<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/145/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Company that routes SMS for all major US carriers was hacked for five years</title><link>https://nsaneforums.com/news/security-privacy-news/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years-r2666/</link><description><![CDATA[<header>
	<h2 itemprop="description">
		Syniverse and carriers haven't revealed whether text messages were exposed.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&amp;T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers' text messages.
		</p>

		<p>
			 
		</p>

		<p>
			A <a href="https://www.sec.gov/Archives/edgar/data/1839175/000119312521284329/d234831dprem14a.htm" rel="external nofollow">filing with the Securities and Exchange Commission</a> last week said that "in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals."
		</p>

		<p>
			 
		</p>

		<p>
			Syniverse said that its "investigation revealed that the unauthorized access began in May 2016" and "that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer ('EDT') environment was compromised for approximately 235 of its customers."
		</p>

		<h2>
			Syniverse isn’t revealing more details
		</h2>

		<p>
			When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what's in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.
		</p>

		<p>
			 
		</p>

		<p>
			"Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter," Syniverse said.
		</p>

		<p>
			 
		</p>

		<p>
			The SEC filing is a preliminary proxy statement related to a <a href="https://www.m3-brigade.com/news/press-releases/detail/47/syniverse-the-leading-provider-of-mission-critical-mobile" rel="external nofollow">pending merger</a> with a special purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.
		</p>

		<h2>
			Syniverse routes messages for 300 operators
		</h2>

		<p>
			Syniverse says its <a href="https://www.syniverse.com/products/intercarrier-messaging" rel="external nofollow">intercarrier messaging service</a> processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn't a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.
		</p>

		<p>
			 
		</p>

		<p>
			We asked AT&amp;T, Verizon, and T-Mobile today whether the hacker had access to people's text messages, and we will update this article if we get any new information.
		</p>

		<p>
			 
		</p>

		<p>
			Syniverse's importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be <a href="https://arstechnica.com/information-technology/2019/11/why-168149-valentines-day-text-messages-arrived-in-november/" rel="external nofollow">delivered nearly nine months late</a>. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was <a href="https://www.syniverse.com/insights/syniverse-statement-regarding-person-to-person-messaging-event" rel="external nofollow">reactivated</a>.
		</p>

		<h2>
			Syniverse says it fixed vulnerabilities
		</h2>

		<p>
			Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, "even if their credentials were not impacted by the incident."
		</p>

		<p>
			 
		</p>

		<p>
			"Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time," the SEC filing said. Syniverse told us that it also "implemented substantial additional measures to provide increased protection to our systems and customers" in response to the incident, but did not say what those measures are.
		</p>

		<p>
			 
		</p>

		<p>
			Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:
		</p>

		<p>
			 
		</p>

		<p style="margin-left: 40px;">
			Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity... While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse's trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.
		</p>

		<p>
			 
		</p>

		<p>
			Syniverse's SEC filing was submitted on September 27 and discussed yesterday in an <a href="https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked" rel="external nofollow">article in Vice's Motherboard section</a>. According to Vice, a "former Syniverse employee who worked on the EDT systems" said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.
		</p>

		<p>
			 
		</p>

		<p>
			Vice wrote:
		</p>

		<p>
			 
		</p>

		<p style="margin-left: 40px;">
			Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages.
		</p>

		<p style="margin-left: 40px;">
			 
		</p>

		<p style="margin-left: 40px;">
			"Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other," the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. "So it inevitably carries sensitive info like call records, data usage records, text messages, etc. [...] The thing is—I don't know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers."
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/" rel="external nofollow">Company that routes SMS for all major US carriers was hacked for five years</a>
</p>
]]></description><guid isPermaLink="false">2666</guid><pubDate>Tue, 05 Oct 2021 22:55:44 +0000</pubDate></item><item><title>New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/new-study-links-seemingly-disparate-malware-attacks-to-chinese-hackers-r2661/</link><description><![CDATA[<p>
	Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group's network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India.
</p>

<p>
	 
</p>

<p>
	"The image we uncovered was that of a state-sponsored campaign that plays on people's hopes for a swift end to the pandemic as a lure to entrap its victims," the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. "And once on a user's machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic."
</p>

<p>
	 
</p>

<p>
	APT41 (aka Barium or Winnti) is a moniker assigned to a prolific Chinese cyber threat group that has carried out state-sponsored espionage activity alongside financially motivated operations for personal gain dating back to 2012. Calling the group "Double Dragon," citing its twin objectives, Mandiant (formerly FireEye) pointed out the collective's penchant for striking healthcare, high-tech, and telecommunications sectors to establish long-term access and facilitate the theft of intellectual property.
</p>

<p>
	 
</p>

<p>
	In addition, the group is known for staging cybercrime intrusions that are aimed at stealing source code and digital certificates, virtual currency manipulation, and deploying ransomware, as well as executing software supply chain compromises by injecting malicious code into legitimate files prior to distribution of software updates.
</p>

<p>
	 
</p>

<p>
	The latest research by BlackBerry builds on previous findings by Mandiant in March 2020, which detailed a "global intrusion campaign" unleashed by APT41 by exploiting a number of publicly known vulnerabilities affecting Cisco and Citrix devices to drop and execute next-stage payloads that were subsequently used to download a Cobalt Strike Beacon loader on compromised systems. The loader was notable for its use of a malleable command-and-control (C2) profile that allowed the Beacon to blend its network communications with a remote server into legitimate traffic originating from the victim network.
</p>

<p>
	 
</p>

<p>
	BlackBerry, which found a similar C2 profile uploaded to GitHub on March 29 by a Chinese security researcher with the pseudonym "1135," used the profile's metadata and configuration data to identify a fresh cluster of domains related to APT41 that attempt to make Beacon traffic look like legitimate traffic from Microsoft sites, with IP address and domain name overlaps found in campaigns linked to the Higaisa APT group and to Winnti disclosed over the past year.
</p>

<p>
	 
</p>

<p>
	Subsequent investigation into the URLs revealed as many as three malicious PDF files that reached out to one of the newly discovered domains that had also previously hosted a Cobalt Strike Team Server. What's more, the documents themselves act as phishing lures claiming to be COVID-19 advisories issued by the government of India or contain information regarding the latest income tax legislation targeting non-resident Indians.
</p>

<p>
	The spear-phishing attachments appear in the form of .LNK files or .ZIP archives, which, when opened, result in the PDF document being displayed to the victim, while, in the background, the infection chain leads to the execution of a Cobalt Strike Beacon. Although a set of intrusions using similar phishing lures and uncovered in September 2020 were pinned on the Evilnum group, BlackBerry said the compromise indicators point to an APT41-affiliated campaign.
</p>

<p>
	 
</p>

<p>
	"With the resources of a nation-state level threat group, it's possible to create a truly staggering level of diversity in their infrastructure," the researchers said, adding that by piecing together the malicious activities of the threat actor via public sharing of information, it's possible to "uncover the tracks that the cybercriminals involved worked so hard to hide."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/new-study-links-seemingly-disparate.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2661</guid><pubDate>Tue, 05 Oct 2021 14:54:04 +0000</pubDate></item><item><title>Anonymous releases data on Texas GOP in latest Epik hack dump</title><link>https://nsaneforums.com/news/security-privacy-news/anonymous-releases-data-on-texas-gop-in-latest-epik-hack-dump-r2659/</link><description><![CDATA[<p>
	<strong>The new leak is alleged to contain 'private documents' from the Republican Party of Texas.</strong>
</p>

<p>
	 
</p>

<p>
	Hackers operating under the banner of Anonymous have released more data from Epik, the controversial web hosting company known for offering refuge to the far-right.
</p>

<p>
	 
</p>

<p>
	In a press release titled “You Lost The Game,” the hacktivist group announced on Monday part three of what it has dubbed “Operation EPIK FAIL.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image-1.png?auto=compress,format&amp;ixlib=p" class="ipsImage" data-ratio="62.14" height="238" width="383" src="https://uploads.dailydot.com/2021/10/image-1.png?auto=compress,format&amp;ixlib=php-3.3.0" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The latest leak is alleged to contain more bootable disk images of Epik’s servers as well as a data backup linked to the Republican Party of Texas, which is said to include “private documents” and “draft articles that didn’t make the narrative cut.” The Texas GOP website had been defaced by Anonymous in retaliation for the state’s controversial abortion ban on Sept. 11.
</p>

<p>
	 
</p>

<p>
	The Daily Dot is in the process of verifying the authenticity of the data after receiving it.
</p>

<p>
	 
</p>

<p>
	The campaign against Epik was first acknowledged on Sept. 13 when Anonymous revealed that it had breached the domain registrar, exposing at least 180GB of sensitive data. The hackers followed up on Sept. 30 with “The /b/ Sides,” a more than 300GB release containing bootable disk images of Epik’s servers.
</p>

<p>
	 
</p>

<p>
	The leaks have continued to cause widespread fallout for Epik’s customers, which include websites such as Parler, Gab, 8chan, and TheDonald. The first release exposed everything from passwords and credit card numbers to customer names, email addresses, physical addresses, and phone numbers.
</p>

<p>
	 
</p>

<p>
	Epik CEO Rob Monster would eventually weigh in on the breach on Sept. 16 in an unorthodox video conference open to the public. The four-hour meeting saw Monster break out into prayer multiple times, issue warnings about “cursed” hard drives bursting into flames, and engage in a back-and-forth with a notorious neo-Nazi.
</p>

<p>
	 
</p>

<p>
	The data cache allowed the Daily Dot not only to discover websites that had been targeted with subpoenas by the FBI and others but also to trace the actions of prominent far-right figures such as Ali Alexander, who attempted to scrub his digital ties to dozens of domains relating to election fraud conspiracy theories in the wake of the Jan. 6 Capitol riot.
</p>

<p>
	 
</p>

<p>
	A real estate agent in Florida who was found to have registered numerous antisemitic domains also lost their job. A man who ran websites relating to the Proud Boys in Canada, where the far-right group is listed as a terrorist organization, was placed under investigation by his employer at a government-owned pipeline and energy company.
</p>

<p>
	 
</p>

<p>
	The Oath Keepers militia, which began using Epik following the failed insurrection, also had its data leaked on Sept. 27. Although those responsible did not claim affiliation with Anonymous, dates found within the data, which was given by the hackers to the journalism and transparency collective DDoSecrets, suggest the exposure could have been linked to Epik’s breach.
</p>

<p>
	 
</p>

<p>
	The Daily Dot was able to find at least 160 official government and military email addresses in a membership list compiled by the militia. Multiple investigations have been launched as a result of the leak. The New York Police Department (NYPD) announced last week that it had launched an internal review of two officers whose names were found in the breach.
</p>

<p>
	 
</p>

<p>
	The second release of Epik data resulted in the exposure of at least 59 API keys, the credentials that let applications communicate securely with one another, for services such as Twitter, Coinbase, and PayPal. Monster claimed during his live video conference with the public that someone had attempted to use his API key for Coinbase to steal $100,000.
</p>

<p>
	 
</p>

<p>
	It remains unclear what fallout will result from the third release as journalists and researchers struggle to sift through the enormous amounts of information already present in the previous two leaks.
</p>

<p>
	 
</p>

<p>
	The news of the latest leak was first <a href="https://twitter.com/stevanzetti/status/1445026621572980739" rel="external nofollow">reported</a> by Steven Monacelli.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.dailydot.com/debug/anonymous-texas-gop-epik/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2659</guid><pubDate>Tue, 05 Oct 2021 14:08:43 +0000</pubDate></item><item><title>Over 1.5 billion Facebook records possibly for sale on a hacker forum</title><link>https://nsaneforums.com/news/security-privacy-news/over-15-billion-facebook-records-possibly-for-sale-on-a-hacker-forum-r2650/</link><description><![CDATA[<p>
	According to a report from Privacy Affairs, a hacker is selling the private information of more than 1.5 billion Facebook users. The data was purportedly stolen in a hack earlier this year and has nothing to do with the outage Facebook was suffering from on Monday.
</p>

<p>
	 
</p>

<p>
	The person claiming to have the data said the records were scraped from Facebook this year and that 100% of the records contain an email address and phone number. The user in question has received several requests for samples from others on the website and is giving away 100 records to those who ask to preview the data. Some of the people commenting on the thread have expressed doubts about the offer but the original poster has said they will submit a review once someone buys the data.
</p>

