Cryptocurrency exchange Binance temporarily halted its blockchain network on Thursday in response to a cyberattack that led to the theft of two million BNB tokens, notionally exchangeable for $566 million in fiat currency.
The shutdown, requiring the cooperation of 26 validators to close the decentralized system, occurred around 2200 UTC on October 6, as a result of the exploitation of the BSC Token Hub bridge, which connects the BNB Beacon Chain and the BNB Smart Chain so tokens from different blockchains can be exchanged.
“There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as ‘BSC Token Hub’,” said Din (Dardania) Havolli, content lead for BNB Chain, in a blog post. “A total of two million BNB was withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library.”
Binance, registered in the Cayman Islands, is the largest cryptocurrency exchange by volume.
Security firm SlowMist says that the crypto-robbers have moved about $110 million off the BNB chain to other blockchains. The suspension of the network kept about $430 million worth of BNB tokens from being transferred and those tokens appear to remain trapped in the thieves’ digital wallet. The BSC Token Hub resumed operations around 0630 UTC on October 7.
The heist is the latest in a long series of hits on blockchain bridges, systems that allow transactions via so-called smart contracts across different blockchains. There was the $191 million looting of Nomad in August. Before that, there was Ronin Bridge ($600 million); Qubit Bridge ($80 million); Wormhole Bridge ($320 million); Meter.io Bridge ($4.4 million); and Poly Network Bridge ($610 million that was returned).
The Ethereum documentation on blockchain bridges warns that bridges are relatively new and carry risks. These include “the risk of a bug in the code that can cause user funds to be lost,” and the possibility that “software failure, buggy code, human error, spam, and malicious attacks can possibly disrupt user operations.”
The documentation turns out to be correct.
“While investigations are still at a preliminary stage, it appears that the attacker was able to forge proof messages that were then accepted by the BSC Token Hub bridge,” said Ronghui Gu, CEO and co-founder of CertiK, a blockchain security firm, in a statement provided to The Register. “This bug seems to be the result of the bridge not fully verifying the Merkle proof to the root hash, which allowed the attacker to generate forged proofs from a previous, legitimate one and then mint BNB directly to their wallet.”
Paradigm researcher Sam Sun, who analyzed the attack in a Twitter thread, concluded there was a bug in the way the Binance Bridge verified proofs that allowed attackers to forge arbitrary messages.
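To make the class of bug CertiK and Sun describe concrete, here is an added example in Python. It is not code from BNB Chain, Cosmos or either researcher, and it is deliberately far simpler than the IAVL proofs the Token Hub actually verifies: a minimal Merkle proof verifier with a broken variant that checks a proof only against the root carried inside the message, beside the fixed variant that binds the proof to the root the receiving chain already trusts. The tree layout, the domain-separation prefixes and the sample packets are all constructed for the example.

```python
import hashlib


def leaf_hash(data: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a leaf cannot be replayed as a node.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _next_level(level: list[bytes]) -> list[bytes]:
    if len(level) % 2:                      # duplicate the last node on odd levels
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list[bytes]) -> bytes:
    level = [leaf_hash(x) for x in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling path from leaf `index` up to the root as (sibling_hash, sibling_is_left)."""
    level = [leaf_hash(x) for x in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
        level = _next_level(level)
    return proof


def root_from_proof(payload: bytes, proof: list[tuple[bytes, bool]]) -> bytes:
    h = leaf_hash(payload)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h


def verify_vulnerable(message: dict) -> bool:
    """Broken: trusts the root the sender put in the message. Every hashing step is
    performed correctly, yet nothing ties the result to committed chain state."""
    return root_from_proof(message["payload"], message["proof"]) == message["root"]


def verify_fixed(message: dict, trusted_root: bytes) -> bool:
    """Fixed: the recomputed root must equal the root the light client already holds."""
    return root_from_proof(message["payload"], message["proof"]) == trusted_root


def forge_from_legit(legit: dict, new_payload: bytes) -> dict:
    """What an attacker does with a captured legitimate proof: keep its sibling path,
    swap in a new payload, and recompute a root that matches the new payload."""
    proof = legit["proof"]
    return {"payload": new_payload, "proof": proof, "root": root_from_proof(new_payload, proof)}


# Constructed sample: a committed batch of cross-chain packets.
PACKETS = [b"transfer:alice->bob:10", b"transfer:carol->dave:25",
           b"transfer:erin->frank:5", b"transfer:grace->heidi:40"]
TRUSTED_ROOT = merkle_root(PACKETS)   # what the receiving chain already holds


def demo() -> dict:
    legit = {"payload": PACKETS[2], "proof": merkle_proof(PACKETS, 2), "root": TRUSTED_ROOT}
    forged = forge_from_legit(legit, b"mint:attacker:2000000")
    return {
        "vulnerable_accepts_legit": verify_vulnerable(legit),
        "vulnerable_accepts_forged": verify_vulnerable(forged),
        "fixed_accepts_legit": verify_fixed(legit, TRUSTED_ROOT),
        "fixed_accepts_forged": verify_fixed(forged, TRUSTED_ROOT),
    }


if __name__ == "__main__":
    print(demo())
```

The point a bridge auditor would check for is whether the verifier's final comparison is against state it already trusts or against a value the message itself supplies; a verifier that only checks internal consistency of the proof will accept any payload for which the attacker recomputes the root.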
Changpeng Zhao, Binance’s CEO, reiterated the apology in Havolli’s post and claimed everyone’s money is OK. “The issue is contained now,” he said via Twitter. “Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.”
Avast has released a decryptor for variants of the Hades ransomware known as ‘MafiaWare666’, ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt,’ which can allow the victims of these ransomware strains to recover their files without paying the ransom.
The security firm discovered a bug in the encryption process implemented by the Hades ransomware that can be used to recover the files encrypted by some variants.
“We discovered a vulnerability in the encryption schema that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis,” reads the post published by Avast.
The experts pointed out that the Hades ransomware affected by the flaw did not exfiltrate any data from the victims. MafiaWare666, for example, is a ransomware strain written in C# which doesn’t contain any obfuscation or anti-analysis techniques. The malicious code encrypts files using AES encryption.
The malware samples analyzed by the researchers append the following extensions to the filenames of the encrypted files:
.MafiaWare666
.jcrypt
.brutusptCrypt
.bmcrypt
.cyberone
.l33ch
Once the MafiaWare666 variant completes the encryption process, it displays a window that provides payment instructions to the victims. The ransom price ranges from $50 to $300, although some of the older samples with different names demand up to one Bitcoin.
Victims of these variants can download the free decryptor from the Avast server along with instructions to use it.
The tool also lets victims who already know a valid password (for instance, one obtained with the attackers' own decryptor, which they were unable to run) supply it directly by ticking a box in the tool's interface.
If victims do not have the password, the Avast tool can brute-force it for them.
“Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking ‘Next’,” Avast concludes. “On the final page, you can opt in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking ‘Decrypt’ the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.”
In cybersecurity, if it isn’t one thing, it’s another 14.4 billion things that’ll get ya. That’s about how many Internet of Things (IoT) devices will proliferate globally by the end of the year, according to some analyst estimates.
As a body, this is arguably one of the most rapidly spreading and poorly secured threat surfaces on the planet — the joke is that in IoT, the “S” stands for security. And for a category of devices that bill themselves as “smart,” it’s full of an awful lot of pretty dumb concepts for objects that don’t really have any business being connected to the Internet.
For every useful IoT platform running things like remote windmills or saving lives in a hospital, there are dozens more connected toilet seats and water bottles cluttering up the world’s networks. What’s more, many of even the most useful IoT devices come with a ton of unintended security and privacy consequences due to a lack of security by design, poorly secured connections, and a lack of consideration or care over how the data produced by them is used and shared.
So, in honor of Cybersecurity Awareness Month, the Dark Reading crew thought it was only fitting to roast the types of IoT devices that are most likely to make security and privacy people cringe. We’ll poke a little fun and maybe even offer a serious take or two on why these devices are insecure, bizarrely impractical, or just downright creepy in the kind of data they collect about our lives and our businesses.
IoT Surveillance Cameras
Whether they’re aimed at city street corners, corporate facilities, or junior’s crib, IoT video cameras have already become a mainstay in our connected and increasingly surveilled lives. Even discounting the myriad of privacy concerns raised by videos of people in both private and public spaces being uploaded to the corporate cloud, the security ramifications of IoT cameras are already surfacing.
The rise of the Mirai botnet and the DDoS damage it caused illustrated some of them pretty early in the game, as attackers abused factory-default credentials and known vulnerabilities in IoT cameras and DVRs to create a legion of bots ready for attacking systems.
As one paper published in the journal Internet of Things noted, IoT cameras are frequently riddled with flaws that include a “lack authentication of protocols utilized in streaming video and also the encryption of all communication between the camera, applications, and servers.”
These flaws not only make Mirai-style DDoS attacks possible but open up targeted attacks that can include the remote takeover of cameras to do anything from spying on kids in the sanctity of their rooms to spying on corporate meetings in boardrooms.
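Mirai's camera recruitment was not exotic: it walked a hard-coded list of factory username/password pairs over telnet. The following is an added example (not code from Dark Reading, the cited paper or the Mirai source) of the detection a defender with a telnet honeypot or device auth logs would write: it parses a constructed, honeypot-style log format, flags sources that sweep several Mirai-list credential pairs in a short window, and flags any login that succeeded with a factory credential. The log layout and the sample lines are constructed for the example; the credential pairs are a subset of the ones in the leaked Mirai source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few of the factory username/password pairs hard-coded in the Mirai source
# (public since 2016); the real table is about 60 entries long.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"), ("admin", "1111"), ("ubnt", "ubnt"), ("guest", "guest"),
}

# Constructed honeypot-style line format (not any vendor's real log layout):
# <ISO timestamp> <source ip> telnet login <user>/<password> failed|succeeded
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) telnet login (?P<user>[^/\s]*)/(?P<pw>\S*) "
    r"(?P<result>failed|succeeded)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_default_cred_abuse(lines, threshold: int = 3,
                              window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag sources that try `threshold` or more distinct Mirai-list credential pairs
    within `window`, plus every login that succeeded with a factory credential."""
    attempts = defaultdict(list)           # src -> [(ts, (user, pw)), ...]
    successes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cred = (rec["user"], rec["pw"])
        if cred not in DEFAULT_CREDS:
            continue                       # ordinary failed logins are not the signal here
        if rec["result"] == "succeeded":
            successes.append((rec["src"], cred))
        attempts[rec["src"]].append((rec["ts"], cred))

    sweeps = {}
    for src, events in attempts.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):   # sliding window anchored at each attempt
            tried = {cred for ts, cred in events[i:] if ts - t0 <= window}
            if len(tried) >= threshold:
                sweeps[src] = sorted(tried)
                break
    return {"sweeps": sweeps, "default_cred_successes": successes}


# Constructed sample log: one fast Mirai-style sweep that ends in a successful login,
# one source that merely fat-fingers admin/admin, and one slow scanner.
SAMPLE_LOG = """\
2022-10-06T22:01:03Z 203.0.113.5 telnet login root/xc3511 failed
2022-10-06T22:01:04Z 203.0.113.5 telnet login root/vizxv failed
2022-10-06T22:01:05Z 203.0.113.5 telnet login admin/admin failed
2022-10-06T22:01:06Z 203.0.113.5 telnet login root/888888 succeeded
2022-10-06T22:03:10Z 198.51.100.7 telnet login admin/admin failed
2022-10-06T22:03:12Z 198.51.100.7 telnet login alice/correct-horse failed
2022-10-06T23:15:00Z 192.0.2.9 telnet login root/123456 failed
2022-10-06T23:30:00Z 192.0.2.9 telnet login root/default failed
2022-10-06T23:45:00Z 192.0.2.9 telnet login root/juantech failed
""".splitlines()


def run_sample() -> dict:
    return detect_default_cred_abuse(SAMPLE_LOG)


if __name__ == "__main__":
    print(run_sample())
```

With the default 60-second window the slow scanner at 192.0.2.9 is not flagged; widening the window catches it at the cost of more noise. Either way the detection is a backstop: the fix that actually removes the exposure is changing the factory credentials and keeping telnet off the internet.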
Smart Toilets
Cue the security sarcasm meter for this one: How about a smart toilet equipped with a connected camera? What could possibly go wrong?
While it might sound like an outrageous setup for a prank comedy show, some scientists really are interested in bringing something like this to the underside of our toilet bowls. They say that our backsides have a biometric print as unique as a fingerprint and they can use toilets like these to identify illness and disease in early stages.
And this is actually only one of a number of iterations of features dreamed up by potty innovators to comprise the vision for smart toilets of the future. Others include toilets that would remotely sift through waste and upload data that can be used to find markers of illnesses, those that can monitor the maintenance state of a toilet, and some that use connectivity for fancy lighting.
A study out in 2019 put a number on it, claiming some one in five security pros fear their connected toilets would be hacked. They’re not the only ones to mistrust smart toilets — most people look askance at the idea. In a poll by Thomson Reuters, only half of people surveyed would even be somewhat comfortable using one, and three in 10 people say they’d flat out resist the urge to go on a connected toilet.
Digital License Plates
Digital license plates are the growing new hotness in the IoT hype machine, with companies like Reviver vaunting the benefits of these devices such as smoothing out the process of toll collection, recovering stolen devices, and enforcing license fees for state agencies.
But as the inimitable Bruce Schneier said so succinctly a couple of years ago, “This makes no sense to me. The numbers are static. License plates being low-tech are a feature, not a bug.”
Digital license plates open the door to all sorts of security and privacy issues when it comes to government surveillance or tracking, potential stalking by those who manage to hack the devices, and plenty of availability headaches when a malfunctioning device fails to display numbers that a piece of stamped metal shows perfectly well.
And yet, here we are, with California just this month making a digital plate pilot program permanent and Colorado becoming the fourth state to roll them out to citizens, with many more states exploring their options.
Smart Speakers
“Hey, Smart Speaker, tell me the cybersecurity risks of putting an always-on microphone into my home or place of business that connects and sends recordings to someone else’s cloud?”
Smart speakers from the likes of Google, Amazon, Apple, and many other manufacturers in between may offer a ton of whizbang features that are irresistible to many — even sometimes to the most cynical security people. Anecdotally, we’ve run across plenty of security pros who admit they couldn’t help themselves in getting a Dot or an Alexa. But what we gain in being able to control lighting with a simple voice command we give up in the form of added security and privacy risks.
Smart speakers are a potential risk for everything from creepy eavesdropping by vendors to hyper-targeted ads to consumers to being hijacked by malicious actors to spy on people and businesses.
Smart Kitchen Appliances
If you thought Patch Tuesday sucks in a corporate security job, imagine being the parent of a baby about to warm up a bottle who finds out a bad firmware update bricked their microwave. A decade ago this kind of scenario might have sounded far-fetched, but it’s increasingly becoming common.
This spring, a fat-finger incident from an admin at microwave manufacturer Electrolux caused the company to push out a bad over-the-air firmware update to microwaves across Europe that made them think they were steam ovens. It broke devices to the point where the manufacturer had to physically send technicians to fix them.
Smart kitchen appliances like ovens, microwaves, and refrigerators may not necessarily be the huge enterprise risk that other IoT devices might be, but the above situation warrants asking the appropriate risk assessment question, “Are the rewards really worth the risk for making these appliances ‘smart’ devices?”
Robotic Vacuums
How many years old were you when you realized that the robotic vacuum that roams people’s houses and offices cleaning up the dirt is also mapping the layout of those spaces — and dishing that digital dirt back to the vacuum vendor’s cloud? Many people would be exactly today years old about this one, as most don’t think too deeply about how a vacuum does its job.
But it’s the truth, and just a couple months ago, Amazon paid a mint for one of the biggest companies sitting on this kind of detailed data about people’s physical spaces. Amazon purchased iRobot, maker of the Roomba, for $1.7 billion. This is yet another IoT data collection arrow in Amazon’s massive quiver, and many privacy advocates are growing increasingly alarmed.
“This is not just about Amazon selling another device in its marketplace,” Robert Weissman, president of the consumer advocacy group Public Citizen, told The Guardian when the deal was announced in August. “It’s about the company gaining still more intimate details of our lives to gain unfair market advantage and sell us more stuff. The last thing the world needs is Amazon vacuuming up even more of our personal information.”
Smart Locks
As a class of devices, smart locks sound pretty cool and convenient to the typical person. How nice would it be to open up the door from the driveway when you know you’re going to be bringing in the groceries, or to share a time-limited passcode with the cleaning company, right? But these devices also pave the way for scenarios that would make any security-conscious person’s hair stand on end.
These devices are notoriously insecure — with research uncovering flaws in firmware, authentication, communication protocols, and more that make them vulnerable to hacking by stalkers, burglars, and more. Some recent examples of that research include exhibits A, B, and C amid a whole alphabet of growing research.
What’s more, when these locks don’t have a key and are only operated digitally, they have the same resilience problem that so many IoT devices have when disruptions like Internet outages arise. Case in point was when a widespread Internet outage for Canadian provider Rogers made it impossible for a major concert venue — one incidentally sponsored by Rogers — to open the doors for a concert this summer. Also affected at the venue were other IoT devices like ticket-processing machines and concession point-of-sale machines.
Lazarus is the latest group to pull off a “bring your own vulnerable driver” attack.
Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that attackers must control to fully take over a computer. A cornerstone of that progress was the enactment of strict new restrictions on the loading of system drivers that run in kernel mode. These drivers are crucial for computers to work with printers and other peripherals, but they’re also a convenient inroad for malware seeking unfettered access to the most sensitive parts of Windows. Starting with 64-bit Windows Vista, such drivers could be loaded only if they carried a valid digital signature from a trusted certificate authority, and since Windows 10 version 1607 new kernel drivers must additionally be submitted to and signed by Microsoft itself.
Last week, researchers from security firm ESET revealed that about a year ago Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole that has existed in Microsoft’s driver signature enforcement (DSE) from the start. The malicious documents Lazarus tricked targets into opening gave it administrative control of the target’s computer, but Windows’ modern kernel protections presented a formidable obstacle to Lazarus’ objective of storming the kernel.
Path Of Least Resistance
So Lazarus chose one of the oldest moves in the Windows exploitation playbook—a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell prior to the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.
ESET researcher Peter Kálnai said Lazarus sent two targets—one an employee of an aerospace company in the Netherlands and the other a political journalist in Belgium—Microsoft Word documents that had been booby-trapped with malicious code that infected the computers that opened them. The hackers’ objective was to install an advanced backdoor dubbed Blindingcan, but to make that happen, they first had to disable various Windows protections. The path of least resistance, in this case, was simply to install dbutil_2_3.sys, the buggy Dell driver, which is responsible for updating Dell firmware through the Dell BIOS Utility.
“For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions,” Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.”
In the case involving the journalist, the attack was triggered but was quickly stopped by ESET products, with just one malicious executable involved.
While it may be the first documented case of attackers exploiting CVE-2021-21551 to pierce Windows kernel protections, it’s by no means the first instance of a BYOVD attack. A small sampling of previous BYOVD attacks include:
Malware dubbed Slingshot that hid on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, Slingshot exploited vulnerabilities that had been found as early as 2007 in signed drivers including Speedfan.sys, sandra.sys, and the driver tracked as CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). Because these drivers had been validly signed at one time, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well known.
LoJax, the first UEFI rootkit known to be used in the wild. To gain access to targets’ UEFI modules, the malware installed a powerful utility called RWEverything that had a valid digital signature.
This BYOVD primer, authored by ESET’s Michal Poslušný, lists a host of other known vulnerable drivers that have been used to break Microsoft’s DSE.
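Since, as the article goes on to show, the platform-level block may not be in place, the practical defence for most shops is to hunt for the pattern in telemetry. The following is an added example (not code from ESET, Microsoft or Dell) of a triage pass over Sysmon Event ID 6 (DriverLoad) records: it matches the loaded driver's SHA-256 against a blocklist, matches the file name against the drivers named in this article as a weaker hunting aid, and flags drivers that are unsigned or were loaded from outside the driver store, which is the tell-tale shape of a BYOVD drop. The sample events, their paths, signer strings and the placeholder blocklist hash are all constructed; a real blocklist would carry the published hashes of the vulnerable driver builds.

```python
from dataclasses import dataclass


@dataclass
class DriverLoad:
    """The Sysmon Event ID 6 (DriverLoad) fields this triage needs."""
    image_loaded: str
    hashes: str          # Sysmon "Hashes" field, e.g. "SHA256=...,MD5=..."
    signed: bool
    signature: str       # signer subject as Sysmon reports it


def parse_hashes(field: str) -> dict:
    pairs = (part.split("=", 1) for part in field.split(",") if "=" in part)
    return {algo.strip().upper(): value.strip().lower() for algo, value in pairs}


# Driver file names this article names as abused in BYOVD attacks. Names are a weak
# signal (an attacker can rename the file), so they serve as a hunting aid only.
KNOWN_BAD_NAMES = {
    "dbutil_2_3.sys": "Dell dbutil, CVE-2021-21551 (Lazarus, per ESET)",
    "speedfan.sys": "abused by Slingshot",
    "sandra.sys": "abused by Slingshot",
    "rwdrv.sys": "RWEverything kernel driver (LoJax)",
}

# Hash matching is the strong signal. The entry below is a constructed placeholder.
KNOWN_BAD_SHA256 = {
    "0" * 64: "constructed placeholder hash for a known-vulnerable driver",
}

DRIVER_STORE_PREFIXES = (
    "c:/windows/system32/drivers/",
    "c:/windows/system32/driverstore/",
)


def triage_driver_loads(events) -> list:
    """Return [(image_loaded, [tags]), ...] for every load worth an analyst's time."""
    findings = []
    for ev in events:
        path = ev.image_loaded.replace("\\", "/").lower()
        name = path.rsplit("/", 1)[-1]
        sha256 = parse_hashes(ev.hashes).get("SHA256", "")
        tags = []
        if sha256 in KNOWN_BAD_SHA256:
            tags.append("blocklisted-hash")
        if name in KNOWN_BAD_NAMES:
            tags.append("blocklisted-name")
        if not ev.signed:
            tags.append("unsigned")               # DSE should have refused this; check for tampering
        if not path.startswith(DRIVER_STORE_PREFIXES):
            tags.append("outside-driver-store")   # signed driver dropped in a temp dir: the BYOVD shape
        if tags:
            findings.append((ev.image_loaded, tags))
    return findings


# Constructed sample events (paths, hashes and signer strings are made up for the example).
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys",
               "SHA256=" + "a" * 64 + ",MD5=" + "b" * 32, True, "Microsoft Windows"),
    DriverLoad(r"C:\Users\victim\AppData\Local\Temp\dbutil_2_3.sys",
               "SHA256=" + "0" * 64 + ",MD5=" + "c" * 32, True, "Dell Inc"),
    DriverLoad(r"C:\Windows\Temp\helper.sys",
               "SHA256=" + "d" * 64, False, "-"),
]


def run_sample() -> list:
    return triage_driver_loads(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, tags in run_sample():
        print(image, tags)
```

The order of the checks reflects confidence: a hash hit is actionable on its own, a name hit or an odd load path is a lead to pull the file and check its version and signer against the vendor's advisory.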
Given the history, you might think that Microsoft would have created a viable defense to stop BYOVD attacks, but sadly there’s no evidence that’s the case. The company claims that Windows users can enable a feature that automatically blocks known vulnerable drivers, but I was unable to make it work on my ThinkPad running the latest version of Windows 10, and as I’ll get to shortly, Microsoft has no interest in helping me.
The company also suggests elsewhere that turning on the combination of memory integrity and Hypervisor-protected code integrity will offer protection against BYOVD attacks, but at my request, Kálnai enabled both on a system running Windows 10 Enterprise, 10.0.19044 and then attempted to load the vulnerable Dell driver exploited by Lazarus. As the screenshot below shows, the driver loaded just fine.
In fairness to Microsoft, blocking a set of signed drivers from loading in Windows is a complicated process. At first blush, revoking the certificates used to sign the drivers may sound viable, but it’s not. The Internet servers that make certificate revocation work aren’t reliable enough. There are other complications as well, including the volume of drivers Microsoft must support through its massive ecosystem.
“Unfortunately, [blocking] signed drivers is complicated problem since it’s already trusted and [a] black/white listing approach will not work at such scale,” Alex Matrosov, founder and CEO of security firm Binarly and an expert in BYOVD attacks wrote in a private chat. “MS [is] trying to create some runtime prevention over blocking known vulnerable or malicious drivers but it doesn’t solve [the] industry-wide problem. You can block one, two or ten drivers but it’s thousands of them which can be used in such a way.”
Kálnai concurred, writing in an email:
“Vulnerable drivers have been abused by the game-cheating community and malware authors alike for a long time. It is still an ongoing battle. The vendors are trying to fix the vulnerabilities; Microsoft is trying to strengthen the operating system from the inside and third-party security vendors are trying to detect such drivers themselves. But still, the industry doesn’t have a unified way of handling the problem and there’s no guarantee that [one] even exists.”
Hear no evil, speak no evil
I also sent an email to people at WE Communications, the PR gatekeeper for all things Microsoft. “Is there anything Microsoft, Dell or anyone else can do to prevent these so-called bring your own vulnerable driver techniques from working?” I asked. “Maybe a blocklist or driver certificate revocation? If these remedies ARE in place, why didn’t it work in this case, and in past cases of BYOVD (e.g. Slingshot and InvisiMole APT groups, the RobbinHood, and LoJax)?”
I also asked for some basic history of Windows DSE to make sure my understanding was accurate.
A few hours later, I got a response: “Hi Dan, Heard from Microsoft on this and nothing to share here at this time.”
Contrast this curt response to tweets like this one, from Microsoft’s VP of OS Security and Enterprise, claiming “Windows has everything you need to block” buggy signed drivers.
Even if an enterprise with experienced admins gets driver blocking to work, ESET reports the protection may result in a performance hit of anywhere from 5 percent to 25 percent. For the time being, it would appear that BYOVD attacks are a fact of life for many Windows users. Microsoft declined to say if new Windows 11 protections will make any difference.
I tried to make the case to WE Communications that there’s no benefit to Microsoft or its customers to stay mum in cases like these, and that if there are no meaningful mitigations for this particular threat, the company would receive points for transparency and honesty by simply saying that.
Unfortunately, the “nothing to share” response is increasingly the dominant approach Microsoft and many of its competitors take to discussing unpleasant security realities in 2022. As enlightening as last week’s report from ESET is, it may be that its biggest takeaway is that people can’t count on the companies they trust to provide transparent, actionable security advice and instead willfully leave reporters in the dark.
The firm’s former chief information security officer was found guilty of hiding a massive data breach from federal investigators.
A federal jury has convicted Uber’s former security chief of charges related to a 2016 cover-up involving the ride-share giant, according to journalists present in the courtroom.
Joe Sullivan, who was found guilty of one count of obstruction and one count of misprision of a felony on Wednesday, helped to conceal a massive 2016 data breach from authorities, while also obstructing a Federal Trade Commission investigation.
Sullivan’s troubles began in the fall of 2016, when two cybercriminals managed to compromise an Amazon data storage server operated by the company and stole personally identifying information on some 600,000 Uber drivers, as well as approximately 57 million users of the ride-share app. The hackers then contacted Sullivan via email in an attempt to extort the company for $100,000.
To complicate matters, Uber was being investigated by the FTC for a previous hacking incident at the time of the breach. Sullivan secretly paid off the hackers via the company’s bug bounty program and then later misled federal investigators about what had occurred.
Under Sullivan’s watch, the public was never notified about the incident, despite the fact that the criminals had stolen users’ names, phone numbers, and email addresses. Uber drivers’ license numbers were also stolen.
Federal prosecutors alleged that Sullivan subsequently attempted to “conceal, deflect, and mislead the Federal Trade Commission about the breach.” Sullivan’s charges stem from the cover-up, not paying the hackers. The latter has become increasingly common in the cybersecurity industry in recent years.
A former federal prosecutor turned corporate cybersecurity guru, Sullivan took over security at Uber after a similar stint at Facebook and other high-level positions in Silicon Valley. He ran security at the global ride-share firm until November 2017, when Uber’s new CEO, Dara Khosrowshahi, who had taken over earlier that year, learned what had occurred and fired him along with other members of the security team.
The hackers behind the episode were ultimately arrested and charged in connection with the incidents. They pled guilty to related crimes in 2019.
The case has decidedly split those in the cybersecurity community. The New York Times reports that this could be the first time that a security executive was held liable for a hacking incident in this way. The episode could ultimately set a new precedent for future cases in which CISOs must face legal consequences over data breaches. Some security professionals have suggested that Sullivan was “scapegoated” for the incident.
And note to his crime pals – he said he would sing like a canary
An ex-Canadian government worker who extorted tens of millions of dollars from organizations worldwide using the NetWalker ransomware has been sent down for 20 years, The Register reports.
Sebastian Vachon-Desjardins, 35, of Gatineau, Quebec, was also ordered to pay back $21.5 million bagged from his cyberattacks against dozens of organizations globally, from corporations and municipalities to hospitals, law enforcement, emergency services, school districts, colleges, and universities.
“The defendant in this case used sophisticated technological means to exploit hundreds of victims in numerous countries at the height of an international health crisis,” said Roger Handberg, US Attorney for the Middle District of Florida, in a statement yesterday.
NetWalker ransomware affiliates – losers who rent the malware to use against victims – specifically attacked hospitals during the height of the COVID-19 pandemic, using the global crisis to extort healthcare organizations.
Now a federal district court judge in Florida has sentenced Vachon-Desjardins to 240 months behind bars for conspiracy to commit computer and wire fraud, intentionally damaging a protected computer, and transmitting a demand in relation to damaging a protected computer.
A US judge will give a detailed order covering restitution at a later date.
Vachon-Desjardins pleaded guilty to all four counts in a US court in June, and his plea agreement described him as “one of the most prolific NetWalker Ransomware affiliates.”
At that time, while facing up to 40 years in the slammer, Vachon-Desjardins said he would “cooperate fully with the United States” as American prosecutors worked to bring others slinging the ransomware to justice. This included testifying against his former NetWalker affiliates.
If this cooperation qualified as “substantial assistance,” the Justice Department said he may get off with a lighter sentence. Since his jail sentence was two decades rather than the full four, we’re guessing he coughed up at least some info.
In March, Vachon-Desjardins was extradited to the US after being detained by Canadian authorities in January 2021. Canadian law enforcement, who searched Vachon-Desjardins’s home in Gatineau, discovered and seized C$742,840 ($546,386) and 719 Bitcoin, valued at about $21.85 million at the time of seizure and $14.46 million today.
Around the time of Vachon-Desjardins’ arrest, the US Justice Department, working with the Bulgarian National Investigation Service and the Bulgarian General Directorate Combating Organized Crime, announced a takedown of NetWalker’s infrastructure, including the seizure of about $454,530.19 in cryptocurrency from ransom payments, and the disablement of a dark-web site used to communicate with NetWalker ransomware victims.
We are often asked how targets are infected with malware. Our answer is nearly always the same: (spear) phishing. There will be exceptions, naturally, as we will encounter RCE vulnerabilities every now and then, or if the attacker is already on the network, they will use tools like PsExec. But that’s it — most of the time, anyway.
Last month, we focused on infection methods used in various malware campaigns: methods that we do not see used very often. In this blog post, we provide excerpts from these reports.
BlackBasta: a new propagation method
BlackBasta, the notorious ransomware we have written about before, recently received an update. It now has a second optional command line parameter: “-bomb”.
When that parameter is used, the malware does the following:
connect to the AD using the LDAP library and obtain a list of machines on the network,
using the list of machines, copy itself to each machine,
using the Component Object Model (COM), run remotely on each machine.
The benefit of using an in-built propagation method is that it leaves fewer traces in the system and it is stealthier than using public tools. For example, one of the attackers’ favorite tools, PsExec, is easily detected on the network. The new method leaves the network defenders with fewer possibilities of detecting the malicious activity.
CLoader: infection through malicious torrents
Cybercriminals seldom use malicious torrents to infect their targets. Nevertheless, it is an infection method that should not be ruled out, as evidenced by CLoader.
CLoader was discovered in April 2022. It used cracked games and software as bait to trick users into installing malware. The downloaded files were NSIS installers, containing malicious code in the installation script.
In total, we observed six different payloads that were downloaded:
Microleaves malicious proxy: works as a proxy on the infected machine,
Paybiz malicious proxy: works as a proxy on the infected machine,
MediaCapital downloader: may install further malware in the system,
CSDI downloader: may install further malware in the system,
Hostwin64 downloader: may install further malware in the system,
Inlog backdoor: installs the legitimate NetSupport application for remote access to the machine.
When we look at victimology, we see that users all over the world are infected, but mostly in the US, Brazil, and India.
OnionPoison: infections through a fake TOR Browser
In August 2022, we discovered a campaign that had been running since at least January, focusing on Chinese-speaking users. A popular Chinese-language YouTube channel on online anonymity published a video with instructions for installing the Tor browser. That is hardly odd in itself, as the Tor browser is blocked in China. However, if the user clicks on the link in the description, an infected version of the Tor browser is downloaded.
The infected version is almost identical to the original, so that the user does not notice any difference. The difference from the benign version is:
The installer lacks a digital signature;
One of the DLLs that comes with the original version (freebl3.dll) is completely different, as it contains backdoored code;
A new file is included (freebl.dll), which is the same as the original freebl3.dll;
The Firefox binary that comes bundled with TOR differs by one byte from the original, namely one character in the URL used for updates. This way the attackers prevent the browser from updating itself;
The browser configuration file is changed to provide less anonymity. For example, browsing history is now stored on disk.
The functionality of the backdoored freebl3.dll is quite simple. It proxies all the functionality to the original DLL and also downloads an additional DLL from the C2.
The downloaded DLL contains most of the malicious functionality. Among other things, it is capable of:
executing commands in the system,
sending TOR browsing history to the C2,
sending the victim’s WeChat and QQ account IDs to the C2.
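As an added example (not code from the report or from the Tor Project), a small Python check for the three file-level indicators described above: the extra freebl.dll, a freebl3.dll whose hash no longer matches the clean library, and a Firefox binary whose update URL has been altered. The update URL prefix and the known-good hash are assumptions and placeholders; take both from a clean Tor Browser bundle.

```python
import hashlib
from pathlib import Path

# Assumed for this example: the Tor Browser update URL prefix and a known-good
# SHA-256 for freebl3.dll (placeholder; copy it from a clean bundle).
TOR_UPDATE_URL = b"https://aus1.torproject.org/torbrowser/update_3/"
KNOWN_GOOD_FREEBL3_SHA256 = "<sha256 of freebl3.dll from a clean Tor Browser>"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tor_bundle(bundle_dir, good_freebl3_sha256=KNOWN_GOOD_FREEBL3_SHA256,
                     update_url=TOR_UPDATE_URL):
    """Return the OnionPoison-style indicators found in the directory that holds
    firefox.exe and the NSS DLLs. An empty list means none were found.

    1. an extra freebl.dll next to freebl3.dll (the renamed original library),
    2. a freebl3.dll whose hash differs from the known-good library,
    3. a firefox.exe that no longer contains the expected update URL.
    """
    bundle_dir = Path(bundle_dir)
    findings = []
    if (bundle_dir / "freebl.dll").exists():
        findings.append("extra freebl.dll present next to freebl3.dll")
    freebl3 = bundle_dir / "freebl3.dll"
    if freebl3.exists() and sha256_of(freebl3) != good_freebl3_sha256:
        findings.append("freebl3.dll hash does not match the known-good library")
    firefox = bundle_dir / "firefox.exe"
    if firefox.exists() and update_url not in firefox.read_bytes():
        findings.append("firefox.exe does not contain the expected update URL")
    return findings
```

The check deliberately reports each indicator separately, because a single-byte change to the update URL is easy to miss when only the DLL hashes are compared.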
AdvancedIPSpyware: backdoored and signed benign tool
Adding malicious code to benign software in order to hide illegal activity and trick the user is a technique we encounter more often. What we do not see that often is the backdoored binary being signed. This is precisely the case with AdvancedIPSpyware, which is a backdoored version of the legitimate Advanced IP Scanner tool used by network admins to control LANs. The certificate used to sign the malware is most likely stolen. The malware was hosted on two sites, whose domains were almost identical to the legitimate Advanced IP Scanner website, differing only by one character in the URL. Furthermore, the websites look the same. The only difference is the “free download” button on the malicious websites.
Another uncommon feature of AdvancedIPSpyware is its modular architecture. Typically, a modular architecture is seen in nation-state-sponsored malware, not in criminal malware. We observed the following three modules that communicate with one another via IPC:
main module: updates or deletes itself, or spawns another instance,
command execution module: typical spyware functionality, such as information gathering, command execution, etc.,
network communication module: handles all network-related functionality (heartbeat messages, etc.).
The AdvancedIPSpyware campaign has a broad victimology. We have detected several victims in Latin America, Africa, Western Europe, South Asia, Australia, and the CIS. The overall count of victims infected over the course of the campaign is about 80.
Conclusion
Even though malicious actors rely on email as the primary infection vector, other methods should not be ruled out. Domain typosquatting and cracked software downloadable via torrents are just two of the alternative tricks that criminals use to lure victims into installing the malware on their systems.
Ransomware developers keep updating their malware. This time, BlackBasta added functionality that makes forensics and detection more difficult, as the malware can now propagate through the network itself.
On Tuesday, regulators received a letter from Elon Musk’s legal team offering to proceed with the $44 billion Twitter buyout. The agreement would preempt a trial scheduled for October, related to Musk’s allegations of rampant bot accounts and security misgivings on the platform. The deal hinges on the receipt of debt financing, as well as the Delaware Chancery Court ceasing all other legal proceedings related to the deal. Twitter responded Tuesday, signaling its intent to close the original deal; however, Twitter’s board indicates it will take its time to review the offer over fears of it being a legal ploy.
Republicans are criticizing the Biden administration for dragging its feet reviewing risks associated with TikTok potentially sharing US user data with the Chinese government. Republicans are vowing to conduct hearings on the matter should they win House or Senate majorities in the November midterm elections. James Lewis, head of the technologies program at the Center for Strategic and International Studies, called the risk TikTok poses debatable but agrees the White House response “has not been on a fast track.” TikTok has denied sharing any user data with the Chinese government and said it won’t do so, even if requested. Sources say the administration is close to finalizing a deal with TikTok that would include implementing a series of safeguards including storing all US user data on Oracle servers located in the US. Republicans say they will contest any agreement that doesn’t impose stringent safeguards.
Netwalker ransomware affiliate sentenced to 20 years in prison
On Tuesday, a court in Tampa, FL sentenced former Netwalker ransomware-as-a-service affiliate Sebastien Vachon-Desjardins to 20 years in prison and ordered him to forfeit $21.5 million. The 34-year-old Canadian man was extradited from Quebec and pleaded guilty to a series of computer and wire fraud related crimes. After serving his prison sentence, Vachon-Desjardins will have to serve three years of supervised release and will not be permitted to use any device capable of connecting to the Internet. Back in February, Vachon-Desjardins was sentenced to six years and eight months for similar charges in a court in Ontario.
Hackers breach scam sites to hijack crypto transactions
In July, the FBI warned of a scam, dubbed ‘dApps’ (decentralized applications), that stole victims’ crypto investments by impersonating crypto mining services. A threat actor named ‘Water Labbu’ has been spotted injecting malicious JavaScript into the dApps scam sites. When an investor connects their wallet to the site, Labbu’s script detects whether the wallet contains a large amount of crypto holdings, and if so, attempts to steal it. Labbu has compromised at least 45 scam websites, making off with over $316,000.
According to Secureworks, exploitation of internet-facing vulnerabilities accounted for 52% of ransomware incidents over the past 12 months. That makes bug exploits the number one initial access vector for ransomware, overtaking use of credentials, which is often associated with malicious emails and compromise of remote desktop protocol (RDP). Secureworks’ report states, “The process of patching a vulnerability in an enterprise environment is far more complex and slower than the process for threat actors or OST developers of weaponizing publicly available exploit code.”
CISA directive improves asset visibility and vuln detection
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) which will take effect on April 03, 2023. The new directive requires federal civilian executive branch (FCEB) agencies to perform automated asset discovery within the entire IPv4 space every seven days. Further, the directive calls for agencies to initiate vulnerability enumeration across all discovered assets every 14 days, and automatically load vuln data into the agency’s Continuous Diagnostics and Mitigation (CDM) dashboard within 72 hours of discovery. CISA’s latest directive comes on the heels of last month’s guidance aimed at helping developers improve software supply chain security.
According to a recent report from RipRap Security, 59% of nonprofits have no cybersecurity training for their staff and 42% do not monitor their IT environment for security events. On Tuesday, DeVry University announced the launch of its Nonprofit Cyber Grant program which will provide cybersecurity training to a cohort of three professionals from Atlanta-area nonprofit organizations. DeVry will waive tuition and fees for its Cybersecurity Certificate program which includes 14 courses covering Infrastructure and Network Security, Ethical Hacking, Business Continuity, Data Privacy and Security and Risk Management.
Kim Kardashian should keep up with cyber fraud regulations
The SEC has fined reality TV star, Kim Kardashian, $1.26 million for failing to disclose earnings related to promotion of cryptocurrency products. Kardashian endorsed EMAX Tokens from EthereumMax and allegedly hid related earnings. Gary Gensler, the Chairperson of the SEC, confirmed the penalty and urged investors to do their own investment risk research instead of simply following the advice of influencers.
For the past few years, DataBreaches has called out victims of cyberattacks who do not fully disclose how bad a breach was. Weasel words such as something “may have” happened when a victim knows damned well that it wasn’t just “may have” but did happen are just one example. Another example involves victims who claim that they have no evidence of misuse of patients’ data or expectation that data will be misused. Still, they never tell the patients that the data wasn’t just accessed, but it was acquired, and not only was it acquired, but it has now been dumped on the internet where anyone and everyone can freely access it.
Today’s case involves Family Medicine Centers (FMC) in Texas. On or about September 23, they issued a disclosure notice sent to state regulators and patients. The letter was issued in various forms by FMC Services, LLC depending on whether the individual was a patient or an employee, and if a patient, whether an adult or a minor or a deceased patient.
After the comprehensive forensic investigation into this incident concluded, we discovered that your name, mailing address, date of birth, Social Security number, and/or health information may have been exposed to the unauthorized party during the network compromise. We have had no reports of related identity theft as a result of this incident.
On September 23, FMC reported to HHS that 233,948 patients were affected by the incident they detected on July 26. Between detection and September 23, there were developments of note:
On August 21, the Vice Society ransomware team added FMC to their leak site. DataBreaches reached out to FMC but received no replies. DataBreaches reported on the incident on August 26, noting:
FMC has not replied to repeated inquiries despite acknowledging receipt of the questions. There are no reports from either entity on HHS’s public breach tool or the Texas Attorney General’s breach site. DataBreaches has also sent an inquiry to BSA Hospice of the Southwest, but no reply was immediately received.
DataBreaches also reported that Vice Society informed this site that their attempt to encrypt or lock FMC’s files was blocked and that they abandoned efforts to encrypt and just exfiltrated data.
Approximately one month later, FMC sends notifications that omit any mention that 272,000 files were acquired and then dumped on the dark web for anyone to grab.
And they will likely get away with it because, so far, HHS has not come out with any strong statements urging or demanding entities to be more transparent about the situation when there has been a breach resulting in exfiltration.
How can patients assess their risk and make informed decisions about what steps they may need to take to protect themselves if entities withhold information like the fact that (1) data was exfiltrated and (2) data was leaked publicly?
DataBreaches realizes that entities and their lawyers may disagree with the opinions expressed here. If one or more would like to write a reasoned explanation to justify not informing patients, DataBreaches will post it.
Trustwave researchers discovered two XSS flaws in Canon Medical’s Vitrea View tool that could expose patient information.
During a penetration test, Trustwave Spiderlabs’ researchers discovered two reflected cross-site scripting (XSS) vulnerabilities, collectively tracked as CVE-2022-37461, in third-party software for Canon Medical’s Vitrea View. The Vitrea View tool allows viewing and securely sharing medical images through the DICOM standard.
An attacker can trigger the flaws to access/modify patient information (i.e. stored images and scans) and obtain additional access to some services associated with Vitrea View.
“If exploited an attacker could access patient information and obtain additional access to various services associated with Vitrea View.” reads the report published by Trustwave Spiderlabs.
The first issue is an unauthenticated reflected XSS that resides in an error message at /vitrea-view/error/, which reflects all input after the /error/ subdirectory back to the user, with minor restrictions. The experts noticed that single quotes, double quotes, and space characters break the reflection. However, the use of backticks (`) and base64 encoding could allow an attacker to avoid these restrictions and import remote scripts.
The second issue is another reflected XSS in the Vitrea View Administrative panel. An attacker can reach the panel by tricking the victim into clicking on a specially crafted link. The experts discovered that the ‘groupID’, ‘offset’, and ‘limit’ search parameters in the ‘Group and Users’ page of the administration panel all reflect their input back to the user when text is entered instead of the expected numerical inputs.
“Like the previous finding, the reflected input is slightly restricted, as it does not allow spaces. Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript and Groovy scripts used by the Vitrea View application.” continues the report.
The experts also published a proof of concept for both vulnerabilities.
Canon Medical addressed both vulnerabilities with the release of Vitrea View version 7.7.6.
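As an added example (not Vitrea View code, and not from the Trustwave report), a minimal Python error-page handler that mirrors the first finding: the suffix after /error/ is reflected into HTML with only a character blocklist, next to a hardened version that applies contextual output encoding. The route prefix and the blocklisted characters are taken from the description above; the page markup is an assumption.

```python
import html
from urllib.parse import unquote

ERROR_PREFIX = "/vitrea-view/error/"


def _detail_from_path(request_path: str) -> str:
    """Everything after /error/ is the 'error detail' the page reflects."""
    return unquote(request_path[len(ERROR_PREFIX):])


def error_page_blocklist(request_path: str) -> str:
    """Reflection with only the 'minor restrictions' the report describes:
    quotes and spaces are dropped, but the text is still inserted as raw HTML,
    so any remaining tag characters become live markup."""
    detail = _detail_from_path(request_path)
    for ch in "\"' ":
        detail = detail.replace(ch, "")
    return f"<html><body><h1>Error</h1><p>{detail}</p></body></html>"


def error_page_encoded(request_path: str) -> str:
    """Hardened variant: contextual output encoding. Angle brackets, ampersands
    and quotes become entities, so the input can neither close the <p> element
    nor open a tag, whatever characters (backticks included) it contains."""
    detail = html.escape(_detail_from_path(request_path), quote=True)
    return f"<html><body><h1>Error</h1><p>{detail}</p></body></html>"


def reflects_markup(page: str) -> bool:
    """True if user-supplied content inside <p> survived as live markup
    rather than as text; usable as a regression check on the handler."""
    body = page.split("<p>", 1)[1].split("</p>", 1)[0]
    return "<" in body or ">" in body
```

The blocklist variant shows why stripping a few characters is not a fix: the reflection context is HTML, so only encoding for that context removes the injection.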