security conference in August, say they were inspired to investigate what they call “leaky forms” by media reports, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081"}' data-offer-url="https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081" data-uri="dea0991fccbcf1fc41bcf836feae99fd" href="https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081" rel="external nofollow" target="_blank">particularly</a> from <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119"}' data-offer-url="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119" data-uri="46d7e8da3cf328468f961a0925f62316" href="https://gizmodo.com/be-warned-customer-service-agents-can-see-what-youre-t-1830688119" rel="external nofollow" target="_blank">Gizmodo</a>, about third parties collecting form data regardless of submission status. They point out that, at its core, the behavior is similar to so-called keyloggers, which are typically <a data-uri="7a95835c5d419e8cbc174307787241aa" href="https://www.wired.com/story/ios-macos-hacks-hong-kong-watering-hole/" rel="external nofollow">malicious programs</a> that log everything a target types. But on a mainstream top-1,000 site, users probably won't expect to have their information keylogged. And in practice, the researchers saw a few variations of the behavior. Some sites logged data keystroke by keystroke, but many grabbed complete submissions from one field when users clicked to the next.
	</p>

	<p>
		 
	</p>

	<p>
		“In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately," says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study co-authors. "We didn’t expect to find thousands of websites; and in the US, the numbers are really high, which is interesting.”
	</p>

	<p>
		 
	</p>

	<p>
		The researchers say that the regional differences may be related to companies being more cautious about user tracking, and even potentially integrating with fewer third parties, because of the EU's General Data Protection Regulation. But they emphasize that this is just one possibility, and the study didn't examine explanations for the disparity.
	</p>

	<p>
		 
	</p>

	<p>
		Through a substantial effort to notify websites and third parties collecting data in this way, the researchers found that one explanation for some of the unexpected data collection may have to do with the challenge of differentiating a “submit” action from other user actions on certain web pages. But the researchers emphasize that from a privacy perspective, this is not an adequate justification.
	</p>

	<p>
		 
	</p>

	<p>
		Since completing the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://homes.esat.kuleuven.be/~asenol/leaky-forms/leaky-forms-usenix-sec22.pdf"}' data-offer-url="https://homes.esat.kuleuven.be/~asenol/leaky-forms/leaky-forms-usenix-sec22.pdf" data-uri="d81fd361d26217b047e357989d62138f" href="https://homes.esat.kuleuven.be/~asenol/leaky-forms/leaky-forms-usenix-sec22.pdf" rel="external nofollow" target="_blank">paper</a>, the group also had a discovery about Meta Pixel and TikTok Pixel, invisible marketing trackers that services embed on their websites to track users across the web and show them ads. Both claimed in their documentation that customers could turn on “automatic advanced matching,” which would trigger data collection when a user submitted a form. In practice, though, the researchers found that these tracking pixels were grabbing hashed email addresses, an obscured version of email addresses used to identify web users across platforms, before submission. For US users, 8,438 sites may have been leaking data to Meta, Facebook’s parent company, through pixels, and 7,379 sites may be impacted for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers filed a bug report with Meta on March 25, and the company quickly assigned an engineer to the case, but the group has not heard an update since. The researchers notified TikTok on April 21—they discovered the TikTok behavior more recently—and have not heard back. Meta and TikTok did not immediately return WIRED's request for comment about the findings.
	</p>

	<p>
		 
	</p>

	<p>
		“The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,” Acar says. “An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It's a very powerful identifier.”
	</p>

	<p>
		 
	</p>

	<p>
		Acar also points out that, as tech companies look to phase out cookie-based tracking in a nod to privacy concerns, marketers and other analysts will rely more and more heavily on static IDs like phone numbers and email addresses.
	</p>

	<p>
		 
	</p>

	<p>
		Since the findings indicate that deleting data in a form before submitting it may not be enough to protect yourself from all collection, the researchers created a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://homes.esat.kuleuven.be/~asenol/leaky-forms/#leak-inspector"}' data-offer-url="https://homes.esat.kuleuven.be/~asenol/leaky-forms/#leak-inspector" data-uri="4fb6ac95490433f56f522cb44d00a4ae" href="https://homes.esat.kuleuven.be/~asenol/leaky-forms/#leak-inspector" rel="external nofollow" target="_blank">Firefox extension</a> called LeakInspector to detect rogue form collection. And they say they hope their findings will raise awareness about the issue, not only for regular web users but for website developers and administrators who can proactively check whether their own systems or any of the third parties they're using are collecting data from forms without consent.
	</p>
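	<p>
		The kind of check a site operator can run on their own pages, covering both the plain pre-submit collection described above and the hashed-email variant seen with the tracking pixels, is shown below. This is an added example and not the researchers’ LeakInspector code: it takes the values a user typed and a list of requests the page sent before Submit was pressed, and reports any request that carries a field value in plain, URL-encoded, base64 or MD5/SHA-1/SHA-256 form. The captured requests are constructed for the example, and the hostnames and parameter names in them are invented.
	</p>

```python
# Added example (not the researchers' LeakInspector code): detect whether a
# value typed into a form shows up, plain or encoded, in requests the page sent
# before the form was submitted. The encodings checked mirror the ones the study
# reports (plain text, URL-encoded, base64, MD5/SHA-1/SHA-256 of the value);
# the request samples below are constructed for the example, and the hostnames
# and parameter names in them are invented.
import base64
import hashlib
import urllib.parse


def candidate_encodings(value: str) -> dict:
    """Map encoding-name -> string an exfiltrating script might send.
    Hashes are computed over the raw value and over the normalised form
    (trimmed, lower-cased), which is what 'advanced matching' style pixels hash."""
    forms = {}
    for label, v in (("raw", value), ("normalised", value.strip().lower())):
        forms[f"plain:{label}"] = v
        forms[f"urlencoded:{label}"] = urllib.parse.quote(v, safe="")
        forms[f"base64:{label}"] = base64.b64encode(v.encode()).decode()
        for algo in ("md5", "sha1", "sha256"):
            forms[f"{algo}:{label}"] = hashlib.new(algo, v.encode()).hexdigest()
    return forms


def find_leaks(field_values: dict, requests: list) -> list:
    """Return (field, encoding, request_url) for every pre-submit request whose
    URL or body contains some encoding of a field value. Each request is a dict
    with 'url', 'body' and 'submitted' (whether the user had pressed Submit)."""
    hits = []
    for field, value in field_values.items():
        if not value:
            continue
        encodings = candidate_encodings(value)
        for req in requests:
            if req.get("submitted"):
                continue  # the user chose to send it; not a pre-submit leak
            haystack = (req["url"] + "\n" + req.get("body", "")).lower()
            for name, enc in encodings.items():
                if enc.lower() in haystack:
                    hits.append((field, name, req["url"]))
                    break  # one hit per (field, request) is enough
    return hits


# Constructed sample: what the user typed and what the page sent while typing.
TYPED = {"email": "Alice.Example@Example.COM", "password": "correct horse"}
_email_norm_sha256 = hashlib.sha256(b"alice.example@example.com").hexdigest()
_email_b64 = base64.b64encode(TYPED["email"].encode()).decode()
CAPTURED_REQUESTS = [
    # pixel-style beacon carrying the SHA-256 of the normalised email, sent on blur
    {"url": "https://pixel.invalid/tr?ev=PageView&ud[em]=" + _email_norm_sha256,
     "body": "", "submitted": False},
    # analytics call carrying the raw email base64-encoded, sent per keystroke
    {"url": "https://analytics.invalid/collect",
     "body": '{"field":"email","v":"' + _email_b64 + '"}', "submitted": False},
    # ordinary asset fetch, nothing leaked
    {"url": "https://cdn.invalid/app.js", "body": "", "submitted": False},
    # the real form post after the user pressed Submit; not a leak
    {"url": "https://shop.invalid/signup",
     "body": "email=" + urllib.parse.quote(TYPED["email"]) + "&password=correct+horse",
     "submitted": True},
]

if __name__ == "__main__":
    for field, enc, url in find_leaks(TYPED, CAPTURED_REQUESTS):
        print(f"pre-submit leak of '{field}' as {enc} -> {url}")
```

	<p>
		On the sample data the two pre-submit beacons are flagged (the pixel call by the SHA-256 of the normalised address, the analytics call by the base64 form) while the asset fetch and the genuine form post are not. Matching is done on lower-cased text, which trades a little precision for catching case-folded variants; in a real check the request list would come from the browser’s network log or a proxy.
	</p>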

	<p>
		 
	</p>

	<p>
		Leaky forms are just one more type of data collection to be wary of in an already extremely crowded online field.
	</p>

	<p>
		 
	</p>

	<p>
		This story originally appeared on <a href="https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/" rel="external nofollow">wired.com</a>.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2022/05/some-top-100000-websites-collect-everything-you-type-before-you-hit-submit/" rel="external nofollow">Some top 100,000 websites collect everything you type—before you hit submit</a>
</p>
]]></description><guid isPermaLink="false">5854</guid><pubDate>Sat, 14 May 2022 19:32:55 +0000</pubDate></item><item><title>Costa Rica declares emergency after gov't systems hit by notorious hacker gang</title><link>https://nsaneforums.com/news/security-privacy-news/costa-rica-declares-emergency-after-govt-systems-hit-by-notorious-hacker-gang-r5835/</link><description><![CDATA[<p>
	May 12 (UPI) -- Officials have declared a state of emergency in Costa Rica after government computers there were targeted by a crippling ransomware attack, authorities said.
</p>

<p>
	 
</p>

<p>
	Investigators said that hackers tapped into the country's finance ministry computer system a month ago and the attack quickly spread to other areas, including government science, technology and telecommunications infrastructure and Costa Rica's National Meteorological Institute.
</p>

<p>
	<br />
	"The government has been really, really affected," Leon Weinstok, director of Costa Rican law firm BLP, said according to NBC News. "It is impossible to quantify the losses at this time."
</p>

<p>
	<br />
	New Costa Rican President Rodrigo Chaves Robles, who took office this week, said that there are many cybercriminals and cyberterrorists in the Central American nation.
</p>

<p>
	<br />
	The hackers who breached the systems had attempted to extort the Costa Rican government and former President Carlos Alvarado out of $10 million, officials said.
</p>

<p>
	<br />
	Authorities said that a user linked to Conti, one of the world's most active ransomware gangs, claimed responsibility for the attack on a dark web site. Last week, the U.S. State Department offered a $10 million reward for information leading to perpetrators associated with Conti.
</p>

<p>
	<br />
	"[This] ransomware group has been responsible for hundreds of ransomware incidents over the past two years," department spokesman Ned Price said in a statement.
</p>

<p>
	<br />
	Price added that federal investigators believe more than 1,000 cyberattacks worldwide, with ransom payments exceeding $150 million, are associated with Conti, and that the group is behind the "costliest strain of ransomware ever documented."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/world/costa-rica-declares-emergency-after-govt-systems-hit-by-notorious-hacker-gang/ar-AAXc7em" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5835</guid><pubDate>Thu, 12 May 2022 21:10:45 +0000</pubDate></item><item><title>BPFdoor: Stealthy Linux malware bypasses firewalls for remote access</title><link>https://nsaneforums.com/news/security-privacy-news/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access-r5824/</link><description><![CDATA[<p>
	A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.
</p>

<p>
	<br />
	BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.
</p>

<p>
	<br />
	The malware does not need to open a listening port, is not blocked by the host's local firewall rules, and can respond to commands from any IP address on the internet, making it an ideal tool for corporate espionage and persistent access.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Parsing 'magic' packets</strong></span>
</p>

<p>
	<br />
	BPFdoor is a passive backdoor: rather than calling out to a command-and-control server, it listens for incoming packets, on one or more ports and from one or more hosts, that attackers use to send it commands remotely.
</p>

<p>
	<br />
	The malware uses a Berkeley Packet Filter (the BPF in the backdoor’s name) attached to a raw socket; the filter runs at the network interface level, so the implant sees all traffic reaching the host and can send packets to any destination.
</p>

<p>
	<br />
	Because of that low-level position, the packet filter receives packets before the host firewall (iptables/netfilter) evaluates them, so local firewall rules do not stop the implant from seeing them.
</p>

<p>
	<br />
	It has versions for Linux and Solaris SPARC systems but it could be ported to BSD as well, BleepingComputer learned from Craig Rowland, the founder of Sandfly Security, a company that offers an agentless solution to protect Linux systems.
</p>

<p>
	<br />
	Security researcher <span style="color:#2980b9;">Kevin Beaumont</span>, who published a <span style="color:#2980b9;">blog post on BPFdoor</span>, told BleepingComputer that the operators use a “magic” password to control the implant’s actions.
</p>

<p>
	<br />
	BPFdoor inspects only ICMP, UDP, and TCP packets, checking each for a specific “magic” data value; for UDP and TCP it also checks for a password.<br />
	What sets BPFdoor apart is that it can watch any port for the magic packet, even ports already in use by legitimate services such as web servers, FTP, or SSH, because the BPF sniffer receives a copy of every packet regardless of which process owns the port.
</p>

<p>
	<br />
	If a TCP or UDP packet carries the right “magic” data and a correct password, the backdoor springs into action and executes a supported command, such as setting up a bind or reverse shell.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="BPFdoor_firewall-redirect-diagram.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/BPFdoor/BPFdoor_firewall-redirect-diagram.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>source: Sandfly Security</em></span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">Beaumont</span> told us that ICMP packets don’t need a password, which allowed him to scan the internet for running BPFdoor implants using the ping function.
</p>

<p style="margin-left:40px;">
	<br />
	<em>“The ping function allows you to specify an IP address and port for it to reply on - so I was able to get victim implants to reply to a completely different IP I controlled” - Kevin Beaumont</em>
</p>

<p>
	<br />
	The researcher was able to find BPFdoor activity on networks of organizations in various geographies, most notably the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.
</p>

<p>
	<br />
	Surprisingly, he discovered 11 Speedtest servers infected with BPFdoor. The researcher said that it is unclear how these machines were compromised, especially since they run on closed-source software.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Bypassing the local firewall</strong></span>
</p>

<p>
	<br />
	<span style="color:#2980b9;">Rowland </span>notes in a comprehensive <span style="color:#2980b9;">technical report on BPFdoor</span> that the malware employs several evasion and anti-forensics tactics:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Resides in system memory and takes anti-forensics action (it wipes its process environment, although this backfires: an empty environment is itself a tell)
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		 Loads a Berkeley Packet Filter (BPF) sniffer allowing it to work in front of any locally running firewalls to see packets
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		 Modifies ‘iptables’ rules when receiving a relevant packet to allow attacker communication through the local firewall
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		 Masquerades the binary under a name similar to a common Linux system daemon
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		 Renames and runs itself as <em><span style="color:#2980b9;">/dev/shm/kdmtmpflush</span></em>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		 Changes the date of the binary (timestomping) to October 30, 2008, before deleting it
	</li>
</ul>

<p>
	<br />
	Rowland believes that timestomping, used here as an anti-forensics technique, may be intended to protect the binary in case its deletion fails.
</p>

<p>
	<br />
	The researcher says that the purpose of the fake date could be to hide the malware from a search looking for new files on the system.
</p>

<p>
	<br />
	Changing the firewall rules matters because it lets the attacker reach the backdoor over a port the firewall already permits, so the traffic does not stand out as suspicious.
</p>

<p>
	<br />
	Rowland explains that when the infected host receives a special BPFdoor packet, the malware “will spawn a new instance and change the local iptables rules to do a redirect from the requesting host to the shell port.”
</p>

<p style="margin-left:40px;">
	<br />
	<em>“For instance, the implant can redirect all traffic from the attacker using TCP port 443 (encrypted web) to the shell. Externally, the traffic will look like TLS/SSL traffic but in fact the attacker is interacting with a remote root shell on the system” - <span style="color:#2980b9;">Craig Rowland, Sandfly Security</span></em>
</p>

<p>
	<br />
	Put another way, Rowland says that for a local shell the malware modifies the ‘iptables’ configuration to redirect all traffic coming from the attacker through a legitimate port to a port range defined in the malware.
</p>

<p>
	<br />
	This way, the attacker can choose a connection over any port because it would be routed to the shell behind the firewall.
</p>
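<p>
	How such a redirect looks from the defender's side, as an added example that is not part of the original article or of any of the researchers' tooling: the script below parses iptables NAT rules in <em>iptables -S</em> syntax and flags REDIRECT or DNAT rules that send traffic into the bind-shell port range 42391 through 42491 that ExaTrack's analysis attributes to the implant, or that apply to a single source host only. The sample rule set, the shape of the rule a live implant writes (not quoted in the article) and the function names are constructed assumptions.
</p>

```python
"""Audit iptables NAT rules for a BPFdoor-style shell redirect (added example)."""
import re
import sys

# Bind-shell range attributed to the implant; assumed to be the "port range
# defined in the malware" that attacker traffic is redirected into.
SHELL_PORT_RANGE = (42391, 42491)

# Constructed `iptables -t nat -S` output for illustration only; the exact
# rule text a live implant writes is not quoted in the article.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
-A POSTROUTING -o eth0 -j MASQUERADE
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")

def port_span(spec):
    """'42391' -> (42391, 42391); '42391-42491' or '8000:8080' -> (lo, hi)."""
    lo, _, hi = spec.replace(":", "-").partition("-")
    return int(lo), int(hi) if hi else int(lo)

def parse_rule(line):
    """Extract the fields that matter from one '-A CHAIN ...' line."""
    match = RULE_RE.match(line)
    if not match:
        return None  # '-P' policy lines and comments are not rules
    rule = {"chain": match.group("chain"), "source": None, "proto": None,
            "dport": None, "target": None, "to_ports": None}
    tokens = match.group("body").split()
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok == "-s":
            rule["source"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = port_span(nxt)
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "--to-ports":  # REDIRECT form
            rule["to_ports"] = port_span(nxt)
        elif tok == "--to-destination":  # DNAT form: ip:port[-port]
            _, sep, ports = nxt.rpartition(":")
            if sep:
                rule["to_ports"] = port_span(ports)
    return rule

def overlaps(span, window):
    return span is not None and span[0] <= window[1] and window[0] <= span[1]

def audit_nat_rules(text, shell_range=SHELL_PORT_RANGE):
    """Return NAT rules that look like an attacker-to-shell redirect."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule["target"] not in ("REDIRECT", "DNAT"):
            continue
        reasons = []
        if overlaps(rule["to_ports"], shell_range):
            reasons.append("redirects into the bind-shell port range "
                           f"{shell_range[0]}-{shell_range[1]}")
        if rule["source"] and rule["source"].endswith("/32"):
            # A redirect that fires for one remote host only matches Rowland's
            # description: "from the requesting host to the shell port".
            reasons.append(f"applies only to source host {rule['source']}")
        if reasons:
            findings.append({"rule": line.strip(), "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Usage: iptables -t nat -S | python3 audit_nat.py   (falls back to sample)
    rules = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT_RULES
    for hit in audit_nat_rules(rules):
        print(hit["rule"])
        for reason in hit["reasons"]:
            print("   ->", reason)
```

<p>
	On a live host, feed it the running rule set (<em>iptables -t nat -S</em>) rather than only a saved configuration: rules the implant adds when it receives its trigger packet live in the kernel and are not written to any persistent iptables file.
</p>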

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="BPFdoor_redirect_CraigRowland.jpg" class="ipsImage" data-ratio="50.56" height="360" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/BPFdoor/BPFdoor_redirect_CraigRowland.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>source: Craig Rowland, <span style="color:#2980b9;">Sandfly Security</span></em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Commands and detection</strong></span>
</p>

<p>
	<br />
	Another <span style="color:#2980b9;">technical analysis on BPFdoor from Tristan Pourcelot </span>of threat intelligence and incident response company <span style="color:#2980b9;">ExaTrack</span>, notes that the malware comes with several hardcoded names that match command strings inside relevant packets:
</p>

<p>
	 
</p>

<ul>
	<li>
		 <em>justtryit</em>, <em>justrobot</em>, and<em> justforfun</em> to establish a bind shell on ports 42391 through 42491
	</li>
	<li>
		 <em>socket</em> or <em>sockettcp</em> to set up a reverse shell to an IP address present in the packet
	</li>
</ul>

<p>
	<br />
	One of BPFdoor's evasion techniques is to rename its process so that it looks like a normal Linux daemon, picking from the names below:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	/sbin/udevd -d<br />
	/sbin/mingetty /dev/tty7<br />
	/usr/sbin/console-kit-daemon --no-daemon<br />
	hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event<br />
	dbus-daemon --system<br />
	hald-runner<br />
	pickup -l -t fifo -u<br />
	avahi-daemon: chroot helper<br />
	/sbin/auditd -n<br />
	/usr/lib/systemd/systemd-journald
</p>
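<p>
	A hunting script that turns the indicators described above into checks against /proc, as an added example that is not part of the original article or of Sandfly's or ExaTrack's tooling: for every process it compares the claimed argv against the real <em>exe</em> link, flags binaries that were deleted or run from /dev/shm, flags an emptied environment, and looks for an AF_PACKET socket (the BPF sniffer) through /proc/net/packet. The fake /proc tree, the pids and the helper names are constructed for illustration; on a real host call <em>scan("/proc")</em> as root.
</p>

```python
"""Hunt for BPFdoor-style masquerading in a /proc tree (added example)."""
import os
import tempfile
from pathlib import Path

# Process names the implant adopts, as listed in ExaTrack's analysis.
MASQUERADE_NAMES = {
    "/sbin/udevd -d", "/sbin/mingetty /dev/tty7", "hald-runner",
    "/usr/sbin/console-kit-daemon --no-daemon", "dbus-daemon --system",
    "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event",
    "pickup -l -t fifo -u", "avahi-daemon: chroot helper", "/sbin/auditd -n",
    "/usr/lib/systemd/systemd-journald",
}

def read_cmdline(pid_dir):
    """argv as one string; /proc/<pid>/cmdline separates arguments with NUL."""
    raw = (pid_dir / "cmdline").read_bytes()
    return raw.replace(b"\0", b" ").decode(errors="replace").strip()

def packet_socket_inodes(proc_root):
    """Inodes of every AF_PACKET socket: last column of /proc/net/packet."""
    lines = (proc_root / "net" / "packet").read_text().splitlines()[1:]
    return {line.split()[-1] for line in lines if line.strip()}

def holds_packet_socket(pid_dir, inodes):
    """True if one of the process's fds is a socket with an inode in `inodes`."""
    try:
        links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
    except OSError:
        return False  # fd table unreadable without privileges
    return any(t.startswith("socket:[") and t[8:-1] in inodes for t in links)

def inspect_process(pid_dir, inodes):
    """Collect indicators for one process; an empty list means nothing odd."""
    reasons = []
    cmdline = read_cmdline(pid_dir)
    if not cmdline:
        return reasons  # kernel threads have no argv and no environment
    try:
        exe = os.readlink(pid_dir / "exe")
    except OSError:
        exe = ""
    claimed = os.path.basename(cmdline.split(" ", 1)[0].rstrip(":"))
    actual = os.path.basename(exe.replace(" (deleted)", ""))
    if cmdline in MASQUERADE_NAMES and claimed != actual:
        reasons.append(f"argv claims {claimed!r} but exe is {exe or 'unreadable'}")
    if exe.endswith(" (deleted)"):
        reasons.append("executable was deleted from disk")
    if exe.startswith(("/dev/shm/", "/tmp/")):
        reasons.append("executable lives in a world-writable location")
    try:
        if (pid_dir / "environ").read_bytes() == b"":
            reasons.append("process environment is empty")
    except OSError:
        pass  # unreadable without privileges; not an indicator by itself
    if holds_packet_socket(pid_dir, inodes):
        reasons.append("holds an AF_PACKET socket (BPF sniffer)")
    return reasons

def scan(proc_root):
    """Map pid -> indicators for every process that shows at least one."""
    proc_root = Path(proc_root)
    inodes = packet_socket_inodes(proc_root)
    hits = {}
    for entry in proc_root.iterdir():
        if entry.name.isdigit():
            try:
                reasons = inspect_process(entry, inodes)
            except OSError:
                continue  # process exited mid-scan
            if reasons:
                hits[int(entry.name)] = reasons
    return hits

def build_sample_proc(root):
    """Constructed /proc look-alike (not a capture): pid 1000 is a genuine
    dbus-daemon, pid 2000 behaves the way the article describes the implant."""
    root = Path(root)
    (root / "net").mkdir(parents=True)
    (root / "net" / "packet").write_text(
        "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
        "ffff888001234000 3      3    0003   2     1 0      0      31337\n")
    def make(pid, cmdline, exe, environ, fds):
        d = root / str(pid)
        (d / "fd").mkdir(parents=True)
        (d / "cmdline").write_bytes(cmdline.encode().replace(b" ", b"\0") + b"\0")
        (d / "environ").write_bytes(environ)
        os.symlink(exe, d / "exe")
        for n, target in enumerate(fds):
            os.symlink(target, d / "fd" / str(n))
    make(1000, "dbus-daemon --system", "/usr/bin/dbus-daemon",
         b"PATH=/usr/bin\0", ["socket:[4242]"])
    make(2000, "/sbin/udevd -d", "/dev/shm/kdmtmpflush (deleted)",
         b"", ["socket:[31337]"])
    return root

def demo():
    """Scan the constructed tree; on a real host call scan('/proc') as root."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_proc(tmp))
```

<p>
	A legitimate packet capture tool or DHCP client will also show up with a packet socket, so treat a single indicator as a lead and the combination (deleted binary in /dev/shm, empty environment, argv that does not match the executable, packet socket) as the signal worth escalating.
</p>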

<p style="margin-left:40px;">
	 
</p>

<p>
	Pourcelot says that the threat actor updated BPFdoor regularly, improving each release with different names for commands, processes, or files.
</p>

<p>
	<br />
	For instance, newer variants of the implant switched from using command keywords to MD5 hashes, likely in an attempt to avoid trivial detection.
</p>

<p>
	<br />
	There are at least 21 <span style="color:#2980b9;">versions of BPFdoor </span>currently detected on the VirusTotal scanning platform, the earliest submitted in August 2018.
</p>

<p>
	<br />
	While the detection rate for this implant improved, especially after Beaumont, Rowland, and Pourcelot published their findings, the malware went virtually invisible for a long time.
</p>

<p>
	<br />
	One BPFdoor variant for Solaris from 2019 went undetected until at least this May 7. Today, 28 antivirus engines flag it as malicious.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="BPFdoorSolarisDetection.jpg" class="ipsImage" data-ratio="75.10" height="540" width="700" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/BPFdoor/BPFdoorSolarisDetection.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>source: <span style="color:#2980b9;">Kevin Beaumont</span>, BleepingComputer</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In some cases, the detections are generic and inaccurately flag the above Solaris variant as Linux malware, although it is not a Linux binary.
</p>

<p>
	<br />
	Tristan Pourcelot says that while BPFdoor does not use novel or complicated techniques, it still managed to stay stealthy for an extended period.
</p>

<p>
	<br />
	This could be explained by the fact that malware monitoring technology is not as common in Linux environments as in Windows. Also, “vendors have significantly less visibility,” Beaumont told BleepingComputer.
</p>

<p>
	<br />
	Craig Rowland agrees that this is a big problem. Even if there is monitoring in place, people don’t know what to look for or use the wrong approach to find Linux malware.
</p>

<p>
	<br />
	The researcher told us that some administrators use cryptographic hashes to scan the system for malware or malicious files. This doesn’t work well because the smallest change in the file results in a new hash.
</p>

<p style="margin-left:40px;">
	<br />
	<em>“Plus then EDR [Endpoint Detection and Response] wants to load agents all over and agents break Linux so they are often not a good choice. So people fly naked with Linux often and stuff like this happens” - Craig Rowland, referring particularly to older Linux systems</em>
</p>

<p>
	<br />
	Rowland says that hunting for BPFdoor is easy, at least for the Linux version he analyzed, since its tactics clearly show that they “are just malicious out of the box.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="BPFdoor_SandflyDetection.jpg" class="ipsImage" data-ratio="75.10" height="381" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/BPFdoor/BPFdoor_SandflyDetection.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>source: Craig Rowland, <span style="color:#2980b9;">Sandfly Security</span></em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The source code for an older, 2018 version of BPFdoor was found by <span style="color:#2980b9;">Florian Roth</span>, creator of Nextron Systems' THOR APT scanner. The code is now publicly <span style="color:#3498db;">available on </span><span style="color:#2980b9;">Pastebin</span>.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Made in China?</strong></span>
</p>

<p>
	<br />
	The researchers BleepingComputer talked to about BPFdoor did not attribute the malware to any threat actor. But in a yearly report on cyberthreats, researchers from PricewaterhouseCoopers (PwC) note that they found the BPFdoor implant during an incident response engagement.
</p>

<p>
	<br />
	PwC attributed the intrusion to a China-based actor they track as Red Menshen (formerly Red Dev 18), who has been using BPFdoor on "telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors."
</p>

<p>
	<br />
	During the investigations, PwC researchers found that in the post-exploitation stage of their attacks Red Menshen used custom variants of the Mangzamel backdoor and the Gh0st remote access tool (RAT), along with open-source tools such as Mimikatz (to extract credentials) and the Metasploit penetration testing framework, for lateral movement on Windows systems.
</p>

<p style="margin-left:40px;">
	<br />
	<em>"We also identified that the threat actor sends commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels" - <span style="color:#2980b9;">PwC</span></em>
</p>

<p>
	<br />
	The researchers note that Red Menshen's activity falls within a nine-hour window, between 01:00 and 10:00 UTC, which may align with local working hours.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">5824</guid><pubDate>Thu, 12 May 2022 18:44:07 +0000</pubDate></item></channel></rss>