<p>
	 
</p>

<p>
	The fields which are included are email addresses, names, user IDs, location, gender, phone numbers, and cities. Luckily, no passwords were stolen but it should remind everyone to review their Facebook settings to ensure that their details are not public-facing as anyone can grab them and sell them.
</p>

<p>
	 
</p>

<p>
	Following the initial report, Privacy Affairs posted an update to the news stating that a forum user reported that they’d paid the seller but had not received the data in return; hopefully, it stays this way. The samples, on the other hand, are said to hold genuine data.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.neowin.net/news/over-15-billion-facebook-records-possibly-for-sale-on-a-hacker-forum/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2650</guid><pubDate>Tue, 05 Oct 2021 01:50:17 +0000</pubDate></item><item><title>Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems</title><link>https://nsaneforums.com/news/security-privacy-news/creating-wireless-signals-with-ethernet-cable-to-steal-data-from-air-gapped-systems-r2648/</link><description><![CDATA[<p>
	A newly discovered data exfiltration mechanism employs Ethernet cables as a "transmitting antenna" to stealthily siphon highly-sensitive data from air-gapped systems, according to the latest research.
</p>

<p>
	 
</p>

<p>
	"It's interesting that the wires that came to protect the air-gap become the vulnerability of the air gap in this attack," Dr. Mordechai Guri, the head of R&amp;D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, told The Hacker News.
</p>

<p>
	 
</p>

<p>
	Dubbed "LANtenna Attack," the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables, just as if they were antennas. The transmitted signals can then be intercepted wirelessly by a nearby software-defined radio (SDR) receiver, which decodes the data and sends it to an attacker in an adjacent room.
</p>

<p>
	 
</p>

<p>
	"Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine," the researchers noted in an accompanying paper titled "LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables."
</p>

<p>
	 
</p>

<p>
	Air-gapped networks are designed as a network security measure to minimize the risk of information leakage and other cyber threats by ensuring that one or more computers are physically isolated from other networks, such as the internet or a local area network. They are usually wired since machines that are part of such networks have their wireless network interfaces permanently disabled or physically removed.
</p>

<p>
	 
</p>

<p>
	This is far from the first time Dr. Guri has demonstrated unconventional ways to leak sensitive data from air-gapped computers. In February 2020, the security researcher devised a method that employs small changes in LCD screen brightness, which remain invisible to the naked eye, to covertly modulate binary information in morse-code-like patterns.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	Then in May 2020, Dr. Guri showed how malware could exploit a computer's power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker to leak data in an attack called "POWER-SUPPLaY."
</p>

<p>
	 
</p>

<p>
	Lastly, in December 2020, the researcher showed off "AIR-FI," an attack that leverages Wi-Fi signals as a covert channel without requiring the presence of Wi-Fi hardware on the targeted systems.
</p>

<p>
	 
</p>

<p>
	The LANtenna attack is no different in that it works by using the malware in the air-gapped workstation to induce the Ethernet cable to generate electromagnetic emissions in the frequency bands of 125 MHz that are then modulated and intercepted by a nearby radio receiver. In a proof-of-concept demo, data transmitted from an air-gapped computer through its Ethernet cable was received at a distance of 200 cm.
</p>

<p>
	 
</p>

<p>
	As countermeasures, the researchers propose prohibiting the use of radio receivers in and around air-gapped networks and monitoring the network interface card link layer activity for any covert channel, as well as jamming the signals, and using metal shielding to limit electromagnetic fields from interfering with or emanating from the shielded wires.
</p>

<p>
	 
</p>

<p>
	"This paper shows that attackers can exploit the Ethernet cables to exfiltrate data from air-gapped networks," the researchers said in the paper. "Malware installed in a secured workstation, laptop, or embedded device can invoke various network activities that generate electromagnetic emissions from Ethernet cables."
</p>

<p>
	 
</p>

<p>
	"Dedicated and expensive antennas yield better distance and could reach tens of meters with some cables," Dr. Guri added.
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:16px;"><a href="https://thehackernews.com/2021/10/creating-wireless-signals-with-ethernet.html" rel="external nofollow">Source</a></span></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">2648</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Ransomware operators behind hundreds of attacks arrested in Ukraine</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-operators-behind-hundreds-of-attacks-arrested-in-ukraine-r2637/</link><description><![CDATA[<p>
	Europol has announced the arrest of two men in Ukraine, said to be members of a prolific ransomware operation that extorted victims with ransom demands ranging from €5 to €70 million.
</p>

<h2>
	Two arrests in Ukraine
</h2>

<p>
	The international law enforcement operation was conducted in coordination with the FBI, the French police (Gendarmerie Nationale), and the Ukrainian National Police (Національна поліція України). In total, the police officers performed seven property searches and seized $375,000 in cash and two luxury vehicles worth about $250,000. Furthermore, the investigators froze $1.3 million worth of crypto that is believed to be linked to ransom payments.
</p>

<p>
	 
</p>

<p>
	Coordinated announcements from <a href="https://www.europol.europa.eu/newsroom/news/ransomware-gang-arrested-in-ukraine-europol%E2%80%99s-support" rel="external nofollow" target="_blank">Europol</a> and the <a href="https://www.cyberpolice.gov.ua/news/kiberpoliczejski-vykryly-ukrayinskogo-xakera-u-zdijsnenni-virusnyx-atak-na-ponad--inozemnyx-kompanij-2642/" rel="external nofollow" target="_blank">Ukrainian police</a> describe the suspects as members of a top-tier group, but Europol told BleepingComputer that they could not name the group for operational reasons.
</p>

<p>
	 
</p>

<p>
	"Both these individuals were part of the same group which focused not only on ransom attacks, but also laundered criminal funds," Europol told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Both suspects were arrested in Kyiv City, with one of the individuals described as a 25-year-old male "hacker."
</p>

<p>
	 
</p>

<p>
	The law enforcement agencies attribute approximately a hundred cyberattacks to the gang, starting in April 2020, that targeted North American and European entities. As for the modus operandi, it follows the typical network compromise, malware deployment, data exfiltration, and eventually the encryption of all local files.
</p>

<p>
	 
</p>

<p>
	The initial points of compromise are the victim's VPN tool or emails to employees that drop payloads on their computers.
</p>

<p>
	 
</p>

<p>
	It is estimated that the total damages caused to the victimized organizations are $150 million.
</p>

<p>
	 
</p>

<p>
	The law enforcement operation took the combined efforts of six French investigators, four from the FBI, one Interpol officer, and two of Europol’s cybercrime specialists.
</p>

<p>
	 
</p>


<h2>
	Disrupting ransomware operations
</h2>

<p>
	These arrests will likely not bring down an entire Ransomware-as-a-Service (RaaS) operation. However, law enforcement has been increasingly targeting individual members as a way to disrupt gangs' activities.
</p>

<p>
	 
</p>

<p>
	Furthermore, successful law enforcement operations tend to have chilling effects on the operation of illegal hacking groups, as they spread fear and uncertainty among the other members, commonly leading to the group's shutdown or rebranding.
</p>

<p>
	 
</p>

<p>
	The announcement from Ukraine's cyber-police says the arrested individuals face up to twelve years in prison for violations of two articles of the criminal code in the country, one for unauthorized interference in computer networks and systems, and one for money laundering.
</p>

<p>
	 
</p>

<p>
	The Ukrainian police also arrested other individuals this year believed to be members of the <a href="https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/" target="_blank" rel="external nofollow">Clop</a> and <a href="https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/" target="_blank" rel="external nofollow">Egregor</a> ransomware operations.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-operators-behind-hundreds-of-attacks-arrested-in-ukraine/" rel="external nofollow">Ransomware operators behind hundreds of attacks arrested in Ukraine</a>
</p>
]]></description><guid isPermaLink="false">2637</guid><pubDate>Mon, 04 Oct 2021 23:02:00 +0000</pubDate></item><item><title>A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-apt-hacking-group-targeting-fuel-energy-and-aviation-industries-r2624/</link><description><![CDATA[<p>
	A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.
</p>

<p>
	 
</p>

<p>
	Cybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang — referring to its chameleon-like capabilities, including disguising "its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google."
</p>

<p>
	 
</p>

<p>
	"To achieve their goal, the attackers used a trending penetration method—supply chain," the researchers said of one of the incidents investigated by the firm. "The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal and steal data from the compromised network."
</p>

<p>
	 
</p>

<p>
	Intrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the ProxyShell chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw" class="ipsImage" data-ratio="58.19" height="415" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw5No4dV8_Po339DpYJtWa0Z-_BTv7hBE9_EkkSjRVlbP2lsM6MxD-x1p1yD_mQOhRoeiBy9vjPZXWBKrrJlJlvEbl4QdL8woMTd4XIY2ZGusd5N0uFaCwXBUiwFnJnXGfU0C-ESawdO8FR9OB4njoQ6oc=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application (CVE-2017-12149) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.
</p>

<p>
	 
</p>

<p>
	"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang," the researchers said. "This utility allows connecting to a reverse proxy server. The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data."
</p>

<p>
	 
</p>

<p>
	On the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.
</p>

<p>
	 
</p>

<p>
	"Targeting the fuel and energy complex and aviation industry in Russia isn't unique — this sector is one of the three most frequently attacked," Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. "However, the consequences are serious: Most often such attacks lead to financial or data loss—in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2624</guid><pubDate>Mon, 04 Oct 2021 13:42:10 +0000</pubDate></item><item><title>Firefox 93 for Android becomes system-wide password manager</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-93-for-android-becomes-system-wide-password-manager-r2606/</link><description><![CDATA[<p>
	The upcoming Firefox 93 web browser for Android may be used as a system-wide password manager by its users. Up until now, passwords saved in the browser were restricted to use in the browser. If you saved a Reddit or Amazon password in Firefox, you could open Reddit's or Amazon's website to sign in automatically using the saved data.
</p>

<p>
	 
</p>

<p>
	What you could not do until now was launch the Reddit or Amazon application on the Android device and expect to be signed in automatically. A password manager was required for that functionality.
</p>

<p>
	 
</p>

<p>
	Starting in Firefox 93 for Android, out on October 5, 2021, Firefox users may use the browser's password manager to sign in to any application on the device.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-system-wide-password-manager-and" class="ipsImage" data-ratio="75.10" height="540" width="262" src="https://www.ghacks.net/wp-content/uploads/2021/10/firefox-system-wide-password-manager-android.webp">
</p>

<p>
	 
</p>

<p>
	If a password is saved in Firefox 93 or newer, Firefox users may select the account credentials to sign in to an application on the device. For example: with Instagram credentials saved in Firefox, Firefox may suggest using the saved credentials when a user opens the sign-in page in the Instagram application.
</p>

<p>
	 
</p>

<p>
	A small change in the browser's settings is required to enable the new functionality. Select the three-dots menu icon in Firefox and then Settings from the context menu. On the main Settings page, select Logins and passwords. Locate the "Autofill in other apps" option and toggle it so that it is set to on. Android displays a prompt to pick a compatible application for autofilling passwords system-wide on the device. Select Firefox and you are all set on the device.
</p>

<p>
	 
</p>

<p>
	Saved passwords may then be used to sign in to applications on the device. The username field displays account suggestions and also an option to search Firefox; the latter is useful if the correct account was not selected by Firefox automatically.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-93-android-passwords-autofill-sy" class="ipsImage" data-ratio="75.10" height="540" width="267" src="https://www.ghacks.net/wp-content/uploads/2021/10/firefox-93-android-passwords-autofill-system-wide.webp">
</p>

<p>
	 
</p>

<p>
	With sync enabled in Firefox, Firefox will synchronize all user credentials to other Firefox installations, provided that the same account is used on these devices.
</p>

<p>
	 
</p>

<p>
	Firefox 93 includes a new option to save passwords manually. All it takes is to type the site URL, username and password to save the credentials in the browser. These may then be used to sign in on websites in Firefox, but also in applications on the Android device.
</p>

<p>
	 
</p>

<p>
	Select Menu &gt; Settings &gt; Logins and passwords &gt; Saved logins, type the Android PIN, and use the new "add login" option on the page that opens to add a new site to Firefox's password manager manually.
</p>

