Hackers could force locked iPhones to make contactless payments

Flaws in Apple Pay and Visa could allow criminals to make arbitrary contactless payments – no authentication needed, research finds

The post Hackers could force locked iPhones to make contactless payments appeared first on WeLiveSecurity

ESET Threat Report T2 2021

A view of the T2 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts


CISA and NSA release guidance for securing VPNs

What your organization should consider when it comes to choosing a VPN solution and hardening it against attacks


Google releases emergency fix to plug zero‑day hole in Chrome

The emergency release comes a mere three days after Google’s previous update that plugged another 19 security loopholes


Week in security with Tony Anscombe

ESET unmasks FamousSparrow APT group – Stopping cloud data leaks – European cybercrime ring busted

In this edition of Week in security, Tony looks at these topics:

ESET research that uncovered a new cyberespionage group, FamousSparrow, that has targeted hotels, governments, and private companies worldwide and is another APT group to have leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon.

Risks posed by misconfigurations of cloud resources, as these errors contribute to leaks of billions of records every year and the resulting incidents represent a major threat to corporate security, reputation and bottom line.

Europol cracking down on a cybercrime operation that was run by a gang linked to the Italian Mob.

All this – and more – on WeLiveSecurity.com. Connect with us on Facebook, Twitter, LinkedIn and Instagram.

Bug in macOS Finder allows remote code execution

While Apple did issue a patch for the vulnerability, it seems that the fix can be easily circumvented

Researchers have uncovered a flaw in Apple’s macOS Finder that could allow remote threat actors to dupe unsuspecting users into running arbitrary commands on their devices. The security loophole affects macOS Big Sur and all earlier versions.

“A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user,” reads the blog by SSD Secure Disclosure about the bug.

Park Minchan, an independent researcher who was credited with the discovery of the security loophole, commented that the mail application isn’t the only possible attack vector, but that the vulnerability could be exploited using any program that could attach and execute files, naming iMessage and Microsoft Office as viable examples.

The security flaw stems from how macOS processes Internet Location (INETLOC) files, which are shortcuts to internet locations such as RSS feeds or telnet servers. These files usually contain a web address and can sometimes contain usernames and passwords for secure shell (SSH) and telnet connections. The way macOS processes INETLOC files causes any commands embedded inside them to run, so an attacker can execute arbitrary commands without any alert or prompt being shown to the user.

“The case here inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files. If the inetloc file is attached to an email, clicking on the attachment will trigger the vulnerability without warning,” reads the description of how the bug could be exploited.

The Cupertino tech giant was notified of the vulnerability and went on to patch the “file://” flaw silently. Oddly enough, it decided to forgo assigning it a Common Vulnerabilities and Exposures (CVE) identifier. Additionally, the patch does not seem to have addressed the bug entirely.

While newer versions of macOS (Big Sur and later) block the file:// prefix, changing the case of letters in file:// to, e.g., File:// or fIle:// will circumvent the check, which indicates the block is a case-sensitive literal match. SSD Secure Disclosure said that it reached out to Apple and notified the company about the issue; however, it has not received any reply and the vulnerability has yet to be properly patched.
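The bypass above is a textbook case-sensitivity mistake, and it is worth seeing both sides of it in code. The following is an added example written for this page, not code from the article, from SSD Secure Disclosure or from Apple. It assumes an .inetloc file is an XML property list whose top-level dictionary stores the target in a “URL” string (the layout macOS uses for .webloc/.inetloc shortcuts); the sample file embedded below is constructed for the example.

```python
"""Check the scheme of an Internet Location (.inetloc) shortcut case-insensitively.

Added example, not code from the original article, from SSD Secure Disclosure or
from Apple. Assumes an .inetloc file is an XML plist with a top-level "URL"
string; SAMPLE_INETLOC below is a constructed sample.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed sample: what a malicious .inetloc attachment could contain.
# The mixed-case scheme is the point: a literal "file://" prefix check misses it.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>File:///System/Applications/Calculator.app</string>
</dict>
</plist>
"""


def extract_url(inetloc_bytes: bytes) -> str:
    """Parse the plist and return the stored URL ("" if the key is missing)."""
    data = plistlib.loads(inetloc_bytes)
    return str(data.get("URL", ""))


def naive_is_blocked(url: str) -> bool:
    """The kind of check the article says is bypassed: a literal prefix match."""
    return url.startswith("file://")


def hardened_is_blocked(url: str) -> bool:
    """Compare the parsed scheme in lower case, so file://, File://, fIle://
    and a URL with leading whitespace all reach the same decision."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme == "file"


def audit(inetloc_bytes: bytes) -> dict:
    """Report both verdicts for one shortcut file."""
    url = extract_url(inetloc_bytes)
    return {
        "url": url,
        "naive_blocked": naive_is_blocked(url),
        "hardened_blocked": hardened_is_blocked(url),
    }


if __name__ == "__main__":
    for probe in ("file:///etc/hosts", "File:///etc/hosts",
                  "fIle:///etc/hosts", "https://example.com"):
        print(f"{probe:24} naive={naive_is_blocked(probe)!s:5} "
              f"hardened={hardened_is_blocked(probe)}")
    print(audit(SAMPLE_INETLOC))
```

The hardened check normalizes the scheme before comparing it, which is the general fix: decide on the parsed, canonical form of an input, never on its raw bytes. The same audit routine can be pointed at mail attachments or at files dropped by iMessage and Office, the other vectors the researcher named.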

Plugging the holes: How to prevent corporate data leaks in the cloud

Misconfigurations of cloud resources can lead to various security incidents and ultimately cost your organization dearly. Here’s what you can do to prevent cloud configuration conundrums.

Forget shadowy attackers deploying bespoke zero-day exploits from afar. A risk that is far more real for organizations as they embark on ambitious digital transformation projects is human error. In fact, “miscellaneous errors” accounted for 17% of data breaches last year, according to Verizon. When it comes to the cloud, there’s one particular trend that stands out above all others: misconfiguration. It’s responsible for the leak of billions of records every year and remains a major threat to corporate security, reputation and bottom line.

Mitigating this persistent human-shaped threat will require organizations to focus on gaining better visibility and control of their cloud environments – using automated tooling where possible.

How bad are cloud data leaks?

Digital transformation saved many organizations during the pandemic. And now it’s seen as the key to driving success as they exit the global economic crisis. Cloud investments sit at the heart of these projects – supporting applications and business processes designed to power new customer experiences and operational efficiencies. According to Gartner, global spending on public cloud services is forecast to grow 18.4% in 2021 to total nearly $305 billion, and then increase by a further 19% next year.

However, this opens the door to human error – as misconfigurations expose sensitive data to potentially malicious actors. Sometimes these records contain personally identifiable information (PII), such as the leak affecting millions at a Spanish developer of hotel reservation software last year. However, sometimes it’s arguably even more sensitive. Just last month it emerged that a classified US terrorist watchlist had been exposed to the public internet.

The bad news for organizations is that threat actors are increasingly scanning for these exposed databases. In the past, they’ve been wiped and held to ransom, and even targeted with digital web skimming code.

The scale of these leaks is astonishing: an IBM study from last year found that over 85% of the 8.5 billion breached records reported in 2019 were due to misconfigured cloud servers and other improperly configured systems. That’s up from less than half in 2018. The figure is likely to keep on rising until organizations take action.

What’s the problem?

Gartner predicted that by 2020, 95% of cloud security incidents would be the customer’s fault. So who’s to blame? It boils down to a number of factors, including a lack of oversight, poor awareness of policies, an absence of continuous monitoring, and too many cloud APIs and systems to manage. The latter is particularly acute as organizations invest in multiple hybrid cloud environments. Estimates suggest that 92% of enterprises today have a multi-cloud strategy, while 82% have a hybrid cloud strategy ramping up complexity.

Cloud misconfigurations can take many forms, including:

A lack of access restrictions. This includes the common issue of public access to AWS S3 storage buckets, which could allow remote attackers to access data and write to cloud accounts.

Overly permissive security group policies. This could include making AWS EC2 servers accessible from the internet via SSH port 22, enabling remote attacks.

A lack of permissions controls. Failure to limit users and accounts to least privilege can expose the organization to greater risk.

Misunderstood internet connectivity paths.

Misconfigured virtualized network functions.

Shadow IT can also increase the chances of the above happening, as IT will not know whether cloud systems have been configured correctly or not.

How to fix cloud misconfiguration

The key for organizations is to automatically find and fix any issues as quickly as possible. Yet they’re failing. According to one report, an attacker can detect misconfigurations within 10 minutes, but only 10% of organizations remediate these issues within that time. In fact, nearly half (45%) of organizations fix misconfigurations anywhere between one hour and one week later.

So what can be done to improve things? The first step is understanding the shared responsibility model for cloud security. This denotes which tasks the service provider (CSP) will take care of and what falls under the remit of the customer. While CSPs are responsible for security of the cloud (hardware, software, networking and other infrastructure), customers must take on security in the cloud, which includes configuration of their assets.

Once this is established, here are a few best practice tips:

Limit permissions: Apply principle of least privilege to users and cloud accounts, thereby minimizing risk exposure.

Encrypt data: Apply strong encryption to business-critical or highly regulated data to mitigate the impact of a leak.

Check for compliance before provisioning: Prioritize infrastructure-as-code and automate policy configuration checks as early as possible in the development lifecycle.

Continuously audit: Cloud resources are notoriously ephemeral and changeable, while compliance requirements will also evolve over time. That makes continuous configuration checks against policy essential. Consider Cloud Security Posture Management (CSPM) tools to automate and simplify this process.
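The misconfigurations listed earlier (public buckets, SSH open to the internet, missing least privilege) and the advice to check policy before provisioning come together in a small pre-deployment gate. What follows is an added example written for this page, not code from the article or from any CSPM product. The inventory format (one dictionary per resource, with field names borrowed from the matching AWS concepts) is an assumption made for the example; in practice the same rules would run over a Terraform plan or CloudFormation template in CI. The inventory is constructed.

```python
"""Policy checks to run over cloud resources before they are provisioned.

Added example, not code from the article or from any CSPM product. The
resource dictionaries below are a constructed inventory in an assumed format.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample inventory: two buckets, two security groups, one IAM policy.
INVENTORY = [
    {"type": "s3_bucket", "name": "customer-exports",
     "acl": "public-read", "block_public_access": False},
    {"type": "s3_bucket", "name": "app-logs",
     "acl": "private", "block_public_access": True},
    {"type": "security_group", "name": "bastion-sg", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "db-sg", "ingress": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"}]},
    {"type": "iam_policy", "name": "ci-deployer", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
]

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(rule: Dict, port: int) -> bool:
    """An all-protocol rule (-1) covers every port; otherwise check the range."""
    if str(rule.get("protocol")) == "-1":
        return True
    return int(rule["from_port"]) <= port <= int(rule["to_port"])


def check_bucket(res: Dict) -> List[str]:
    findings = []
    if res.get("acl", "private") != "private":
        findings.append(f"bucket {res['name']}: ACL '{res['acl']}' grants access beyond the account")
    if not res.get("block_public_access", False):
        findings.append(f"bucket {res['name']}: Block Public Access is not enabled")
    return findings


def check_security_group(res: Dict) -> List[str]:
    findings = []
    for rule in res.get("ingress", []):
        if not is_world_reachable(rule["cidr"]):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if rule_covers(rule, port):
                findings.append(f"security group {res['name']}: {service} ({port}) open to {rule['cidr']}")
    return findings


def check_iam_policy(res: Dict) -> List[str]:
    findings = []
    for st in res.get("statements", []):
        if st.get("effect") != "Allow":
            continue
        if "*" in st.get("actions", []) and "*" in st.get("resources", []):
            findings.append(f"iam policy {res['name']}: Allow * on * violates least privilege")
    return findings


CHECKS: Dict[str, Callable[[Dict], List[str]]] = {
    "s3_bucket": check_bucket,
    "security_group": check_security_group,
    "iam_policy": check_iam_policy,
}


def evaluate(inventory: List[Dict]) -> List[str]:
    """Run every applicable check; an empty list means the plan passes the gate."""
    findings: List[str] = []
    for res in inventory:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print("FAIL", finding)
```

Wiring `evaluate` into the pipeline so a non-empty result fails the build is what “check for compliance before provisioning” means in practice; running the same rules on a schedule against the live account is the “continuously audit” step, since drift after deployment is exactly what a one-time check misses.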

With the right strategy in place, you’ll be able to manage cloud security risk more effectively and free up staff to be more productive elsewhere. As threat actors get better at finding exposed cloud data, there’s no time to waste.

European police dismantle cybercrime ring with ties to Italian Mafia

The group used phishing, BEC and other types of attacks to swindle victims out of millions

Law enforcement agencies from Europe have cracked down on an organized group that is associated with the Italian Mob and has been involved in all manner of cybercrime, including phishing campaigns, SIM swapping and Business Email Compromise (BEC). The criminal network was also involved in identity theft, money laundering, drug trafficking, property crime, arms dealing and other exceedingly violent crimes.

“The suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such as SIM swapping and business email compromise before laundering the money through a wide network of money mules and shell companies. Last year alone, the illegal profit is estimated at about € 10 million,” reads Europol’s press release.

106 arrested in an operation against online fraud. #Europol supported @policia and @poliziadistato to dismantle this criminal group linked to the Italian mafia.

🏦 118 bank accounts frozen
💳 224 credit cards and point-of-sale terminals seized
More👉 https://t.co/yoiVWkCpAX pic.twitter.com/CzOMJ2n6s6

— Europol (@Europol) September 20, 2021

The operation was spearheaded by the Spanish National Police and backed by the Italian National Police, as well as Europol and Eurojust, the European Union’s law enforcement and judicial agencies, respectively. The operation led to 106 arrests, 16 house searches, 118 bank accounts being frozen, and the seizure of a variety of electronic devices, 224 credit cards, SIM cards, and point-of-sale terminals.

Europol described the group as well-organized, with the network comprised of members with various specializations. “Among the members of the criminal group were computer experts, who created the phishing domains and carried out the cyber fraud; recruiters and organisers of the money muling; and money laundering experts, including experts in cryptocurrencies,” said the European law enforcement agency.

The group operated out of Tenerife in the Canary Islands and used various tactics to dupe unsuspecting victims, usually Italian nationals, into sending vast amounts of money to bank accounts managed by the criminal organization. Once the money was wired to those accounts, the group laundered it through a large network of shell companies and money mules.

It’s no wonder that organized crime has taken an increasing interest in cybercrime, and especially in BEC scams. According to the FBI’s 2020 Internet Crime Report, BEC scams remain top dog, with losses from them reaching a total of almost US$2 billion last year. If the FBI’s annual report is any indication, the losses from BEC scams can only be expected to grow further.

Week in security with Tony Anscombe

Analysis of Numando banking trojan, steps to mitigate attack surface, and more! – Week in security with Tony Anscombe

In this edition of Week in security, Tony looks at these topics:

ESET Research continues its series on Latin American banking trojans, this time dissecting Numando, which targets mainly Brazil and rarely Mexico and Spain.

An overview of what the attack surface is and the best ways to mitigate your organization’s attack surface, in order to maximize cybersecurity.

The Facebook-owned messaging service WhatsApp announced it plans to roll out end‑to‑end encrypted backups to both iOS and Android users in the coming weeks.


Numando: Count once, code twice

The (probably) penultimate post in our occasional series demystifying Latin American banking trojans.

Before concluding our series, there is one more LATAM banking trojan that deserves a closer look – Numando. The threat actor behind this malware family has been active since at least 2018. Even though it is not nearly as lively as Mekotio or Grandoreiro, it has been consistently used since we started tracking it, bringing interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images. Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain.

As with all the other Latin American banking trojans described in this series, Numando is written in Delphi and utilizes fake overlay windows to lure sensitive information out of its victims. Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage.

Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings (see Figure 1), which inspired our naming of this malware family.

Figure 1. Numando command processing – part of command 9321795 processing (red)

Strings are encrypted by the most common algorithm among Latin American banking trojans (shown in Figure 5 of our Casbaneiro write-up) and are not organized into a string table. Numando collects the victimized machine’s Windows version and bitness.

Unlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development. There are some minor changes from time to time, but overall the binaries do not tend to change much.

Numando is distributed almost exclusively by spam. Based on our telemetry, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Recent campaigns simply add a ZIP attachment containing an MSI installer to each spammed message. This installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. If the potential victim executes the MSI, it eventually runs the legitimate application as well, and that side-loads the injector. The injector locates the payload and then decrypts it using a simple XOR algorithm with a multi-byte key; an overview of this process is illustrated in Figure 2.

Figure 2. Numando MSI and its contents distributed in the latest campaigns

For Numando, the payload and injector are usually named identically – the injector with the .dll extension and the payload with no extension (see Figure 3) – making it easy for the injector to locate the encrypted payload. Surprisingly, the injector is not written in Delphi – something very rare among Latin American banking trojans. The IoCs at the end of this blogpost contain a list of legitimate applications we have observed Numando abuse.

Figure 3. Files used for executing Numando. Legitimate application (Cooperativa.exe), injector (Oleacc.dll), encrypted payload (Oleacc) and legitimate DLLs.

Decoy ZIP and BMP overlay

There is one interesting distribution chain from the recent past worth mentioning. This chain starts with a Delphi downloader downloading a decoy ZIP archive (see Figure 4). The downloader ignores the archive’s contents and extracts a hex-encoded encrypted string from the ZIP file comment, an optional ZIP file component stored at the end of the file. The downloader does not parse the ZIP structure, but rather looks for the last { character (used as a marker) in the whole file. Decrypting the string results in a different URL that leads to the actual payload archive.

Figure 4. The decoy is a valid ZIP file (ZIP structures highlighted in green) with an encrypted URL included in a ZIP file comment at the end of the archive (red)
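To make the decoy ZIP technique concrete, here is an added example written for this page, not code from Numando or from ESET. It reproduces the layout described above (a valid ZIP archive, a “{” marker, and a hex-encoded encrypted string in the end-of-central-directory comment) and mimics the downloader’s marker search, which never parses the ZIP structure. The single-byte XOR used as the “encryption” and its key are assumptions for illustration only; the real algorithm and key are not published on this page. The archive member and the URL are constructed.

```python
"""Build and dissect a decoy ZIP whose archive comment carries a hidden URL.

Added example, not code from Numando or from ESET. The single-byte XOR and
TOY_KEY are placeholders for the real (unpublished) string cipher; the archive
contents and the URL are constructed.
"""
import binascii
import io
import zipfile

MARKER = b"{"
TOY_KEY = 0x5A  # assumed; stands in for the key hardcoded in the real binary


def toy_encrypt(data: bytes) -> bytes:
    """Symmetric single-byte XOR, a placeholder for the real string cipher."""
    return bytes(b ^ TOY_KEY for b in data)


def build_decoy_zip(hidden_url: bytes = b"") -> bytes:
    """A valid archive with a harmless member; the secret lives only in the comment.
    With an empty hidden_url the archive has no comment at all (a clean control)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "decoy content, ignored by the downloader")
        if hidden_url:
            zf.comment = MARKER + binascii.hexlify(toy_encrypt(hidden_url))
    return buf.getvalue()


def extract_hidden_url(blob: bytes) -> bytes:
    """What the article says the downloader does: no ZIP parsing at all, just
    take everything after the last '{' in the file, un-hex it and decrypt it."""
    idx = blob.rfind(MARKER)
    if idx < 0:
        raise ValueError("marker not found")
    return toy_encrypt(binascii.unhexlify(blob[idx + 1:]))


def is_valid_zip(blob: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(blob))


def suspicious_comment(blob: bytes) -> dict:
    """Detection side: parse the ZIP properly and inspect the archive comment.
    A comment that ends in a marker followed by a pure hex run is the tell."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        comment = zf.comment
    tail = comment[comment.rfind(MARKER) + 1:] if MARKER in comment else b""
    looks_hex = (len(tail) > 0 and len(tail) % 2 == 0
                 and all(c in b"0123456789abcdefABCDEF" for c in tail))
    return {"comment_len": len(comment),
            "has_marker": MARKER in comment,
            "hex_after_marker": looks_hex}


if __name__ == "__main__":
    sample = build_decoy_zip(b"http://example.invalid/second-stage.zip")
    print("valid zip:", is_valid_zip(sample))
    print("hidden url:", extract_hidden_url(sample))
    print("detection:", suspicious_comment(sample))
```

The archive opens normally in any ZIP tool because the comment is a legitimate, optional field; that is why the decoy is effective and also why the detection has to look at the comment rather than at the members. Because the downloader searches for the last “{” in the raw file, the marker is found even if the archive itself is damaged.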

The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it. The process is illustrated in Figure 5.

Figure 5. Numando distribution chain using a decoy ZIP archive

This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlay is simply ignored. Figure 6 shows some of the decoy images the Numando threat actor uses.

Figure 6. Some BMP images Numando uses as decoys to carry its payload
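Carrying a payload in a BMP overlay works because viewers read only as far as the headers tell them to, which is also what makes the overlay easy to find. The following is an added example written for this page, not code from Numando or from ESET: it builds a minimal valid BMP from scratch, computes the size the headers declare, and carves anything past it. The appended payload is a constructed placeholder; the injector’s decryption routine is not on this page, so none is attempted.

```python
"""Carve an overlay appended after the declared end of a BMP image.

Added example, not code from Numando or from ESET. The image is built here
from scratch and any appended payload in the tests is a constructed placeholder.
"""
import struct

FILE_HEADER = 14   # BITMAPFILEHEADER
INFO_HEADER = 40   # BITMAPINFOHEADER


def build_bmp(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 24-bpp BMP with rows padded to a multiple of 4 bytes."""
    row = (width * 3 + 3) & ~3
    pixels = bytes([0x10, 0x20, 0x30] * width + [0] * (row - width * 3)) * height
    offset = FILE_HEADER + INFO_HEADER
    file_size = offset + len(pixels)
    file_hdr = b"BM" + struct.pack("<IHHI", file_size, 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HEADER, width, height, 1, 24,
                           0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def declared_size(blob: bytes) -> int:
    """Size the headers claim the image occupies. bfSize is sometimes left at 0
    by careless writers, so also derive bfOffBits + pixel data size and take
    the larger of the two before deciding where the image ends."""
    if blob[:2] != b"BM" or len(blob) < FILE_HEADER + INFO_HEADER:
        raise ValueError("not a BMP")
    bf_size, offset = struct.unpack_from("<I4xI", blob, 2)   # skip 4 reserved bytes
    _, width, height, _, bpp, _, size_image = struct.unpack_from("<IiiHHII", blob, FILE_HEADER)
    if size_image == 0:  # permitted for uncompressed (BI_RGB) images
        size_image = ((width * bpp + 31) // 32) * 4 * abs(height)
    return max(bf_size, offset + size_image)


def carve_overlay(blob: bytes) -> bytes:
    """Bytes past the declared image; empty for a clean file."""
    return blob[declared_size(blob):]


def looks_like_carrier(blob: bytes, min_overlay: int = 1024) -> bool:
    """Triage rule: the file renders fine, but a large tail that no viewer
    reads is present. The threshold is a tunable assumption."""
    return len(carve_overlay(blob)) >= min_overlay


if __name__ == "__main__":
    clean = build_bmp()
    carrier = clean + b"\x5a" * 4096   # constructed stand-in for an encrypted DLL
    print("clean overlay bytes:", len(carve_overlay(clean)))
    print("carrier overlay bytes:", len(carve_overlay(carrier)))
    print("flag carrier:", looks_like_carrier(carrier), "flag clean:", looks_like_carrier(clean))
```

The same “declared size versus actual size” comparison generalizes to other container formats abused for overlays (PE files, JPEGs with data after the end-of-image marker); what differs per format is only how the declared end is computed.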

Like many other Latin American banking trojans, Numando abuses public services to store its remote configuration – YouTube and Pastebin in this case. Figure 7 shows an example of the configuration stored on YouTube – a technique similar to Casbaneiro, though much less sneaky. Google took the videos down promptly based on ESET’s notification.

Figure 7. Numando remote configuration on YouTube

The format is simple: three entries delimited by “:” between the DATA:{ and } markers. Each entry is encrypted separately, the same way as other strings in Numando, with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without having the corresponding binary; however, Numando does not change its decryption key very often, so decryption is usually possible.

Numando is a Latin American banking trojan written in Delphi. It targets mainly Brazil with rare campaigns in Mexico and Spain. It is similar to the other families described in our series – it uses fake overlay windows, contains backdoor functionality and utilizes MSI.

We have covered its most typical features, distribution methods and remote configuration. It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique; together these are two reliable factors for identifying this malware family.

For any inquiries, contact us at [email protected] Indicators of