Week in security with Tony Anscombe

New ESET Threat Report is out – Defending against Thunderspy attacks – Thousands of databases wiped in Meow attacks

The ESET research team has released its new quarterly threat report that gives a snapshot of the most prevalent cyber-threats and trends in 2Q 2020, as well as reveals previously unpublished research updates. This week, we also took a deep look at Thunderspy, a set of vulnerabilities in the Thunderbolt interface, and shared comprehensive advice for how to stay defend against attacks exploiting the flaws. In other news, thousands of unprotected internet-facing databases have fallen victim to ‘Meow’ attacks, where attackers destroy data with no explanation. All this – and more – on WeLiveSecurity.com.

Twitter breach: Staff tricked by ‘phone spear phishing’

The attackers exploited the human factor to gain access to Twitter’s internal systems and the accounts of some of the world’s most prominent figures

Twitter – still recovering from the recent brazen breach where miscreants hijacked 130 accounts belonging to prominent figures and used the handles to peddle a bitcoin scam – has now shed some light on the circumstances leading up to the incident.

According to the company’s investigation, the attackers used social engineering to target a handful of its employees via a “phone spear phishing attack”.

In a typical spear phishing attack, a criminal masquerades as a trusted entity and sends a tailored email or instant message to a well-researched target in order to steal their sensitive information, such as login credentials or financial information, or to deliver malware.

In Twitter’s case, the incursion seems to have involved phone calls and happened in multiple phases. “Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” said the social media giant.

We’re sharing an update based on what we know today. We’ll provide a more detailed report on what occurred at a later date given the ongoing law enforcement investigation and after we’ve completed work to further safeguard our service. https://t.co/8mN4NYWZ3O

— Twitter Support (@TwitterSupport) July 31, 2020

The attackers then leveraged these credentials to access the tools they needed for their grand scheme – infiltrating 130 accounts, tweeting from 45, accessing the direct messages (DMs) of 36, and downloading data from seven. The company described the attack as a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities.”

Twitter went on to say that in light of the attack it has revised its security measures and severely limited access to its internal tools and systems, while it investigates the incident further. The company warned that this may lead to a curtailed user experience:

“As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform.”

The social media platform also announced that it is working on improving its methods concerning the prevention and detection of inappropriate access and use of its internal tools. Twitter also vowed to continue to conduct company-wide phishing exercises.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

Shortly after the security breach dating back to July 15th, the hijacked account of Tesla CEO Elon Musk fired off a tweet saying “I‘m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

A spate of similar tweets followed from other hacked accounts, including those of Barack Obama, Joe Biden, Bill Gates and Jeff Bezos, among others. The ploy apparently worked, since one of the cryptocurrency wallets received 12.86 BTC (some US$117,000) over a short span of time.

Shortly after the incident, Motherboard, security journalist Brian Krebs, and the New York Times all published interesting accounts of what led to the breach, complete with testimonies from people allegedly involved in the scheme.

Additional reading

What to do if your Twitter account has been hacked

10 billion records exposed in unsecured databases, study says

The databases contain personal information that could be used for phishing attacks and identity theft schemes

Researchers have found close to 10.5 billion pieces of consumer data that has been left sitting in almost 10,000 unsecured internet-facing databases hosted across 20 countries. The data is said to include email addresses, passwords, and phone numbers.

The study was conducted by NordPass between June 2019 and June 2020 in cooperation with an unnamed white hat hacker, who scanned the web for Elasticsearch and MongoDB libraries in search of misconfigured databases.

It’s worth noting that three countries accounted for most of the exposed records, with France bearing the brunt (5.1 billion detected entries). China followed on 2.6 billion records and the United States came in third with 2.3 billion data points. When it comes to countries with the largest numbers of ill-configured databases, China came first (4,000), followed by the US (3,000) and India (500).