<p>
	 
</p>

<p>
	Check out the <a data-wpel-link="external" href="https://blog.mozilla.org/en/mozilla/news/superhero-passwords-may-be-your-kryptonite-wherever-you-go-online/" rel="external nofollow" target="_blank">full blog post</a> on Mozilla's website.
</p>

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>

<p>
	Firefox is not the only Android browser that can act as a system-wide password manager. Chrome and Edge, among others, may also be set up to fill out passwords automatically on Android.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/10/02/firefox-93-for-android-becomes-system-wide-password-manager/" rel="external nofollow">Firefox 93 for Android becomes system-wide password manager</a>
</p>
]]></description><guid isPermaLink="false">2606</guid><pubDate>Sat, 02 Oct 2021 23:15:53 +0000</pubDate></item><item><title><![CDATA[Buckle up: a novel RaaS group, Ranion, offers 'pay & go' malware]]></title><link>https://nsaneforums.com/news/security-privacy-news/buckle-up-a-novel-raas-group-ranion-offers-pay-go-malware-r2593/</link><description><![CDATA[<p>
	<strong>As if there were not enough ransomware-related crimes in the past year, a new ransomware-as-a-service (RaaS) group just made cyber extortion easier.</strong>
</p>

<p>
	 
</p>

<p>
	Even though reports show that ransomware already accounts for 69% of attacks against businesses, that figure might go further up. Researchers at CyberNews spotted a new RaaS group on the darknet offering an unusual payment structure, potentially easing access for anyone interested in cybercrime.
</p>

<p>
	 
</p>

<p>
	Major ransomware cartels like REvil, Conti, or DarkSide usually charge their affiliates a hefty 30% fee per ransom payment. The cartels provide the malware, whereas threat actors carry out the attacks.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Ranion%201.jpg" class="ipsImage" data-ratio="70.97" height="491" width="720" src="https://media.cybernews.com/2021/10/Ranion%201.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Main banner with many multi-language banners created to tell users their files have been encrypted.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	However, a new RaaS group that is calling itself Ranion adopts an entirely different payment structure. The group only asks for an upfront payment for its malware without additional service fees.
</p>

<p>
	 
</p>

<p>
	The Ranion malware uses AES 256 encryption and is almost fully undetectable, with only one enterprise antivirus solution able to detect it, a development that might make a disastrous year worse.
</p>

<p>
	 
</p>

<p>
	From threat actors' point of view, Ranion might seem like a more viable malware option, since a single fixed payment doesn't require handing a third of the cut back to the malware provider.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Ranion%202.PNG" class="ipsImage" data-ratio="75.10" height="540" width="653" src="https://media.cybernews.com/2021/10/Ranion%202.PNG" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>RANION (RaaS) Decrypter.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Different Ranion malware packages are offered from $150 to $1,900, a shockingly low price compared with corporate ransomware losses of several million dollars per attack. The pricier offers are said to guarantee fully undetectable (FUD) status.
</p>

<p>
	 
</p>

<p>
	Clients are supposedly given a unique stub, making every malware file different and thus hard to detect. The stub is an executable that also acts as a crypto packer, which is what gives the malware its evasive features.
</p>

<p>
	 
</p>

<p>
	To give threat actors more ways to inflict damage, Ranion added a feature that creates a delay between infection and execution of the encrypter. The malware, however, only works on Windows, offering some respite to users of other operating systems.
</p>

<p>
	 
</p>

<p>
	Somewhat shockingly for a completely illegal business venture, the RaaS groups also offer real-time customer support services to their clients. However, that is something of a 'good practice' within the cybercrime ecosystem, which is full of support personnel.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Ranion%20Package.png" class="ipsImage" data-ratio="51.94" height="360" width="720" src="https://media.cybernews.com/2021/10/Ranion%20Package.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>RaaS seemingly sold as any other service on the internet.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Year in turmoil</strong></span>
</p>

<p>
	Cyberattacks are increasing in scale, sophistication, and scope. In 2020, ransomware payments reached over $400 million, more than four times the level of 2019. This year will likely set another record benchmark for ransomware cartels globally.
</p>

<p>
	 
</p>

<p>
	The last 12 months were rife with high-profile cyberattacks, on network management company SolarWinds, on Colonial Pipeline's oil network, on meat processing company JBS, and on software firm Kaseya. Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.
</p>

<p>
	 
</p>

<p>
	Recently, a Russia-linked cyber cartel attacked New Cooperative Inc., a major US farm service provider, demanding $5.9 million in ransom.
</p>

<p>
	A recent IBM report shows that an average data breach costs victims $4.24 million per incident, the highest figure in the report's 17-year history. By comparison, the average cost stood at $3.86 million per incident last year, making the latest result a roughly 10% increase.
</p>

<p>
	 
</p>

<p>
	Some ransomware groups went dark for a while, after carrying out major attacks. A cool-off period is likely meant to regroup, and recent developments show that cybercrime cartels are waking up and will likely be on the prowl for the next major extortion scheme.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/ZiSiVi4t2oY?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://cybernews.com/security/buckle-up-a-novel-raas-group-ranion-offers-pay-go-malware/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2593</guid><pubDate>Sat, 02 Oct 2021 14:30:56 +0000</pubDate></item><item><title>FCC Proposal Targets SIM Swapping, Port-Out Fraud</title><link>https://nsaneforums.com/news/security-privacy-news/fcc-proposal-targets-sim-swapping-port-out-fraud-r2581/</link><description><![CDATA[<div>
	<p>
		The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on <a href="https://krebsonsecurity.com/category/sim-swapping/" rel="external nofollow" target="_blank">SIM swapping</a> and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity.
	</p>

	<p>
		 
	</p>

	<p>
		In a long-overdue <a href="https://www.fcc.gov/document/fcc-combating-scams-used-commandeer-consumers-cell-phone-accounts" rel="external nofollow" target="_blank">notice issued Sept. 30</a>, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.
	</p>

	<p>
		 
	</p>

	<p>
		“We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of <a href="https://krebsonsecurity.com/category/sim-swapping/" rel="external nofollow" target="_blank">SIM swapping</a> and port-out fraud,” the FCC wrote. “Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate.”
	</p>

	<p>
		 
	</p>

	<p>
		The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and <a href="https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/" rel="external nofollow" target="_blank">number port-out fraud</a>. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.
	</p>

	<p>
		 
	</p>

	<p>
		From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.
	</p>

	<p>
		 
	</p>

	<p>
		Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attackers control).
	</p>

	<p>
		 
	</p>

	<p>
		The FCC said the carriers have traditionally sought to address both forms of phone number fraud by requiring static data about the customer that is no longer secret and has been exposed in a variety of places already — such as date of birth and Social Security number. By way of example, the commission pointed to <a href="https://krebsonsecurity.com/2021/08/t-mobile-breach-exposed-ssn-dob-of-40m-people/" rel="external nofollow" target="_blank">the recent breach at T-Mobile that exposed this data on 40 million current, past and prospective customers</a>.
	</p>

	<p>
		 
	</p>

	<p>
		What’s more, victims of SIM swapping and number port-out fraud are often the last to know about their victimization. The FCC said it plans to prohibit wireless carriers from allowing a SIM swap unless the carrier uses a secure method of authenticating its customer. Specifically, the commission proposes that carriers be required to verify a “pre-established password” with customers before making any changes to their accounts.
	</p>

	<p>
		 
	</p>

	<p>
		According to the FCC, several examples of pre-established passwords include:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			a one-time passcode sent via text message to the account phone number or a pre-registered backup number
		</li>
		<li>
			a one-time passcode sent via email to the email address associated with the account
		</li>
		<li>
			a passcode sent using a voice call to the account phone number or pre-registered back-up telephone number.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		The commission said it was also considering updating its rules to require wireless carriers to develop procedures for responding to failed authentication attempts and to notify customers immediately of any requests for SIM changes.
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, the FCC said it may impose additional customer service, training, and transparency requirements for the carriers, noting that too many customer service personnel at the wireless carriers lack training on how to assist customers who’ve had their phone numbers stolen.
	</p>

	<p>
		 
	</p>

	<p>
		The FCC said some of the consumer complaints it has received “describe wireless carrier customer service representatives and store employees who do not know how to address instances of fraudulent SIM swaps or port-outs, resulting in customers spending many hours on the phone and at retail stores trying to get resolution. Other consumers complain that their wireless carriers have refused to provide them with documentation related to the fraudulent SIM swaps, making it difficult for them to pursue claims with their financial institutions or law enforcement.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="phonefraudsmaller.png" class="ipsImage" data-ratio="50.41" height="307" width="609" src="https://krebsonsecurity.com/wp-content/uploads/2017/08/phonefraudsmaller.png">
	</p>

	<p>
		 
	</p>

	<p>
		“Several consumer complaints filed with the Commission allege that the wireless carrier’s store employees are involved in the fraud, or that carriers completed SIM swaps despite the customer having previously set a PIN or password on the account,” the commission continued.
	</p>

	<p>
		 
	</p>

	<p>
		Allison Nixon, an expert on SIM swapping attacks and chief research officer with New York City-based cyber intelligence firm <a href="https://unit221b.com" rel="external nofollow" target="_blank">Unit221B</a>, said any new authentication requirements will have to balance the legitimate use cases for customers requesting a new SIM card when their device is lost or stolen. A SIM card is the small, removable smart card that associates a mobile device with its carrier and phone number.
	</p>

	<p>
		 
	</p>

	<p>
		“Ultimately, any sort of static defense is only going to work in the short term,” Nixon said. “The use of SMS as a 2nd factor in itself is a static defense. And the criminals adapted and made the problem actually worse than the original problem it was designed to solve. The long term solution is that the system needs to be responsive to novel fraud schemes and adapt to it faster than the speed of legislation.”
	</p>

	<p>
		 
	</p>

	<p>
		Eager to weigh in on the FCC’s proposal? They want to hear from you. The electronic comment filing system is <a href="https://www.fcc.gov/ecfs/" rel="external nofollow" target="_blank">here</a>, and the docket number for this proceeding is WC Docket No. 21-341.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/10/fcc-proposal-targets-sim-swapping-port-out-fraud/" rel="external nofollow">FCC Proposal Targets SIM Swapping, Port-Out Fraud</a>
</p>
]]></description><guid isPermaLink="false">2581</guid><pubDate>Fri, 01 Oct 2021 23:36:59 +0000</pubDate></item><item><title>Another Chrome emergency update to patch 0-day vulnerabilities is now available</title><link>https://nsaneforums.com/news/security-privacy-news/another-chrome-emergency-update-to-patch-0-day-vulnerabilities-is-now-available-r2580/</link><description><![CDATA[<p>
	Google released another security update for the company's Google Chrome web browser that brings the version of the browser to 94.0.4606.71. Google Chrome 94.0.4606.71 is a security update that fixes two vulnerabilities that are actively exploited in the wild, according to Google. The update is the third update that Google released this month to address 0-day security issues in Google Chrome that are exploited in the wild.
</p>

<p>
	 
</p>

<p>
	Google is rolling out the update to all Chrome installations, but users may want to speed up the discovery and installation of the update by loading chrome://settings/help in the browser's address bar, or selecting Menu &gt; Help &gt; About Google Chrome from the menu.
</p>

<p>
	 
</p>

<p>
	<img alt="chrome-security-update-94.0.4606.71.webp" class="ipsImage" data-ratio="75.10" height="467" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/10/chrome-security-update-94.0.4606.71.webp">
</p>

<p>
	 
</p>

<p>
	Chrome displays the installed version on the page that is loaded and will run a check for updates. Updates that are discovered during the check are downloaded and installed automatically. The new Extended Stable channel has been updated as well.
</p>

<p>
	 
</p>

<p>
	Google published information about the update on the Chrome Releases blog:
</p>

<p>
	 
</p>

<ul>
	<li>
		[$20000][1245578] High CVE-2021-37974 : Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01
	</li>
	<li>
		[$TBD][1252918] High CVE-2021-37975 : Use after free in V8. Reported by Anonymous on 2021-09-24
	</li>
	<li>
		[$NA][1251787] Medium CVE-2021-37976 : Information leak in core. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21
	</li>
</ul>

<p>
	 
</p>

<p>
	Google notes on the page that it is aware of exploits targeting the vulnerabilities CVE-2021-37975 and CVE-2021-37976.
</p>

<blockquote>
	<p>
		Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.
	</p>
</blockquote>

