Emotet Returns with Updated Modules and New Campaign

The Emotet malware is back after a hiatus of a couple of months, according to new research. The malware is now using updated payloads the operators implemented to avoid detection.

Emotet operators seem to attack in waves, with periods of inactivity in which developers improve and update the malware. Security researchers discovered that Emotet is active again after a two-month break, with emails from the Emotet botnet once more flowing into inboxes.

The scope of the malware campaign is vast, with infected emails sent in various languages depending on the country, or using different themes, depending on holidays and other significant events. But the main difference is how the malware tells users to enable macros, an essential step in the infection process.

“The document still contains malicious macro code to install Emotet, and still claims to be a ‘protected’ document that requires users to enable macros in order to open it,” say the Cofense researchers.

“The old version would not give any visible response after macros were enabled, which may make the victim suspicious. The new version creates a dialog box saying that ‘Word experienced an error trying to open the file.’ This gives the user an explanation why they don’t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background.”

The malware comes with a few updates of its own. The software comes in the form of a DLL initialized by Windows’ rundll32.exe. The communication with the command and control center is also more difficult to detect after the operators switched from plain text to binary.
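Because the page describes the payload as a DLL launched through rundll32.exe after a Word macro runs, one defensive check is to flag rundll32.exe launches whose parent is an Office application or whose DLL argument lives in a user-writable directory. The following is an added example, not Cofense's or the article's code: the key=value log format, the sample events and the two heuristics are constructed for illustration, and both would need tuning against real endpoint telemetry.

```python
import re

# Constructed process-creation events in an assumed key=value format
# (values containing spaces are quoted). Not real telemetry.
SAMPLE_EVENTS = [
    r'ts=2020-12-23T10:01:02Z parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image="C:\Windows\System32\rundll32.exe" cmd="rundll32.exe C:\Users\alice\AppData\Local\Temp\qzxw.dll,RunDLL"',
    r'ts=2020-12-23T10:05:10Z parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\rundll32.exe" cmd="rundll32.exe shell32.dll,Control_RunDLL desk.cpl"',
    r'ts=2020-12-23T10:07:44Z parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\rundll32.exe" cmd="rundll32.exe C:\Users\bob\AppData\Roaming\update.dll,DllRegisterServer"',
    r'ts=2020-12-23T10:09:00Z parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\notepad.exe" cmd="notepad.exe"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed heuristic: directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Downloads|Users\\Public)\\', re.IGNORECASE)
# Assumed heuristic: Office processes that should rarely spawn rundll32.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_dll_arg(cmd: str):
    """Return the DLL argument of a rundll32 command line (the text before the
    first comma), or None if the command line is not a rundll32 invocation."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or basename(parts[0].strip('"')) != "rundll32.exe":
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def suspicious_reasons(event: dict) -> list:
    """List the heuristics an event trips; empty means nothing suspicious."""
    reasons = []
    if basename(event.get("image", "")) != "rundll32.exe":
        return reasons
    if basename(event.get("parent", "")) in OFFICE_PARENTS:
        reasons.append("office-parent")
    dll = rundll32_dll_arg(event.get("cmd", ""))
    if dll and USER_WRITABLE_RE.search(dll):
        reasons.append("user-writable-dll")
    return reasons


def detect(lines) -> list:
    """Return (timestamp, reasons) for every event that trips at least one heuristic."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_EVENTS):
        print(ts, ", ".join(reasons))
```

The second sample event (shell32.dll opening a Control Panel applet) is a legitimate rundll32 use and is not flagged, which is why the check looks at the DLL's location and the parent process rather than at rundll32.exe itself.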

The new Emotet update makes it clear that the malware is here to stay, and that operators will likely keep it up to date to fool as many people as possible and continue to try to trick security solutions.

Microsoft Issued a Fix for Zero-Day Six Months Ago but It Didn’t Work

Microsoft fixed a zero-day vulnerability in June 2020, but the company did a poor job. Security researchers from Google’s Project Zero showed that attackers could still use the zero-day, despite the patch.

Since zero-day exploits are a serious matter, companies usually release a patch quickly. The June 2020 patch for Windows 8.1 and 10 was meant to cover the CVE-2020-0986 vulnerability, or at least that was the plan.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory,” reads the vulnerability description. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

A quick fix for such a significant problem is the best possible outcome, but security researchers discovered that the fix wasn’t working. Worse, the vulnerability remains unpatched to this day, and attackers have already used the zero-day in at least one incident.

“The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,” said Google Project Zero’s Maddie Stone. “The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”

“There have been too many occurrences this year of 0days known to be actively exploited being fixed incorrectly or incompletely. When itw 0days aren’t fixed completely, attackers can reuse their knowledge of vulns & exploit methods to easily develop new 0-days,” she explained.

A new fix is in the works, and it should be available with the January patch. Until that’s out, many Windows machines will be vulnerable.

Bike Maker Kawasaki Confirms Security Breach, Says Hackers Used Advanced Tech to Erase Their Tracks

Motorcycle maker Kawasaki has issued a statement saying it suffered a breach earlier this year that may have compromised “information from overseas offices.” The attackers used advanced techniques to erase their tracks, the Japanese company said.

“Kawasaki Heavy Industries, Ltd. announced that it was subject to unauthorized access from outside the company,” reads the announcement. “As a result of a thorough investigation, the company have discovered that some information from overseas offices may have been leaked to external parties.”

The company claims it found no evidence that information was leaked to the external network. Since the unauthorized access spanned several local and overseas offices, though, the bike maker refrained from making the breach public until it could gather enough data to issue a formal statement.

“We sincerely apologize for this delay and for the inconvenience and concern to customers and other related parties,” the company states.

The first signs of attack emerged in June when “an internal system audit revealed a connection to a server in Japan from an overseas office (Thailand) that should not have occurred,” Kawasaki said in a press release issued yesterday.

Similar connections subsequently emerged from offices in Indonesia, the Philippines and the United States, prompting the company to enhance monitoring of access from overseas offices and tighten access restrictions.

“Since then, we have continued to strengthen company-wide security measures,” Kawasaki states, following with a table of events spanning from June to December.

The impact on the firm’s operations seems to have been marginal, but according to the same announcement, the unauthorized access was “carried out with advanced technology that did not leave a trace.”

The company has hired a team of independent security experts and put together its own Cyber Security Group (established in November) to “strengthen security measures, analyze the latest unauthorized access methods [and] prevent recurrence.”

The Japan Times reported that the attackers managed to get their hands on “the administrator identification and password of the company’s domestic system.”

Sangoma Technologies Confirms Data Breach as Result of Ransomware Attack

Sangoma Technologies, a household name in the communications-as-a-service (CaaS) market, has confirmed it suffered a ransomware attack that led to a data breach.

On Christmas Eve, Sangoma issued a press release announcing that, “as a result of a ransomware cyber attack on one of the Company’s servers, private and confidential data belonging to the Company was posted online yesterday.”

The PBX vendor summoned third-party cybersecurity experts and started an investigation to assess the extent of the damage, according to the announcement.

While some confidential data has been stolen and leaked in the attack, the company claims the attackers failed to get any customer information – or at least that there is no such evidence yet. On that same optimistic note, Sangoma also says operations are running smoothly, with no impact on products or services.

“There is no initial indication that customer accounts were compromised, nor that any Sangoma products or services were affected as a result of this breach,” according to the press release.

Later that day, the Conti ransomware gang took credit for the attack by publishing over 26 GB worth of Sangoma data on their data leak site.

The firm instructs customers to change the passwords associated with their Sangoma accounts “out of an abundance of caution.”

“We are committed to using all available measures to secure and protect our data, as well as the data of our customers, partners and employees,” said Bill Wignall, President and CEO of Sangoma. “We are working as quickly as we can to complete our investigation. As this work progresses, we plan to provide updates of factual, accurate information as it becomes available.”

Sangoma customers are told they can ask any questions by sending a message to sangoma-security@sangoma.com.

DOJ Officials Shut Down Spoofed Domains of Moderna and Regeneron

The Maryland US Attorney’s Office announced the seizure of a couple of domain names that imitated the name and design of the official websites of Moderna and Regeneron, two companies at the forefront of COVID-19 research.

Attackers regularly use the current global situation to trick people into opening nefarious links or visiting fake websites designed to steal information. Department of Justice (DOJ) officials said that two fake domain names sought to capitalize on the interest the pandemic has generated in the two companies.

“The U.S. Attorney’s Office for the District of Maryland has seized ‘mordernatx.com’ and ‘regeneronmedicals.com,’ which purported to be the websites of actual biotechnology companies developing treatments for the COVID-19 virus, but instead appears to have been used to collect the personal information of individuals visiting the sites, in order to use the information for nefarious purposes, including fraud, phishing attacks, and/or deployment of malware,” said DOJ officials.

In December, the websites were discovered when Moderna located the spoofed domain and contacted HSI’s Intellectual Property Rights Center (IPRC) and the HSI Cyber Crimes Center (C3). The logos, markings, colors and text of the mordernatx.com domain showed no real differences from the genuine company website’s landing page, except for a small difference in the spelling of the company’s name.

The same goes for the domain copying the Regeneron website. While the first one was registered in Malaysia, the second was registered in Nigeria. Unfortunately, there’s no indication as to who’s behind these fraud attempts.

Spoofing official websites is common in phishing campaigns. These types of domains are rarely accessed directly by users, as they serve as landing pages in phishing attacks. They would most likely have been used in such campaigns, but seizing the domain puts a stop to such attempts.
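The spoofed domain differed from the genuine one by a single letter, which is the kind of difference a lookalike-domain check can catch automatically before such a site is used as a phishing landing page. The following is an added example of such a check, not the DOJ's or the companies' tooling: the genuine domains modernatx.com and regeneron.com are assumed for the example, and the edit-distance threshold and the minimum brand length are constructed. It also handles the second pattern seen on the page, a brand name embedded in a longer label such as regeneronmedicals.com.

```python
# Assumed set of genuine brand domains to protect (example input, not an official list).
BRAND_DOMAINS = {"modernatx.com", "regeneron.com"}

# Lower rank means a stronger match; used to pick the best verdict across brands.
VERDICT_RANK = {"exact": 0, "suffix-variant": 1, "typosquat": 2, "brand-embedded": 3, "unrelated": 4}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a host name, e.g. 'www.mordernatx.com' -> 'mordernatx'.
    Simplification: multi-part public suffixes such as '.co.uk' are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_against(candidate: str, brand: str, max_edits: int = 2) -> str:
    """Compare one candidate domain with one brand domain."""
    cand = candidate.lower().strip(".")
    if cand == brand or cand.endswith("." + brand):
        return "exact"                      # the brand's own domain or a subdomain of it
    label, brand_label = registrable_label(cand), registrable_label(brand)
    distance = levenshtein(label, brand_label)
    if distance == 0:
        return "suffix-variant"             # same label under a different suffix
    if distance <= max_edits:
        return "typosquat"                  # e.g. mordernatx vs modernatx
    if len(brand_label) >= 5 and brand_label in label:
        return "brand-embedded"             # e.g. regeneronmedicals contains regeneron
    return "unrelated"


def classify(candidate: str, brands=BRAND_DOMAINS, max_edits: int = 2):
    """Best verdict for a candidate across all brands: (verdict, matched brand or None)."""
    best = ("unrelated", None)
    for brand in sorted(brands):
        verdict = classify_against(candidate, brand, max_edits)
        if VERDICT_RANK[verdict] < VERDICT_RANK[best[0]]:
            best = (verdict, brand)
    return best


if __name__ == "__main__":
    for name in ["modernatx.com", "mordernatx.com", "regeneronmedicals.com", "modernatx.net", "example.com"]:
        print(name, "->", classify(name))
```

In practice the candidate list would come from newly registered domain feeds or certificate transparency logs, and "exact" hits against one's own brand list are the only ones that need no review.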

Nintendo Went Mission-Impossible on Homebrew Hacker in 2013, Alleged Leaked Documents Show

Nintendo will apparently go to great lengths to keep hackers from messing with its gaming gear, according to an alleged internal leak. The files reveal a chilling surveillance operation targeting a well-known homebrew hacker.

A prominent Nintendo leaker by the name of Eclipse claims to have obtained documents showing the Japanese gaming giant was tracking a homebrew hacker known as Neimod in 2013. The documents purport to show that Nintendo was onto Neimod’s plans to hack the 3DS, the company’s popular handheld console.

As per the leak, a team had been put together to watch Neimod’s every move and even obtain IRC logs (embedded below) from his conversations with fellow Nintendo fans and homebrew hackers.

The leak includes a flow chart (image below) with a Mission Impossible-style plan to approach Neimod and coerce him into giving up hacking the 3DS.

The plan included a proposal to enroll Neimod into a bounty program where he would be compensated for finding bugs in Nintendo’s gaming systems. The team was also instructed to entice the hacker with a trip to Japan to meet Nintendo’s hardware engineers.

Nintendo apparently put together this FBI-like operation to stop Neimod from introducing a jailbreak or mod to the 3DS, which would lead to distribution of pirated content among 3DS owners, resulting in lost sales for the Japanese gaming giant.

It’s not entirely impossible that the leak, which looks suspiciously orchestrated and aggressive, is fake. While tech giants go to great lengths to protect their intellectual property, it’s hard to believe Nintendo risked putting on paper such an intrusive operation – knowing it could get leaked – to merely engage a hacker in verbal communication. It remains to be seen how this story develops.

Attackers Use Mobile Emulators on an Unprecedented Scale to Steal Millions of Dollars in a Few Days

Attackers set up a network of mobile emulators capable of spoofing devices of real banking customers from the United States and Europe, according to an investigation from IBM Trusteer.

Stealing someone’s banking credentials is hard enough, but building a system that uses the stolen data automatically, so that thousands of accounts can be hit in the course of a few days, is far less common.

The automation process is possible with the help of mobile emulators that act like the real devices. After attackers get their hands on valid customer accounts, in conjunction with compromised devices, they spoof real devices and steal a lot of money in a very short amount of time.

“The scale of this operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices,” said IBM. “The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack.”

To carry out an attack of this magnitude, attackers need a lot of information, usually including the account holders’ usernames and passwords, access to mobile identifiers, and SMS message contents (to bypass two-factor authentication). These last two conditions imply that the spoofed mobile devices are already infected with malware.

Even if the compromised device and the emulator are in different countries, the software could spoof the GPS location.

“When a compromised device operated from a specific country, the emulator spoofed the GPS location. From there, it connected to the account through a matching virtual private network (VPN) service,” IBM also said.

The operation lasted only a few days, then the attackers closed shop and erased all traces. Security researchers say they are likely ramping up for another campaign, so they issued a warning to financial institutions to protect their customers’ information better and implement security solutions to deter this type of fraud.
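The page notes that the emulators presented the identifiers of the victims’ own devices, so a check that compares a login’s device identifier with the device enrolled for that account passes on every spoofed session. What stands out is the aggregate view: one network origin presenting many different “devices” within minutes. The following is an added detection example, not IBM Trusteer’s code or recommendations; the session records, the device-binding table and the sliding-window threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login records (not IBM Trusteer data). Each row is one successful
# mobile-banking login as a bank's fraud system might log it. 198.51.100.7 plays
# the role of an emulator behind a VPN egress; 203.0.113.20 is a household.
SESSIONS = [
    {"ts": "2020-12-01T09:00:00Z", "account": "acct-1001", "device_id": "dev-a1", "src_ip": "198.51.100.7"},
    {"ts": "2020-12-01T09:01:30Z", "account": "acct-1002", "device_id": "dev-b2", "src_ip": "198.51.100.7"},
    {"ts": "2020-12-01T09:03:10Z", "account": "acct-1003", "device_id": "dev-c3", "src_ip": "198.51.100.7"},
    {"ts": "2020-12-01T09:04:45Z", "account": "acct-1004", "device_id": "dev-d4", "src_ip": "198.51.100.7"},
    {"ts": "2020-12-01T09:06:20Z", "account": "acct-1005", "device_id": "dev-e5", "src_ip": "198.51.100.7"},
    {"ts": "2020-12-01T08:00:00Z", "account": "acct-2001", "device_id": "dev-x1", "src_ip": "203.0.113.20"},
    {"ts": "2020-12-01T19:30:00Z", "account": "acct-2002", "device_id": "dev-x2", "src_ip": "203.0.113.20"},
]

# Constructed device-binding table: the device id each account enrolled with.
KNOWN_DEVICES = {
    "acct-1001": "dev-a1", "acct-1002": "dev-b2", "acct-1003": "dev-c3",
    "acct-1004": "dev-d4", "acct-1005": "dev-e5",
    "acct-2001": "dev-x1", "acct-2002": "dev-x2",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def per_account_device_check(sessions, known=KNOWN_DEVICES) -> list:
    """Sessions whose device id differs from the enrolled device. With spoofed
    identifiers this returns nothing, which is exactly the weakness described."""
    return [s for s in sessions if known.get(s["account"]) != s["device_id"]]


def device_churn_by_origin(sessions, window=timedelta(minutes=15), max_devices=3) -> dict:
    """Peak number of distinct device ids seen from each source address inside
    any sliding window of the given length, reported only above max_devices."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["src_ip"]].append((parse_ts(s["ts"]), s["device_id"]))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        recent = deque()
        for ts, device in rows:
            recent.append((ts, device))
            while ts - recent[0][0] > window:      # drop rows that fell out of the window
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct > max_devices:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    print("per-account mismatches:", per_account_device_check(SESSIONS))
    print("origins with device churn:", device_churn_by_origin(SESSIONS))
```

The threshold of three devices per origin in fifteen minutes is deliberately low for the toy data; real deployments would key on the VPN provider’s address ranges or ASN rather than single addresses and would combine this signal with others, such as location data that contradicts the account’s history.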

Customers are not without obligations in this situation. They should be wary of unsolicited SMS messages, never install apps from unknown sources, regularly check banking statements to spot anomalies and use security solutions on mobile devices.

Police bring down “bulletproof” VPN services beloved by cybercriminals

  • Operation Nova brings down VPN services “intentionally designed for criminal activity”
  • Customers warned that international law enforcement continues to investigate who might have used seized services for past attacks

The FBI, working with law enforcement agencies across Europe, has seized three web domains and the server infrastructure used by a VPN service that allegedly helped cybercriminals compromise networks around the world and evade detection by police.

The VPN service, offered via websites at safe-inet.net, safe-inet.com, and insorg.org, had operated for more than ten years and was advertised on Russian and English-language cybercrime forums for prices ranging from US $1.30 per day to $190 for a full year’s use.

According to a statement by the US Department of Justice, services offered by the websites were designed to facilitate uninterrupted criminal activities online, allowing hackers to operate while evading detection by law enforcement.

As part of this, according to the United States authorities, the so-called “bulletproof” services might ignore abuse complaints made by their customers’ victims, or make up excuses, and might even move a criminal customer’s accounts and/or data from one system to another to help them evade detection.

“By providing these services, the bulletproof hosts knowingly support the criminal activities of their clients and become co-conspirators in criminal schemes,” said the Department of Justice.

Those schemes involved working with criminals responsible for ransomware, spearphishing, and other attacks.

In an operation dubbed “Operation Nova”, Europol, the FBI, and law enforcement agencies from Germany, Switzerland, and France, have now seized the websites’ domains, replacing their homepages with a banner.

A message on the seized sites warns past users that the investigation into the site’s operators and users is ongoing:

The analysis of the seized data and the international investigations regarding the operators and users of the network will be continued.

Europol has said that it will use the information collected from the seized servers to build cases against some of the service’s past users.

Obviously there are many legitimate uses of VPN services – it is far from the case that all users are criminals. What appears to have caused law enforcement to take action against these websites is law enforcement’s belief that they were intentionally designed to provide web hosting and VPN services for criminal activity – and facilitating cybercrime is a federal crime.

DHS Warns that Businesses Sourcing Data Services and Equipment from China May Face Legal Repercussions

The US Department of Homeland Security (DHS) this week issued an advisory warning American businesses of cybersecurity risks associated with data services and equipment from firms linked to the People’s Republic of China (PRC).

Noting that the PRC has “both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws,” the DHS pegs China-issued IT products and services as “a grave threat to the data security of the U.S. government and U.S. businesses.”

“For too long, U.S. networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace,” said Acting Secretary of Homeland Security Chad F. Wolf. “Practices that give the PRC government unauthorized access to sensitive data – both personal and proprietary – puts the U.S. economy and businesses at direct risk for exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm.”

The DHS says the Chinese legislature can compel Chinese companies to collect, transmit and store data in ways that violate international law and run counter to US interests.

“Such activities include requiring companies to store data within PRC borders and turning over routine data to the PRC government under the pretense of national security,” according to the agency.

The advisory also claims China has “a history of manipulation, misuse, and exploitation of that data to serve PRC business and economic goals,” and includes a compelling list of such practices over the years.

The notice ends on a negative note, saying that anyone who chooses to ignore these warnings may face legal repercussions.

“Any person or entity that chooses to procure data services and equipment from PRC-linked firms, or store data on software or equipment developed by such firms, should be aware of the economic, reputational, and, in certain instances, legal, risks associated with doing business with these firms,” says the DHS.

The full business advisory can be found here (PDF).

Firefox 85 to Bring Full Network Partitioning to Block Most User Tracking Efforts

Mozilla is preparing to launch a major privacy feature, named network partitioning, with Firefox 85 that’s scheduled for release in January, to reduce websites’ access to gathered data.

Despite all the features added by Internet browsers over the years to prevent websites from tracking users and gathering data that doesn’t belong to them, there’s still a lot to be done. Whether based on Chromium or Gecko, the measures implemented by browsers don’t seem to be enough.

To be fair, some form of network partitioning has already been implemented in some ecosystems, like iOS, but it’s not complete. The network partitioning feature lets the browser separate the stored data for each website. Until now, much of that data was stored in the same location, which meant websites had access to it.

According to a ZDNet report, Firefox will store resources such as cache, favicons, CSS files, images and others separately. In theory, this would make it much more difficult for advertisers and other third-party organizations to track people and their habits, since they no longer have access to the same pool of data.
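To make the mechanism concrete, here is an added simulation, not Mozilla’s code: a toy cache keyed only by resource URL (the shared model) beside one keyed by the pair (top-level site, resource URL) (the partitioned model). A tracker pixel embedded on two unrelated sites is a cache hit across sites in the first model and a miss in the second, while navigation within one site still benefits from the cache. The top_level_site() helper approximates the site as the last two host labels and ignores the Public Suffix List, which is a simplification made for the example.

```python
from urllib.parse import urlsplit


def top_level_site(url: str) -> str:
    """Approximate the top-level site as the last two host labels.
    Assumption for this example: no Public Suffix List handling, so a host
    such as 'shop.co.uk' would be reduced to 'co.uk' incorrectly."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class ResourceCache:
    """A toy HTTP cache. With partitioned=True the key also includes the
    top-level site of the page that requested the resource."""

    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self.store = {}

    def _key(self, page_url: str, resource_url: str):
        if self.partitioned:
            return (top_level_site(page_url), resource_url)
        return (resource_url,)

    def fetch(self, page_url: str, resource_url: str) -> str:
        """Return 'hit' if the resource was already cached for this key, else
        store a constructed placeholder body and return 'miss'."""
        key = self._key(page_url, resource_url)
        if key in self.store:
            return "hit"
        self.store[key] = b"<cached response body>"  # constructed placeholder
        return "miss"


# Constructed page loads: the same tracker pixel embedded on two unrelated sites.
LOADS = [
    ("https://news.example/", "https://tracker.example/pixel.png"),
    ("https://news.example/article/42", "https://tracker.example/pixel.png"),
    ("https://shop.example/checkout", "https://tracker.example/pixel.png"),
]


def simulate(partitioned: bool) -> list:
    """Hit/miss outcome of each load in LOADS against a fresh cache."""
    cache = ResourceCache(partitioned)
    return [cache.fetch(page, resource) for page, resource in LOADS]


if __name__ == "__main__":
    print("shared cache:     ", simulate(False))
    print("partitioned cache:", simulate(True))
```

The third load is the interesting one: in the shared model the tracker can tell from the hit that this browser already visited news.example, whereas in the partitioned model the shop.example visit starts from an empty partition and reveals nothing about other sites.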

Since data gathered by the browser is a highly sought-after commodity among advertisers, it remains to be seen how this particular market will adapt. Firefox doesn’t have the same market share as before, but Google Chrome and other browsers already segregate some of the data, and will likely follow Firefox in 2021.

The report also covers all potential network resources that the browser will segregate starting with version 85:

  • HTTP cache
  • Image cache
  • Favicon cache
  • Connection pooling
  • StyleSheet cache
  • DNS
  • HTTP authentication
  • Alt-Svc
  • Speculative connections
  • Font cache
  • HSTS
  • OCSP
  • Intermediate CA cache
  • TLS client certificates
  • TLS session identifiers
  • Prefetch
  • Preconnect
  • CORS-preflight cache

Users shouldn’t notice anything different in their daily use, as the rest of the browser functionality remains the same.