Since the information is stored in unprotected databases, cybercriminals would have to put in little to no effort to gain access to the data. With the records in hand they could wreak all sorts of havoc on their victims.

For example, the pilfered data could be used for social engineering attacks that are ultimately aimed at draining your bank accounts or at breaking into your other accounts. These attacks pay dividends especially if you recycle your passwords across various online services.

The stolen information could also be used to conduct (spear)phishing attacks that could lead to hundreds of thousands of dollars in losses, as one Premier League club almost found out recently. In other scenarios, miscreants could sell the data on the dark web, extort the victims or, as the recent ‘Meow’ attacks have shown, some data could simply be replaced with random garbage. Passwords are the bare minimum the admins should have used to secure the databases.

RELATED READING: Five tips for keeping your database secure

It’s worthwhile to remind ourselves of some account security basics, which include using unique and strong passwords or passphrases, potentially with the help of a password manager. It’s also highly advisable to use two-factor authentication, which adds an extra layer of security in exchange for very little effort. If you ever suspect that something is amiss with your accounts, you can also check out our handy guide on how to check if your password has been stolen.

Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe

All you need to know about preventing adversaries from exploiting the recently disclosed vulnerabilities in the Thunderbolt interface

In May 2020, Björn Ruytenberg, a computer security researcher at the Eindhoven University of Technology in the Netherlands, announced the discovery of Thunderspy, a series of vulnerabilities in the Thunderbolt technology and interrelated scenarios for changing – including disabling – the security level of the Thunderbolt interface on a computer and allowing an adversary with physical access to it to copy data off of it, even if full disk encryption (FDE) is used and the machine is locked with a password or sleeping in low-power mode.

While Ruytenberg’s research has (quite deservedly) received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim. In this article, we will explore practical methods to defend against it, as well as anti-tamper steps that can help ascertain if a computer has been physically compromised.

Note: Attacks such as those described by Ruytenberg are both highly-targeted and very rare compared to the types of attacks reported by ESET’s telemetry on a daily basis, and can sound like something out of a spy novel. Although this may represent a realistic threat to, say, 0.001% of computer users with over 100 million people trusting our software on a daily basis, that is still over 1,000 potential victims. For those people, following some of the admittedly draconian recommendations in this article can help reduce that risk. Regardless of your risk level, we hope you will find this information to be of use.

Background

Figure 1. Two Thunderbolt 3 ports on a MacBook Pro

Thunderbolt is an interface for allowing high-speed connections between computers and peripherals such as external RAID arrays, cameras, high-resolution displays, multi-gigabit network connections, and expansion docks and cages for external video cards. Originally developed by Intel and Apple, it first appeared in the 2011 release of Apple’s MacBook Pro notebook computers. It was followed by Thunderbolt 2 in 2013, and Thunderbolt 3 in 2016.

Table 1. List of Thunderbolt releases

Generation Released Intel Controller Connector type Speed Thunderbolt 2011 Light Peak Mini DisplayPort 20Gbit/s (two 10Gbit/s bonded lanes) Thunderbolt 2 2013 Falcon Ridge Mini DisplayPort 20Gbit/s Thunderbolt 3 2016 Alpine Ridge USB Type-C 40Gbit/s Thunderbolt 3 2018 Titan Ridge (refresh of Alpine Ridge) USB Type-C 40Gbit/s

The technology that enables these types of high-speed connections between computers and peripherals is Direct Memory Access (DMA). Simply put, DMA allows peripherals to read and write directly to any location in a computer’s memory, bypassing CPU management overhead and delays while the CPU processes other interrupts and I/O requests, greatly speeding up the transfer of data. In this case, DMA is something of a two-edged sword: If the interface channel using DMA is not secured, there is the possibility for memory to be read from or written to in ways that impact the confidentiality, integrity or availability of information stored in it.