<p>
	Both security issues are rated as high, the second highest severity rating after critical. Google did not provide additional information on the issues, e.g. how they are exploited or how widespread the attacks are.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2021/09/25/google-chrome-emergency-update-to-patch-zero-day-vulnerability-has-been-released/" rel="external nofollow">Google released another emergency security update for Chrome last week</a>, patching another 0-day vulnerability that was actively exploited at the time according to the company. <a data-wpel-link="internal" href="https://www.ghacks.net/2021/09/14/update-google-chrome-to-patch-two-zero-day-vulnerabilities-that-are-exploited-in-the-wild/" rel="external nofollow">Two additional 0-day security issues</a> were fixed on September 13, both of which were also exploited in the wild.
</p>

<p>
	 
</p>

<p>
	Chrome users may want to update the browser as soon as possible to secure the system against potential attacks.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/10/01/another-chrome-emergency-update-to-patch-0-day-vulnerabilities-is-now-available/" rel="external nofollow">Another Chrome emergency update to patch 0-day vulnerabilities is now available</a>
</p>
]]></description><guid isPermaLink="false">2580</guid><pubDate>Fri, 01 Oct 2021 23:34:22 +0000</pubDate></item><item><title>Hackers rob thousands of Coinbase customers using MFA flaw</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw-r2579/</link><description><![CDATA[<div>
	<p>
		Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company's SMS multi-factor authentication security feature.
	</p>

	<p>
		 
	</p>

	<p>
		Coinbase is the world's second-largest cryptocurrency exchange, with approximately 68 million users from over 100 countries.
	</p>

	<p>
		 
	</p>

	<p>
		In a notification sent to affected customers this week, Coinbase explains that between March and May 20th, 2021, a threat actor conducted a hacking campaign to breach Coinbase customer accounts and steal cryptocurrency.
	</p>

	<p>
		 
	</p>

	<p>
		To conduct the attack, Coinbase says the attackers needed to know the customer's email address, password, and phone number associated with their Coinbase account and have access to the victim's email account.
	</p>

	<p>
		 
	</p>

	<p>
		While it is unknown how the threat actors gained access to this information, Coinbase believes it was through <a href="https://blog.coinbase.com/phishing-attacks-are-on-the-rise-here-are-some-steps-you-can-take-to-protect-yourself-872833c7671b" rel="external nofollow" target="_blank">phishing campaigns targeting Coinbase customers</a> to steal account credentials, which have become common. Additionally, banking trojans traditionally used to steal online bank accounts are also <a href="https://www.bleepingcomputer.com/news/security/banking-trojan-now-targets-coinbase-users-not-just-banking-portals/" target="_blank" rel="external nofollow">known to steal Coinbase accounts</a>.
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedOther" contenteditable="false">
		<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed9769375304" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/malwrhunterteam/status/1355231593028341761?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1355231593028341761%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/" style="overflow: hidden; height: 578px;"></iframe>
	</div>

	<p>
		 
	</p>

	<h2>
		MFA bug allowed access to accounts
	</h2>

	<p>
		Even if a hacker has access to a Coinbase customer's credentials and email account, they are normally prevented from logging into an account if a customer has multi-factor authentication enabled.
	</p>

	<p>
		 
	</p>

	<p>
		In Coinbase's <a href="https://help.coinbase.com/en/coinbase/privacy-and-security/data-privacy/how-can-i-make-my-account-more-secure" rel="external nofollow" target="_blank">guide on securing accounts</a>, they recommend enabling multi-factor authentication (MFA) using security keys, Time-based One-Time Passwords (TOTP) with an authenticator app, or, as a last resort, SMS text messages.
	</p>

	<p>
		 
	</p>

	<p>
		However, Coinbase states a vulnerability existed in their SMS account recovery process, allowing the hackers to gain the SMS two-factor authentication token needed to access a secured account.
	</p>

	<p>
		 
	</p>

	<p>
		"Even with the information described above, additional authentication is required in order to access your Coinbase account," explained a <a href="https://s3.documentcloud.org/documents/21073975/09-24-2021-coinbase-customer-notification.pdf" rel="external nofollow" target="_blank">Coinbase notification</a> to customers seen by BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account."
	</p>

	<p>
		 
	</p>

	<p>
		Once they learned of the attack, Coinbase states that they fixed the "SMS Account Recovery protocols" to prevent any further bypassing of SMS multi-factor authentication.
	</p>

	<p>
		 
	</p>

	<p>
		As the threat actor also had full access to an account, customers' personal information was also exposed, including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances.
	</p>

	<p>
		 
	</p>

	<p>
		As the Coinbase bug allowed threat actors to access what were believed to be secured accounts, the exchange is depositing funds in affected accounts equal to the stolen amount.
	</p>

	<p>
		 
	</p>

	<p>
		"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today," promised Coinbase.
	</p>

	<p>
		 
	</p>

	<p>
		It is not clear whether Coinbase will be crediting hacked customers with the cryptocurrency that was stolen or with fiat currency. If it is fiat currency, this could create a taxable event for victims whose holdings had gained in value.
	</p>

	<p>
		 
	</p>

	<p>
		Customers who were affected by this attack can contact Coinbase at (844) 613-1499 to learn more about what is being done.
	</p>

	<p>
		 
	</p>

	<p>
		Coinbase shared the following statement when we requested more information about the attacks. However, they did not provide any further information on the SMS MFA flaw that they fixed.
	</p>

	<blockquote>
		<p>
			"Between late April and early May, 2021, the Coinbase security team observed a large-scale phishing campaign that showed particular success in bypassing the spam filters of certain, older email services. We took immediate action to mitigate the impact of the campaign by working with external partners to remove phishing sites as they were identified, as well as notifying the email providers impacted. Unfortunately we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers. Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account. We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost. These large-scale, sophisticated phishing attacks are on the rise, and we strongly recommend anyone that uses online financial services to remain vigilant and take the necessary steps to protect their online identity." - Coinbase spokesperson.
		</p>
	</blockquote>

	<h2>
		What Coinbase victims should do
	</h2>

	<p>
		Since the attack required the passwords for both a customer's Coinbase account and their email account, it is strongly recommended that victims change both passwords immediately.
	</p>

	<p>
		 
	</p>

	<p>
		Coinbase also recommends users switch to a more secure MFA method, such as a hardware security key or an authentication app.
	</p>

	<p>
		 
	</p>

	<p>
		Finally, victims should be on the lookout for future targeted phishing emails or SMS texts that attempt to steal credentials using information exposed in the breach.
	</p>

	<p>
		 
	</p>

	<p>
		This is not the first time a bug in Coinbase's MFA system caused issues for their customers.
	</p>

	<p>
		 
	</p>

	<p>
		In August, Coinbase accidentally <a href="https://www.bleepingcomputer.com/news/security/coinbase-seeds-panic-among-users-with-erroneous-2fa-change-alerts/" target="_blank" rel="external nofollow">alerted 125,000 customers that their 2FA settings had been changed</a>, causing panic among those receiving the alert.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has contacted Coinbase with further questions regarding this attack but has not heard back at this time.
	</p>

	<p>
		 
	</p>

	<p>
		Update 10/1/21 11:49 AM EST: Added statement from Coinbase and link to a recent blog about the phishing attacks.
	</p>

	<p>
		 
	</p>

	<p>
		Update 10/1/21 12:26 PM EST: Added phone number for customers impacted by the attacks to find more information.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/" rel="external nofollow">Hackers rob thousands of Coinbase customers using MFA flaw</a>
</p>
]]></description><guid isPermaLink="false">2579</guid><pubDate>Fri, 01 Oct 2021 23:31:57 +0000</pubDate></item><item><title>Apple Pay Can be Abused to Make Contactless Payments From Locked iPhones</title><link>https://nsaneforums.com/news/security-privacy-news/apple-pay-can-be-abused-to-make-contactless-payments-from-locked-iphones-r2574/</link><description><![CDATA[<p>
	Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet.
</p>

<p>
	 
</p>

<p>
	"An attacker only needs a stolen, powered on iPhone. The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge," a group of academics from the University of Birmingham and University of Surrey said. "The attacker needs no assistance from the merchant and backend fraud detection checks have not stopped any of our test payments."
</p>

<p>
	 
</p>

<p>
	Express Travel is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode.
</p>

<p>
	 
</p>

<p>
	The man-in-the-middle (MitM) replay and relay attack, which involves bypassing the lock screen to make a payment to any EMV reader illicitly, is made possible due to a combination of flaws in both Apple Pay and Visa's system, and doesn't impact, say, Mastercard on Apple Pay or Visa cards on Samsung Pay.
</p>

<p>
	 
</p>

<p>
	The modus operandi hinges on mimicking a transit gate transaction by using a Proxmark device that acts as an EMV card reader communicating with a victim's iPhone and an NFC-enabled Android app that functions as a card emulator to relay signals to a payment terminal.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="apple-pay-hack.gif" class="ipsImage" data-ratio="56.81" height="405" width="720" src="https://thehackernews.com/images/-cH0wyx2ARIs/YVcVfXs_DNI/AAAAAAAA4bA/1aT4FgW2ztEC07hT53q_r2haVWmvgHM-QCLcBGAsYHQ/s0/apple-pay-hack.gif" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Specifically, it takes advantage of a unique code — aka Magic Bytes — broadcast by the transit gates to unlock Apple Pay. By replaying that sequence of bytes, the Apple device is deceived into authorizing a rogue transaction as if it originated from the ticket barrier, when in reality it was triggered by a contactless payment terminal under the attacker's control.
</p>

<p>
	 
</p>

<p>
	At the same time, the EMV reader is also tricked into believing that on-device user authentication has been performed, thus enabling payments of any amount to be made without the iPhone user's knowledge.
</p>

<p>
	 
</p>

<p>
	Apple and Visa were alerted to the vulnerability in October 2020 and May 2021, respectively, the researchers said, adding, "both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix."
</p>

<p>
	 
</p>

<p>
	In a statement shared with the BBC, Visa said this type of attack was "impractical," adding, "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."
</p>

<p>
	 
</p>

<p>
	"This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place," an Apple spokesperson was quoted as saying to the U.K. national broadcaster.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/apple-pay-can-be-abused-to-make.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2574</guid><pubDate>Fri, 01 Oct 2021 15:46:33 +0000</pubDate></item><item><title>Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware</title><link>https://nsaneforums.com/news/security-privacy-news/beware-of-fake-amnesty-international-antivirus-for-pegasus-that-hacks-pcs-with-malware-r2567/</link><description><![CDATA[<p>
	In yet another indicator of how hacking groups are quick to capitalize on world events and improvise their attack campaigns for maximum impact, threat actors have been discovered impersonating Amnesty International to distribute malware that purports to be security software designed to safeguard against NSO Group's Pegasus surveillanceware.
</p>

<p>
	 
</p>

<p>
	"Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised antivirus tool to protect against the NSO Group's Pegasus tool," Cisco Talos researchers said. "However, the download actually installs the little-known Sarwent malware."
</p>

<p>
	 
</p>

<p>
	The countries most affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, Czech Republic, Romania, and Colombia. While it's unclear as to how the victims are lured into visiting the fake Amnesty International website, the cybersecurity firm surmised the attacks could be aimed at users who may be specifically searching for protection against this threat.
</p>

<p>
	 
</p>

<p>
	The development comes on the heels of an explosive investigation in July 2021 that revealed widespread abuse of the Israeli company's Pegasus "military-grade spyware" to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world. The NGO has since also released a Mobile Verification Toolkit (MVT) to help individuals scan their iPhone and Android devices for evidence of compromise.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEj9ARC09wXOd61f2Agporoj6lXY24hwETlW" class="ipsImage" data-ratio="75.10" height="540" width="718" src="https://thehackernews.com/new-images/img/a/AVvXsEj9ARC09wXOd61f2Agporoj6lXY24hwETlWcGP8pZ842UU1a-Xy8lSc1PkH7_WUASSfGqQCHLSOblKdflSUmpCzThQNA1i8OE9e1ISkLzgPjlGbxI9x6wZ125jwQAX9Geq2HI_JvIKmB-752MYibohx3IiiVZmD5jzd0E4E2lgN1j6qgCHgXw4-v4b-" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Besides making use of social engineering tricks by designing a rogue website with the identical look and feel of Amnesty International's legitimate portal, the modus operandi aims to trick the visitor into downloading an "Amnesty Anti Pegasus Software" under the guise of an antivirus tool. Its real capabilities give the bad actor a remote way into the compromised machine and let them exfiltrate sensitive information, such as login credentials.
</p>

