Operation StealthyTrident: corporate software under attack

LuckyMouse, TA428, HyperBro, Tmanger and ShadowPad linked in Mongolian supply-chain attack

The post Operation StealthyTrident: corporate software under attack appeared first on WeLiveSecurity

Microsoft Patch Tuesday fixes 58 flaws

The last Patch Tuesday of the year brings another fresh batch of fixes for Microsoft products, and while the number may be lower, the patches are no less important.

The Internal Revenue Service expands identity protection to all tax‑payers

Starting in mid-January, U.S. taxpayers will be able to enroll in the Identity Protection PIN program that was previously available only to certain users.

In an effort to battle various flavors of tax fraud and tax-related identity theft, the U.S. Internal Revenue Service (IRS) announced that, as of January 2021, it will expand its Identity Protection PIN Opt-In Program to all taxpayers, provided they can properly verify their identities.

Previously, Identity Protection PINs (IP PINs) were issued only to eligible taxpayers who had experienced tax refund fraud or were confirmed victims of identity theft. The IP PIN is a six-digit code issued by the IRS that prevents anyone other than the holder from filing a tax return in their name using their Social Security number. The IRS uses the IP PIN to verify the taxpayer’s identity when accepting their paper or electronic tax return. The PIN is valid only for the calendar year in which it was issued, so the taxpayer has to obtain a new IP PIN each January.

“The fastest way to get an Identity Protection PIN is to use our online tool but remember you must pass a rigorous authentication process. We must know that the person asking for the IP PIN is the legitimate taxpayer,” explained IRS Commissioner Chuck Rettig in a press statement announcing the program. 

Using the Opt-In Program, an eligible person will be able to apply for an IP PIN through the IRS’s IP PIN tool. They will be required to pass the IRS’s Secure Access authentication process to verify their identity. The whole process, which takes approximately 15 minutes, requires the taxpayer to provide a slew of private information, including their email address, Social Security number, tax filing status and mailing address, a mobile phone number registered in their name, and a financial account number linked to their name, such as a credit card or mortgage.

Tax season is already a stressful time for most people, so this added layer of protection is a welcome addition, especially since tax identity fraud has proven to be a persistent problem. If you’d like to learn more about the measures you can take to avoid various forms of banking fraud and identity theft, you can also refer to the tips on fraud prevention shared by ESET Chief Security Evangelist Tony Anscombe.

Google patches four high‑severity flaws in Chrome

The new release patches a total of eight vulnerabilities affecting the desktop versions of the popular browser.

Week in security with Tony Anscombe

ESET researchers analyze Turla Crutch, Cybersecurity Trends 2021 report is out and how to stay safe when paying with your phone.

This week, ESET researchers discover a new backdoor used by Turla to exfiltrate stolen documents to Dropbox. Our first cybersecurity tips you can implement into your life this Advent season and ultimately gift yourself better online security and privacy. The main risks and best ways for safely using mobile payments and digital wallets. All this – and more – on WeLiveSecurity.com.

Cybersecurity Advent Calendar: Let Santa in, keep hackers out!

Santa will soon come down the chimney, but there are potential entry points into your home and digital life that you should never leave open

Many of us associate early December with the first snowfall, Holiday preparations and the beginning of Advent. And what better way to celebrate the preparations for the most wonderful time of the year than to mark Advent with special treats, especially after a year like no other?

At WeLiveSecurity, our goal and our wish for you and your loved ones is to be and stay safe online. This is where our Cybersecurity Advent Calendar series comes in. Along with daily tips shared on ESET’s Twitter account, we will, in the run-up to Christmas, publish a series of articles containing advice you can easily implement into your daily routine and ultimately gift yourself better online security and privacy.

Let’s dive right in.

For a whimsical Holiday, make sure none of your passwords appears on the Naughty List, also known as the list of the most popular passwords. If it does, be good and change it!

The first step is to protect the entry points. You would not leave your door unlocked and let anyone but Santa come down your chimney, right? Likewise, using safe login details and good password hygiene is essential.

Overused passwords may be easy to remember, but they are just as easy to crack. Commonly used passwords, like the infamous “123456”, “qwerty” or “password”, among many others, provide an easy path for attackers. There’s hardly any comfort in finding out that one of your passwords appears on the Naughty List; do yourself a favor and change it.

Christmas elves are working hard this season, and so are cybercriminals. Protect yourself by using strong passwords – or better yet, passphrases!

The best credentials are easy for you to remember but impenetrable for cybercriminals. Attackers often use brute-force attacks to crack their targets’ passwords, and the longer the password, the longer it takes them. Passphrases, made up of a succession of words, are ideal: they are extremely hard to brute-force while remaining easy for you to remember.

For example, it takes no time to crack “qwerty” or any other infamous password, and a short word like my nickname, “Gaby”, can be cracked in the blink of an eye. A random password like “#a3i5P” could be cracked in about an hour, which might, however, also be the time it takes you to retrieve it from memory. On the other hand, it would take many years with today’s computing power to crack “GabyHasASuperNiceCat”, which you probably already remember.
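To put numbers on the three examples above, here is an added worked example (it is not code from the WeLiveSecurity post): it estimates the search space an attacker must cover for a given password, converts that into time at an assumed guessing rate, and treats anything on a small constructed “Naughty List” as already cracked. The rate of 2e8 guesses per second, the 10,000-word dictionary and the list entries are assumptions chosen for the illustration, not figures from the article.

```python
import string

# Constructed "Naughty List" for this example: a few entries of the kind found on
# most-common-password lists. A real check would load a full list or a breach corpus.
NAUGHTY_LIST = {"123456", "123456789", "qwerty", "password", "12345678", "111111", "iloveyou"}

# Assumed attacker throughput (an assumption for the example, not a figure from the
# article): real rates depend entirely on the hash algorithm and the hardware.
GUESSES_PER_SECOND = 2e8
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Size of the alphabet an attacker must cover once they know which character classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time for an exhaustive character-level search; naughty-list entries fall at once."""
    if password in NAUGHTY_LIST:
        return 0.0
    return charset_size(password) ** len(password) / rate


def wordlist_attack_seconds(words, dictionary_size=10_000, rate=GUESSES_PER_SECOND):
    """A passphrase attacked word-by-word: every combination of len(words) dictionary words."""
    return dictionary_size ** len(words) / rate


def describe(seconds):
    """Human-readable crack time."""
    if seconds < 1:
        return "instantly"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.2g} years"


def assess(password):
    """Return (on_naughty_list, seconds_to_brute_force, human_readable)."""
    seconds = brute_force_seconds(password)
    return password in NAUGHTY_LIST, seconds, describe(seconds)


if __name__ == "__main__":
    for pw in ["qwerty", "Gaby", "#a3i5P", "GabyHasASuperNiceCat"]:
        naughty, _, when = assess(pw)
        print(f"{pw:22s} naughty={naughty!s:5s} brute-force: {when}")
    # The same passphrase attacked as six common words rather than as 20 characters:
    words = ["Gaby", "Has", "A", "Super", "Nice", "Cat"]
    print("word-by-word:", describe(wordlist_attack_seconds(words)))
```

The passphrase is deliberately attacked two ways, as 20 characters and, more realistically, as six dictionary words; both estimates stay far beyond any practical budget, which is the article’s point, while the six-character random password lands at roughly an hour under the assumed rate.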

This short video can also help you create strong passphrases:

Recycling gift bags can help the planet. However, recycling your passwords will only hurt your safety and privacy.

If you often read WeLiveSecurity, you know that we cover major data breaches almost every week, while many smaller breaches go under the radar. Cybercriminals have more than one tool up their sleeves when it comes to breaking into your accounts. One common tactic is credential stuffing, where attackers take username/password pairs leaked in the breach of one account or service and try them against other accounts or services.

If any of your login credentials have been stolen and you use the same username/password combination for other accounts, criminals could access those with no effort. Never recycling your login details makes criminals’ lives harder – and keeps your own life safer!

Sharing is caring, and that’s doubly true during the Holiday season. But it’s not a good idea when it comes to passwords.

Do not share your passwords with anyone. Others may not be as careful as you are. Moreover, if you share your credentials with several people, who might then also share them with their friends, roommates, etc., you’ll soon lose track of who has your credentials.

If you absolutely need to share your access with a relative or close friend, a more sensible (and safer) approach might be to log them in directly yourself and ideally only into low-value accounts where you don’t store your most sensitive personal information.

Use a trustworthy password manager solution to keep all your passphrases safe with only one passphrase for you to remember.

You may be thinking about everyone during this season, and all through the year. There is good news. You do not have to spend too much time and energy to remember all your credentials – even passphrases!

A trustworthy password manager will safely store your login data. But what is a password manager? In short, it is an application or service designed to save and store your credentials in an encrypted vault to protect them. Moreover, it can also generate complex, and therefore safer, passwords for you to use – though you can certainly create your own, of course.

To access all your credentials, you will only need to remember one password or passphrase. This unique password – also known as “master password” – enables you to access your vault of login credentials for apps, services, websites, and more.

A safety breach could be the Grinch who stole your Holiday spirit! Regularly check that none of your accounts has been breached.

As mentioned above, breaches are sadly a common theme of our time. Since there are countless online platforms and services and the threats are ever more acute, chances are you won’t be able to shield yourself from a breach affecting your data – even if you implement all the best safety policies.

Therefore, regularly checking whether your credentials have been stolen is important. Services like Have I Been Pwned can provide valuable insights, as they aggregate the email addresses and passwords that have turned up in past breaches.

A search on this service will not only turn up a list of breached accounts associated with your email, but also the type of data that were compromised. You should

iPhone hack allowed device takeover via Wi‑Fi

Using a zero-click exploit, an attacker could have taken complete control of any iPhone within Wi-Fi range in seconds

Earlier this year, Apple patched a severe security loophole in an iOS feature that could have allowed attackers to remotely gain complete control over any iPhone within Wi-Fi range. However, details about the flaw, which was fixed months ago, were sparse until now.

In a blog post of no fewer than 30,000 words, Google Project Zero researcher Ian Beer described how, over a six-month period, he created a radio-proximity exploit that would grant him total control over an iPhone in his vicinity. The exploit allowed him to access all the data stored on the device, including photos, emails, private messages, Keychain passwords, as well as monitor everything happening on the device in real time.

The vulnerability was also wormable, so an attack exploiting it could have spread from device to device with no user interaction. Beer added, however, that there was no evidence the vulnerability was ever exploited in the wild.

The flaw resides in the Apple Wireless Direct Link (AWDL) protocol, which is used for peer-to-peer network communications between iOS devices and powers features like AirDrop or Sidecar. Beer described it as “a fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.” He added that the whole exploit uses just a single memory corruption vulnerability, which he exploited to compromise a flagship iPhone 11 Pro device.

Beer also shared a video demonstrating the attack:

In a series of tweets, Beer also explained that the range and distance of the attacks could be extended using readily available equipment:

“AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity. With specialist equipment the radio range can be hundreds of meters or more. You don’t need a fancy setup though. This exploit just uses a Raspberry Pi and two off-the-shelf WiFi adaptors for a total cost under $100.” While AWDL is enabled by default, Beer also found a way to remotely enable it even if it was off, utilizing the same attack.

Beer reported the vulnerability to Apple a year ago, almost to the day. The flaw was fixed as CVE-2020-3843 in iOS 13.3.1 and macOS 10.15.3 in January of this year, said Beer. It’s safe to say that the vast majority of iOS users run one of the system’s newer versions, as also confirmed by Apple to The Verge. At any rate, if you haven’t already done so, do yourself a favor and apply the updates as soon as possible.

Apple also patched three actively exploited zero-day flaws last month, which were also, incidentally, reported by Google Project Zero researchers.

Cybersecurity Trends 2021: Staying secure in uncertain times

ESET experts look back at some of the key themes that defined the cybersecurity landscape in the year that’s ending and give their takes on what to expect in 2021

2020 has been a year like no other in living memory. It will go down in history for many things, but they all pale in comparison to the disruption wrought by the gravest public health crisis in a century. The COVID-19 pandemic has upended our lives, laying bare our collective fragility and causing many of us to lose whatever sense of control we had over our lives. Even though we’ll soon step into the new year, the world remains firmly in the grip of the virus, making any projections into the future more difficult than ever.

But difficult doesn’t equate to impossible. One ‘thing’ that’s sure to spill over into 2021 is our reliance on technology for various aspects of our daily lives. The virus has made social distancing a way of life, keeping us tethered to our homes all the while throwing many of our plans out of the window. In so doing, it has made us not only hyper-concerned but also hyper-connected, as technology is now more than ever woven into the fabric of modern life.

This includes the world of work, where some pre-existing trends were kicked into overdrive amid the inevitably pell-mell rush to remote working. Worryingly, this shift helped create a near-perfect storm of cybersecurity challenges, as organizations and their newly distributed workforce had to swim (or sink) in the largely uncharted waters of remote work. It’s only natural, then, that one section of this year’s Trends report should examine the potentially indelible mark that the pandemic has left not only on our working habits, but also on the myriad cyber-risks faced by organizations and their off-site employees.

Elsewhere in the report, we highlight another notable trend – the escalation in the ransomware threat. To be sure, this form of cyber-extortion has been going strong for years. However, ransomware operators continue to look for ways to increase the ‘return on investment’ for their malicious operations, including by deploying new tactics that tighten the screws on victims. Indeed, we ponder whether the latest chapters in the ransomware evolution might warrant changing the definition of ransomware itself.

There have, of course, been other notable developments on the malware scene. So-called ‘living-off-the-land’ techniques, which piggyback on an operating system’s legitimate tools and processes and leverage them for malicious ends, aren’t entirely new. However, they’ve gained more traction of late and have, as also demonstrated by ESET researchers, been deployed in sophisticated campaigns against several high-profile targets.

Lastly, we look at another trend to watch out for – new chapters in the Internet of Things (r)evolution. Not ones to be left behind by the rush to connect any and all objects to the internet, smart sex toys are also looking for a place in the sun. Again, this trend is not entirely new, but this doesn’t make it any less unnerving. That is, with IoT applications come vast privacy and security challenges, and those take on a whole new meaning when vulnerable sex toys enter the scene. As ESET research has also shown, the security and privacy features of smart adult toys leave a lot to be desired, highlighting the generally perilous state of affairs in the IoT space.

Make no mistake, though; these are far from the only insights to be gleaned from this year’s edition of the Trends report. COVID-19 has cast a long shadow on society, but if there’s a silver lining to the crisis, it’s that there are also valuable lessons to be learned from it. Among them, we’re reminded that remaining diligent and vigilant and that arming ourselves with knowledge are powerful first steps towards ‘inoculation’ against various kinds of threats.

Turla Crutch: Keeping the “back door” open

ESET researchers discover a new backdoor used by Turla to exfiltrate stolen documents to Dropbox

ESET researchers found a previously undocumented backdoor and document stealer, dubbed Crutch by its developers, which we were able to attribute to the infamous Turla APT group. According to our research, it was used from 2015 until at least early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is used only against very specific targets, as is common for many Turla tools.

Turla is a cyberespionage group that has been active for more than ten years. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that we have described over the years.

Attribution to Turla

During our research, we were able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, was a second-stage backdoor used by Turla in 2016-2017. Our analysis is based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. We identified the following similarities:

- Both samples were dropped at C:\Intel\~intel_upd.exe on the same machine with a five-day interval in September 2017
- Both samples drop CAB files containing the various malware components
- The loaders, dropped by the aforementioned samples, share clearly related PDB paths:
  C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\Release\Extractor.pdb and
  C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\x64\Release\Extractor.pdb
- The loaders decrypt their payloads using the same RC4 key:
  E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68

Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal.
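The shared RC4 key is a usable indicator in its own right: given a suspected loader, an analyst can both search for the key bytes and try them to unpack the payload. The following is an added example, not ESET’s tooling, with a constructed loader image standing in for a real sample; the layout assumed for the demo (key bytes followed by the encrypted payload) and the PE-header check are assumptions, not facts about Crutch or Gazer.

```python
# RC4 key shared by the Crutch and Gazer loaders, as given in the report above.
SHARED_RC4_KEY = bytes.fromhex("E88E777EC7808EE7CECECEC6C6CEC668")


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation). Encrypting and decrypting are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_key(image, key=SHARED_RC4_KEY):
    """Every offset at which the key bytes occur in a file image (a cheap static indicator)."""
    offsets, start = [], 0
    while (idx := image.find(key, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def looks_like_pe(data):
    """Cheap plaintext sanity check: a DOS stub header and enough bytes to hold one."""
    return data[:2] == b"MZ" and len(data) > 0x40


def recover_payload(image, key=SHARED_RC4_KEY):
    """Try RC4 with the shared key on the bytes following each key occurrence (and on the
    whole image, for loaders that keep the key elsewhere); return the first PE-looking
    plaintext, or None if nothing decrypts sensibly."""
    candidates = [image[off + len(key):] for off in find_key(image, key)] + [image]
    for blob in candidates:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return plain
    return None


# Constructed loader image for the demo: 32 bytes of padding, the key, then an
# RC4-encrypted fake "payload" that starts with a PE header. NOT a real sample.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00 constructed payload for the RC4 example"
FAKE_LOADER = b"\x00" * 32 + SHARED_RC4_KEY + rc4(SHARED_RC4_KEY, FAKE_PAYLOAD)


if __name__ == "__main__":
    print("key found at offsets:", find_key(FAKE_LOADER))
    payload = recover_payload(FAKE_LOADER)
    print("recovered payload:", payload[:64] if payload else None)
```

On a real sample the key is usually not adjacent to the ciphertext, so the candidate list is where an analyst would plug in the offsets of resources, overlays or sections found by a PE parser; the decryption and the plaintext check stay the same.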

Another interesting observation is the presence of FatDuke and Crutch at the same time on one machine. The former is a third-stage backdoor that we attributed to the Dukes/APT29 in our Operation Ghost report. However, we don’t have any evidence of interaction between these two malware families. It is possible that both groups independently compromised the same machine.

Espionage activity

According to ESET LiveGrid® data, Turla used the Crutch toolset against several machines of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts Turla operators controlled.

We were able to capture some of the commands sent by the operators to several Crutch v3 instances, which is helpful to understand the goal of the operation. The operators were mainly doing reconnaissance, lateral movement and espionage.

The main malicious activity is the staging, compression and exfiltration of documents and various files, as shown in Figure 1. These are commands the operators executed manually; they do not show the automated collection of documents by the drive monitor component described in a later section. The exfiltration is performed by another backdoor command and is thus not shown in the examples below.

copy /y \\<redacted>\C$\users\<redacted>\prog\csrftokens.txt c:\programdata & dir /x c:\programdata

copy /y \\<redacted>\c$\users\user\Downloads\FWD___~1.ZIP %temp%

copy /y \\<redacted>\c$\docume~1\User\My Documents\Downloads\8937.pdf %temp%

"C:\Program Files\WinRAR\Rar.exe" a -hp<redacted> -ri10 -r -y -u -m2 -v30m "%temp%\~res.dat" "d:\<redacted>\*.*" "d:\$RECYCLE.BIN\*.doc*" "d:\$RECYCLE.BIN\*.pdf*" "d:\$RECYCLE.BIN\*.xls*" "d:\Recycled\*.doc*" "d:\Recycled\*.pdf*" "d:\<redacted>\*.pdf"

Figure 1. Manual commands executed by the operators during the espionage phase
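Figure 1 is also a good seed for detection content. The following added example (not from the ESET report) runs a few regex rules over those same command lines, as a Sysmon Event ID 1 or EDR CommandLine field would record them, with path separators restored, and scores each one: copying files in from an administrative share, WinRAR invoked with an archive password (-hp) and split volumes (-v), harvesting from the Recycle Bin, document wildcards, and staging in %temp% or ProgramData. The rule weights and threshold are this example’s assumptions, and the last sample line is a benign control.

```python
import re

# Constructed sample: the command lines from Figure 1 plus one benign line as a control.
# The <redacted> placeholders are kept as in the report.
SAMPLE_COMMANDS = [
    r"copy /y \\<redacted>\C$\users\<redacted>\prog\csrftokens.txt c:\programdata & dir /x c:\programdata",
    r"copy /y \\<redacted>\c$\users\user\Downloads\FWD___~1.ZIP %temp%",
    r"copy /y \\<redacted>\c$\docume~1\User\My Documents\Downloads\8937.pdf %temp%",
    r'"C:\Program Files\WinRAR\Rar.exe" a -hp<redacted> -ri10 -r -y -u -m2 -v30m "%temp%\~res.dat" '
    r'"d:\<redacted>\*.*" "d:\$RECYCLE.BIN\*.doc*" "d:\$RECYCLE.BIN\*.pdf*" "d:\Recycled\*.doc*"',
    r"mkdir %temp%\Illbeback",
    r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\user\notes.txt',
]

# Each rule: (name, weight, regex). Weights are this example's own, not from the report.
RULES = [
    ("copy_from_admin_share", 2, re.compile(r"\bcopy\b.*\\\\[^\\\s]+\\[a-z]\$\\", re.I)),
    ("rar_encrypted_archive", 3, re.compile(r'rar(\.exe)?"?\s+a\b.*\s-hp\S', re.I)),
    ("rar_split_volumes", 1, re.compile(r'rar(\.exe)?"?\s+a\b.*\s-v\d+[kmg]?\b', re.I)),
    ("recycle_bin_harvest", 2, re.compile(r"\$RECYCLE\.BIN|\\Recycled\\", re.I)),
    ("document_wildcards", 1, re.compile(r"\*\.(doc|pdf|xls)\*?", re.I)),
    ("staging_dir", 1, re.compile(r"%temp%|\\programdata\b", re.I)),
]


def classify(cmdline):
    """Names of all rules the command line matches."""
    return [name for name, _, rx in RULES if rx.search(cmdline)]


def score(cmdline):
    """Weighted sum of the matching rules."""
    return sum(w for _, w, rx in RULES if rx.search(cmdline))


def triage(cmdlines, threshold=3):
    """Return (score, matched rules, command) for every line at or above threshold,
    highest score first, so the WinRAR staging command floats to the top."""
    hits = [(score(c), classify(c), c) for c in cmdlines]
    return sorted((h for h in hits if h[0] >= threshold), reverse=True)


if __name__ == "__main__":
    for s, rules, cmd in triage(SAMPLE_COMMANDS):
        print(f"[{s}] {', '.join(rules)}\n    {cmd[:90]}")
```

A single copy from an admin share or a single %temp% write is noise on most estates; it is the combination (a remote C$ read landing in a staging directory, or WinRAR with a password and 30 MB volumes sweeping the Recycle Bin) that carries the signal, which is why the rules are weighted and summed rather than alerted on individually. The “mkdir Illbeback” line scores only on the staging directory and falls under the threshold, as it should.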

Finally, the operators have a certain sense of humor. At some point, they executed the following command:

mkdir %temp%\Illbeback

Operators’ working hours

In order to have a rough idea of the working hours of the operators, we exported the hours at which they uploaded ZIP files to the Dropbox accounts they operate. These ZIP files contain commands for the backdoor and are uploaded to Dropbox by the operators, asynchronously from the time at which the backdoor reads and executes their content. Thus, this should show when the operators are working and not when the victim’s machines are active.

We collected 506 different timestamps and they range from October 2018 to July 2019. They are plotted in Figure 2.

Figure 2. Working hours of Crutch operators based on the uploads to Dropbox

Given the graph, the operators are likely to operate in the UTC+3 time zone.
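The reasoning behind Figure 2 can be reproduced in a few lines. This is an added example, not the script ESET used: it bins upload timestamps by UTC hour and weekday, then picks the whole-hour UTC offset that brings the bulk of the activity closest to the middle of a working day. The 506 real timestamps are not published in the report, so the example generates a constructed set with the same size, date range and an assumed true offset of UTC+3, and the 13:00 workday midpoint is an assumption.

```python
import random
from collections import Counter
from datetime import datetime, timedelta

WORKDAY_CENTRE = 13  # assumed midpoint of a 9-to-5 working day, local time


def hour_histogram(timestamps_utc):
    """Uploads per UTC hour of day (the raw material for a Figure 2-style plot)."""
    return Counter(ts.hour for ts in timestamps_utc)


def weekday_histogram(timestamps_utc):
    """Uploads per weekday; operators on a weekly rota leave weekends almost empty."""
    return Counter(ts.strftime("%a") for ts in timestamps_utc)


def circular_distance(hour_a, hour_b):
    """Distance between two hours on the 24-hour clock (23 and 1 are two hours apart)."""
    d = abs(hour_a - hour_b) % 24
    return min(d, 24 - d)


def estimate_utc_offset(timestamps_utc, centre=WORKDAY_CENTRE):
    """Whole-hour UTC offset that moves the activity closest to `centre`: for each candidate
    offset, sum the circular distance of every shifted upload hour from the centre and keep
    the offset with the smallest total."""
    hist = hour_histogram(timestamps_utc)
    best_offset, best_cost = None, None
    for offset in range(-12, 15):
        cost = sum(n * circular_distance((h + offset) % 24, centre) for h, n in hist.items())
        if best_cost is None or cost < best_cost:
            best_offset, best_cost = offset, cost
    return best_offset


def make_sample(n=506, true_offset=3, seed=2020):
    """Constructed data set standing in for the real upload timestamps: weekday uploads
    between Oct 2018 and Jul 2019 by operators working roughly 09:00-17:00 at UTC+true_offset,
    stored as UTC the way Dropbox would record them."""
    rng = random.Random(seed)
    start = datetime(2018, 10, 1)
    hours = list(range(9, 18))
    weights = [1, 2, 4, 6, 8, 6, 4, 2, 1]  # activity peaks around 13:00 local
    out = []
    while len(out) < n:
        day = start + timedelta(days=rng.randrange(300))
        if day.weekday() >= 5:  # skip Saturday and Sunday
            continue
        local_hour = rng.choices(hours, weights=weights)[0]
        local = day.replace(hour=local_hour, minute=rng.randrange(60))
        out.append(local - timedelta(hours=true_offset))
    return out


SAMPLE_UPLOADS = make_sample()


if __name__ == "__main__":
    print("uploads per UTC hour:", sorted(hour_histogram(SAMPLE_UPLOADS).items()))
    print("uploads per weekday:", dict(weekday_histogram(SAMPLE_UPLOADS)))
    print("estimated operator time zone: UTC%+d" % estimate_utc_offset(SAMPLE_UPLOADS))
```

The usual caveat applies to the real data as much as to the constructed set: the method recovers the offset of the people issuing commands, not their country, and a UTC+3 result is consistent with several time zones, which is why the report says “likely” rather than naming one.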

Compromise / Malware delivery

We believe that Crutch is not a first-stage backdoor and is deployed after the operators have first compromised an organization’s network.

The first method consists of using a first-stage implant such as Skipper. In 2017, we saw Crutch being deployed a few months after the computer was compromised by Skipper. The malware operators then also compromised other machines on the local network by moving laterally.

The second method we have witnessed is the use of PowerShell Empire. We were not able to uncover how the malicious script arrived on the machine, but we believe it was through another implant although a phishing document cannot be excluded. It should be noted that the PowerShell Empire scripts were using OneDrive and Dropbox.

Crutch version 1 to 3

From 2015 to mid-2019, the malware architecture used a backdoor communicating with Dropbox and a drive monitor without network capabilities.

Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. It can execute basic commands such as reading and writing files or executing additional processes. It persists via DLL hijacking on Chrome, Firefox or OneDrive. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain.

The second main binary is a removable-drive monitor that searches for files that have an interesting extension (.pdf, .rtf, .doc, .docx). It then stages the files in an encrypted archive.

Figure 3. Architecture of Crutch v3

Crutch version 4

In July 2019, we found a new version of Crutch. While we don’t have the developer’s version number, we believe it has evolved enough to qualify as version 4. This new

Cyberattackers could trick scientists into producing dangerous substances

Without ever setting foot in the lab, a threat actor could dupe DNA researchers into creating pathogens, according to a study describing “an end-to-end cyber-biological attack”

Researchers have described a theoretical cyberattack that could be used to dupe unsuspecting scientists into producing dangerous biological substances, toxins and synthetic viruses.

The paper, authored by researchers from Israel’s Ben-Gurion University of the Negev, sheds light on the potential risks of cyberattackers leveraging malware to subvert a scientist’s computer and interfere with the DNA synthesis process.

“As DNA synthesis becomes more widespread, concern is mounting that a cyberattack intervening with synthetic DNA orders could lead to the synthesis of nucleic acids encoding parts of pathogenic organisms or harmful proteins and toxins,” the team wrote in the journal Nature Biotechnology.

According to the researchers, the attack would exploit a weakness in the design of the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and its successor, the Harmonized Screening Protocol v2.0, which allows these protocols to be bypassed through a generic obfuscation procedure. Combined with inadequate cybersecurity measures protecting the synthetic gene engineering pipeline, this would let a remote threat actor meddle with biological processes.

“Together, these weaknesses facilitate an end-to-end cyberbiological attack, in which a remote attacker may inject obfuscated pathogenic DNA into an online order of synthetic genes, using a malicious browser plugin,” the researchers explained.

RELATED READING: Malware coded into synthetic genomes

The research paper demonstrates a potential attack scenario that makes use of this combination of weaknesses and allows a remote actor to dupe the target into creating a dangerous substance without any physical interaction needed from the attacker’s side.

The attacker would have to start by compromising the target’s computer via a man-in-the-browser attack. When the mark designs a DNA experiment and goes on to order synthetic DNA online from a DNA synthesis company, the attacker replaces part of the order with an obfuscated fragment of pathogenic DNA, designed so that it can be de-obfuscated later.

Since the malicious DNA is obfuscated, it is not detected by the screening process. The order is delivered to the target and, although the product is verified after sequencing, that check runs on the compromised computers, which will not flag the DNA. In the end, a harmful substance is produced.

The research team was able to prove the viability of the threat by conducting a proof-of-concept attack, where they successfully encoded the DNA of a toxic peptide and moved it to the production phase, all the while avoiding detection by the screening software. They went on to disclose the threat to the International Gene Synthesis Consortium and shared advice on how to mitigate it.

The proposed countermeasures involve hardening the cybersecurity of the pipeline, including electronic signatures on sequence orders, intrusion detection approaches, and machine learning to identify malicious code.

In closing, they shared some words of caution: “Cyber dangers are spilling over to the physical space, blurring the separation between the digital world and the real world, especially with increasing levels of automation in the biological lab. Best practices and standards must be woven into operational biological protocols to combat these threats.”