Understand that this does not mean that Thunderbolt technology, or utilizing DMA for transfers, is inherently insecure, but rather that the risks involved need to be carefully examined and modeled in order to defend against possible attacks. The use of DMA in PCs dates back to the design of the original IBM PC released in 1981 and may have been present in earlier computer designs as well. PCs have had several DMA interfaces over the years, from expansion cards like ISA, EISA, PCI, PCIe and VLB, floppy diskette and hard disk drive controllers, CardBus and ExpressCard on notebook computers, and so forth. DMA is a robust technique and one that can be implemented with security checks and balances.

If any of this sounds vaguely familiar, you may recall a WeLiveSecurity article from 2011, Where there’s Smoke, there’s FireWire, discussing DMA abuse using FireWire (IEEE-1394) interfaces in both PCs and Macs. And, it should be noted, there are other kinds of attacks on hardware as well, such as 2015’s Thunderstrike, which targeted the EFI ROM in Macs, and 2018’s Meltdown and Spectre speculative execution vulnerabilities in CPUs.

For an introduction to Thunderspy attacks, read the Thunderbolt flaws open millions of PCs to physical hacking on WeLiveSecurity. If you have not read that article, I strongly encourage you to read it before proceeding. With that proviso in mind, let’s look at the threat model for Thunderspy, what are realistic targets for an attacker, and perhaps most importantly, realistic defenses against those.

Attacking

Ruytenberg provides two proofs of concept (sample code) for Thunderspy that accomplish two different tasks:

Clone the identities of Thunderbolt devices allowed by the computer. Permanently disable Thunderbolt security.

The first cloning attack is like thieves who steal a key to a lock and then copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of “bricking” a chip. In this case, disabling Thunderbolt’s security levels and then write-protecting the changes made so they cannot be undone.

Cloning requires plugging custom Thunderbolt hardware into the target computer and/or disassembling the target computer in order to attach an SPI programmer to the Thunderbolt chip’s SPI flash ROM chip cabled to an SOIC clip adapter. Bricking the chip requires use of the SPI programmer and cable clip adapter, too.

Additional attack scenarios require running software and/or obtaining information about firmware versions on the target computer.

In case it is not clear from the description above, these types of attacks are not done simply, since actual in-person access to the computer is required, along with the tools to disassemble the physical computer, attach the logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. All without the computer owner noticing this has occurred (and, of course, not accidentally damaging the computer in the process).

Because of the time and complexity of this type of

ESET Threat Report Q2 2020

A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

With half a year passed from the outbreak of COVID-19, the world is now trying to come to terms with the new normal. But even with the initial panic settled, and many countries easing up on their lockdown restrictions, cyberattacks exploiting the pandemic showed no sign of slowing down in Q2 2020.

Our specialists saw a continued influx of COVID-19 lures in web and email attacks, with fraudsters trying to make the most out of the crisis. ESET telemetry also showed a spike in phishing emails impersonating one of the world’s leading package delivery services – a tenfold increase compared to Q1 – and targeting online shoppers. The rise in attacks targeting Remote Desktop Protocol (RDP) – the security of which still often remains neglected – continued in Q2, with persistent attempts to establish RDP connections more than doubling since the beginning of the year. 

One of the most rapidly developing areas in Q2 was the ransomware scene, with some operators abandoning the – still quite new – trend of doxing and random data leaking, and moving to auctioning the stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers. 

Ransomware also made an appearance on the Android platform, targeting Canada under the guise of a COVID-19 tracing app. ESET researchers quickly put a halt to this campaign and provided a decryptor for victims. Among many other findings, our researchers uncovered Operation In(ter)ception, which targeted high-profile aerospace and military companies; revealed the modus operandi of the elusive InvisiMole group; and dissected Ramsay, a cyberespionage toolkit targeting airgapped networks. 

Besides offering recaps of these findings, this report also brings exclusive, previously unpublished ESET research updates, with a special focus on APT group operations – see the News From the Lab and APT Group Activity sections! 