<p>
	 
</p>

<p>
	The Sarwent sample used in the low-volume campaign is a highly-customized variant coded in Delphi and is capable of allowing remote desktop access through VNC or RDP and executing command line or PowerShell instructions received from an attacker-controlled domain, the results of which are sent back to the server.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEiBqezknalD1FJO0twOM4EVGrZQW8s7KBXc" class="ipsImage" data-ratio="59.31" height="423" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEiBqezknalD1FJO0twOM4EVGrZQW8s7KBXcprSJxSSosprffKGlzL1Z40Z9T9UDD0MgEi2yAMdXcdARp6wZBMjcjsHBNhVLBQ2WkPFMC2MO7vZHeHwBMxKTbAV5cSHoQ5IJpOwkwrAaDrOly9bvFrmV-zB-g9O-wY5u3y6FkBnahQSkW813JllR0h62" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Talos attributed the infections with high confidence to a Russian-speaking actor located in that country and known for mounting attacks involving the Sarwent backdoor against a variety of victims since at least January 2021. The researchers noted the level of modifications made to the supposed antivirus as likely evidence that "the operator has access to the source code of the Sarwent malware."
</p>

<p>
	 
</p>

<p>
	"The campaign targets people who might be concerned that they are targeted by the Pegasus spyware," the researchers said. "This targeting raises issues of possible state involvement, but there is insufficient information […] to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/beware-of-fake-amnesty-international.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2567</guid><pubDate>Fri, 01 Oct 2021 13:02:30 +0000</pubDate></item><item><title>After Google patches two Chrome Zero-day exploits don&#x2019;t delay updating your browser</title><link>https://nsaneforums.com/news/security-privacy-news/after-google-patches-two-chrome-zero-day-exploits-don%E2%80%99t-delay-updating-your-browser-r2565/</link><description><![CDATA[<div>
	<article>
		<p>
			If you are like me, you are not too bothered by the Update warning in Chrome and do not rush to close all your tabs and restart your browser when it shows up.
		</p>

		<p>
			 
		</p>

		<p>
			On this occasion, however, it may be a good idea to heed the warning and install <a href="https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html" rel="external nofollow" target="_blank">the new update Google has just made available</a>, as it addresses two zero-day vulnerabilities which are being actively exploited in the wild.
		</p>

		<p>
			 
		</p>

		<p>
			CVE-2021-37976 is described as an “Information leak in core” with a Medium severity level, while CVE-2021-37975 is a use-after-free bug in the Chrome V8 JavaScript engine with a High severity rating. Use-after-free bugs can often be used for remote code execution or to escape the browser sandbox.
		</p>

		<p>
			 
		</p>

		<p>
			“Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google notes in their advisory.
		</p>

		<p>
			 
		</p>

		<p>
			Google has released Chrome 94.0.4606.71 for Windows, Mac, and Linux to fix the issue.
		</p>

		<p>
			 
		</p>

		<p>
			If you have the update prompt, simply pressing the button will update you to the latest, safer version of Chrome; otherwise, going to Chrome menu &gt; Help &gt; About Google Chrome will also get you the latest release.
		</p>

		<p>
			 
		</p>

		<p>
			This update fixes the 13th zero-day vulnerability Chrome has had to address this year. Since Edge also uses the Chromium engine, it is likely affected by the same issues.
		</p>

		<p>
			 
		</p>

		<p>
			via <a href="https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/" rel="external nofollow" target="_blank">BleepingComputer</a>
		</p>

		<p>
			 
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://mspoweruser.com/after-google-patches-two-chrome-zero-day-exploits-dont-delay-updating-your-browser/" rel="external nofollow">After Google patches two Chrome Zero-day exploits don’t delay updating your browser</a>
		</p>
	</article>
</div>
]]></description><guid isPermaLink="false">2565</guid><pubDate>Fri, 01 Oct 2021 08:15:57 +0000</pubDate></item><item><title>These antivirus programs are compatible with Windows 11 according to AV Comparatives</title><link>https://nsaneforums.com/news/security-privacy-news/these-antivirus-programs-are-compatible-with-windows-11-according-to-av-comparatives-r2555/</link><description><![CDATA[<p>
	AV Comparatives, a site known for its security tests, <a data-wpel-link="external" href="https://www.av-comparatives.org/av-comparatives-releases-list-of-working-consumer-av-programs-for-windows-11/" rel="external nofollow" target="_blank">released</a> a list of antivirus programs that it found to be compatible with Microsoft's Windows 11 operating system.
</p>

<p>
	 
</p>

<p>
	Microsoft will officially release Windows 11 on October 5, 2021. New devices with the new operating system preinstalled will become available on that day, and Windows 10 devices that meet the system requirements will get upgrade offers in a staged rollout.
</p>

<p>
	 
</p>

<p>
	Windows 11 includes Windows Defender, a security component that has been improved significantly in recent years. Several third-party antivirus companies have called the <a data-wpel-link="internal" href="https://www.ghacks.net/2016/11/14/kaspersky-windows-10s-anti-virus-integration-anti-competitive/" rel="external nofollow">integration of Windows Defender anti-competitive in the past</a>. Microsoft claimed in 2019 that <a data-wpel-link="internal" href="https://www.ghacks.net/2019/08/03/windows-defender-has-a-market-share-of-50/" rel="external nofollow">Windows Defender has a usage share of over 50%</a>.
</p>

<p>
	 
</p>

<p>
	Windows 10 users who run third-party antivirus solutions on their devices may wonder whether their products can be run on Windows 11 as well.
</p>

<p>
	 
</p>

<p>
	<img alt="Restore-the-Windows-10-Start-Menu-in-Win" class="ipsImage" data-ratio="75.10" height="368" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/07/Restore-the-Windows-10-Start-Menu-in-Windows-11-with-TenStartMenuFixer.webp">
</p>

<p>
	 
</p>

<p>
	AV Comparatives tested popular antivirus programs on a preview build of the Windows 11 operating system. The organization installed each solution on a clean system. The testers updated the database of the solution manually and restarted the device to make sure the software installed correctly and registered itself in Windows Security.
</p>

<p>
	 
</p>

<p>
	Several other tests were run to find out if the antivirus solutions were working correctly on the device. AV Comparatives shared the following requirements:
</p>

<p>
	 
</p>

<ul>
	<li>
		Install successfully, without requiring specialist knowledge or workarounds
	</li>
	<li>
		Activate real-time protection without user intervention
	</li>
	<li>
		Integrate with Windows Security
	</li>
	<li>
		Successfully update malware signatures, either automatically or manually
	</li>
	<li>
		Warn if real-time protection is disabled, and allow the user to reactivate it easily
	</li>
	<li>
		Provide (at least) the same malware detection as on Windows 10
	</li>
	<li>
		Take appropriate action when malware is encountered, ensuring that the system is protected
	</li>
	<li>
		Have no obvious bugs or erroneous notifications
	</li>
	<li>
		Uninstall cleanly and remove its entry in Windows Security
	</li>
</ul>

<p>
	 
</p>

<p>
	AV Comparatives published the full list of solutions that it found compatible on its site:
</p>

<p>
	 
</p>

<ul>
	<li>
		Avast Free Antivirus 21.7.2481
	</li>
	<li>
		AVG Free Antivirus 21.8.3202
	</li>
	<li>
		Avira Antivirus Pro 1.1.54.2291
	</li>
	<li>
		Bitdefender Internet Security 25.0.26.89
	</li>
	<li>
		ESET Internet Security 14.2.24.0
	</li>
	<li>
		G Data Total Security 25.5.11.316
	</li>
	<li>
		K7 Total Security 16.0.0556
	</li>
	<li>
		Kaspersky Internet Security 21.3.10.391
	</li>
	<li>
		Microsoft Defender Antivirus, as in Build 22454.1000 of Windows 11
	</li>
	<li>
		Malwarebytes Premium 4.4.6
	</li>
	<li>
		McAfee Total Protection 16.0
	</li>
	<li>
		Norton LifeLock Norton 360 22.21.8.62
	</li>
	<li>
		Panda Free Antivirus 21.00.00
	</li>
	<li>
		Total AV Total Security 5.15.69
	</li>
	<li>
		Total Defense Essential Antivirus 13.0.0.545
	</li>
	<li>
		Trend Micro Internet Security 17.0.1181
	</li>
	<li>
		VIPRE Advanced Security 11.0.6.22
	</li>
</ul>

<p>
	 
</p>

<p>
	AV Comparatives notes that none of the vendors of the listed solutions state that their products support Windows 11 officially. The company suggests that users on Windows 11 devices that were not upgraded from Windows 10 install a trial version of the antivirus solution they are interested in to make sure it is working correctly on the device.
</p>

<h3>
	Closing Words
</h3>

<p>
	Considering that Windows 10 and Windows 11 are very similar in many regards, it is clear that most software programs that work on Windows 10 devices will also work on Windows 11 devices. Third-party antivirus solutions have had their <a data-wpel-link="internal" href="https://www.ghacks.net/2019/04/11/oh-look-another-broken-windows-update-kb4493472-and-kb4493446-causing-issues/" rel="external nofollow">fair</a> <a data-wpel-link="internal" href="https://www.ghacks.net/2019/04/14/microsoft-confirms-two-known-issues-for-recent-windows-10-updates/" rel="external nofollow">share</a> of issues on Windows 10, especially during feature upgrades.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/09/30/these-antivirus-programs-are-compatible-with-windows-11-according-to-av-comparatives/" rel="external nofollow">These antivirus programs are compatible with Windows 11 according to AV Comparatives</a>
</p>
]]></description><guid isPermaLink="false">2555</guid><pubDate>Thu, 30 Sep 2021 23:44:28 +0000</pubDate></item><item><title>Don't track me Google for Firefox blocks links manipulations by Google when clicking or copying</title><link>https://nsaneforums.com/news/security-privacy-news/dont-track-me-google-for-firefox-blocks-links-manipulations-by-google-when-clicking-or-copying-r2554/</link><description><![CDATA[<p>
	When you visit Google Search in the Firefox web browser and run a search, search results look similar to how they are displayed in Google's own browser Chrome. When you right-click on a link to copy it, you will notice a difference when you compare the content that is copied.
</p>

<p>
	 
</p>

<p>
	In Chrome, the target URL is copied. In Firefox, an intermediary page is copied instead, which includes tracking data and is used by Google to track the activity.
</p>

<p>
	 
</p>

<p>
	<img alt="google-search-link-manipulation-firefox." class="ipsImage" data-ratio="75.10" height="369" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/09/google-search-link-manipulation-firefox.webp">
</p>

<p>
	 
</p>

<p>
	If you notice the behavior, you may have several questions about the difference. Why is Google treating Chrome and Firefox differently? What is the purpose of the intermediary page? How can Firefox be configured to copy the "real" link right away?
</p>

<p>
	 
</p>

<p>
	Chrome supports the Ping feature, also known as <a data-wpel-link="internal" href="https://www.ghacks.net/2019/04/20/mozilla-plans-to-enable-hyperlink-ping-tracking-by-default-in-firefox/" rel="external nofollow">Hyperlink Auditing</a>, and has enabled it by default for links. Firefox supports the feature, but it is not enabled in the browser. Tracking in Chrome uses the ping feature, and since it is available there, Google does not require the intermediary page. Because the feature is not enabled in Firefox, Google uses the intermediary page instead to track users.
</p>

<p>
	 
</p>

<p>
	Firefox users may check the value of the preference browser.send_pings on about:config. False means that the Ping feature is disabled, True that it is enabled.
</p>

<p>
	 
</p>

<p>
	The Firefox add-on Don't track me Google has been designed to prevent Google from replacing link targets with intermediary pages on its properties. Once installed, links can be copied or clicked without the intermediary tracking page being copied or loaded. The extension works automatically on the Google pages that it supports, including Google's main site and localized search domains.
</p>

<p>
	 
</p>

<p>
	Tip: Chrome users who use Google Search can't disable the Ping in the browser as there is no option to do so. <a data-wpel-link="internal" href="https://www.ghacks.net/2019/05/10/simple-ping-blocker-for-firefox/" rel="external nofollow">Extensions like uBlock Origin support blocking Ping on sites</a>.
</p>

