
The IT Privacy & Security Weekly Update for August 24th 2021

rps (OP) – Aug 2021

Daml’ers,

This is the Jailbreak edition. We start with an example of the quickest way to end up in prison, a story of an inmate made good and of course, we end up right back in the clink in what must be one of the worst hacker “job applications” in history.

In between those rough-and-tumble walls, we have insight on one country’s cyber curriculum, your streaming service’s second income, OnePercent, the potential post-$610 million job offer, and why Amazon could be sold out of Razer gaming mice.

Ducking and diving, dodging and weaving, we are all in this week, so let’s get on the striped shirts and have a quick look inside.


Global: Don’t even think about it

krebsonsecurity.com

Wanted: Disgruntled Employees to Deploy Ransomware – Krebs on Security

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in an email. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.

According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

So what’s the upshot for you? It was bound to happen.


Global: Ransomware Gangs and the Name Game Distraction

krebsonsecurity.com

Ransomware Gangs and the Name Game Distraction – Krebs on Security

It's nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don't go away so...

Isn’t it annoying to track something and then discover someone else has done a much better job? Yes, we found that to be the case with Brian Krebs’ RaaS group tracking, where he even goes so far as to put dates to the name changes. So in addition to those presented at the start of last week’s update, we add in Vasa Locker morphing into Bsbuk and then Payload.bin, Defray777 becoming RansomExx, Sekhmet becoming Egregor, Hermes updating to Conti and Cerber becoming Revil.

Additionally, Brian has a lovely graphic with all the bad guys’ current logos.

So what’s the upshot for you? Jealous? Who us?


RU: Why So Many Top Hackers Hail from Russia

krebsonsecurity.com

Why So Many Top Hackers Hail from Russia – Krebs on Security

This might have a higher relevance now, given the Russian based ransomware explosion around us, than when the article originally appeared in 2017: Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs.

Russian students are required to study the subject beginning at a much younger age. Russia’s Federal Educational Standards (FES) mandate that informatics be compulsory in middle school, with any school free to choose to include it in their high school curriculum at a basic or advanced level.

“In elementary school, elements of Informatics are taught within the core subjects ‘Mathematics’ and ‘Technology’,” the Perm University research paper notes. “Furthermore, each elementary school has the right to make [the] subject ‘Informatics’ part of its curriculum.”

The core components of the FES informatics curriculum for Russian middle schools are the following:

  1. Theoretical foundations
  2. Principles of computer’s functioning
  3. Information technologies
  4. Network technologies
  5. Algorithmization
  6. Languages and methods of programming
  7. Modeling
  8. Informatics and Society

“Very few middle schools teach Computational Thinking Practices in the United States,” said Alan Paller, director of research for the SANS Institute, an information security education and training organization. “We don’t teach these topics in general and we definitely don’t test them. The Russians do and they’ve been doing this for the past 30 years. Which country will produce the most skilled cybersecurity people?”

So what’s the upshot for you? We’ve always said that if you start with a good Daml language skillset you can work anywhere. We stand by that no matter what nationality you are!


Global: Privacy of Streaming Apps and Devices: Watching the TV That Watches Us

commonsensemedia.org: 2021-privacy-report-infographic-final.pdf (342.39 KB)

commonsensemedia.org: privacy_of_streaming_apps_and_devices-final.pdf (3.86 MB)

Ever wonder what streaming services do with the data collected on you?

YouTube TV received the best privacy rating and, at 81%, the highest overall numerical score, because Google TV had a more transparent policy despite engaging in some worse privacy practices. YouTube TV says they don’t sell users’ data to third parties, but they do target users with advertisements and track users on other apps and services across the internet.

The rest, from best to worst, were: Apple, Disney+, Paramount+, HBO Max, Peacock, Amazon Prime, Discovery+, Hulu, and Netflix, finishing with a privacy rating of 46%.

Only Google, Apple, Amazon, and Netflix do not sell your data onward, but apart from Apple they all “track their users on other apps and services across the internet.”

So what’s the upshot for you? “May the streaming service be with you.” It seems even when you are away from your streaming service, your streaming service is not away from you.


Global: Say what?

Apple Newsroom

Apple unveils the next generation of Apple TV 4K

With A12 Bionic and the all-new Siri Remote, the best living room device gets even better.

With the new Apple TV 4K, if you’re watching something but missed a line of dialogue, as a nod to function and privacy, you hold down the Siri button on the remote and ask “What did they say?” The TV rewinds to the beginning of the last line of the person or people you’ve specified, turns on captions, and then turns them off again afterward.

That’s pretty cool.

So what’s the upshot for you? The uncool? Pretty much the most expensive dongle on the market, it doesn’t come with the $30 recommended HDMI cable, but the constant, additional upselling of other streaming service subscriptions pushes this over the (far) edge.


Global: 38M Records Were Exposed Online—Including Contact-Tracing Info

Wired – 23 Aug 21

38M Records Were Exposed Online—Including Contact-Tracing Info

Misconfigured Power Apps from Microsoft led to more than a thousand web apps accessible to anyone who found them.

More than a thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases.

The data included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and Covid-19 vaccination status.

The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

The exposed data was all stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.

Beginning back in May, researchers from the security firm UpGuard began investigating a large number of Power Apps portals that publicly exposed data that should have been private, including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is still significant, as it reveals an oversight in the design of Power Apps portals that has since been fixed.

Microsoft itself exposed a number of databases in its own Power Apps portals, including an old platform called “Global Payroll Services,” two “Business Tools Support” portals, and a “Customer Insights” portal.

After years of studying cloud misconfigurations and data exposures, the UpGuard researchers were surprised to discover those issues in a platform they’d never seen before. Between Microsoft’s fixes and UpGuard’s own notifications, the vast majority of the exposed portals, and all of the most sensitive ones, are now private.

So what’s the upshot for you? These days the default is to leave ports or services closed or disabled. The fact that Microsoft had not is silly, but the fact that the service was new and no one seemed to know what it was did provide some cover (you are less likely to hack it if you don’t know what it is).


Global: As Linux grows in use, so does targeting by malware

trendmicro.com

Linux Threat Report 2021 1H: Linux Threats in the Cloud and Security...

Linux powers many cloud infrastructures today. However, it is not immune to threats and risks. We discuss several pressing security issues including malware and vulnerabilities that compromise Linux systems in the first half of 2021.

Many regard Linux as a unique operating system because of its stability, flexibility, and open-source nature. Its stellar reputation is backed by its many notable achievements in recent years.

The good news: 100% of the world’s top 500 supercomputers run on Linux, and 50.5% of the top 1,000 websites in the world use it, according to a survey by W3Techs.

The not so good: TrendMicro’s latest report states that they detected nearly 15 million malware events aimed at Linux-based cloud environments, and found that coin miners and ransomware make up 54% of all malware, with web shells accounting for a 29% share.

So what’s the upshot for you? Up until a few years ago the baddies sidestepped Linux, but with it growing in popularity, malware for Linux is set to rage on.


CN: China Propaganda Network Targets BBC Media, UK in Large-Scale Influence Campaign

Recorded Future – 18 Aug 21

China Propaganda Network Targets BBC Media, UK in Large-Scale Influence...

Recorded Future’s Insikt Group has discovered a large-scale, likely state-sponsored influence operation against the BBC and the UK.

Chinese trolls and fake news websites have been attacking the BBC in a bid to undermine its credibility, new research published today claims. The online influence operation, which is being linked to the Chinese Communist Party (CCP), is seemingly a response to the BBC’s reporting on human rights abuses against Uyghur Muslims and state-backed misinformation campaigns.

The new research from analysts at cybersecurity company Recorded Future claims that the “likely state-sponsored” operation used hundreds of websites and social media accounts to attack the BBC’s reporting. Propaganda accounts have taken to social media to criticize BBC’s journalistic integrity, accusing them of using an “underworld filter” or “gloom filter” (阴间滤镜) on photos and video of China to make the country look lifeless, dull, and sad to foreign audiences.

There have been over 11,000 references of the Mandarin-language term for “gloom filter” across open sources in the past 6 months, with over half of them occurring in the last 30 days.

On February 10, 2021, China banned BBC World News from broadcasting within the country. China’s National Radio and Television Administration (NRTA) based the decision on internal findings that BBC World News reports about China “seriously violated” broadcast guidelines, including “the requirement that news should be truthful and fair” and not “harm China’s national interests”. However, BBC World News is largely unavailable to the common Chinese audience, appearing only in international hotels and some diplomatic compounds.

British Foreign Secretary Dominic Raab responded publicly to the move, calling it “an unacceptable curtailing of media freedom”, noting that “China has some of the most severe restrictions on media & internet freedoms across the globe, & this latest step will only damage China’s reputation in the eyes of the world”. The United States (US) State Department also commented on the situation, calling it part of a wider campaign to suppress free media in China.

So what’s the upshot for you? The Research group judges with high confidence that this activity is a CCP-sponsored influence operation targeting the BBC and the UK government. The volume of activity paired with a clearly identifiable narrative, coordination across the Chinese state-sponsored media apparatus, use of both Mandarin and foreign-language content, use of dozens of fringe media outlets, and the campaign’s alignment with the CCP’s objectives create a clear picture of how the CCP is conducting large-scale information operations to counter criticism and censor foreign media. Similar recent campaigns have been set against Canada and the US.


US: Background on a particular IT Security Presenter

en.wikipedia.org

Kevin Mitnick

Kevin David Mitnick (born August 6, 1963) is an American computer security consultant, author, and convicted hacker. He is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. Mitnick's pursuit, arrest, trial, and sentence along with the associated journalism, books, and films were all controversial. He now runs the security firm Mitnick Security Consulting, LLC. He is also the Chief Hacking Officer and part owner of th...

Kevin David Mitnick was a controversial hacker who was arrested in 1995 and sentenced to five years in prison for computer and communications-related crimes. His pursuit, arrest, and trial were all so high-profile that they created a lot of media buzz.

He gained unauthorized access to a computer for the first time at the age of 16 in 1979, after a friend gave him the phone number for Ark, the computer system used by Digital Equipment Corporation (DEC). He was arrested for this in 1988 and given 12 months in prison followed by three years of supervised release, but Mitnick hacked into another computer system before the supervised release ended and went into hiding.

He used cloned cellular phones to hide his real location and stole valuable software from the United States’ largest cell phone companies. He also read the private e-mails of many people. When arrested, he was found with more than 100 cell phone clone codes and several cloned cell phones along with false identification documents.

Out of the five-odd years he served in prison, for four and a half years he was on trial, and for the remaining eight months of his sentence he was kept in solitary confinement. This was because a few law enforcement officers told a judge that he could whistle into a payphone and start a nuclear war. This meant that Mitnick somehow knew how to dial into a NORAD modem via payphone and communicate with it through whistling, to launch nuclear missiles.

He now runs a security firm called Mitnick Security Consulting, LLC and is co-owner of KnowBe4, a provider of a platform for simulated phishing testing and security awareness training.

So what’s the upshot for you? If ever Kevin as an IT security instructor was in doubt, we hope we have restored some faith in him. Now you can boast: “I just took a training course from a guy who did 8 months in solitary confinement at a US Federal Penitentiary!”


Global: Windows has a new rodent problem

Naked Security – 24 Aug 21

How a gaming mouse can get you Windows superpowers!

When a helpful feature (that you probably didn’t need) turns into an exploitable vulnerability…

jonhat (@j0nh4t): “Need local admin and have physical access?”

The bug goes something like this:

  • You plug in a Razer gaming mouse for the first time.
  • Windows detects that this device type has special software and drivers that will make it work Even Better than a regular mouse.
  • Windows finds Razer’s official addons in the Windows Update cloud.
  • Windows downloads and launches the official addons so you don’t have to.
  • The Razer app helpfully ends with a clickable directory name, showing you what ended up where, in the installation process.

Once you’re in Explorer, you can do a Shift-and-right-click and use the handy option Open PowerShell window here, giving you a command-line alternative to the existing Explorer window.

But that PowerShell prompt was spawned from the Explorer process, which was spawned from Razer’s installer, which was spawned by the automatic device installer process in Windows itself…

…which was running under the all-powerful NT AUTHORITY\SYSTEM account, usually referred to as NTSYSTEM or just System for short.

So the PowerShell window is now running as System too, which means you have almost complete control over the files, memory, processes, devices, services, kernel drivers and configuration of the computer.

So what’s the upshot for you? In other words, if you’re a penetration tester given access to unlocked company laptops to see how long it takes you to promote yourself to get Admin superpowers via a regular user’s account, and if you have a Razer mouse with you, the answer is probably, “Not very long”. … and for only $19.99 on Amazon…
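As an added example (not from the newsletter, Sophos or jonhat), the process chain described above can be turned into a simple detection: walk the parent chain of process-creation events and flag an interactive shell running as SYSTEM whose ancestors include explorer.exe and a device-installer process. The installer image names and the sample events are constructed placeholders, not real process names or a real log format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed shape, not a real log format)."""
    pid: int
    ppid: int
    image: str  # executable file name only, e.g. "explorer.exe"
    user: str   # account the new process runs as


SYSTEM = r"NT AUTHORITY\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Placeholder names standing in for "the automatic device installer process"
# and the vendor's installer; a real rule would use the image names you observe.
INSTALLER_MARKERS = {"deviceinstaller_placeholder.exe", "vendorsetup_placeholder.exe"}


def ancestry(events, pid):
    """Return ProcEvents from pid up to the highest recorded ancestor, pid first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against pid reuse producing a cycle
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def flag_system_shells(events):
    """Flag shells running as SYSTEM whose parents include explorer.exe and an installer.

    Returns a list of (pid, [image names from the shell up to the root]).
    A SYSTEM shell started directly by a service or scheduled task is not
    flagged: the signal is the Explorer-inside-installer chain, not the account alone.
    """
    findings = []
    for e in events:
        if e.image.lower() not in SHELLS or e.user.upper() != SYSTEM:
            continue
        images = [c.image.lower() for c in ancestry(events, e.pid)]
        if "explorer.exe" in images and INSTALLER_MARKERS & set(images):
            findings.append((e.pid, images))
    return findings


# Constructed sample: a SYSTEM shell reached through the installer -> Explorer
# chain (pid 900), a normal user shell (pid 1100) and a SYSTEM shell spawned by
# a service with no Explorer in between (pid 1200).
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "services.exe", SYSTEM),
    ProcEvent(500, 400, "svchost.exe", SYSTEM),
    ProcEvent(600, 500, "deviceinstaller_placeholder.exe", SYSTEM),
    ProcEvent(700, 600, "vendorsetup_placeholder.exe", SYSTEM),
    ProcEvent(800, 700, "explorer.exe", SYSTEM),
    ProcEvent(900, 800, "powershell.exe", SYSTEM),
    ProcEvent(1000, 1, "explorer.exe", r"LAB\alice"),
    ProcEvent(1100, 1000, "powershell.exe", r"LAB\alice"),
    ProcEvent(1200, 400, "powershell.exe", SYSTEM),
]

if __name__ == "__main__":
    for pid, images in flag_system_shells(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(images)}")
```

Only pid 900 is reported; the user's own PowerShell and the service-spawned SYSTEM shell are left alone.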


Global: EC2 Cloud budgets are being way overspent

HashiCorp

HashiCorp State of Cloud Strategy Survey

Multi-cloud has become the de facto standard operations model for IT organizations of all sizes, in all regions, and every industry.

If you want to know what’s really happening in the cloud, you have to follow the money. That’s what HashiCorp did in their first annual “State of the Cloud Report”.

75% of those surveyed said they were multi-cloud; within 2 years that number is expected to be 90%.

AWS was the leader (and expected to stay so) across all groups but retail.

Open Source tools were the most popular but for Security, commercial tools won out.

The survey revealed the complexity of tracking and controlling cloud spending, as 39% of respondents said their organization overspent their cloud budgets in 2020.

Contrary to conventional wisdom, COVID-19 was not the primary driver of the busted cloud budgets — the biggest reason was shifting priorities.

Further, the bigger the organization’s cloud budget, the more likely the company was to overspend.

So what’s the upshot for you? Reminds us of an old English saying, “Mind the pennies and the pounds will follow”. ← Maybe that needs a refresh!


Global: FBI sends its first-ever alert about a ‘ransomware affiliate’

The Record by Recorded Future – 24 Aug 21

FBI sends its first-ever alert about a 'ransomware affiliate'

The US Federal Bureau of Investigation has published today its first-ever public advisory detailing the modus operandi of a "ransomware affiliate."

The OnePercent Group got its name, according to the FBI alert, because it threatens to leak 1% of the data if rapid ransom payment is not made. To get inside companies they:

  • Used phishing email campaigns to infect victims with the IcedID trojan.
  • Used the IcedID trojan to deploy additional payloads on infected networks.
  • Used the Cobalt Strike penetration testing framework to move laterally across a victim’s network.
  • Used RClone to exfiltrate sensitive data from a victim’s servers.
  • Encrypted data and demanded a ransom.
  • Phoned or emailed victims to threaten to sell their stolen data on the dark web if they didn’t pay on time.

So what’s the upshot for you? If OnePercent don’t get a response, this group has a tendency to hand off to the REvil Malware team. Reassuring right?


BH: Bahraini Activists Targeted Using a New iPhone Zero-Day Exploit From NSO Group

The Citizen Lab – 24 Aug 21

From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group...

We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. The hacked activists included three members of Waad (a secular Bahraini political society), three...

The Hacker News

Bahraini Activists Targeted Using a New iPhone Zero-Day Exploit From NSO Group

Activists in Bahrain were targeted by Pegasus Spyware using a zero-day iPhone exploit devised by the NSO Group.

A previously undisclosed “zero-click” exploit in Apple’s iMessage leveraged by NSO Group to circumvent iOS security protections allowed the government of Bahrain to target nine Bahraini activists, researchers from University of Toronto’s Citizen Lab said in a report published today.

The latest disclosure is significant, not least because the “FORCEDENTRY” zero-click attack successfully works against the latest versions of iOS, but also for the fact that it bypasses a new software security feature called BlastDoor that Apple built into iOS 14 to prevent such intrusions by filtering untrusted data sent over iMessage.

So what’s the upshot for you? This is amazing because only last month 17 media organizations revealed the widespread use of NSO Group’s Pegasus “military-grade spyware” by authoritarian regimes to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world, and here is another tool from the NSO group being used for the same thing.


Global: Poly Network says it’s got pretty much all of that $610m in stolen crypto-coins back

theregister.com

Poly Network says it's got pretty much all of that $610m in stolen...

'I'm quitting the show' says mystery thief

Virtually all of the crypto-currency funds, valued at $610m, stolen from Poly Network by a thief have been returned.

The mysterious crook siphoned off the dosh earlier this month by exploiting a vulnerability in the Chinese exchange’s smart contracts that handle the movement of tokens between blockchains.

The thief, dubbed Mr. White Hat by Poly Network, promised to hand the funds back, claiming it was just done for fun and to highlight the security flaw.

"I’m quitting the show."

So what next for the mystery miscreant? Well, even though the money has been returned, a crime was committed and the police may be keen to unmask the person as well as businesses. Blockchain security outfit Slowmist boasted earlier it had discovered “the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking. There are certainly plenty of blockchain clues to start from if they decide to pursue the person involved.”

So what’s the upshot for you? Well certainly the upside for this person is this quote: “Building secure decentralized applications is very challenging, and this person could be a very valuable resource. We’re sure many people would be keen to employ them… in the right circumstances.”


HU: Hungarian Citizen Pleads Guilty to Hacking into Marriott to Extort Employment

justice.gov – 23 Nov 11

Hungarian Citizen Pleads Guilty to Hacking into Marriott Computers and...

Attila Nemeth, 26, pleaded guilty in the District of Maryland before U.S. District Judge J. Frederick Motz.

Back in 2010, a hacker attempted to threaten Marriott International into giving him a job. The person in question was 26-year-old Attila Nemeth from Hungary.

Attila transmitted malicious code to the company’s network, then threatened to do more damage unless he was given a job.

  1. Marriott responded to the hacker by setting up a fake employee account with the promise of a job.

  2. Nemeth responded by sending over his CV, passport, and other identification.

  3. Marriott passed it all to the police.

So what’s the upshot for you? Well, he didn’t get the job, but he did get a nice record and 30 months of free room and board.


That’s it for this week!

We are releasing you until next week when we hope to have you captive once again!

Until then, be kind, stay safe, stay secure and see you in se7en!