Throughout the first half of 2020, ESET has also actively contributed to the MITRE ATT&CK knowledge base in its newly released, revamped version with sub-techniques. The latest ATT&CK update includes four new ESET contributions. 

And finally, after a break, this quarter has seen new conference plans take shape – although with packed venues replaced by virtual streams – and we are excited to invite you to ESET’s talks and workshops at BlackHat USA, BlackHat Asia, VB2020 and others. 

Follow ESET research on Twitter for regular updates on key trends and top threats. 

FBI warns of disruptive DDoS amplification attacks

The Bureau expects cybercriminals to increasingly abuse new threat vectors for large-scale DDoS attacks

The Federal Bureau of Investigation (FBI) has issued an alert warning private sector organizations in the United States about a ramp-up in the use of built-in network protocols for large-scale distributed denial-of-service (DDoS) amplification attacks.

“A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim. Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources,” wrote the FBI. The alert has been posted online, including on the website of the the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).

The FBI highlights recent threat vectors and developments, noting that the first DDoS amplification attacks to abuse the network protocols go back to December 2018, when cybercriminals exploited the multicast and command transmission features of the Constrained Application Protocol (CoAP). Most of the internet-accessible CoAP devices can be found in China and are using peer-to-peer networks.

During the summer of 2019, attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, some of which achieved a magnitude of 350 Gigabits per second. Internet of Things (IoT) devices use WS-DD protocols to automatically detect other devices nearby and since there are 630,000 with this protocol enabled, they can be attractive targets used to amplify DDoS attacks. That same year, researchers also reported a rise in the use of misconfigured IoT devices in amplified DDoS attacks.

In October 2019, miscreants abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD), to conduct DDoS amplification attacks. This protocol is usually employed by large organizations to manage their Apple computers.

Making matters worse, in February 2020 researchers found a vulnerability in the built-in network discovery protocols of Jenkins servers, which could potentially allow attackers to amplify DDoS attack traffic a hundredfold against their victims. There is no record of the flaw being exploited so far, but the FBI highlighted the resulting increase in the attack surface.

“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” said the FBI in its private industry notification.

The Bureau also outlined several steps to defend against the threat:

Set up a network firewall that will block access to all unauthorized IP addresses. Ensure all your connected devices are updated to the newest firmware versions and have the newest security patches applied. Change all the default usernames and passwords on your IoT and other devices and use two-factor authentication. Register with a DDoS mitigation service.

DDoS attacks typically involve flooding a target with traffic that came from a large number of devices that have been corralled into a botnet, effectively bringing the victim’s services offline. These onslaughts are often unleashed as a way to extort money from the targets or even as a cover for other attacks. Whatever the motive, DDoS attacks in any of their flavors are known to cost organizations millions in lost revenue.

Almost 4,000 databases now wiped in ‘Meow’ attacks

The attackers and their motivations remain unknown; however, the incidents yet again highlight the risks of careless data security

Thousands of unsecured internet-facing databases have been on the receiving end of automated ‘Meow’ attacks that involve destroying the data without leaving as much as an explanatory note.

A search on Shodan shows that as the Meow attacks have escalated in recent days, with almost 4,000 databases now wiped. While more than 97% of the attacks hit Elasticsearch and MongoDB instances, systems running Cassandra, CouchDB, Redis, Hadoop, Jenkins, and Apache ZooKeeper have been targeted as well, wrote BleepingComputer.

The onslaughts owe their moniker to the fact that the data is overwritten with random characters that include the word ‘meow’. Both the perpetrators and their reasons for the scorched-earth tactics remain unknown.

Meanwhile, a security researcher wrote on Twitter that the attacks have been carried out using ProtonVPN IP addresses.

The #meow attack is going thru @protonvpn, not sure how many origin IPs there are. From the logs in MongoDB you can see it drops databases first then create new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7

[email protected] (@anthrax0) July 24, 2020

Proton responded by saying, “We are looking into this and will block all usage of ProtonVPN which goes against our terms and conditions.”