<h3>
	Closing Words
</h3>

<p>
	It takes more and more time to configure browsers to protect against tracking on the Internet. Users who don't want to be tracked may want to avoid Google Chrome and Google properties, and use third-party alternatives instead that offer better protection against tracking.
</p>

<p>
	 
</p>

<p>
	For browsers, another Chromium-based browser, such as <a data-wpel-link="internal" href="https://www.ghacks.net/2016/04/06/vivaldi-web-browser-review/" rel="external nofollow">Vivaldi</a>, or a non-Chromium-based browser, such as <a data-wpel-link="internal" href="https://www.ghacks.net/category/firefox/" rel="external nofollow">Firefox</a>, may do the job. For search, <a data-wpel-link="internal" href="https://www.ghacks.net/2019/11/16/startpage-search-owner-changes-raise-serious-questions/" rel="external nofollow">Startpage</a>, <a data-wpel-link="internal" href="https://www.ghacks.net/2021/06/22/brave-search-beta-is-now-available-publicly/" rel="external nofollow">Brave Search</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2021/06/17/2021-looks-to-become-another-record-year-for-the-duckduckgo-search-engine/" rel="external nofollow">DuckDuckGo</a> are better options when it comes to tracking.
</p>

<p>
	 
</p>

<p>
	Landing Page: <a href="https://addons.mozilla.org/en-US/firefox/addon/dont-track-me-google1/" ipsnoembed="true" rel="external nofollow">https://addons.mozilla.org/en-US/firefox/addon/dont-track-me-google1/</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/09/30/dont-track-me-google-for-firefox-blocks-links-manipulations-by-google-when-clicking-or-copying/" rel="external nofollow">Don't track me Google for Firefox blocks links manipulations by Google when clicking or copying</a>
</p>
]]></description><guid isPermaLink="false">2554</guid><pubDate>Thu, 30 Sep 2021 23:40:25 +0000</pubDate></item><item><title>Chinese espionage group deploys new rootkit compatible with Windows 10 systems</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-espionage-group-deploys-new-rootkit-compatible-with-windows-10-systems-r2550/</link><description><![CDATA[<p>
	At the SAS 2021 security conference today, analysts from security firm Kaspersky Lab have published details about a new Chinese cyber-espionage group that has been targeting high-profile entities across South East Asia since at least July 2020.
</p>

<p>
	 
</p>

<p>
	Named GhostEmperor, Kaspersky said the group uses highly sophisticated tools and is often focused on gaining and keeping long-term access to its victims through the use of a powerful rootkit that can even work on the latest versions of Windows 10 operating systems.
</p>

<p>
	 
</p>

<p>
	“We observed that the underlying actor managed to remain under the radar for months,” Kaspersky researchers explained today.
</p>

<p>
	 
</p>

<p>
	The entry point for GhostEmperor’s hacks was public-facing servers. Kaspersky believes the group used exploits for Apache, Oracle, and Microsoft Exchange servers to breach a target’s perimeter network and then pivoted to more sensitive systems inside the victim’s network.
</p>

<p>
	 
</p>

<p>
	According to a technical report [PDF] released during the conference today, GhostEmperor used an assortment of different scripts and tools to deploy backdoors inside a victim’s network.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Ghost_Emperor_04.png" class="ipsImage" data-ratio="75.10" height="390" width="720" src="https://therecord.media/wp-content/uploads/2021/09/Ghost_Emperor_04.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>IMAGE: KASPERSKY</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	This backdoor (an in-memory implant) was then used to download and run Cheat Engine, a tool used by online gamers to introduce cheats in their favorite video games.
</p>

<p>
	 
</p>

<p>
	Kaspersky said GhostEmperor used Cheat Engine’s powerful drivers to bypass the Windows PatchGuard security feature and install a rootkit inside the victim’s Windows OS.
</p>

<p>
	 
</p>

<p>
	Called Demodex, researchers said the rootkit was extremely advanced and allowed the group to maintain access to the victim’s device even after OS reinstalls and even on systems running recent versions of the Windows 10 OS.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Ghost_Emperor_06.png" class="ipsImage" data-ratio="75.10" height="540" width="693" src="https://therecord.media/wp-content/uploads/2021/09/Ghost_Emperor_06.png" />
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">IMAGE: KASPERSKY</span></em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	But this wasn’t GhostEmperor’s only trick. Kaspersky also noted that the group’s malware was full of “a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques” that tried to prevent or hinder security researchers trying to analyze their malware.
</p>

<p>
	 
</p>

<p>
	In addition, GhostEmperor used another clever trick that consisted of modifying the communications between infected hosts and its command and control servers by re-packaging data as fake multimedia formats.
</p>

<p>
	 
</p>

<p>
	Security apps that spotted traffic from GhostEmperor’s malware would have normally classified it as RIFF, JPEG, or PNG files hosted on an Amazon server, researchers explained.
</p>

<p>
	 
</p>

<p>
	While Kaspersky did not reveal the name of the group’s targets, they said GhostEmperor went after governmental entities and telecommunication companies across South East Asia (Malaysia, Thailand, Vietnam, and Indonesia), with outliers in Egypt, Afghanistan, and Ethiopia.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/chinese-espionage-group-deploys-new-rootkit-compatible-with-windows-10-systems/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2550</guid><pubDate>Thu, 30 Sep 2021 17:43:33 +0000</pubDate></item><item><title>Assess and Secure Your Linux Footprint &#x2013; Now!</title><link>https://nsaneforums.com/news/security-privacy-news/assess-and-secure-your-linux-footprint-%E2%80%93-now-r2544/</link><description><![CDATA[<p>
	As the popularity of Linux continues to increase, so does its attack surface. For organizations, this brings to light a pressing question: Who is responsible for the security of all the Linux instances running your cloud environment?
</p>

<p>
	 
</p>

<p>
	The vast majority of cloud environments are built using Linux as their foundation, and most of the major cloud providers have founded their services on Linux. The public cloud is becoming an open-source operating environment, and Linux is proving to be the dominant force.
</p>

<p>
	Linux's strength originates in its open-source design and network of supporters. The value of Linux is that it’s the most available and reliable solution for critical workloads in data centers and cloud computing environments.
</p>

<p>
	 
</p>

<p>
	Linux is modular and scalable and can therefore support many use cases. Its ubiquity in use is a natural consequence of its development process. Decades of community development on Linux has resulted in a platform that is stable and configurable enough for everyone. It’s also resulted in many variants, and a single enterprise could have multiple ‘flavors’, including Ubuntu, Redhat, Amazon and others.
</p>

<p>
	 
</p>

<p>
	All of this raises the question: Who at your organization specializes in Linux? And as mentioned earlier, who is responsible for the security of all the Linux instances running in your cloud environment?
</p>

<p>
	 
</p>

<p>
	Unfortunately, many organizations do not have a good answer for this. I reviewed job postings at the top 10 publicly known enterprise cloud adopters in early August 2021. Only a few of them had Linux admins listed on their job boards.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:20px;">"Decades of community development on Linux has resulted in a platform that is stable and configurable enough for everyone"</span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	I then used Discover.org, a third-party tool to find technologies used at companies, to dig deeper. Only four of the top 10 listed Linux as being in their environment or had job postings open. None of them were for cloud security of the Linux environment — all were on-premises roles.
</p>

<p>
	 
</p>

<p>
	Some of this could be bias in data, in addition to job openings at the time of the search, so I talked to a few of our customers. The trend was the same: the internal expertise does not exist or isn’t as strong as it needs to be.
</p>

<p>
	 
</p>

<p>
	<strong>The Linux Threat Landscape</strong>
</p>

<p>
	<br />
	The lack of talent in Linux specific roles contrasts starkly with the Linux threat landscape. Recently Trend Micro released a research report on the state of Linux threats in the first half of 2021, highlighting the most critical security issues. Some of the key findings include:
</p>

<p>
	 
</p>

<ol>
	<li>
		Over 100,000 unique Linux hosts reported security events, showcasing a concerning amount of criminal activity targeting them
	</li>
	<li>
		In 2020 there were approximately 20,000 vulnerabilities reported; however, only 200 (1%) have publicly known exploits. This gives a clear path forward for security teams, who should prioritize patching known vulnerabilities
	</li>
	<li>
		Detections were found from end-of-life versions of Linux. These unsupported systems are no longer receiving critical security patches leaving them significantly more vulnerable to future exploits and attacks
	</li>
	<li>
		Over 13 million malware events were detected, including coin miners (the largest group at 24.6%), web shells, ransomware, trojans and other attacks
	</li>
</ol>

<p>
	 
</p>

<p>
	Additionally, in July 2021, there were almost 14 million exposed Linux servers detected by Censys.io, and Shodan detected almost 19 million Linux servers with port 22 exposed, leaving plenty of openings for attackers to target.
</p>

<p>
	 
</p>

<p>
	These misconfigurations are a prime example of why having strong internal expertise is important to ensure the proper security set-up is in place.
</p>

<p>
	 
</p>

<p>
	<strong>What Does This Mean?</strong>
</p>

<p>
	<br />
	In one way or another, more than 65% of the malware families found by Trend Micro exist in — and run on — Linux.
</p>

<p>
	 
</p>

<p>
	So let’s add it up: Many enterprises run on Linux, as do their clouds. Yet few organizations have the expertise in house to understand, govern and control their cloud implementations. Personally, I think that sounds like a recipe for disaster.
</p>

<p>
	 
</p>

<p>
	These are broad brush strokes, but ask yourself as you’re reading this: do you know what your cloud security is in relation to Linux? Do you know how much Linux is even in your cloud environment? Do you and your company have meaningful knowledge of the cloud footprint at your organization?
</p>

<p>
	 
</p>

<p>
	If not, take time now to begin to implement the foundation for identifying and securing your Linux footprint. Some security best practices to follow are using the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model.
</p>

<p>
	 
</p>

<p>
	Work with your cloud providers, cloud architects, and technology partners to gain an understanding of your cloud environment, and then create a plan to assess and secure it. Considering today’s threat landscape as it pertains to critical Linux assets, this should be an imperative for any organization today.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.infosecurity-magazine.com/blogs/assess-and-secure-linux-footprint/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2544</guid><pubDate>Thu, 30 Sep 2021 14:27:51 +0000</pubDate></item><item><title>RansomExx ransomware Linux encryptor may damage victims' files</title><link>https://nsaneforums.com/news/security-privacy-news/ransomexx-ransomware-linux-encryptor-may-damage-victims-files-r2543/</link><description><![CDATA[<p>
	Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files.
</p>

<p>
	 
</p>

<p>
	In a new report by Profero, Senior Incident Responder Brenton Morris says the RansomEXX decryptor was failing on various files encrypted by the threat actor's Linux VMware ESXi encryptor for one of the victims who paid the ransom.
</p>

<p>
	 
</p>

<p>
	After reverse-engineering the RansomExx Linux encryptor, Profero discovered that the problematic decryption was caused by Linux files not being adequately locked while they were encrypted.
</p>

<p>
	Without the file being locked, if the ransomware encrypted a Linux file at the same time as another process was writing to it, the resulting file would contain the encrypted data with unencrypted data appended after it, as shown below.
</p>

<p style="text-align:center;">
	<img alt="corrupted-ransomexx-file.jpg" class="ipsImage" data-ratio="75.10" height="525" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/ransom.exx/linux-corrupted-files/corrupted-ransomexx-file.jpg" />
</p>

<p style="text-align:center;">
	<strong><em><span style="font-size:12px;">Encrypted file with a mix of encrypted and unencrypted data</span></em></strong>
</p>

<p>
	"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris told BleepingComputer.
</p>

<p>
	"The Linux version of RansomEXX did not attempt to lock the file at all."
</p>

<p>
	When RansomExx encrypts a file, it appends an RSA-encrypted decryption key to the end of each encrypted file.
</p>

<p>
	If a victim pays a ransom, the threat actor supplies a decryptor that can decrypt each file's encrypted decryption key and then use it to decrypt the file's contents.
</p>

<p>
	However, as these problematic encrypted files had unencrypted data appended to the end of the file, the decryptor could not read the encrypted key properly and would fail to decrypt the file.
</p>

