ESET Threat Report Q3 2020

A view of the Q3 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

As the world braces for a pandemic-ridden winter, COVID-19 appears to be losing steam at least in the cybercrime arena. With coronavirus-related lures played out, crooks seem to have gone “back to basics” in Q3 2020. An area where the effects of the pandemic persist, however, is remote work with its many security challenges.

This is especially true for attacks targeting Remote Desktop Protocol (RDP), which grew throughout all H1. In Q3, RDP attack attempts climbed by a further 37% in terms of unique clients targeted – likely a result of the growing number of poorly secured systems connected to the internet during the pandemic, and possibly other criminals taking inspiration from ransomware gangs in targeting RDP.

The ransomware scene, closely tracked by ESET specialists, saw a first this quarter – an attack investigated as a homicide after the death of a patient at a ransomware-struck hospital. Another surprising twist was the revival of cryptominers, which had been declining for seven consecutive quarters. There was a lot more happening in Q3: Emotet returning to the scene, Android banking malware surging, new waves of emails impersonating major delivery and logistics companies…

This quarter’s research findings were equally as rich, with ESET researchers: uncovering more Wi‑Fi chips vulnerable to KrØØk-like bugs, exposing Mac malware bundled with a cryptocurrency trading application, discovering CDRThief targeting Linux VoIP softswitches, and delving into KryptoCibule, a triple threat in regard to cryptocurrencies.

Besides offering recaps of these findings, this report also brings exclusive, previously unpublished ESET research updates, with a special focus on APT group operations – see the News From the Lab and APT Group Activity sections for updates on TA410, Sednit, Gamaredon and more.

ESET also continued to contribute to the MITRE ATT&CK knowledge base, with four submissions accepted in Q3. Other contributions of our teams include publishing a testing script for KrØØk and a set of tools named Stadeo that facilitate the analysis of the Stantinko malware.

This quarter was bustling with virtual events, with ESET researchers sharing their knowledge at both Black Hat USA and Asia, CARO, Virus Bulletin, DEF CON, Ekoparty, and many others. For the upcoming months, we are excited to invite you to ESET’s talks and workshops at Botconf, AVAR and CODE BLUE.

Follow ESET research on Twitter for regular updates on key trends and top threats.


‘Among Us’ players hit by major spam attack

In-game chats were flooded with messages from somebody who tried to coerce players into subscribing to a dubious YouTube channel

InnerSloth, the developer of the popular whodunnit social deduction game Among Us, has had to fight off a cyberattack affecting its players during their online matches. The incident that started some time on Thursday took the form of a spam attack bombarding players in their in-game chats.

The onslaught of spam messages foisted on game participants in their chats promoted a cryptic “Eris Loris” handle, prompting players to subscribe to its YouTube channel. Some messages took a threatening tone, warning players that unless they subscribe their devices would be hacked. Other messages also included an endorsement for U.S. President Donald Trump in the 2020 elections. Upon inspection, the YouTube channel promoted by the miscreant seems to promote various game cheats and hacks.

Players shared screenshots complaining about the spam attack across multiple social media, including Twitter.

I have found the hacker. His name is Eris Loris. He is a skilled hacker. Do not join his Discord 😡 #erisloris

— Sonic The Hedgehog Gamer (@SonicTh09529692) October 26, 2020

Once InnerSloth became aware of the problem, it immediately started investigating the issue while simultaneously working on an emergency server update to remedy the situation. The game studio advised the community to refrain from joining public online games and instead opt for private games with people they could trust.

Reminder!! Please play private games or with people that you trust!!! We’re doing what we can!!

— InnerSloth (@InnerslothDevs) October 23, 2020

Forest Willard, one of the developers at InnerSloth, started rolling out the emergency update later that night. However, he also warned that, due to the irregularity of the process, players who were in matches might get booted.

In a follow-up tweet, he explained why it took so long to release the update: “Also worth nothing [sic] that the reason I didn’t roll this update out sooner is that I was afraid of false positives: You totally might see the game think you’re hacking when you’re not. I’ve done my best to find this kind of bug, but my hand is forced this time.”


Although both the premise and the graphics of the game are very simple, Among Us has become a major hit with players from around the globe. Part of its meteoric success could be chalked up to the COVID-19 pandemic that has left many stranded indoors – and hooked on the game.

In the social deduction game, the players try to keep their spaceship afloat by completing various tasks while one of their Crewmates, who is an imposter, tries to covertly eliminate them. The Crewmates then must try to oust the imposter and remove them from the game using a plurality vote.

The game has been so popular that it has also been used in attempts to mobilize young voters to vote in the 2020 US presidential elections.

Week in security with Tony Anscombe

Security challenges for connected medical devices – Zero-day in Chrome gets patched – How to avoid USB drive security woes

Is your internet-connected medical device vulnerable to cyberattacks and what are the odds that it could be compromised? We look at five chinks in their armor. Google has fixed a vulnerability in the Chrome web browser that was under active exploitation by attackers. USB flash drives are a common sight across homes, offices and schools, but just how secure are they? Are you aware of the underlying risks? All this – and more – on

Securing medical devices: Can a hacker break your heart?

Why are connected medical devices vulnerable to attack and how likely are they to get hacked? Here are five digital chinks in the armor.

There’s virtually no realm in healthcare today that isn’t adopting more technology. From real-time wireless access to your own health parameters through smart watches and wearables to implanted devices inside your body, technology is coming. But can we secure it all?

Several years ago at Black Hat, we saw an insulin pump being hacked. And even if the lion’s share of software on that device was off the shelf, regulators say that the integrator is responsible for security up and down the stack, including the underlying operating system (OS), even if that OS has a good security track record. In other words: Device manufacturers bear the responsibility, no matter what technology they use.

While that casts the burden of security on the manufacturer, it also steeply increases the cost and complexity of bringing a device to market. As a result, while market pressures lean on companies to produce devices quickly, the road ahead looks rocky and expensive. Also, it can unknowingly put patients on the defense.

And what about patches, who’s responsible for those? According to the FDA, the manufacturer does that too. With some medical devices expected to be around for many years, that’s a long time to pay to support gear in the field.

What makes the devices vulnerable and how likely are they to get hacked? As this week’s theme of Cybersecurity Awareness Month focuses on the security of internet-connected devices in healthcare, here are five digital chinks in the armor:

Bluetooth

Many medical devices integrate monitoring and interaction via Bluetooth, which has a long history of vulnerabilities. And while there may be patches, it’s hard to determine the real adoption rate and timeline in the field. Meanwhile, if your blood sugar measurement gets spoofed, you could be in real physical danger if you try to adjust blood glucose levels based on false readings.

Unsupported Windows versions

Many hospitals have management computers for their medical equipment which run on older, unsupported Windows versions due to lagging updates from the manufacturer that did the integration. A manufacturer can’t simply push the latest Windows patch before extensive testing on their units to see integration issues, so patch vetting can be tricky. A would-be attacker has the advantage here, since they can deploy well-known exploits as soon as they come to light, and long before the manufacturer can react.

Cloud connectivity

Many implanted devices “phone home” to medical clinicians through cloud connectivity to facilitate health status updates and trigger events where patients may need to seek attention. As we saw this year at Black Hat and DEF CON, cloud security can be less than stellar. It’s unlikely the patient would have a way to know about potential vulnerabilities, but attackers are quick to seize on known exploits, pumping them through their attack frameworks quite rapidly. In some cases, patients have opted out of external communications with their pacemakers citing hacking fears, but cloud adoption for implanted devices has strong tailwinds pushing further adoption.

Ethernet

Many medical devices plug into medical TCP/IP networks via Ethernet, but it would be very difficult for many clinicians and patients to notice a network tap placed inline with existing connections. By exfiltrating data across wireless links embedded in such a tap, attackers could snoop traffic and craft exploits. This way, attackers only need one-time physical access; and because such taps are cheap, they don’t necessarily have to return to retrieve the device if doing so is deemed too risky.

Wireless keyboards

Keyloggers that capture keystrokes from wireless keyboards have been standard fare for some time now: they pose as fake USB chargers plugged into outlets while snooping for signals and exfiltrating them across industrial 4G wireless cards. This allows the capture of sensitive data like typed passwords, but can also allow attackers to attempt to download and install remote backdoor exploits by bypassing warning prompts from security products.

In closing

The medical field has been on its heels – security-wise – for years. And while it may be making important strides, many medical devices have been performing fine all those years, lessening the perceived need to act. It will be a challenge to “modernize the fleet” for some years to come. Even so, medical folk have started to lean into the process and get the technical chops on staff to start moving the needle. Meanwhile, it might be wise to get to know any vulnerabilities that might affect your medical devices, especially if they are critically involved in your health care, as so many are.

Fraudsters crave loyalty points amid COVID‑19

Scammers even run their own dark-web “travel agencies”, misusing stolen loyalty points and credit card numbers

The hospitality, travel, and retail industries, which have been hit particularly hard by the COVID-19 pandemic, have also been increasingly targeted by cybercriminals seeking to profit from the dire situation, a report has found.

“During the lockdowns in Q1 2020, criminals circulated dozens of password combination lists, and targeted each of the commerce industries. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to an uptick in sales related to loyalty programs,” reads the Loyalty for Sale – Retail and Hospitality Fraud report by content delivery network (CDN) provider Akamai.

These developments contributed to the total tally of more than 100 billion credential-stuffing attacks that Akamai detected between July 2018 and July 2020. No fewer than 63 billion of them targeted the retail, travel, and hospitality sectors. The British health and beauty products retailer Boots is just one notable victim.

Credential stuffing is an automated account-takeover attack during which bad actors leverage bots to hammer websites with login attempts, using stolen or leaked access credentials. Once they stumble upon the right combination of “old” credentials and a new website, they can proceed to exploit the victims’ personal data.

Customer loyalty programs prove to be a juicy target for hackers, since the accounts aren’t perceived as high risk by their holders, who may put more effort into locking down online accounts that they think contain more sensitive data. Such laxity could materialize in the form of password recycling or other common password mistakes people tend to make.

However, the perception of loyalty programs not being high risk isn’t strictly true. “These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft,” reads the report.


The report also outlines a number of examples of how compromised loyalty card accounts could be abused. Hotel reward points, for one, are considered a hot commodity, since these can be used to book free stays, upgrade to better rooms, or access various activities. Depending on the number of accumulated points and the hotel chain, loyalty accounts can be sold on cybercrime forums for as much as US$850.

Some cybercriminals venture even further and operate their own dark-web “travel agencies”, using a combination of stolen credit cards and airline and hotel loyalty programs. “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a US$2,000 booking on a well-known travel comparison/booking website would cost about US$700 on the darknet,” the report said.

Beyond credential-stuffing attacks, threat actors also used SQL Injection and Local File Inclusion attacks to target the retail, hospitality, and travel industries. Akamai recorded almost 4.4 billion web attacks targeting these sectors, which accounted for 41% of overall attacks against all industries. Cybercriminals also deployed Distributed Denial-of-Service (DDoS) attacks, with an average of 125 attacks targeting the commerce industry each week between July 2019 and July 2020.

Google patches Chrome zero‑day under attack

In addition to patching the actively exploited bug, the update also brings fixes for another four security loopholes

Google has rolled out an update to its Chrome web browser that fixes five security flaws, including a vulnerability that is known to be actively exploited by attackers.

“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” said Google about the zero-day flaw in FreeType, a widely used software development library that is also a Chrome component. The bug in this font rendering library affects the browser versions for Windows, macOS, and Linux.

The flaw, classified as high-severity, was reported by Sergei Glazunov, a member of Google’s Project Zero, on October 19th, with the update released soon after. Details about the zero-day remain sparse, although Google did disclose that the memory-corruption flaw causes a heap buffer overflow in FreeType.

Heap overflows are known to cause data corruption or unexpected behavior, which can be used to exploit the program in which the out-of-bounds write occurs.

“This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling… All users should update immediately,” reads the message on the FreeType website.
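The heap buffer overflow described above belongs to a familiar class of bug in file parsers: a length field read from the file itself is trusted when data is copied into a fixed-size heap buffer. The following is an added example, not FreeType’s or Chrome’s code, showing a bounds-checked reader for PNG-style chunks (the four-byte length, type, data and CRC layout that PNG uses). The MAX_CHUNK_DATA cap, the sample chunk bytes and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative cap on the chunk payload we are willing to buffer (constructed
   for this example; real decoders size buffers from validated headers). */
#define MAX_CHUNK_DATA 64

typedef struct {
    char type[5];                 /* 4-char chunk type, NUL-terminated */
    uint8_t data[MAX_CHUNK_DATA]; /* fixed-size destination buffer */
    size_t len;                   /* bytes actually stored in data[] */
} png_chunk;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one PNG-style chunk: 4-byte big-endian length, 4-byte type,
 * <length> bytes of data, 4-byte CRC. Returns bytes consumed, or 0 on error.
 * The heap-overflow bug class is copying <length> bytes into a fixed buffer
 * on the strength of the file's own length field; the two range checks
 * below are what keep the copy inside out->data and inside the input. */
size_t read_png_chunk(const uint8_t *buf, size_t buf_len, png_chunk *out) {
    if (buf_len < 12)                 /* length + type + CRC at minimum */
        return 0;
    uint32_t len = read_be32(buf);
    if (len > MAX_CHUNK_DATA)         /* would write past out->data */
        return 0;
    if (len > buf_len - 12)           /* would read past the input */
        return 0;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, buf + 8, len);
    out->len = len;
    return 12 + (size_t)len;          /* CRC verification omitted here */
}

/* Constructed sample inputs (not real PNG files; CRC bytes are dummies). */
static const uint8_t GOOD_CHUNK[] = {        /* IHDR with a 13-byte payload */
    0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x00,
    0xAA, 0xBB, 0xCC, 0xDD
};
static const uint8_t OVERSIZED_CHUNK[] = {   /* declares ~2 GiB of data */
    0x7F, 0xFF, 0xFF, 0xFF, 'I', 'D', 'A', 'T',
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};
static const uint8_t TRUNCATED_CHUNK[] = {   /* declares 13 bytes, supplies 6 */
    0x00, 0x00, 0x00, 0x0D, 'I', 'D', 'A', 'T',
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xAA, 0xBB, 0xCC, 0xDD
};

/* Wrappers that return the parser's result for each constructed input. */
size_t parse_good(void)      { png_chunk c; return read_png_chunk(GOOD_CHUNK, sizeof GOOD_CHUNK, &c); }
size_t parse_oversized(void) { png_chunk c; return read_png_chunk(OVERSIZED_CHUNK, sizeof OVERSIZED_CHUNK, &c); }
size_t parse_truncated(void) { png_chunk c; return read_png_chunk(TRUNCATED_CHUNK, sizeof TRUNCATED_CHUNK, &c); }

int main(void) {
    printf("good: %zu bytes consumed\n", parse_good());        /* 25 */
    printf("oversized: %zu (rejected)\n", parse_oversized());  /* 0 */
    printf("truncated: %zu (rejected)\n", parse_truncated());  /* 0 */
    return 0;
}
```

Removing the `len > MAX_CHUNK_DATA` check turns the second memcpy into exactly the kind of out-of-bounds write the article describes; building with `-fsanitize=address` (the ASAN build mentioned in the tweet further down) makes such a write abort loudly at the offending copy instead of silently corrupting neighbouring heap data.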

Ben Hawkes, the technical lead at Project Zero, tweeted that although the team only noticed an exploit targeting Chrome, those using FreeType should also patch their systems using the software library’s emergency fix, lest they be targeted by cybercriminals rushing to exploit the loophole. He also addressed concerns about whether the zero-day might also affect Chrome for Android.

The chromium tracking bug has the OS-Android label applied (which means that they think that the bug does affect Android), but this isn’t something that Project Zero has validated. An ASAN build is required if you’re trying to reproduce it with the test font on the upstream bug.

— Ben Hawkes (@benhawkes) October 21, 2020

The update also patched four other vulnerabilities, three of them rated high severity and one rated medium severity.

If you have automatic updates enabled, your browser should update to the latest 86.0.4240.111 version by itself. However, if you haven’t enabled this option, you’ll have to do it yourself via the About Google Chrome section, which is located under Help in the side menu.

How safe is your USB drive?

What are some of the key security risks to be aware of when using USB flash drives and how can you mitigate the threats?

Most of you probably own at least one USB thumb drive, which you typically use either to transfer data or as a backup for sensitive documents. Alternatively, you may like to carry your work with you so you can dive into it at a moment’s notice. So, if you only plug the flash drive into machines you trust, most of the time you should be safe.

Unfortunately, if you’re like most people, you may not always use only trustworthy devices. For example, students tend to use flash drives to print out their study materials and other documents at print shops or libraries. They also tend to allow their classmates to borrow them or pass them around. And these practices aren’t just limited to students. Since you can’t tell how either the print shop or your friends manage their devices, or what their approach to cybersecurity is, you can’t be sure about anything.

If any of those devices has been infested with malware, it’s highly possible that your drive is now infested as well, or your files copied from it for nefarious purposes. When you plug your USB stick into your own computer, then the malware will probably spread to it too. This is known as cross-contamination and is a common way for malicious code to spread.

Another thing you have to watch out for is what data you store on your drives. Although you may consider it highly unlikely, there is always a chance that you may misplace it, or it may be stolen. If that happens: at best, the only loss you incur is the flash drive with some useless data; at worst, it may contain data that can be exploited by whoever found it or stole it.

The above-listed examples are just some of the reasons why some companies, such as IBM, opted to ban removable storage devices altogether. The risks are just too high.

What are your options?

Right off the bat, you should draw a clear distinction between your work and personal flash drives, so if either of them gets compromised, you don’t cross-contaminate your devices. You should also avoid storing personal data on your work flash drive and vice versa.

Another thing you might want to do is encrypt all your sensitive data that you want to load onto your flash drive. So, even if it is ever lost or stolen, no one can access the data and the drive essentially becomes nothing more than a fancy paperweight.

To kick it up a notch, you can also purchase a flash drive that has additional security features, like a hardware security solution in the form of a PIN code or a biometric scanner, as well as built-in encryption. Some of the manufacturers even offer multiple levels of protection such as adding additional encryption and dividing your drive into private and public partitions.

We mentioned the following advice in our recent article about USB flash drives, but repetition is the mother of wisdom. You should disable the Autorun feature on your computer to prevent it from opening any USB drives – especially those that may possibly contain any form of malicious threat.

And never underestimate the value of a reputable endpoint solution, which can go a long way in protecting you against various threats including infested USB drives.

Also, don’t forget to keep all your devices patched and your software updated to the latest versions.

Microsoft issues two emergency Windows patches

The flaws, neither of which is being actively exploited, were fixed merely days after the monthly Patch Tuesday rollout

Microsoft has rushed out fixes for two security vulnerabilities affecting Microsoft Windows Codecs Library and Visual Studio Code. The security flaws are classified as Remote Code Execution (RCE) vulnerabilities and if successfully exploited could allow threat actors to take over an affected system entirely.

Both vulnerabilities hold a score of 7.8 on the Common Vulnerability Scoring System (CVSS) scale and are considered “important” by Microsoft. There seems to be no evidence to suggest that either has been under active exploitation.

Indexed as CVE-2020-17022, the security loophole in the Windows Codecs Library does not affect users running Windows 10 in its default configuration. Instead, only users who have installed the optional High Efficiency Video Coding (HEVC) or “HEVC from Device Manufacturer” media codecs and are running Windows 10 version 1709 or above could be vulnerable.

“Exploitation of the vulnerability requires that a program process a specially crafted image file,” Microsoft said, explaining the attack vector a cybercriminal could use. The flaw – for which there are no known mitigations or workarounds – has to do with how Windows Codecs Library handles objects in memory.

It’s worth noting that instead of the usual Microsoft Update channel, the patch is being delivered via Microsoft Store. Since both HEVC versions are optional apps or components that are offered to customers via the Store, the updates are offered through the same channel.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” said Microsoft. The company also offered this guidance for users who want to expedite the process or check if the updates have been implemented on their systems.

Meanwhile, the flaw in Visual Studio Code tracked as CVE-2020-17023 could be exploited if a user was duped into opening a malicious JSON file. As is the case with the previous vulnerability, there are no workarounds or mitigating factors. Users are, therefore, advised to apply the patch.

The United States Cybersecurity and Infrastructure Security Agency (CISA) urged people to make sure their systems are updated.

Microsoft has released security updates to address remote code execution vulnerabilities in Windows Codecs Library and Visual Studio Code. Read more at #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) October 16, 2020

The security patches were released within days of Microsoft’s Patch Tuesday, which addressed 87 vulnerabilities, 12 of which were classified as critical on the CVSS scale. Out-of-band patch releases are usually reserved for unexpected, wide-ranging, or severe vulnerabilities.

Week in security with Tony Anscombe

ESET joins global effort to disrupt the infamous Trickbot botnet – Criminals claim to have hijacked thousands of security cameras – Five ways to secure your home office

ESET has joined a global coordinated operation to disrupt Trickbot, the infamous botnet that has compromised at least a million computers. A hacker group is selling access to people’s private footage after allegedly hijacking more than 50,000 home security cameras. What are some of the ways to secure your home office – without having to rely on an expert’s help? All this – and more – on

Child abductors may use social media to lure victims, FBI warns

School closings and more screen time can ultimately put children at an increased risk of being kidnapped by strangers they met online

With the pandemic-forced closure of schools and a surplus of free time on their hands, minors are currently at greater risk of encountering all manner of criminals online, warns the FBI’s Internet Crime Complaint Center (IC3). The offenders may even pose as minors in an attempt to lure their targets into a trap and abduct them.

“While criminals exploit social media and social networks to commit crimes involving child sexual abuse material, sex trafficking of a minor, and child sex tourism, the use of these platforms to facilitate child abductions is lesser-known,” said the Bureau. Indeed, the FBI recently warned that human traffickers were luring victims using dating apps.

The modus operandi of child abductors involves creating accounts on various social media networks and dating platforms, where they search for their prospects. The offenders will then contact and attempt to groom the targets, eventually convincing them to meet up with the aim of abducting them. Using these platforms proves to be an attractive method of initiating contact since it’s not as risky as trying to lure the victims in person.

While the number of kidnappings in which social media platforms were used to establish contact accounts for just a small part of the FBI’s child abduction investigations, the proliferation and availability of the internet, in combination with the time minors spend on it, are likely to exacerbate the problem.

According to a survey by YouGov, 2 in 5 children aged 8-12 years spend two hours or more online, with almost half of those aged 13-17 saying that they spend a similar amount of time online, with at least some of it dedicated to using social media. Although most social media apps require account holders to be at least 13, it’s safe to say that many children set up their profiles sooner than that – with or without their parents’ knowledge or consent.


The Bureau also described three cases where victims were abducted after being contacted by criminals on social media apps. All three children were eventually reunited with their families, but the incidents clearly make a case for monitoring children’s social media use.

For starters, parents should actively discuss social media use with their children. By having these discussions early and clearly explaining the risks, parents can lower the chances of their children using these platforms in ways that may hurt them. If you’d like to take an even more active role in your children’s social media journey, you can use parental controls such as TikTok’s Family pairing or Facebook’s Messenger Kids.

Importantly, comprehensive parental control tools are often integrated into security software and can be very helpful when it comes to keeping an eye on what your offspring are up to online.

To learn more about the dangers children face online, and about how technology and other measures can help, head over to Safer Kids Online.