One of the first recorded instances of these Meow attacks targeted an Elasticsearch database belonging to a VPN provider. The unsecured database was discovered by security researcher Bob Diachenko and was one of the 7 VPN services that leaked the data of over 20 million users.

Diachenko went on to notify the hosting provider on July 14th, and the database was secured the next day. However, it was exposed the second time on July 20th and then hit with a Meow bot attack that wiped almost all the data stored on the database.

RELATED READING: Five tips for keeping your database secure

The onslaughts have also been observed by researchers from the non-profit GDI Foundation. One of the attacks occurred after a researcher responsibly disclosed an exposed database to its owner. Victor Gevers, the foundation’s chairman, noted that the perpetrator is probably targeting any unsecured database that can be accessed over the internet.

While some researchers debate whether the attackers are trying to ‘educate’ administrators to keep their databases locked down, the fact of the matter remains that administrators should properly secure their assets.

Attacks on misconfigured databases are not a rare occurrence. A mere few weeks ago, we wrote about thousands of unsecured MongoDB databases that were ransacked and held for ransom. However, wiping ill-secured databases without leaving any (ransom) notes whatsoever could be considered unusual.

Week in security with Tony Anscombe

VPN services accused of leaking personal data – Better security in Gmail, Meet and Chat – Data breach reports in 1H2020

Seven VPN providers that claimed to adhere to no-logs policies had left a database with the personal details of more than 20 million users exposed on the open internet, a report released this week said. Google is adding security-enhancing features to Gmail, Meet and Chat. The number of data breaches in the US fell by one-third in the first half of 2020 year-on-year, but the Identity Theft Resource Center doesn’t expect this trend to last. All this – and more – on WeLiveSecurity.com.

Premier League team narrowly avoids losing £1 million to scammers

In another incident, ransomware attackers almost forced the cancellation of a match, a report reveals

Sports organizations from around the United Kingdom have been urged to tighten their cybersecurity after a report revealed a string of attacks against various sports clubs, including an attempt to disrupt a lucrative Premier League transfer deal.

In its first Cyber Threat to Sports Organizations report, the UK’s National Cyber Security Centre (NCSC) singled out Business Email Compromise (BEC) fraud as the biggest threat to sports organizations, with financial gain being the key motivation for BEC attackers. No wonder the sports industry is a lucrative target, contributing £37 billion (US$47 billion) to the UK’s economy each year.

As an example, the NCSC highlighted an incident in which the email account belonging to the managing director of a Premier League club was compromised during a transfer negotiation worth £1 million (US$1.3 million). The attackers used a spear phishing attack involving a malicious email that took the director to a spoofed Office 365 login page where he unwittingly turned over his credentials.

“The attackers assumed the identity of the MD and communicated with the European club. Simultaneously they created a false email account and pretended to be the European club in communications with the real MD,” said the report.  Fortunately, a bank involved in the transfer stepped in at the eleventh hour and thwarted the scheme. In a way, the incident brings echoes of a similar scam where Italian Serie A team Lazio was reportedly duped out of £1.75 million (US$2.2 million).

The NCSC also singled out a ransomware attack that encrypted all end-user devices and several servers belonging to an English Football League club. The attack also cut off its security cameras and turnstiles, which almost led to a match cancellation. The team refused to pay a hefty 400 bitcoin ransom (some US$4 million today) and eventually recovered, but not before incurring losses totaling several hundred thousand pounds.

RELATED READING: Ransomware: Expert advice on how to keep safe and secure

Once it audited its systems, the team found that it lacked sufficient security controls, didn’t invest enough in cybersecurity infrastructure, and didn’t have an emergency response plan in place. Regularly patching and updating systems as well as having backups are just some of the recommendations organizations should implement; for more advice on defending against ransomware, be sure to check out this white paper.