<p>
	<strong>Fixed decryptor released</strong>
</p>

<p>
	To aid their clients and the greater cybersecurity community, Profero has released an open-source RansomEXX decryptor that can decrypt files encrypted with this file locking issue.
</p>

<p style="text-align:center;">
	<img alt="ransomexx-decryptor.jpg" class="ipsImage" data-ratio="25.28" height="102" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/ransom.exx/linux-corrupted-files/ransomexx-decryptor.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>Profero's RansomEXX decryptor</strong></em></span>
</p>

<p>
	Victims still need to have acquired a decryption key from the threat actor, but they can now use a decryptor created by a cybersecurity firm rather than having to take the time to vet one provided by the threat actors.
</p>

<p>
	"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post.
</p>

<p>
	You can find complete instructions and command-line usage for using the decryptor in Profero's post and on the decryptor's GitHub page.
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-encryptor-may-damage-victims-files/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2543</guid><pubDate>Thu, 30 Sep 2021 14:21:11 +0000</pubDate></item><item><title>The Rise of One-Time Password Interception Bots</title><link>https://nsaneforums.com/news/security-privacy-news/the-rise-of-one-time-password-interception-bots-r2532/</link><description><![CDATA[<div>
	<p>
		In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That service quickly went offline, but new research reveals a number of competitors have since launched bot-based services that make it relatively easy for crooks to phish OTPs from targets.
	</p>

	<p>
		<img alt="snsranger.png" class="ipsImage" data-ratio="121.62" height="512" width="421" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/snsranger.png">
	</p>

	<div id="attachment_57154">
		<p id="caption-attachment-57154">
			An ad for the OTP interception service/bot “SMSRanger.”
		</p>
	</div>

	<p>
		Many websites now require users to supply both a password and a numeric code/OTP token sent via text message, or one generated by mobile apps like Authy and Google Authenticator. The idea is that even if the user’s password gets stolen, the attacker still can’t access the user’s account without that second factor — i.e. without access to the victim’s mobile device or phone number.
	</p>

	<p>
		The OTP interception service <a href="https://krebsonsecurity.com/2021/02/u-k-arrest-in-sms-bandits-phishing-service/" rel="external nofollow" target="_blank">featured earlier this year</a> — Otp[.]agency — advertised a web-based bot designed to trick targets into giving up OTP tokens. This service (and all others mentioned in this story) assumes the customer already has the target’s login credentials through some means.
	</p>

	<p>
		OTP Agency customers would enter a target’s phone number and name, and then the service would initiate an automated phone call that alerts that person about unauthorized activity on their account. The call would prompt the target to enter an OTP token generated by their phone’s mobile app (“for authentication purposes”), and that code would then get relayed back to the bad guy customers’ panel at the OTP Agency website.
	</p>

	<p>
		OTP Agency <a href="https://krebsonsecurity.com/wp-content/uploads/2021/09/otp-bye.png" rel="external nofollow" target="_blank">took itself offline</a> within hours of that story. But according to research from cyber intelligence firm <a href="https://www.intel471.com" rel="external nofollow" target="_blank">Intel 471</a>, multiple new OTP interception services have emerged to fill that void. And all of them operate via Telegram, a cloud-based instant messaging system.
	</p>

	<p>
		“Intel 471 has seen an uptick in services on the cybercrime underground that allow attackers to intercept one-time password (OTP) tokens,” the company wrote in <a href="https://intel471.com/blog/otp-password-bots-telegram" rel="external nofollow" target="_blank">a blog post today</a>. “Over the past few months, we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator. Some services also target other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”
	</p>

	<p>
		Intel471 says one new Telegram OTP bot called “SMSRanger” is popular because it’s remarkably easy to use, and probably because of the many testimonials posted by customers who seem happy with its frequent rate of success in extracting OTP tokens when the attacker already has the target’s “fullz,” personal information such as Social Security number and date of birth. From their analysis:
	</p>

	<p style="margin-left: 40px;">
		“Those who pay for access can use the bot by entering commands similar to how bots are used on popular workforce collaboration tool Slack. A simple slash command allows a user to enable various ‘modes’ — scripts aimed as various services — that can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier.
	</p>

	<p style="margin-left: 40px;">
		Once a target’s phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted. Users claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated.”
	</p>

	<p>
		Another OTP interception service called SMS Buster requires a tad more effort from a customer, Intel 471 explains:
	</p>

	<p style="margin-left: 40px;">
		“The bot provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number. From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV) and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English.” 
	</p>

	<p>
		These services are springing up because they work and they’re profitable. And they’re profitable because far too many websites and services funnel users toward multi-factor authentication methods that can be intercepted, spoofed, or misdirected — like SMS-based one-time codes, or even app-generated OTP tokens.
	</p>

	<p>
		The idea behind true “two-factor authentication” is that the user is required to present two out of three of the following: Something they have (mobile devices); something they know (passwords); or something they are (biometrics). For example, you present your credentials to a website, and the site prompts you to approve the login via a prompt that pops up on your registered mobile device. That is true two-factor authentication: Something you have, and something you know (and maybe also even something you are).
	</p>

	<p>
		<img alt="smsbuster.png" class="ipsImage" data-ratio="155.62" height="540" width="275" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/smsbuster.png">
	</p>

	<div id="attachment_57157">
		<p id="caption-attachment-57157">
			The 2fa SMS Buster bot on Telegram. Image: Intel 471.
		</p>
	</div>

	<p>
		In addition, these so-called “push notification” methods include important time-based contexts that add security: They happen directly after the user submits their credentials; and the opportunity to approve the push notification expires after a short period.
	</p>

	<p>
		But in so many instances, what sites request is basically two things you know (a password and a one-time code) to be submitted through the same channel (a web browser). This is usually still better than no multi-factor authentication at all, but as these services show, there are now plenty of options for circumventing this protection.
	</p>

	<p>
		I hope these OTP interception services make clear that you should never provide any information in response to an unsolicited phone call. It doesn’t matter who claims to be calling: If you didn’t initiate the contact, hang up. Don’t put them on hold while you call your bank; <a href="https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/" rel="external nofollow" target="_blank">the scammers can get around that, too</a>. Just hang up. Then you can call your bank or whoever else you need.
	</p>

	<p>
		Unfortunately, those most likely to fall for these OTP interception schemes are people who are less experienced with technology. If you’re the resident or family IT geek and have the ability to update or improve the multi-factor authentication profiles for your less tech-savvy friends and loved ones, that would be a fabulous way to show you care — and to help them head off a potential disaster at the hands of one of these bot services.
	</p>

	<p>
		When was the last time you reviewed your multi-factor settings and options at the various websites entrusted with your most precious personal and financial information? It might be worth paying a visit to <a href="https://2fa.directory" rel="external nofollow" target="_blank">2fa.directory</a> (formerly twofactorauth[.]org) for a checkup.
	</p>
</div>

<p>
	<a href="https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/" rel="external nofollow">The Rise of One-Time Password Interception Bots</a>
</p>
]]></description><guid isPermaLink="false">2532</guid><pubDate>Wed, 29 Sep 2021 20:52:26 +0000</pubDate></item><item><title>New FinSpy Malware Variant Infects Windows Systems With UEFI Bootkit</title><link>https://nsaneforums.com/news/security-privacy-news/new-finspy-malware-variant-infects-windows-systems-with-uefi-bootkit-r2529/</link><description><![CDATA[<p>
	Commercially developed FinFisher surveillanceware has been upgraded to infect Windows devices using a UEFI (Unified Extensible Firmware Interface) bootkit built on a trojanized Windows Boot Manager, marking a shift in infection vectors that allows it to elude discovery and analysis.
</p>

<p>
	Detected in the wild since 2011, FinFisher (aka FinSpy or Wingbird) is a spyware toolset for Windows, macOS, and Linux developed by Anglo-German firm Gamma International and supplied exclusively to law enforcement and intelligence agencies. But, as with NSO Group's Pegasus, the software has also allegedly been used to spy on Bahraini activists in the past and was delivered as part of spear-phishing campaigns in September 2017.
</p>

<p>
	FinFisher is equipped to harvest user credentials, file listings, sensitive documents, record keystrokes, siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove, intercept Skype contacts, chats, calls and transferred files, and capture audio and video by gaining access to a machine's microphone and webcam.
</p>

<p>
	While the tool was previously deployed through tampered installers of legitimate applications such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, subsequent updates in 2014 enabled infections via Master Boot Record (MBR) bootkits with the goal of injecting a malicious loader in a manner that's engineered to slip past security tools.
</p>

<p>
	The latest feature to be added is the ability to deploy a UEFI bootkit to load FinSpy, with new samples replacing the Windows UEFI boot loader with a malicious variant and featuring four layers of obfuscation and other detection-evasion methods to slow down reverse engineering and analysis.
</p>

<p>
	"This way of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks," Kaspersky's Global Research and Analysis Team (GReAT) said in a technical deep dive following an eight-month-long investigation. "UEFI infections are very rare and generally hard to execute; they stand out due to their evasiveness and persistence."
</p>

<p>
	UEFI is a firmware interface and an improvement over the basic input/output system (BIOS), with support for Secure Boot, which ensures the integrity of the operating system so that no malware has interfered with the boot process. But because UEFI facilitates the loading of the operating system itself, bootkit infections are not only resistant to OS reinstallation or replacement of the hard drive but are also inconspicuous to security solutions running within the operating system.
</p>

<p>
	This enables threat actors to have control over the boot process, achieve persistence, and bypass all security defences. "While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine," the researchers added.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/new-finspy-malware-variant-infects.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2529</guid><pubDate>Wed, 29 Sep 2021 16:06:21 +0000</pubDate></item><item><title>Apple AirTag Bug Enables &#x2018;Good Samaritan&#x2019; Attack</title><link>https://nsaneforums.com/news/security-privacy-news/apple-airtag-bug-enables-%E2%80%98good-samaritan%E2%80%99-attack-r2515/</link><description><![CDATA[<div>
	<p>
		The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website.
	</p>

	<p>
		The AirTag’s “Lost Mode” lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com, and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner’s message.
	</p>

	<p>
		When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at their specified phone number. This information pops up without asking the finder to log in or provide any personal information. But your average Good Samaritan might not know this.
	</p>

	<p>
		That’s important because Apple’s Lost Mode doesn’t currently stop users from injecting arbitrary computer code into its phone number field — such as code that causes the Good Samaritan’s device to visit a phony Apple iCloud login page.
	</p>

	<p>
		<img alt="airtagcall.png" class="ipsImage" data-ratio="84.64" height="540" width="454" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/airtagcall.png">
	</p>

	<div id="attachment_57129">
		<p id="caption-attachment-57129">
			A sample “Lost Mode” message. Image: Medium @bobbyrsec
		</p>
	</div>

	<p>
		The vulnerability was discovered and reported to Apple by <a href="https://www.linkedin.com/in/bobby-rauch/" rel="external nofollow" target="_blank">Bobby Rauch</a>, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical trojan horses.
	</p>

	<p>
		“I can’t remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized,” Rauch said.
	</p>

	<p>
		Consider the scenario where an attacker drops a malware-laden USB flash drive in the parking lot of a company he wants to hack into. Odds are that sooner or later some employee is going to pick that sucker up and plug it into a computer — just to see what’s on it (the drive might even be labeled something tantalizing, like “Employee Salaries”).
	</p>

	<p>
		If this sounds like a script from a James Bond movie, you’re not far off the mark. <a href="https://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/" rel="external nofollow" target="_blank">A USB stick with malware</a> is very likely how U.S. and Israeli cyber hackers got the infamous <a href="https://en.wikipedia.org/wiki/Stuxnet" rel="external nofollow" target="_blank">Stuxnet worm</a> into the internal, air-gapped network that powered Iran’s nuclear enrichment facilities a decade ago. In 2008, a cyber attack <a href="https://en.wikipedia.org/wiki/2008_cyberattack_on_United_States" rel="external nofollow" target="_blank">described</a> at the time as “the worst breach of U.S. military computers in history” was traced back to a USB flash drive left in the parking lot of a U.S. Department of Defense facility.
	</p>

	<p>
		In the modern telling of this caper, a weaponized AirTag tracking device could be used to redirect the Good Samaritan to a phishing page, or to a website that tries to foist malicious software onto her device.
	</p>

	<p>
		Rauch contacted Apple about the bug on June 20, but for three months when he inquired about it the company would say only that it was still investigating. Last Thursday, the company sent Rauch a follow-up email stating they planned to address the weakness in an upcoming update, and in the meantime would he mind not talking about it publicly?
	</p>

	<p>
		Rauch said Apple never acknowledged basic questions he asked about the bug, such as if they had a timeline for fixing it, and if so whether they planned to credit him in the accompanying security advisory. Or whether his submission would qualify for Apple’s “bug bounty” program, which promises financial rewards of up to $1 million for security researchers who report security bugs in Apple products.
	</p>

	<p>
		Rauch said he’s reported many software vulnerabilities to other vendors over the years, and that Apple’s lack of communication prompted him <a href="https://medium.com/@bobbyrsec/6997da43a216" rel="external nofollow" target="_blank">to go public with his findings</a> — even though Apple says staying quiet about a bug until it is fixed is how researchers qualify for recognition in security advisories.
	</p>

	<p>
		“I told them, ‘I’m willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout’,” Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. “Their response was basically, ‘We’d appreciate it if you didn’t leak this.'”
	</p>

	<p>
		Rauch’s experience echoes that of other researchers interviewed in <a href="https://www.washingtonpost.com/technology/2021/09/09/apple-bug-bounty/" rel="external nofollow" target="_blank">a recent Washington Post article</a> about how not fun it can be to report security vulnerabilities to Apple, a notoriously secretive company. The common complaints were that Apple is slow to fix bugs and doesn’t always pay or publicly recognize hackers for their reports, and that researchers often receive little or no feedback from the company.
	</p>

	<p>
		The risk, of course, is that some researchers may decide it’s less of a hassle to sell their exploits to vulnerability brokers, or on the darknet — both of which often pay far more than bug bounty awards.
	</p>

	<p>
		There’s also a risk that frustrated researchers will simply post their findings online for everyone to see and exploit — regardless of whether the vendor has released a patch. Earlier this week, a security researcher who goes by the handle “illusionofchaos” released writeups on three zero-day vulnerabilities in Apple’s iOS mobile operating system — apparently out of frustration over trying to work with Apple’s bug bounty program.
	</p>

	<p>
		Ars Technica <a href="https://arstechnica.com/information-technology/2021/09/three-ios-0-days-revealed-by-researcher-frustrated-with-apples-bug-bounty/" rel="external nofollow" target="_blank">reports</a> that on July 19 Apple fixed a bug that illusionofchaos reported on April 29, but that Apple neglected to credit him in its security advisory.
	</p>

	<p>
		“Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week’s three zero-days,” wrote Jim Salter for Ars. “In illusionofchaos’ own words: ‘Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would.'”
	</p>

	<p>
		Rauch said he realizes the AirTag bug he found probably isn’t the most pressing security or privacy issue Apple is grappling with at the moment. But he said nor is it difficult to fix this particular flaw, which requires additional restrictions on the data that AirTag users can enter into the Lost Mode’s phone number settings.
	</p>

	<p>
		“It’s a pretty easy thing to fix,” he said. “Having said that, I imagine they probably want to also figure out how this was missed in the first place.”
	</p>

	<p>
		Apple has not responded to requests for comment.
	</p>

	<p>
		Update, 12:31: Rauch shared an email showing Apple communicated their intention to fix the bug just hours before — not after — KrebsOnSecurity reached out to them for comment. The story above has been changed to reflect that.
	</p>
</div>

<p>
	<a href="https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/" rel="external nofollow">Apple AirTag Bug Enables ‘Good Samaritan’ Attack</a>
</p>
]]></description><guid isPermaLink="false">2515</guid><pubDate>Tue, 28 Sep 2021 23:37:04 +0000</pubDate></item><item><title>Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-foggyweb-malware-targeting-active-directory-fs-servers-r2496/</link><description><![CDATA[<p>
	Microsoft on Monday revealed new malware deployed by the hacking group behind the SolarWinds supply chain attack last December to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
</p>

<p>
	The tech giant's Threat Intelligence Center (MSTIC) codenamed the "passive and highly targeted backdoor" FoggyWeb, the latest tool of the threat actor tracked as Nobelium in a long list of cyber weaponry that includes Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, Flipflop, NativeZone, EnvyScout, BoomBox, and VaporRage.
</p>

<p>
	"Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," MSTIC researchers said. "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components."
</p>

<p style="text-align:center;">
	<img alt="Microsoft.jpg" class="ipsImage" data-ratio="43.06" height="306" width="720" src="https://thehackernews.com/images/-RZwU2yMCx5U/YVKYDerYYSI/AAAAAAAAD6o/g7KJa978b90MbS5ZvquPDfzYEG-xkbvTwCLcBGAsYHQ/s728-e1000/Microsoft.jpg" />
</p>

<p>
	Microsoft said it observed FoggyWeb in the wild as early as April 2021, describing the implant as a "malicious memory-resident DLL."
</p>

<p>
	Nobelium is the moniker assigned by the company to the nation-state hacking group widely known as APT29, The Dukes, or Cozy Bear — an advanced persistent threat that has been attributed to Russia's Foreign Intelligence Service (SVR) — and believed to have been behind the wide-ranging attack targeting SolarWinds that came to light in December 2020. The adversary behind this campaign is also being monitored under a variety of codenames like UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).
</p>

<p>
	FoggyWeb, installed using a loader that exploits a technique called DLL search order hijacking, is capable of transmitting sensitive information from a compromised AD FS server as well as receiving and executing additional malicious payloads retrieved from a remote attacker-controlled server. It's also engineered to monitor all incoming HTTP GET and POST requests sent to the server from the intranet (or internet) and to intercept HTTP requests that are of interest to the actor.
</p>

<p>
	"Protecting AD FS servers is key to mitigating Nobelium attacks," the researchers said. "Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains. Customers should review their AD FS Server configuration and implement changes to secure these systems from attacks."
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/microsoft-warns-of-foggyweb-malware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2496</guid><pubDate>Tue, 28 Sep 2021 12:35:50 +0000</pubDate></item><item><title>Bandwidth.com is latest victim of DDoS attacks against VoIP providers</title><link>https://nsaneforums.com/news/security-privacy-news/bandwidthcom-is-latest-victim-of-ddos-attacks-against-voip-providers-r2489/</link><description><![CDATA[<p>
	Bandwidth.com has become the latest victim of distributed denial of service attacks targeting VoIP providers this month, leading to nationwide voice outages over the past few days.
</p>

<p>
	Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers.
</p>

<p>
	Starting September 25th at 3:31 PM EST, Bandwidth began reporting that they were experiencing unexpected failures with their voice and messaging services.
</p>

<p>
	"Bandwidth is investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged," reported Bandwidth on their <a href="https://status.bandwidth.com/" rel="external nofollow" target="_blank">status page</a>.
</p>

<div>
	<figure>
		<p>
			<img alt="status-message.jpg" class="ipsImage" data-ratio="65.42" height="261" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/d/ddos/bandwidth/status-message.jpg">
		</p>

		<figcaption>
			Beginning of the outage messages reported by Bandwidth.com<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	Since then, Bandwidth has been providing frequent status updates detailing outages affecting voice, Enhanced 911 (E911) services, messaging, and access to the portal.
</p>

<p>
	As Bandwidth is one of the leading telephony providers for US voice over IP companies, many other VoIP vendors reported outages over the past few days, including <a href="https://status.twilio.com/" rel="external nofollow" target="_blank">Twilio</a>, <a href="https://www.accentvoice.com/cloud-status/" rel="external nofollow" target="_blank">Accent</a>, <a href="https://status.dialpad.com/" rel="external nofollow" target="_blank">DialPad</a>, <a href="https://status.phone.com/" rel="external nofollow" target="_blank">Phone.com</a>, and <a href="https://status.ringcentral.com/" rel="external nofollow" target="_blank">RingCentral</a>.
</p>

<p>
	While it has not been confirmed that these outages are related to Bandwidth's service disruption, all of the above carriers stated that an upstream provider had caused their outages.
</p>

<p style="margin-left: 40px;">
	"The upstream provider has indicated that service has returned to normal operation. We will continue to monitor this situation and report any new information as it becomes available. Customers should be prepared for potential impairments of inbound services within 12-16 hours as the potential exists for this DDoS attack to return. We will not close this issue until services have returned to the normal operation for a period of 72 hours." - Accent's <a href="http://www.accentvoice.com/cloud-status/" rel="external nofollow" target="_blank">status page</a>.
</p>

<p>
	Twilio initially told BleepingComputer that they were not affected by Bandwidth's attack, but their status page states that they had issues with Bandwidth today.
</p>

<p style="margin-left: 40px;">
	"Monitoring - We are observing recovery in Twilio Voice call quality and connection issues. Bandwidth is reporting the issue resolved as well. We will continue monitoring the service to ensure a full recovery. We will provide another update in 2 hours or as soon as more information becomes available." - Twilio's <a href="https://status.twilio.com/" rel="external nofollow" target="_blank">status page</a>.
</p>

<h2>
	Bandwidth.com hit with a DDoS attack
</h2>

<p>
	Earlier this month, VoIP provider <a href="https://www.bleepingcomputer.com/news/security/voipms-phone-services-disrupted-by-ddos-extortion-attack/" target="_blank" rel="external nofollow">VoIP.ms suffered a catastrophic week-long DDoS attack</a> that took down almost all of their services and portals, leaving their customers without voice services.
</p>

<p>
	The VoIP.ms attack was an extortion DDoS attack where threat actors impersonating the ransomware group 'REvil' <a href="https://web.archive.org/web/20210918231028/https://pastebin.com/y207gbnR" rel="external nofollow" target="_blank">initially demanded one bitcoin</a> ($45,000) to halt their attacks but <a href="https://twitter.com/REvil92457183/status/1439281375937433609" rel="external nofollow" target="_blank">later increased it to 100 bitcoins</a> ($4.5 million).
</p>

<div>
	<figure>
		<p>
			<img alt="voip-ms-ransom-note.jpg" class="ipsImage" data-ratio="75.10" height="309" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/d/ddos/bandwidth/voip-ms-ransom-note.jpg">
		</p>

		<figcaption>
			VoIP.ms ransom note<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	Due to this recent attack, Bandwidth customers immediately suspected that Bandwidth was also suffering from a similar DDoS attack.
</p>

<p>
	As VoIP services are commonly routed over the Internet and require their servers and endpoints to be publicly accessible, they are prime targets for DDoS extortion attacks.
</p>

<p>
	To conduct these DDoS attacks, threat actors overwhelm servers, portals, and gateways with more requests than they can handle, making the targeted devices and servers inaccessible to legitimate users.
</p>

<p>
	At this time, Bandwidth has not publicly disclosed the cause of its outage and has not responded to our queries.
</p>

<p>
	However, Bandwidth customers have told BleepingComputer that employees said a DDoS attack caused the outages.
</p>

<p>
	Another customer shared a screenshot on Reddit of a customer support message allegedly from a Technical Assistance Center manager who states that a DDoS attack is responsible for the outages.
</p>

<p>
	"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot <a href="https://archive.is/PmByW" rel="external nofollow" target="_blank">shared on Reddit</a>.
</p>

<div>
	<figure>
		<p>
			<img alt="bandwidth-customer-message.jpg" class="ipsImage" data-ratio="76.38" height="540" width="636" src="https://www.bleepstatic.com/images/news/security/attacks/d/ddos/bandwidth/bandwidth-customer-message.jpg">
		</p>

		<figcaption>
			Source: Reddit
		</figcaption>
	</figure>
</div>

<p>
	At this time, Bandwidth is reporting that their services are restored, and it is not clear if the threat actors stopped their attacks or were paid an extortion demand.
</p>

<p>
	Unfortunately, it is common for threat actors to briefly halt attacks while they push extortion attempts, so we will not know for sure if the DDoS attack is over until tomorrow.
</p>

<p>
	When we hear back from Bandwidth, we will update our story.
</p>

<p>
	This is a developing story.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bandwidthcom-is-latest-victim-of-ddos-attacks-against-voip-providers/" rel="external nofollow">Bandwidth.com is latest victim of DDoS attacks against VoIP providers</a>
</p>
]]></description><guid isPermaLink="false">2489</guid><pubDate>Tue, 28 Sep 2021 05:12:10 +0000</pubDate></item></channel></rss>