In another incident, a member of staff at a UK racecourse wanted to purchase a piece of grounds keeping equipment on eBay, ultimately agreeing with a seller to pay £15,000 (some US$19,000) for one such listed item. “At this point the seller sent the member of staff bank transfer details via an eBay message, this diverted the member of staff to a spoofed version of eBay ,” reads the report. The buyer made the payment and while they later realized their mistake the money couldn’t be recovered.

RELATED READING: Common eBay scams and how to avoid them

The big picture

The NCSC report also revealed that at least 70% of the surveyed sports organizations experienced some form of cyber-incident or breach every year, with 3 in 10 incidents ending up causing direct financial damage to the targeted clubs. The average cost of such an incident was more than £10,000 (some US$12,700) while the biggest single loss incurred was worth an astounding £4 million (approx. US$5.1 million).

“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC. He also went on to urge sports organizations to improve their cybersecurity in order to protect themselves – as well as millions of fans. For example, to mitigate the risk of successful BEC attempts, organizations would be well advised to implement some form of multi-factor authentication.

Meanwhile, Sir Hugh Robertson, the Chair of the British Olympic association, acknowledged the importance of the report, saying, “The British Olympic Association sees this report as a crucial first step, helping sports organizations to better understand the threat and highlighting practical steps that organizations should take to improve cybersecurity practices.”

Google adds security enhancements to Gmail, Meet and Chat

The tech giant introduces its own version of verified accounts in Gmail, rolls out increased moderation controls in Meet, and enhances phishing protection in Chat

Google has announced a host of new features for its G Suite family of applications that are aimed at bolstering the security of Gmail, Meet and Chat users. The company is also introducing new ways for IT administrators to manage and secure devices using the Admin Console.

The search engine giant is piloting a new feature that will display the logo of an organization or brand in the avatar slot of the Gmail user interface. That should give people more confidence that the email message is from a legitimate sender and ultimately thwart phishing attacks that spoof genuine companies.

The new functionality uses the Brand Indicators for Message Identification (BIMI) standard and allows organizations that use the DMARC technology to validate the ownership of their logos and securely transmit them to Google. The BIMI standard is being developed by the AuthIndicators Working Group, which Google joined a year ago.

“BIMI provides benefits to the whole email ecosystem. By requiring strong authentication, users and email security systems can have increased confidence in the source of emails, and senders will be able to leverage their brand trust and provide their customers with a more immersive experience,” said Google.

Source: Google Cloud blog

The videoconferencing platform Google Meet also received a security boost in the form of new controls that allow the host to manage who can join meetings and how. Uninvited guests who have been ejected out of a meeting won’t be able to re-join unless the host re-invites them. Meanwhile, attendees who’ve had their knocking requests denied multiple times will be automatically banned from sending more requests.

Additionally, hosts are also receiving advanced safety lock capabilities that let them decide on the method through which people can join meetings and what level of participation they are allowed once they join. While safety locks are engaged, anonymous users, i.e. those not logged into their Google accounts, will be blocked from joining the meeting.

Google has also bolstered phishing protection in Google Chat. Previously launched on Gmail, the new safeguard checks links sent in Chat against real-time data from Safe Browsing and warns users if it finds anything suspicious. Blocking and reporting Chat Rooms if anything malicious is afoot is another feature that is being rolled out to users over the coming weeks. Google also added a filter that automatically detects and limits abusive content, such as spammy invites across G Suite.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

IT admins will get a slew of new and enhanced tools to manage G Suite, including a redesigned devices page for better device management as well as Apple Business Manager integration allowing them to easily manage their organization’s iOS devices. Google has also introduced some new tools to its Data Loss Prevention feature.

The updates are being released to respond to the needs of people working remotely after COVID-19 has forced a lot of companies to shift to teleworking. If working from home is starting to feel demoralizing, ESET Chief Security Evangelist Tony Anscombe has some advice on how to overcome the associated challenges.