Decipher (https://decipher.sc)

Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.

Feed updated Tue, 20 Oct 2020. Contact: info@decipher.sc (Amy Vazquez). Copyright 2020.

Enterprises Should Fix These 25 Flaws
By Fahmida Y. Rashid (fahmida@decipher.sc), Tue, 20 Oct 2020
https://duo.com/decipher/enterprises-should-fix-these-25-flaws

The United States National Security Agency identified 25 vulnerabilities in software that are most commonly targeted by state-sponsored attackers from China. Setting aside the question of whether or not the enterprise is more likely to be targeted by nation-state attackers or cyber-criminals, the list provides enterprise IT staff with a good starting place on which vulnerabilities to prioritize.

The vulnerabilities on NSA’s list can be used to gain initial access to enterprise networks by targeting systems directly accessible from the Internet. Seven of the flaws are in remote access gateways, three are found in networking equipment, and three impact public-facing servers. Once in the network, the attacker can use other vulnerabilities to find other systems to compromise and carry out their activities. Seven flaws on the list involve internal servers, two affect Active Directory, and one exists in mobile device management.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a statement. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems."

The NSA list doesn't show that the nation-state adversaries are relying on exotic or complex attacks. In fact, many of the vulnerabilities have already been incorporated into exploit toolkits and ransomware attacks. For example, Rapid7 identified exploitation activity targeting the issue in Citrix Application Delivery Controller and Gateway (CVE-2019-19781) in Project Heisenberg back in January. There are reports that the remote code execution flaw in the configuration utility of F5's BIG-IP 8 proxy/load balancer devices has been used by cryptocurrency miners and botnets (a Mirai variant called DvrHelper).

The interesting thing to note about these flaws is that they affect applications widely used in enterprise networks, including EXIM, Adobe ColdFusion, and networking equipment from major vendors such as Citrix, Cisco, F5, and Pulse Secure. Several components in Microsoft Windows, including Remote Desktop Services (CVE-2019-0708) and Netlogon Remote Protocol (CVE-2020-1472), were also on the list. The vulnerabilities range in severity on the Common Vulnerability Scoring System from 4.8 to 10, but many of them are issues that have been flagged as low complexity, meaning they can be easily exploited.

The list includes the flaw in Pulse Secure VPNs (CVE-2019-11510) which the Cybersecurity and Infrastructure Security Agency has warned about in the past. Rapid7’s AttackerKB database describes this vulnerability as one that is commonly found in enterprises.

“Causes massive damage” the AttackerKB entry said. “If not patched, likely wrecked.”

Attackers frequently stick with older vulnerabilities since many of them can go years without being fixed. The list included a remote code execution flaw in Symantec Messaging Gateway (CVE-2017-6327, CVSS 8.8) from 2017 and a vulnerability affecting the WLS Security components in some versions of Oracle WebLogic Server (CVE-2015-4852) from 2015. At the time the flaw was fixed, Oracle said the complexity was low but could be used to partially compromise the database and the data stored inside. ExploitDB has two entries for ways to exploit the flaw, rated 7.5 on CVSS (2.0).

Remote code execution flaws tend to be the most worrying because they can be exploited from outside the network. There were 11 remote code execution flaws on the list, but that doesn't mean the other flaws aren't damaging. The Citrix ADC flaw allows directory traversal, which can lead to remote code execution without credentials. Privilege escalation flaws (there were two) can be used once the attackers are in the network to gain access to systems and data they shouldn't be allowed to reach.

Attackers—even well-funded state-sponsored ones with a lot of time and money at their disposal—don’t pay for expensive zero-day vulnerabilities or complicated exploits when there are plenty of systems with known vulnerabilities that have not yet been patched. Enterprises should patch or mitigate the publicly known vulnerabilities before they worry about zero-day defenses.
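As an added illustration of the prioritization the article argues for (example code written for this page, not code from Decipher or the NSA), the script below ranks findings by the factors the article calls out: known exploitation in the wild first, then Internet exposure, then impact class, then the CVSS score, and splits the result into the two patch waves the article implies, initial-access flaws on exposed systems before internally reachable ones. The CVE identifiers are the ones named in the article; the CVSS values for everything except CVE-2017-6327 (8.8) and CVE-2015-4852 (7.5), the exposure flags and the scoring weights are constructed sample values and assumptions for the example, not official ratings.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float            # base score on the 0-10 CVSS scale
    internet_facing: bool  # reachable from outside the network (initial-access surface)
    exploited: bool        # exploitation observed in the wild (e.g. on the NSA list)
    impact: str            # "rce", "priv_esc", "file_read", ...


def priority_score(f: Finding) -> float:
    """Order findings by what the article says matters most.

    Known exploitation outweighs everything else, then whether the system is
    directly exposed to the Internet, then the impact class, then raw CVSS.
    The weights are an assumption for this example, not an NSA or CVSS formula.
    """
    score = f.cvss
    if f.exploited:
        score += 10.0
    if f.internet_facing:
        score += 5.0
    if f.impact == "rce":
        score += 3.0
    elif f.impact == "priv_esc":
        score += 1.0
    return score


def prioritize(findings: Iterable[Finding]) -> list[Finding]:
    """Highest priority first; ties keep the input order (sorted is stable)."""
    return sorted(findings, key=priority_score, reverse=True)


def patch_waves(findings: Iterable[Finding]) -> dict[str, list[str]]:
    """Wave 1: initial-access flaws on exposed systems; wave 2: everything else."""
    ordered = prioritize(findings)
    return {
        "wave1_internet_facing": [f.cve for f in ordered if f.internet_facing],
        "wave2_internal": [f.cve for f in ordered if not f.internet_facing],
    }


# Constructed sample inventory. The CVE ids are the ones the article names;
# CVSS values other than 8.8 and 7.5 (quoted in the article) and the
# exposure/impact flags are sample values, not official ratings.
SAMPLE_FINDINGS = [
    Finding("CVE-2019-19781", "Citrix ADC/Gateway", 9.8, True, True, "rce"),
    Finding("CVE-2019-11510", "Pulse Secure VPN", 10.0, True, True, "file_read"),
    Finding("CVE-2017-6327", "Symantec Messaging Gateway", 8.8, True, True, "rce"),
    Finding("CVE-2015-4852", "Oracle WebLogic", 7.5, False, True, "rce"),
    Finding("CVE-2020-1472", "Windows Netlogon", 10.0, False, True, "priv_esc"),
    Finding("CVE-2019-0708", "Windows Remote Desktop Services", 9.8, False, True, "rce"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.1f}  {f.cve:15}  {f.product}")
    print(patch_waves(SAMPLE_FINDINGS))
```

The point of the weighting is that a 7.5 flaw with a public exploit on an exposed gateway should land ahead of a 10.0 that is only reachable after initial access; adjust the weights to local exposure data rather than treating CVSS alone as the queue.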

Google Patches Bug Used in Active Attacks Against Chrome
By Dennis Fisher (dennis@decipher.sc), Tue, 20 Oct 2020
https://duo.com/decipher/google-patches-bug-used-in-active-attacks-against-chrome

Google has discovered and patched a serious vulnerability in Chrome that attackers are actively exploiting at the moment.

The bug is a high-severity heap buffer overflow in FreeType, a free font-rendering engine that Chrome, among many other projects, uses. A member of Google’s Project Zero vulnerability research team discovered the vulnerability and subsequently found that attackers were already exploiting it. Google patched the flaw in Chrome 86.0.4240.111 for desktop browsers and the maintainers of the FreeType Project pushed out an emergency release of the library to fix it, as well.

“I've just fixed a heap buffer overflow that can happen for some malformed .ttf files with PNG sbit glyphs. It seems that this vulnerability gets already actively used in the wild, so I ask all users to apply the corresponding commit as soon as possible,” Werner Lemberg, one of the original authors of FreeType, said in an email to the FreeType announcement mailing list.

The vulnerability was introduced in FreeType 2.6 and is fixed in 2.10.4, Lemberg said.

The Project Zero team did not release any details about the public exploitation attempts or the exploit itself, except to say that “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild”. That is standard operating procedure for this kind of situation, especially when there are a number of cascading dependencies and many independent projects involved that need to implement their own fixes.

In addition to Chrome, many other widely used applications and operating systems use FreeType, including iOS, Android, GNU, Linux, and ReactOS. Apple on Tuesday released an update for iOS and iPadOS but did not include any information about security fixes in the descriptions, which is unusual but not unique.

Project Zero typically adheres to a 90-day vulnerability disclosure deadline, but for bugs that are under active attack, the team shifts to a one week timeline. Google was first made aware of the flaw on Monday and pushed out the patch for Chrome today.

“Note that this vulnerability was originally reported to Google Chrome today (2020-10-19) under a 7 day deadline, which is used for vulnerabilities that have been detected in an "in the wild" exploit (e.g. the vulnerability is being actively exploited),” Sergei Glazunov of Project Zero said in an email to the FreeType Project mailing list Monday.

British Airways GDPR Fine Lower Than Expected
By Fahmida Y. Rashid (fahmida@decipher.sc), Mon, 19 Oct 2020
https://duo.com/decipher/british-airways-gdpr-fine-lower-than-expected

British regulators have finalized the fine against British Airways for the 2018 data breach that exposed the personal information of about 430,000 customers. The final amount may be the largest ever, but it is far lower than what had been expected.

The United Kingdom Information Commissioner's Office said British Airways would be fined £20 million ($25 million, €22 million) for infringing on the European Union's General Data Protection Regulation. Even though the privacy watchdog touted the "record" fine, it is far lower than the £183 million fine originally proposed in July 2019. The ICO reduced the fine after considering the impact the COVID-19 pandemic had on the global economy.

"As part of the regulatory process the ICO considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty," the UK ICO said.

British Airways, hit hard by the reduced demand for air travel, had decided to permanently lay off more than a quarter of its 42,000-person workforce and to cut the pay of many remaining staff members.

The fact that the final fine was reduced from the initial proposed fine is "of interest," especially since the ICO had announced a proposed fine of £99 million for Marriott International in July 2019, Roisin Cregan, a solicitor with Macfarlanes, wrote on Lexology.

GDPR Violations

British Airways did not have the proper security protocols in place to protect the large amount of personal information it had processed and stored on its customers. Nearly 430,000 customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers, and CVVs stolen. Usernames and passwords of employee and administrator accounts were also exposed, as were the usernames and PINs of up to 612 BA Executive Club accounts.

"People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result," said ICO Commissioner Elizabeth Denham.

RiskIQ had previously linked the British Airways breach to the Magecart group, which refers to attackers who have been inserting JavaScript skimmers into the checkout pages of e-commerce systems to scrape customer payment data.

The breach went undetected for two months. British Airways was informed of the June 22, 2018 breach by a third-party on Sept. 5. While the ICO acknowledged that BA acted quickly and notified customers after it learned of the breach, BA should have identified weaknesses in its security and resolved them as part of its general compliance activities. If BA had taken steps to implement those controls, it could have prevented the breach.

"It is not clear whether or when BA would have identified the attack themselves," the ICO report said. "This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant."

The attackers were able to succeed with the breach because of the deficiencies in BA’s systems. BA did not have user authentication in place, and did not limit access to applications and systems to just what the user needed, the ICO said.

"This is a serious reminder of the importance of having robust compliance and review measures in place to ensure systems are up to date and not waiting to respond to a breach," Cregan said.

The breach happened in June 2018, before the United Kingdom left the European Union. This is why the ICO investigated the breach on behalf of the European Union as the lead supervisory authority. Under GDPR, organizations can face potential fines of up to €20 million ($23 million) or 4 percent of annual global revenue, whichever is greater.

The ICO initially proposed a fine in July 2019. Since then, the regulators worked with other privacy authorities in the EU and the company to finalize the details, consider mitigating factors, and apply discounts. The discounts consider things like the fact that British Airways cooperated with the investigation, notified customers promptly, and has since improved its security compliance. It's worth noting that the "discount" for the impact of COVID-19 on the company's finances amounted to only £4 million.

Despite the size of the breach and its impact on victims, the BA fine turned out to be significantly less than the maximum possible. For many companies that have been watching the British Airways case unfold, it seems clear that it is worth pushing back on the ICO after the investigation to see whether the fine can be reduced.

"Whilst the ICO strongly defended its original assessment, actions and processes, it seems that making a challenge to an ICO enforcement notice or notice of intent is certainly commercially worthwhile." said Claire Edwards, a data protection law specialist at Pinsent Masons.

Trickbot Up to Its Old Tricks
By Dennis Fisher (dennis@decipher.sc), Fri, 16 Oct 2020
https://duo.com/decipher/trickbot-up-to-its-old-tricks

Just a few days after Microsoft and a coalition of security firms took action against the infrastructure used by the Trickbot malware operators, taking control of command-and-control servers and locking down the malicious content on them, the botnet has bounced back and is humming right along with new C2 servers in several European and South American countries.

On Monday, Microsoft announced a coordinated takedown operation aimed at disrupting the Trickbot botnet, a global malware distribution and operation network that has been operating since at least 2016. The takedown involved Microsoft obtaining court orders to seize control of some Trickbot C2 servers based in the United States and also filing a copyright infringement claim against the operators for misusing Microsoft’s software. The operation follows a familiar road map that security companies and law enforcement agencies have used to target botnets for more than a decade, targeting the C2 infrastructure to cut off communications between infected machines and the Trickbot operators.

This method has worked well in some cases, but cybercrime groups have paid attention and taken steps to ensure that their infrastructure is resilient and can survive a takedown attempt. In the case of Trickbot, the operators have already set up a new fleet of C2 servers outside the U.S., many of them in Germany, and others in the Netherlands, Colombia, Russia, and Indonesia. These are the first layer of command servers that infected machines reach out to, with other layers of control behind them. Unlike other botnets that use virtual private servers on bulletproof hosting services for C2, the current crop of Trickbot control servers are housed on compromised MikroTik consumer routers.

“It was a very well set up network and geographically distributed to make it hard to take down. Microsoft’s action only affected the servers in the U.S., and it didn’t surprise me at all to see new control servers pop up this quickly,” said Mark Arena, CEO of Intel 471, a security firm that tracks Trickbot activity closely.

“They’ve learned from previous takedowns because Microsoft and others have used these tactics before.”

The Trickbot malware is often associated with the Emotet loader and recently, the Ryuk ransomware. The operators of Trickbot sell access to infected machines to other cybercrime groups, especially high-level groups that have established reputations in the cybercrime underground. Those sales are not just limited to underground groups, however. This past summer, Intel 471 published research demonstrating a link between Trickbot and an attack group known as Lazarus that is tied to the North Korean government. In the linked operations, it appears that the Trickbot group sold access to compromised machines and networks to DPRK actors, who then used that access for their own purposes.

“TrickBot certainly appears to be a source of compromised accesses that DPRK threat actors can leverage. The operators or users of TrickBot seem to be well-versed in identifying interesting organizations they’ve compromised for follow-up intrusion activity, be it through Anchor or common intrusion tools (Metasploit, Cobalt Strike, BloodHound, Empire, etc.), or to pass off or sell to other threat actors, i.e., DPRK threat actors,” the research report says.

Within a few days of the Microsoft takedown operation this week, researchers observed the Emotet botnet, which sends malicious spam, delivering new spam templates to infected machines. Those templates included malicious documents that eventually loaded the Emotet trojan, which then contacted a C2 server to download and run Trickbot. Business as usual. But that doesn’t mean the actions by Microsoft and the U.S. Cyber Command, which reportedly has been running its own effort to disrupt Trickbot, were futile.

“From a company perspective, it’s hard for this to be effective unless you’re willing to go on the offensive like Cyber Command,” Arena said. “But it’s good for the U.S. to be seen as a hard target for these groups.”

FCC Will Clarify Section 230 Rules on Content Moderation
By Fahmida Y. Rashid (fahmida@decipher.sc), Thu, 15 Oct 2020
https://duo.com/decipher/fcc-will-clarify-section-230-rules-on-content-moderation

The Federal Communications Commission said it will clarify the rules on the legal liability protections that exist for social media companies, as pressure grows over how they manage what users post on their platforms.

The agency will clarify the meaning of Section 230 of the Communications Act as it relates to moderating user-generated content on websites, said FCC Commissioner Ajit Pai. The move follows the executive order targeting technology companies such as Google and Facebook signed by the president in May. The executive order came after Twitter labelled two posts by the president about mail-in voting as containing “potentially misleading information.”

"As elected officials consider whether to change the law, the question remains: What does Section 230 currently mean?" Pai asked in his statement. "Many advance an overly broad interpretation that in some cases shields social media companies from consumer protection laws in a way that has no basis in the text of Section 230."

A provision of the 1996 Communications Decency Act, Section 230 protects companies that host user-created content on their websites from lawsuits over something a user posted. Under the law, providers and users of interactive computer services shall not be held liable for "any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected." Under the law, there is a difference between being a platform which others may use for content, and a publisher (or speaker), who curates or creates content.

For example, if a user says something about another person on an online platform, the second person cannot hold the company responsible for allowing the first person to say it. The law protects speech, not intellectual property claims or illegal content. If the company knowingly allowed users to post illegal content, it is liable and can be sued.

While the current discussion has centered on social media platforms such as Twitter and Facebook, this law protecting free expression online applies to pretty much any online platform that allows users to post. That list includes sites such as YouTube and Wikipedia, as well as internet service providers such as AT&T, Comcast, and Verizon. The protections mean these platforms and sites can’t be sued for taking down content or leaving them up. Technology companies say Section 230 shields them from liability for what users post while giving them the space to moderate harmful content.

Lawmakers have been talking about reforming Section 230, but they are split on their perception of the law. Some would like to see companies take a more active role in moderating content, especially with hate speech and disinformation. Others claim the platforms are abusing the protections and censoring certain types of speech, a claim the companies have strongly denied repeatedly.

“Members of all three branches of the federal government have expressed serious concerns about the prevailing interpretation of the immunity set forth in Section 230 of the Communications Act," Pai said. “Social media companies have a First Amendment right to free speech. But they do not have a First Amendment right to a special immunity denied to other media outlets, such as newspapers and broadcasters.”

Depending on the form the "clarification" winds up taking, some platforms may decide to take a more hands-off approach to moderation, which would allow more disinformation and fringe conspiracies (such as QAnon) to proliferate online. Other companies may decide to curate and screen content the way a news publisher would, which would change the user experience (and perhaps the company's business model) since the decision of what to post would shift to the platform rather than the user.

The FCC’s effort to make platforms liable for editorializing and content takedowns “make no sense,” Free Press Senior Policy Counsel Gaurav Laroia said in a statement. Websites have a First Amendment right to disassociate themselves from speech they disapprove of. Pai’s moves against Section 230 could expose websites to liability if they remove lies made by political figures, or provide context to clarify misleading statements (disinformation).

“[Pai] declares himself a champion of the First Amendment and claims he doesn’t want heavy-handed internet regulation — then pushes policies that stifle free expression online,” Laroia said.

Despite the announcement, any decision on how Section 230 should be interpreted would take months, since the full commission would need to meet to discuss it, and there will likely be a public comment period to collect input from outside the commission. Depending on the outcome of the presidential election, there's no guarantee that Pai would even remain commissioner long enough to complete the process.

"The timing of this effort is absurd. The FCC has no business being the President's speech police," Jessica Rosenworcel, a Democratic FCC commissioner, posted on Twitter.

Considering that the presidential election is less than 20 days away, the timing of the FCC’s decision to clarify the rules is highly political, especially since Facebook and Twitter decided to restrict how users could share a New York Post story with unverified claims concerning the son of presidential candidate Joe Biden. Facebook said the story was eligible for third-party fact checking while Twitter banned any links to the story, citing a 2018 rule against posting hacked or stolen information.

“It’s no coincidence that this charade is happening during the final weeks of the 2020 presidential election,” Laroia said. “The Trump administration and its FCC allies are trying to bully and intimidate social-media companies into rolling back their content-moderation efforts for election-related disinformation.”

SonicWall Fixes Critical Flaw in Firewall Appliances
By Dennis Fisher (dennis@decipher.sc), Thu, 15 Oct 2020
https://duo.com/decipher/sonicwall-fixes-critical-flaw-in-firewall-appliances

UPDATE--There is a critical remotely exploitable vulnerability in several versions of SonicWall’s SonicOS software that could allow an attacker to run arbitrary code on vulnerable appliances.

The recently disclosed vulnerability (CVE-2020-5135) is a stack buffer overflow and it can be used to cause a denial of service condition easily, though the code execution potential is more complicated.

“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” an advisory from Craig Young at Tripwire, who discovered the vulnerability, says.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

The vulnerability is particularly worrisome given that the affected appliances often are used for remote access via the SSL VPN functionality. An attacker who is able to compromise a VPN appliance would have a highly privileged position in the target network and the ability to discover other assets and potential targets. This year has seen a steady flow of vulnerabilities in VPNs, the most serious one being a flaw in the Pulse Secure VPN disclosed in April. The company patched the vulnerability, but several months later the Cybersecurity and Infrastructure Security Agency warned that attackers affiliated with the Chinese Ministry of State Security were actively targeting it.

“CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance,” the CISA advisory says.

The SonicWall bug affects a number of different versions of the SonicOS software, which runs on the company’s firewall appliances. Affected versions include SonicOS and earlier, SonicOS and earlier, SonicOS and earlier, SonicOSv and earlier, and SonicOS. SonicWall has released updated versions of the affected software that include fixes for the vulnerability.

SonicWall officials said they have not seen any indications that the bug has been exploited in the wild yet.

"Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted," the company said in a statement.

This story was updated on Oct. 16 to add SonicWall's statement.

New York Wants Social Media Companies to be Regulated
By Fahmida Y. Rashid (fahmida@decipher.sc), Wed, 14 Oct 2020
https://duo.com/decipher/new-york-wants-social-media-companies-to-be-regulated

New York’s Department of Financial Services called for greater cybersecurity oversight for major technology platforms, especially social media companies.

As one of the regulators for virtual currency, New York's Department of Financial Services launched an investigation into the July attack, where a number of high-profile Twitter accounts were compromised to spread a cryptocurrency scam. Compromised accounts included those belonging to individuals such as former president Barack Obama, Microsoft founder Bill Gates, Tesla CEO Elon Musk, and former vice-president and presidential candidate Joe Biden, as well as companies such as Uber and Apple. About 360 people were scammed out of about $120,000 during the course of the attack. Three people have been arrested in connection with the attack.

The resulting 37-page report from the Department of Financial Services, based on subpoenas, witness interviews, and documentary records, said attackers were able to use "basic techniques" to penetrate the company's network and access internal systems, which "underscores Twitter's cybersecurity vulnerability and potential for devastating consequences." Social media platforms are critical sources of news and information, and there are examples of how manipulating them could affect markets and influence elections. While this attack was focused on cryptocurrency and "garden-variety fraud," a "dangerous adversary" could have caused greater harm. Even though cybersecurity weaknesses at a large social media company can have widespread consequences, there is currently no regulator oversight over social media platforms the way there is for other companies providing critical services in other industries.

"In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected," the DFS said in the report. "We need a comprehensive cybersecurity regulation and an appropriate regulator for large social media companies. The stakes are too high to leave to the private sector alone."

Twitter's Security Missteps

DFS was scathing in its assessment of the attack, noting that the “group of unsophisticated cyber crooks” used techniques of a "traditional scam artist" to gain "extraordinary access" to internal tools which allowed them to take over any user account. There were no malware, exploits, or backdoors involved. The attackers just posed as the company's IT staff and called employees over the phone, offering help with VPN problems. The ruse was successful because “VPN problems were common at Twitter” with the switch to remote work, the report said. Employees were directed to a phishing site that looked identical to Twitter’s legitimate VPN site and was hosted on a similarly-named domain. Attackers used credentials stolen from four employees (via the fake VPN site) to access Twitter’s administrative systems.

Investigators said Twitter didn’t have a CISO at the time of the attack, and the attackers' success was "due in large part to weaknesses in Twitter’s internal cybersecurity protocols." Under New York’s regulations, companies are required to have a CISO or some kind of an executive-level leader responsible for security. The company hired Rinki Sethi, the former CISO of cloud data management company Rubrik, just a few weeks ago.

"The Department’s cybersecurity regulation requires companies to have a CISO, and for good reason," the report said.

The rapid shift to remote work due to the pandemic also stressed the company's technology infrastructure and internal controls for access management and user authentication. Users should have access to systems and applications only to the extent necessary for their job—over 1,000 Twitter employees had access to the internal tools that were abused during the attack, even though their job functions and duties were limited to user account maintenance, content review, and responding to reports of users violating site rules. While Twitter had multi-factor authentication in place, there should have been more authentication layers for high-risk tools, such as requiring approval by a second employee.
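The two controls the report calls for, least-privilege tool access and a second-person approval step for high-risk tools, can be sketched in a few lines. The example below is added for this page and is not Twitter's or DFS's code; the role names, tool names, users and the rule that a high-risk action needs verified MFA plus an approval from a different user who is also entitled to the tool are all constructed assumptions for the illustration. It also counts how many users hold a high-risk entitlement, which is the number the report says should have been far smaller than 1,000.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed example data: which tools each role may use, and which tools are
# high-risk enough (they can act on any user's account) to need dual control.
ROLE_TOOLS = {
    "support_agent": {"account_maintenance", "content_review", "abuse_reports"},
    "trust_and_safety_admin": {"account_maintenance", "content_review",
                               "abuse_reports", "account_access_tool"},
}
HIGH_RISK_TOOLS = {"account_access_tool"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool  # MFA completed for this session


@dataclass(frozen=True)
class Approval:
    approver: str       # who signed off
    approver_role: str
    tool: str           # the tool the approval is for
    target: str         # the account the approval is scoped to


def authorize(session: Session, tool: str, target: str,
              approvals: list[Approval]) -> tuple[bool, str]:
    """Least-privilege check, plus dual control for high-risk tools.

    Returns (allowed, reason) so the decision can be logged either way.
    """
    granted = ROLE_TOOLS.get(session.role, set())
    if tool not in granted:
        return False, f"role {session.role} is not granted {tool}"
    if tool not in HIGH_RISK_TOOLS:
        return True, "ok"
    if not session.mfa_verified:
        return False, "MFA required for high-risk tool"
    for a in approvals:
        if (a.tool == tool and a.target == target
                and a.approver != session.user               # no self-approval
                and tool in ROLE_TOOLS.get(a.approver_role, set())):  # approver is entitled too
            return True, f"ok, approved by {a.approver}"
    return False, "second-person approval required"


def privileged_headcount(users: dict[str, str]) -> int:
    """How many users (name -> role) hold any high-risk tool entitlement."""
    return sum(1 for role in users.values()
               if ROLE_TOOLS.get(role, set()) & HIGH_RISK_TOOLS)


if __name__ == "__main__":
    # Constructed sample users and a request against the high-risk tool.
    users = {"alice": "trust_and_safety_admin", "bob": "support_agent",
             "carol": "trust_and_safety_admin"}
    alice = Session("alice", "trust_and_safety_admin", mfa_verified=True)
    ok = Approval("carol", "trust_and_safety_admin", "account_access_tool", "user42")
    print(authorize(alice, "account_access_tool", "user42", []))      # denied, no approval
    print(authorize(alice, "account_access_tool", "user42", [ok]))    # allowed
    print("users holding a high-risk entitlement:", privileged_headcount(users))
```

The approval is scoped to one target account and one tool, so a single sign-off cannot be reused as a blanket grant; and because the approver must hold the same entitlement, the check cannot be satisfied by a colleague who should never have been able to use the tool in the first place.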

Case for Regulation

New York's cybersecurity regulation for the financial services industry requires companies to assess their security risks and develop policies for data governance, access controls, system monitoring, third party security, and incident response and recovery as part of a comprehensive, risk-based cybersecurity program. Social media companies don't really have to worry about regulatory requirements beyond the ones other companies have to deal with, such as the Securities Exchange Commission's regulations for all public companies, the Department of Justice and the Federal Trade Commission's rules on antitrust and competition, and data regulations such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act. While New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act mandates “reasonable” cybersecurity safeguards, it is not comprehensive enough to consider the dangers to social media platforms.

"A cybersecurity regulation for large social media companies should be both more detailed and require more security in high-risk areas," the report said. "Regulatory guidance is necessary to ensure large social media companies have proper controls in place to appropriately mitigate ever-evolving risks."

The fact that no regulator has the authority to oversee social media platforms and address their cybersecurity practices amounts to a "regulatory vacuum," the report said. DFS suggested creating a federal regulatory body dedicated to monitoring and supervising the security practices of social media platforms. The expert agency, which could be a brand new agency or an existing regulatory body, would oversee the companies in areas such as technology, cybersecurity, and disinformation. The enhanced regulation would include “stress tests” to evaluate the social media companies’ susceptibility to key threats.

"The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions. The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach," the report said.

Impact on Cryptocurrency

While DFS had a lot to criticize about Twitter's security practices, the department praised the cryptocurrency companies that had been impacted. Four of the companies had their Twitter accounts compromised, and several other cryptocurrency companies were caught up in the attack because customers used their platforms to transfer virtual currency into attacker wallets. Fifteen companies responded quickly to block impacted addresses so that no money could be sent to those addresses, "demonstrating the maturity of New York’s cryptocurrency marketplace and those authorized to engage within it," DFS said.

Coinbase, Gemini, and Square blocked the attacker addresses within 40 minutes of their Twitter accounts being compromised, the department found. Coinbase blocked approximately 5,670 transfers, valued at approximately $1.3 million. Square blocked 358 transfers, valued at approximately $51,000. Gemini blocked two transfers, valued at approximately $1,800. In the time before the addresses were blocked, about $22,000 was successfully sent using Gemini, Square, and Coinbase.

The fact that cryptocurrency companies were able to respond swiftly illustrated that "effective regulation can foster innovation and growth, while also protecting consumers," the report said. DFS regulations required the companies to have robust cybersecurity, fraud-prevention, and anti-money laundering programs. Social media companies, in contrast, are self-regulating. There are no dedicated state or federal regulators ensuring adequate cybersecurity practices to prevent fraud, disinformation, and other threats.

"The Twitter Hack demonstrates, more than anything, the risk to society when systemically important institutions are left to regulate themselves," the report concluded. "Protecting systemically important social media against misuse is crucial for all of us–consumers, voters, government, and industry."

<![CDATA[FIN11 Cybercrime Group Uses Ransomware, Extortion to Cash In]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/fin11-cybercrime-group-uses-ransomware-extortion-to-cash-in https://duo.com/decipher/fin11-cybercrime-group-uses-ransomware-extortion-to-cash-in Tue, 13 Oct 2020 00:00:00 -0400

A newly identified group of financially motivated hackers, likely based in a Russian-speaking country, has been running high-volume phishing, ransomware, and extortion campaigns in the United States, Germany, and many other countries for the last four years, using the Clop ransomware and various backdoors in their operations.

Researchers at Mandiant have been tracking the group since 2016 and have responded to a number of intrusions in which the group, known as FIN11, has used initial access to a network to move laterally and either deploy ransomware, steal data, or both. In some cases, the group has threatened to release the stolen data unless the victim organization pays a ransom for the information. This tactic has been used by other attack groups in recent months as cybercriminals continue to look for additional ways to monetize their access to enterprise networks. Some victim organizations have refused to pay when hit by ransomware, relying on backups to restore their systems. But it becomes a different conversation when attackers are threatening to publish customer or employee data.

The group has targeted organizations in various countries somewhat at random for several years, but beginning in the first few months of 2020 the attacks have been more focused, going after companies in the pharmaceutical industry as the pandemic progressed. For most of its campaigns, FIN11 has used phishing emails as its initial contact point, usually with either a malicious Office document or HTML attachment included. Like other cybercrime groups, the goal of FIN11’s operations is to make money, but the group does not appear to be especially good at that.

“Despite the group's widespread high-volume email campaigns, we have only observed evidence of FIN11 successfully monetizing their operations in a handful of cases. In late 2018, Mandiant analysts observed FIN11 attempt to monetize their operations using the point-of-sale (POS) memory scraping tool BLUESTEAL. Since then, FIN11 has deployed CLOP ransomware at a variety of organizations,” a new report on FIN11 released by Mandiant today says.

FIN11 shares some of the same tactics and tools as an existing group known as TA505, a Russian attack team that distributes the Dridex malware and has also used several strains of ransomware over the years. But Mandiant’s researchers say the two are distinct and separate groups.

“FIN11 includes a subset of the activity publicly tracked as TA505, as well as an evolving arsenal of post-compromise tactics, techniques and procedures (TTPs) that have not been publicly reported on TA505. Notably, we have not attributed TA505's early operations to FIN11 and caution against conflation of the two clusters,” Mandiant’s report says.

It’s quite common for tools, malware, and techniques to overlap among several separate cybercrime groups as criminals are quick to adopt whatever is working, regardless of where it comes from. This pragmatism extends to the infrastructure that FIN11 uses for its operations, including commercial malware, hosting providers, and certificates to lend legitimacy to tools installed after the initial compromise. FIN11 takes advantage of the full slate of products and services on offer in the criminal underground.

“Criminal actors can purchase a wide range of services and tools in underground communities—including private or semi-private malware capabilities, bulletproof hosting providers, various DNS-related services (including registration and fast-flux or dynamic DNS offerings) and code signing certificates—from actors who specialize in a single phase of the attack lifecycle. The outsourcing of tools and services associated with various parts of the attack lifecycle through criminal service providers can frustrate attribution efforts,” the Mandiant report says.

The Clop ransomware deployed by FIN11 isn’t anything special in terms of functionality, and the group uses a couple of different methods for deployment, including Group Policy Objects. But ransomware is only part of the picture for the group.

“More recently, in 2020, FIN11 has evolved to conduct hybrid extortion attacks, combining ransomware with data theft to pressure their victims into acquiescing to extortion demands. In these cases, the actors accessed several dozen systems, staged data in RAR archives, uploaded the files to MegaSync servers, deployed CLOP ransomware and then sent an email threatening to publish the data,” the Mandiant report says.

The group has followed through on its threats to publish data in some cases, and has also advertised some defensive security services on the same site for $250,000 in Bitcoin.

Mandiant’s researchers said they have moderate confidence that FIN11 is based somewhere in the Commonwealth of Independent States, mostly due to some of the characteristics of the Clop ransomware and the fact that the group’s activity drops sharply during the Russian Orthodox holidays at the beginning of the year.

“Samples of CLOP ransomware check for keyboard layouts commonly used in the CIS countries and for the Russian character set (204) before execution. If both the keyboard layout and character suggest the host is in a CIS country, CLOP will delete itself,” Mandiant’s report says.

<![CDATA[Microsoft Fixes Ping of Death Flaw in Windows]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-fixes-ping-of-death-flaw-in-windows https://duo.com/decipher/microsoft-fixes-ping-of-death-flaw-in-windows Tue, 13 Oct 2020 00:00:00 -0400

Microsoft has released a patch for a critical remote code execution vulnerability in Windows 10 and Windows Server 2019 that can be exploited by sending one packet to a vulnerable machine.

While the vulnerability (CVE-2020-16898) is simple to exploit and could result in a full compromise of a target machine, there are some mitigating factors, specifically the fact that it exists in the Windows IPv6 stack and not the IPv4 stack. So, disabling IPv6 if it's not in use is the quickest mitigation. There is a proof-of-concept exploit for the bug that has been shared with members of Microsoft’s Active Protection Program, but Microsoft said in its advisory that, to its knowledge, the vulnerability has not yet been exploited in the wild.
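The "disable IPv6 if it's not in use" mitigation is easy to get wrong on a host that quietly depends on IPv6, so here is an added PowerShell example (not from Microsoft's advisory or the McAfee analysis) that first inventories IPv6 bindings and addresses, and only unbinds the protocol from a named adapter when nothing beyond loopback and link-local addressing is configured. The adapter name is a placeholder; the cmdlets are the standard NetAdapter and NetTCPIP module ones.

```powershell
# Added example: inventory IPv6 before deciding on the CVE-2020-16898 mitigation.
# Adapter name 'PLACEHOLDER-ADAPTER' is a placeholder; run from an elevated prompt.

# 1. Show which adapters currently have the IPv6 protocol (ms_tcpip6) bound.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, DisplayName, Enabled |
    Format-Table -AutoSize

# 2. Confirm IPv6 is actually unused: no addresses beyond loopback/link-local
#    and no IPv6 default route means nothing on this host is relying on it.
$globalV6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80:*' }
$v6Routes = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue

if (-not $globalV6 -and -not $v6Routes) {
    # 3. Unbind IPv6 from one named adapter rather than every adapter, so each
    #    change can be reviewed per interface.
    Disable-NetAdapterBinding -Name 'PLACEHOLDER-ADAPTER' -ComponentID ms_tcpip6 -Confirm:$false
} else {
    Write-Warning 'IPv6 appears to be in use on this host; do not unbind it. Apply the October 2020 patch instead.'
}

# 4. Verify the resulting binding state for that adapter.
Get-NetAdapterBinding -Name 'PLACEHOLDER-ADAPTER' -ComponentID ms_tcpip6
```

Unbinding IPv6 is a blunt instrument and patching remains the real fix; Microsoft's advisory also documents a narrower workaround that turns off ICMPv6 RDNSS processing per interface with `netsh int ipv6 set int <index> rabaseddnsconfig=disable`, which blocks the vulnerable option handling without removing IPv6 connectivity.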

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable,” Steve Povolny and Mark Bereza of McAfee Advanced Threat Research said in an analysis of the flaw.

The flaw is reminiscent of the “ping of death” bug that plagued the TCP/IP implementations in many Windows, Unix, and Linux systems. Like the newer one, it could be exploited with a simple malformed ICMP packet and it was used in DDoS attacks quite often. And this isn’t the first such flaw to affect the Windows IPv6 stack, either. In 2013 Microsoft patched a similar bug, but it only allowed a denial-of-service rather than remote code execution.

The Microsoft advisory for CVE-2020-16898 is short and to the point, but it makes it clear that this vulnerability would not be a hard target for many attackers. Microsoft’s Platform Security Assurance and Vulnerability Research team discovered the vulnerability.

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client,” the advisory says.

“To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.”

McAfee’s researchers said that the softest targets for attackers are likely individual consumer machines rather than enterprise servers and laptops.

“The largest impact here will be to consumers on Windows 10 machines, though with Windows Updates the threat surface is likely to be quickly minimized,” they said.

The SophosLabs Offensive Security team has a detailed teardown of the vulnerability and also developed its own proof-of-concept exploit.

<![CDATA[Microsoft and Partners Disrupt Trickbot Botnet]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-and-partners-disrupt-trickbot-botnet https://duo.com/decipher/microsoft-and-partners-disrupt-trickbot-botnet Mon, 12 Oct 2020 00:00:00 -0400

Microsoft, along with a small cadre of other technology companies and industry groups, took a number of legal and technical actions to disrupt the Trickbot malware infrastructure, including taking control of the command-and-control servers and blocking the operators’ ability to buy or rent new C2 servers.

The botnet takedown is intended not just to prevent the Trickbot operators from distributing the notorious banking trojan but also to disrupt the installation of the Ryuk ransomware, which is often part and parcel of a Trickbot infection. As part of the operation, Microsoft obtained a court order that allowed the company to disable specific IP addresses used in the botnet and make the content stored on the botnet’s C2 servers inaccessible. Microsoft also filed a copyright claim against the Trickbot operators for unauthorized use of the company’s software. Trickbot is infamous for using malicious attachments in phishing emails, often Word or Excel documents with malicious macros.

The takedown operation was a joint effort with contributions from ESET, Symantec, Lumen’s Black Lotus Labs, NTT, and the FS-ISAC, and it comes just three weeks before the presidential election in the United States. The Trickbot botnet and the Ryuk ransomware it often brings with it are closely associated with Russian attackers and U.S. officials have warned repeatedly that Russian threat actors are seeking to influence and disrupt the election. Though that threat is significant, the vast majority of Trickbot’s activity has been focused on infecting individual systems, stealing banking credentials, and delivering the Ryuk ransomware when possible.

“People are unaware of Trickbot’s activity as the operators have designed it to hide itself. After Trickbot captures login credentials and personal information, operators use that information to access people’s bank accounts. People experience a normal login process and are typically unaware of the underlying surveillance and theft,” Tom Burt, Microsoft's corporate vice president for customer security and trust, said.

“Ryuk is a sophisticated crypto-ransomware because it identifies and encrypts network files and disables Windows System Restore to prevent people from being able to recover from the attack without external backups. Ryuk has been attacking organizations, including municipal governments, state courts, hospitals, nursing homes, enterprises and large universities.”

Security researchers have been tracking Trickbot since 2016 and the operators have used a number of different tactics over the years. The malware most often shows up in phishing emails, typically with subject lines and body content pegged to a current event. Trickbot-infected emails have used the COVID-19 pandemic as a lure for many months, while other campaigns have used common phishing themes such as invoices or shipping notifications. The malware operators have targeted organizations in many countries, but much of their focus has been on the U.S., and as the attackers have evolved, so have their tactics, moving from mostly banking credential theft to the higher returns of ransomware.

“In these cases, a Trickbot compromise is first leveraged to perform reconnaissance and lateral movement in an organization’s network and then to drop Ryuk ransomware on as many systems as possible. From the data we have collected, it appears that Trickbot’s operators moved from attempting to steal money from bank accounts, to compromising a whole organization with Trickbot and then using it to execute Ryuk and demand a ransom to unlock the affected systems,” an analysis by ESET researchers says.

“We also observed new malware development projects allegedly coming from Trickbot’s operators, which might also explain their sudden disinterest in operating Trickbot as a banking trojan. One of these projects is the so-called Anchor project, a platform mostly geared towards espionage rather than crimeware. They are also likely involved in the development of the Bazar malware — a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems.”

The Trickbot takedown is a significant operation, but the malware operators are likely to find new methods for distribution, given how much money is at stake.

“We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them,” Burt said.

<![CDATA[Morgan Stanley to Pay $60 Million Fine for 2016 Data Breach]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/morgan-stanley-to-pay-usd60-million-fine-for-2016-data-breach https://duo.com/decipher/morgan-stanley-to-pay-usd60-million-fine-for-2016-data-breach Fri, 09 Oct 2020 00:00:00 -0400

Morgan Stanley has agreed to pay a $60 million fine for its repeated failures to adequately protect customer data when disposing of old equipment.

The United States Department of Treasury’s Office of the Comptroller of the Currency said this week that both Morgan Stanley Bank NA and Morgan Stanley Private Bank NA failed to take proper precautions to protect customer data when the bank shut down two data centers for its U.S. wealth-management operations in 2016. The bank did not maintain an inventory of the customer data on those systems, and did not properly oversee the contractors it hired to make sure customer data had been wiped from the old equipment, the OCC said in its consent order. The bank informed affected customers this July, after it was instructed to do so by the OCC, and provided two years of free credit monitoring and fraud detection services with Experian.

“Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices,” the OCC said.

Ongoing Carelessness

The OCC said that Morgan Stanley’s failures to make sure adequate protections were in place were “part of a pattern of misconduct,” noting that the bank had a similar situation in 2019 when servers in some branch locations were replaced. Morgan Stanley told some state attorneys general it couldn’t locate the older equipment containing unencrypted customer data.

Many data breaches occur because an outside adversary bypassed security defenses or somehow compromised a system. Human error, however, was the second most common cause of data breaches in 2019 (22 percent), according to the 2020 Verizon Data Breach Investigations Report. Security missteps by contractors can turn into a data breach, which is why organizations have to be vigilant about what their partners are doing. Risk Based Security said earlier this year that there were 368 incidents involving third-party vendors in 2019, a 35 percent increase from 2017.

Morgan Stanley is reportedly considering “appropriate legal action” against the outside contractor, AdvisorHub reported over the summer.

No Consequences

Morgan Stanley paying the fine does not mean the financial services giant admits, or denies, the OCC’s allegations. “Nothing in this Order is a release, discharge, compromise, settlement, dismissal, or resolution of any actions,” the OCC said.

The OCC also did not impose additional business restrictions on Morgan Stanley on top of the fine because Morgan Stanley had "undertaken initial corrective actions and is committed to taking all necessary and appropriate steps to remedy the deficiencies," according to the consent order.

The OCC's role is to regulate and supervise all national banks and federal savings associations, but this fine—$60 million—doesn’t even qualify as a slap on the wrist for the bank, which reported net revenues of $13.4 billion in the second quarter of 2020 ending June 30 and full year net revenue of $41.4 billion in 2019. It is in line with the $80 million fine Capital One agreed to pay in connection with the 2019 data breach that affected approximately 106 million people. Capital One reported $28.6 billion in total revenue in 2019.

At least in the case of Capital One, the OCC required Capital One to improve its security practices and update its risk management processes.

The OCC has imposed large fines before, but not for data security violations or breaches. Just a day earlier, the OCC assessed a $400 million civil money penalty against Citibank for failing "to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile." Under the terms of the order, Citibank has to receive the OCC's "non-objection" before significant new acquisitions. The OCC also reserved the authority to implement additional restrictions if Citibank does not make the necessary improvements.

The enforcement action against Citibank revolved around the bank's governance/risk/compliance activities, or to be more specific, the lack of them. OCC called out Citibank's failure to "address data governance deficiencies, including data quality errors and failures to produce timely and accurate management and regulatory reporting."

The Federal Reserve Board announced its own enforcement actions (no fine) against Citibank this week. The Fed's order requires Citibank to perform a number of actions, including conducting "a gap analysis of its enterprise-wide risk management framework and internal controls systems" and making improvements to "the management information systems, data, and reports provided to Citigroup’s board of directors and senior management concerning compliance risks."

Pending Lawsuits

The agreement doesn’t mean Morgan Stanley is done dealing with the aftermath of the 2016 breach, as the bank is facing at least two class-action lawsuits alleging negligence and invasion of privacy. The plaintiffs, former and current Morgan Stanley customers (including Smith Barney account-holders), claimed the data left on the decommissioned equipment—including Social Security numbers, passport information and other account numbers—was everything criminals would need to steal identities and make fraudulent purchases. One of the lawsuits is asking for $5 million in damages.

One of the lawsuits said plaintiffs were injured by “lost or diminished value” of their personal identification data, and the continued uncertainty and risk of identity theft.

“In addition to Morgan Stanley’s failure to prevent the Data Breach, Defendant failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General,” the lawsuit said.

Morgan Stanley said in a statement that it had found no evidence during its investigation or in the subsequent monitoring that anyone had improperly accessed or used the information that was on the old hardware.

“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” Morgan Stanley told Bloomberg. “Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”

Morgan Stanley previously agreed to pay the Securities and Exchange Commission $1 million after a broker downloaded client data onto his personal computer. At the time, the FTC had chalked the breach, which affected up to 350,000 accounts, up to a “glitch” and did not impose sanctions.

<![CDATA[New Android Ransomware Variant Shows Constant Evolution]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-android-ransomware-variant-shows-constant-evolution https://duo.com/decipher/new-android-ransomware-variant-shows-constant-evolution Fri, 09 Oct 2020 00:00:00 -0400

Microsoft has identified a new ransomware variant targeting Android devices that uses a variety of innovative techniques to get around the protections that Google has implemented to prevent malicious apps from taking over the home screen and making devices unusable.

The ransomware is a new iteration of a family that has been targeting Android for some time, and Microsoft researchers say the operators behind it have been updating and evolving the malware continuously. Known as AndroidOS/MalLocker.B, the new variant has the ability to respawn the ransom note overlaid on the home screen when the device owner performs certain actions, including pushing the home button. Microsoft researchers said that the variant also contains a small machine-learning module that gives the ransomware the ability to adapt quickly as new defensive techniques arise.

Traditionally, Android ransomware has abused a permission called SYSTEM_ALERT_WINDOW in order to draw a window on the home screen that can’t be removed. That permission is meant to be used by legitimate Android functions to display system alerts, but ransomware operators use it to display the ransom note indefinitely until the victim acquiesces and pays the ransom. Google made some changes to recent versions of Android to prevent malware from using this permission, but malware authors have adapted to employ other tactics.

“For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app,” Dinesh Venkatesan of Microsoft Defender Research wrote in a post on the new MalLocker.B ransomware.

But the variant that Microsoft identified does not use any of those techniques. Rather, it uses a special “call” notification that demands the user’s attention immediately, as well as a callback method that is called when the ransomware note is about to be sent to the background.

“The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback,” Venkatesan said.

“The function onUserLeaveHint() is called whenever the malware screen is pushed to background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window.”

Along with those techniques, the MalLocker.B ransomware variant also includes some code that has been forked from a machine-learning library that is used in legitimate apps to resize windows to fit specific screen sizes. The module isn’t yet active in the ransomware code, but it could add some new functionality once it is.

“In the case of this ransomware, using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable, increasing the chances of the user paying for the ransom,” Venkatesan said.

“The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants.”

<![CDATA[Cybercrime Victims Are Not Calling the Police]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/cybercrime-victims-are-not-calling-the-police https://duo.com/decipher/cybercrime-victims-are-not-calling-the-police Thu, 08 Oct 2020 00:00:00 -0400

Ransomware, business email compromise, and social engineering are among the top threats facing organizations, but the magnitude of the problem is not well-understood, Europol said in its threat assessment report.

There are plenty of signs suggesting that cybercrime is growing, but organizations don’t always involve law enforcement, making it difficult to quantify the number of incidents, Europol said in its Internet Organised Crime Threat Assessment 2020 report. One reason not to report security incidents to law enforcement is to avoid public disclosure, since the news may damage the organization's brand and reputation.

Victim organizations “appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimised,” Europol said in the report. Since victims aren’t reporting the attacks, investigators have a harder time identifying and investigating the cases.

For many organizations, involving law enforcement is simply not a priority because the focus is on business continuity and recovery. That is especially true in the case of a ransomware attack. The victim organization may be more interested in restoring the data and getting the systems back up and running, in which case they would prefer to just pay the ransom and be done. Calling in law enforcement could potentially slow down getting back to normal. It may make more sense for these organizations to work with private security companies or insurers offering specific services to recover from these attacks.

"By using such companies, victims will not file an official complaint, which increases the lack of visibility and awareness concerning real figures of ransomware attacks among law enforcement," Europol said.

Another reason is that the victim organization may not know that these incidents should be reported, or have an idea on how to reach out to the appropriate authority. Over the years, law enforcement authorities in different countries have begun streamlining their processes to make it easier for organizations to file a report after an attack. There are still some obstacles, as some local entities may not have systems capable of accepting these reports, Europol noted in its report. In at least one country, ransomware was not considered a separate category and would be rolled into a general data breaches category. Local and national authorities also need to improve their coordination, so that information is available to investigators.

“Information reported to local police may not find its way to national or central units, meaning law enforcement is unable to connect the dots on a national scale and with their respective international partners,” Europol said.

Victim organizations may also have the perception that there is no value in reporting the attack because the law enforcement entity won’t have the resources to investigate. It’s a circular argument, since many of these entities don’t have the resources because it isn’t clear that there is a problem. If more victims notified law enforcement, then the authorities would be able to ask for more resources to investigate.

“Under-reporting prevents law enforcement from forming the bigger picture and gathering reliable data, and monitoring whether cybercrime has been increasing or decreasing in reality,” Europol said.

If more victims reported cybercrimes, law enforcement would have more information and could uncover connections across different incidents. That would help with education outreach to warn other organizations on what to look out for and avoid becoming victims. Law enforcement authorities may also be able to use the information from other incidents to help organizations recover if they were already compromised.

Criminals are evolving their tactics to adjust to changing circumstances and available tools. For example, cybercriminals are “employing a more holistic strategy” in their social engineering campaigns as they cooperate with other criminals and incorporate new tools, systems, and vulnerabilities. As for business email compromise, cybercriminals “have shown a significant understanding of internal business processes and systems’ vulnerabilities.”

"Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed," Europol said.

<![CDATA[California Voters Asked to Amend Privacy Law]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/california-voters-asked-to-amend-privacy-law https://duo.com/decipher/california-voters-asked-to-amend-privacy-law Wed, 07 Oct 2020 00:00:00 -0400

California voters will vote this Election Day on Proposition 24, on whether to expand the groundbreaking privacy law that was passed just two years ago. Proposition 24, or the California Privacy Rights Act of 2020, builds on the California Consumer Privacy Act of 2018, which just took effect this year. Early voting has already begun in the state.

CCPA limits how companies gather personal data and how they can monetize it, and gives consumers the right to know what information a company has collected about them, to opt out of data collection and the sale of their data, and to request that the data be deleted. Voters will vote on CPRA, which would allow consumers to prevent businesses from sharing their personal information and also give them the ability to correct errors in any of the collected information.

Considering that enforcement of CCPA began just this summer, it is startling that there is already an attempt to change the law. Part of the reason is to push California’s privacy law to be more like GDPR, and in that way bring parts of the United States closer to the protections that already exist for Europeans under the European Union's General Data Protection Regulation. While CCPA is considered to be the most comprehensive privacy law currently in the United States, privacy advocates say it is not as robust as GDPR. The idea is that CPRA will add GDPR-like elements to the law.

CPRA is full of "nuances" to privacy law that don't currently exist in CCPA, said Heather Federman, vice-president of privacy and policy at BigID. It is really difficult to predict right now how the privacy landscape will change (or not change) if the proposition passes and CPRA becomes law.

Proposed Changes

CPRA refers to data sharing, in order to close a perceived loophole based on the CCPA's use of the term selling data. Many companies have justified their data collection policies, or said CCPA doesn't apply to them, because they aren't selling or otherwise monetizing the data. The wording change in the CPRA means the privacy law applies to any kind of data exchange, regardless of whether money or another service is offered in return.

This isn't just semantics, because the switch in vocabulary would expand the pool of organizations that would have to comply with the law. Adtech would possibly be the most affected, although the law could potentially apply to non-profits and other organizations that have data-sharing arrangements with other entities.

Another subtle change that sounds positive but will really depend on how businesses respond is the rule around data minimization, Federman said. The idea is that businesses cannot collect personal information just for the sake of having it; the business should collect only what is necessary to provide the requested good or service. That is the direction privacy laws have been moving, by restricting businesses from rampant collection. Proposition 24 allows businesses to define "necessary" to encompass a whole range of activities even if they aren't actually being used, and that may not match what the consumer is expecting. Whether or not minimization works will depend on how businesses handle this rule.

Another change is the ability to correct the data. CCPA gave consumers the right to ask that their data be deleted, but there was no mechanism for correcting the information that had been collected. GDPR gives consumers the right to correct the data, and CPRA's language also includes that right. If Proposition 24 passes, businesses would have to add that mechanism to their current data management workflow.

Being compliant with CCPA does not automatically mean a company is compliant with GDPR, and vice versa, because the two have different requirements. The laws also apply to organizations differently. GDPR applies to all firms, regardless of size, that handle personal data of European Union residents. CCPA is limited to companies with gross annual revenues in excess of $25 million that handle the personal data of more than 50,000 consumers, or that derive more than half of their annual revenue from selling consumer data. And the rights are given only to California residents.

For organizations that have spent the past few years preparing for GDPR, adding the new elements required by CPRA won’t be that difficult, said Dan Clarke, president of IntraEdge. However, the proposed changes would be a big change for all the companies that would be affected by CPRA but didn't previously have to worry about GDPR.

For example, CPRA also creates a new category of data, "sensitive" information, which refers to precise geolocation, race, ethnicity, and health information. Consumers would have the right to opt out of sensitive data being collected, and it would need to be treated differently from other personal information. The new classification would pose a "material operational change" for businesses, Clarke said.

The most intriguing part of Proposition 24 is the creation of a California Privacy Protection Agency to enforce privacy law and issue fines to companies for violating the regulations. Currently, enforcement authority sits with the state Attorney General's office, and Attorney General Xavier Becerra has said the office's limited resources would mean actions taken on only a handful of cases each year. If Proposition 24 passes, a well-funded agency, with an annual budget of $10 million and a staff of 40, would have the authority to act against more violators. Even though the law itself wouldn't be fully in effect until 2022, the agency would be up and running by summer of 2021, which means it would be able to take on the workload of enforcing CCPA as well.

The CCPA originally had language regulating data collection from minors under the age of 13, and from those between 13 and 16 years old. Companies trying to collect data from the 13-and-younger crowd would need parental authorization, such as a signed document provided by postal mail, fax, or electronic scan. Minors between the ages of 13 and 16 must separately be informed of their right to opt out at a later date. CPRA would triple the fine on companies that violate kids’ privacy or illegally collect and share information about minors.

Against the Law

One of the reasons for putting forward CPRA as a ballot measure is to block future lobbying attempts to weaken provisions of the law with exemptions for businesses, or proposals to change enforcement rules in ways that alter the spirit of the law. As a ballot initiative, the language of the law would be final once passed, and the only way to tinker with the law would be to introduce another proposition on the ballot.

“Business is actively seeking to undermine the protections that were just put in place,” Alastair Mactaggart, a San Francisco real estate developer who advocated for CCPA and supports CPRA, told the Associated Press.

There are several big names who have come out in support of Proposition 24, including Common Sense Media and Consumer Watchdog. Former Democratic presidential candidate Andrew Yang is chairing the advisory board. There are equally prominent voices on the other side urging voters to reject the ballot initiative, including the ACLU of Northern California and the Electronic Frontier Foundation. The San Francisco Chronicle's editorial board recommended voters reject the proposition.

The Electronic Frontier Foundation, interestingly, said it "does not support it; nor does EFF oppose it."

"It [Prop 24] is a mixed bag of partial steps backwards and forwards. It includes some but not most of the strengthening amendments urged by privacy advocates," EFF's Lee Tien, Adam Schwartz, and Hayley Tsukayama said in a post back in July. In that same post, the writers concluded, "we won’t be supporting Prop 24."

An issue with the CPRA is that it continues to put the onus of privacy on the consumer, Federman said. CCPA places the burden on consumers to opt out of collection and sale and to request deletions. CPRA adds yet more tasks: opting out of sharing and requesting corrections. Most people will not be able to go through the requests for every single organization. This means that, regardless of which version of the privacy law is in place, many businesses will be able to retain and sell or share user data, even though many consumers wish otherwise. Privacy should be by default.

Proposition 24 also changes how businesses handle deletion requests, as a business could refuse to delete the data, even if a consumer requests it, if keeping the data would “help to ensure security and integrity.” The changes would also reduce the business's responsibility to communicate the consumer's deletion request to all the other companies that received that data. It isn't really reasonable to expect a consumer to identify all the entities the business shared the data with and make individual requests to have the data deleted.

The biggest opposition appears to be around the perception of a loyalty program, as the law would allow businesses to charge customers higher prices (or withhold a discount) if they refuse data collection, a so-called “pay for privacy” arrangement. There have been echoes of that in the past, such as when AT&T piloted a program that offered different privacy policies for those members, Federman noted. Privacy advocates have pushed back on the perception that privacy is possible only for some people.

"Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights," the EFF wrote. "Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy “haves” and “have-nots.”"

<![CDATA[Global Privacy Control Protocol Aims to Pick Up Where Do Not Track Left Off]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/global-privacy-control-protocol-aims-to-pick-up-where-do-not-track-left-off https://duo.com/decipher/global-privacy-control-protocol-aims-to-pick-up-where-do-not-track-left-off Wed, 07 Oct 2020 00:00:00 -0400

A small group of powerful web companies, privacy organizations, and publishers is putting forward a new privacy protocol called Global Privacy Control (GPC) that is designed to send a signal from browsers to websites that individuals do not want their personal data sold to third parties.

GPC is the latest effort to give people a mechanism to communicate their privacy preferences to the sites they visit, following in the wake of the Do Not Track system. DNT, which lets people enable an option that signals to sites that they do not want to be tracked across third-party sites, has never fully caught on, due mainly to the fact that it has no legal or regulatory authority behind it. As a result, many sites simply ignore the signal and do whatever they want. While the major browsers all support DNT, it has not had the effect that its developers had hoped for when it debuted more than 10 years ago.

The GPC protocol is a proposed upgrade to DNT, though it is not a direct replacement. Where the DNT signal communicates the individual’s preferences about tracking, GPC is focused on the collection and sale of personal data. It uses the same mechanism for communicating the individual’s preference, an HTTP header, and several major publishers and web companies already support it, including Mozilla, DuckDuckGo, Brave, The New York Times, and the EFF. The browser vendors will send the signal from their products, and others, such as the EFF, will support it through the Privacy Badger extension.

“Getting privacy online should be simple and accessible to everyone, period. Global Privacy Control (GPC) takes us one step closer to making this vision a reality by creating a simple universal setting for users to express their preference for privacy,” Gabriel Weinberg, CEO of DuckDuckGo, the privacy-focused browser, said in a statement.

GPC, announced Wednesday, debuts at a time when privacy legislation is taking center stage both nationally and in several key states. There are numerous privacy-related bills pending on Capitol Hill, the most recent being the SAFE DATA Act introduced last month. The most prominent state privacy regulation is the California Consumer Privacy Act (CCPA), which mandates that consumers have the ability to opt out of the sale of their data, and the GPC signal would give them a simple way to communicate that to websites.

“The CCPA and other laws are not perfect, and many of our users continue to live in places without strong legal protections. That’s why Privacy Badger continues to use both approaches to privacy. It asks websites to respect your privacy, using GPC as an official request under applicable laws and DNT to express what our users actually want (to opt out of all tracking). It then blocks known trackers, who refuse to comply with DNT, from loading at all,” Bennett Cyphers, staff technologist at the EFF, said.

“Starting this release, Privacy Badger will begin setting the GPC signal by default. Users can opt out of sending this signal, along with DNT, in their Privacy Badger settings.”

Among the other platforms supporting GPC are The Washington Post and Automattic, which owns both Tumblr and WordPress.

<![CDATA[UHS Recovering From Malware Infection]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/uhs-recovering-from-malware-infection https://duo.com/decipher/uhs-recovering-from-malware-infection Tue, 06 Oct 2020 00:00:00 -0400

A week after a malware infection hit the networks of Universal Health Services, which operates more than 400 facilities in the U.S., the company has restored much of its network operations and is in the process of reconnecting many of its applications.

The attack began on Sept. 27 and had a cascading effect across the UHS networks over the next couple of days. After the company’s IT staff noticed the intrusion, they shut down the corporate networks and cut connectivity among the facilities to prevent the malware from spreading. As a result, some of the company’s hospitals were forced to divert patients to other facilities, and staff had to do paperwork, charts, and records by hand. The incident was reportedly a ransomware attack, though company officials have not confirmed that.

On Monday, the company said that much of its network is back up and running, though some challenges remain.

“The UHS IT Network has been restored and applications are in the process of being reconnected. The recovery process has been completed for all servers at the corporate data center and connectivity has been re-established for all U.S.-based inpatient facilities. Our major information systems such as the electronic medical record (EMR) were not directly impacted; we are in the process of restoring connections to these systems and back-loading data from the past week,” the statement says.

“More than half of our Acute Care hospitals are live already or scheduled to be live by the end of today. UHS has deployed a significant number of IT and clinical resources to the hospitals, to support the resumption of online operations. The go-lives will continue on a rolling basis; in the meantime, those working toward go-live are continuing to use their established back-up processes including offline documentation methods.”

Since the incident first occurred, UHS officials have said that they have no indication that patient or employee data had been accessed or copied.

<![CDATA[Visa Reports POS Malware Infected Two Hospitality Companies]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/visa-reports-pos-malware-infected-two-hospitality-companies https://duo.com/decipher/visa-reports-pos-malware-infected-two-hospitality-companies Tue, 06 Oct 2020 00:00:00 -0400

Two hospitality merchants in North America were compromised by point-of-sale malware in May and June of this year, Visa said in a recent technical report.

The report from Visa's Payment Fraud Disruption team didn’t name the affected companies or provide specifics about the breaches, such as what was stolen or how many consumers were affected. Instead, the report focused on the malware, tactics, and indicators of compromise. The report did not suggest that the two compromises were related.

With the shutdown of many businesses and restrictions on travel and retail due to the pandemic, there are more transactions involving non-cash payment methods, such as mobile wallets and contactless "tap and go" transactions, according to PSCU's weekly transaction analysis reports. Payment Systems for Credit Unions is the largest credit union service organization in the United States. PSCU said 40.9 percent of credit card transactions were card-not-present transactions (such as online shopping) as of the end of September, which means there are still plenty of cards being inserted into or swiped through point-of-sale systems.

"The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data," the report said.

One hospitality company was infected with a variant of the TinyPOS malware, and Track 1 and Track 2 payment account data was stolen, the report said. The memory scraper gathered the data and wrote it to log files, and a separate batch file handled sending the files outside the network.

POS malware infects point-of-sale applications and scrapes payment card details from system memory as the application processes the data. Track 1 and Track 2 refer to the data stored on the magnetic stripe of a payment card, which includes the account number, the expiration date, the three-digit code used to verify that the card is present, and the name of the cardholder.
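Because this kind of scraper stages what it collects in plain files before a batch job exfiltrates them, one useful detection is to scan files on POS hosts for magnetic-stripe track records. The scanner below is an added example, not code from the Visa report or from any party in the article. It matches the ISO/IEC 7813 track layouts (Track 1 begins `%B<PAN>^<NAME>^<YYMM><service code>`, Track 2 begins `;<PAN>=<YYMM><service code>`, both terminated by `?`), confirms each candidate account number with the Luhn checksum so random digit runs are not reported, and returns masked findings so the alert itself does not leak card data. The sample log text is constructed, and the account numbers in it are the familiar `4111…` and `5500…` test numbers, not real cards.

```python
"""Scan text (a staged log file, for example) for Track 1 / Track 2 stripe data.

Added example, not code from the Visa report or from any party in the article.
Implements the ISO/IEC 7813 track layouts and the Luhn check; the SAMPLE_LOG
below is constructed and uses well-known test card numbers only.
"""
import re
from typing import List

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM,
# three-digit service code, discretionary data, end sentinel '?'.
TRACK1 = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2: start sentinel ';', PAN, '=', YYMM, service code, discretionary, '?'.
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")

# Constructed sample: the first three lines imitate scraper output; the
# third carries a digit string that is *not* a valid card number.
SAMPLE_LOG = "\n".join([
    "2020-06-02 10:14:07 scraper: %B4111111111111111^DOE/JANE^25121010000000000?",
    "2020-06-02 10:14:09 scraper: ;5500000000000004=25121010000000000?",
    "2020-06-02 10:14:11 scraper: ;1234567812345678=25121010000000000?",
    "2020-06-02 10:14:12 heartbeat ok",
])


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[dict]:
    """Return one finding per Luhn-valid track record, with the PAN masked.

    Each finding records the 1-based line number, which track layout matched,
    the masked PAN and the expiry, which is enough for an analyst to triage
    without the alert itself becoming cardholder data at rest.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):
                    continue    # looks like a track record but the PAN is not a card number
                findings.append({
                    "line": line_no,
                    "kind": kind,
                    "pan": mask_pan(pan),
                    "exp": m.group("exp"),
                })
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

Run against a POS host's log and temp directories on a schedule, this turns the malware's own staging step into a detection opportunity; the Luhn filter keeps false positives from timestamps and transaction identifiers, which is what makes such a scan tolerable in a noisy environment.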

The actors gained access to the network after a successful phishing campaign compromised credentials for several user accounts and an administrator account. The actors used the stolen credentials and PowerShell to access the cardholder data environment within the merchant's network. The memory scraper used was a variant of TinyPOS, and the attack code was appended to a manipulated image file. The file displays correctly in an image viewer, but the hidden code runs in the background to scrape data and prepare it for exfiltration.

The investigation team was not able to determine how the attackers initially got into the second merchant's networks, or how the stolen data was exfiltrated. The team found clues suggesting the attackers "employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment." The evidence collected suggested that the attackers relied on a cocktail of POS malware, including MMon (also known as Картоха on crimeware forums), PwnPOS, and RtPOS.

RtPOS gained persistence on the point-of-sale terminal by installing itself as a service. The malware iterated over all the processes running on the compromised system and then scraped memory for any Track 1 and Track 2 data. MMon scraped memory. PwnPOS established persistence, checked that the account had administrator-level privileges, and also scraped data from memory.

The report reiterated the security best practices of patching vulnerable systems, monitoring network traffic for suspicious activity, and restricting privileges on user accounts to only what is necessary. It emphasized enabling two-factor authentication on remote sessions, disabling remote access when not in use, and segmenting networks so that even if one part is compromised, the attacker can't easily move to other parts of the network. Organizations should also enable EMV technology, such as contactless, mobile, and chip, for point-of-sale applications, since these are more secure than the older systems.

<![CDATA[China-Linked Hackers Found Using UEFI Rootkit]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/china-linked-hackers-found-using-uefi-rootkit https://duo.com/decipher/china-linked-hackers-found-using-uefi-rootkit Mon, 05 Oct 2020 00:00:00 -0400

An attack group likely based in China has recently been using a new malicious framework called MosaicRegressor in operations against diplomatic and NGO targets, one of which involved the installation of malicious UEFI firmware images on a compromised machine. The framework repurposes tools built by Hacking Team that were leaked several years ago.

Attacks involving malicious UEFI firmware are quite rare, for a number of reasons, and researchers at Kaspersky who discovered this most recent one said it’s unclear how the attackers gained initial access to the compromised computer. But the use of a modified firmware image, albeit one based on an existing tool, as part of the attack chain suggests that the operation is the work of a competent and proficient attacker. The malicious firmware images were one part of the attacks that the researchers investigated, attacks that also involved the installation of various other pieces of malware, all aimed at data theft and espionage.

There were several indications in the tools’ code and elsewhere that led the researchers to conclude that the attacks were the work of a Chinese-speaking group, though they did not pin the operations on any specific team. The targets identified by Kaspersky include NGOs and diplomatic organizations in several countries in Europe, Africa, and Asia, many of which are focused on work related to North Korea. The new UEFI rootkit, though low in terms of infection numbers, demonstrates that top-level attackers have not slowed their development of tools, especially those that grant them long-term access to target environments.

“We can obviously say that by deploying a UEFI rootkit the attackers were aiming for the highest level of persistence on those machines. They probably thought they could get away with it because they’re very hard to detect. Because the firmware resides on a separate chip it makes it probably the most persistent malware there is,” said Mark Lechtik, a senior security researcher at Kaspersky.

"They aimed on being on target machines for as long as they could. They’re aiming for constant access to victims’ environments regardless of if the victim remediates the machine.”

Unified Extensible Firmware Interface (UEFI) is a modern replacement for the old BIOS, the software that runs at the beginning of a computer’s boot process and helps interface with the main operating system. The firmware is installed during the manufacturing process and because of its privileged placement in the boot chain, it is a prized target for attackers. The challenge is that reaching the firmware and being able to modify it are difficult tasks, by design. Modern Windows machines employ a process known as UEFI Secure Boot that’s meant to ensure that no malicious or unsigned components are loaded during the boot process. Some computers also have other hardware protections against low-level firmware attacks, so modifying or replacing a target machine’s firmware is no mean feat.

Lechtik said that the researchers were not able to determine whether the machines compromised by the UEFI rootkit had Secure Boot enabled.

Known attacks that have succeeded in modifying a target machine’s firmware are few and far between, and the one that Kaspersky came across included a modified firmware image with several separate malicious modules in it.

“During an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values, those were two DXE drivers and two UEFI applications. After further analysis we were able to determine that they were based on the leaked source code of HackingTeam’s VectorEDK bootkit, with minor customizations,” Lechtik and Igor Kuznetsov of Kaspersky wrote in an analysis of the attacks.

“The goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Startup folder. Thus, when Windows is started the written malware would be invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it will be rewritten. Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware.”

The researchers found several separate components used by MosaicRegressor, each with individual capabilities. One of the modules is used to load the other components, another walks through the file system, and a third marks the firmware on the machine as compromised. But the real action comes from “SmmAccessSub”, the actual bootkit that writes the IntelUpdate executable to the startup directory on the disk. The bootkit is what handles the persistence on the disk and ensures that the attackers have continued access to the machine. The MosaicRegressor framework uses several different downloaders that can communicate with the command-and-control infrastructure through a variety of methods, including email, which is unusual for this kind of malware.

“The mail boxes used for this purpose reside on the ‘mail.ru’ domain, and are accessed using credentials that are hard-coded in the malware’s binary. To fetch the requested file from the target inbox, MailReg enters an infinite loop where it tries to connect to the ‘pop.mail.ru’ server every 20 minutes, and makes use of the first pair of credentials that allow a successful connection,” the analysis says.

How the attackers behind MosaicRegressor were able to gain the position necessary to install the UEFI rootkit remains a mystery, but Lechtik said there were several possibilities. The simplest explanation is physical access to the computers, with which an attacker could install the modified firmware from a USB drive. That’s the vector that HackingTeam documentation had as a requirement for its custom malware.

“Another option is to push a rogue firmware update. But that would require the previous firmware to not check digital signatures. Or there could have been a vulnerability in the firmware. But if this was true we’d anticipate we’d find some evidence of exploitation and we haven’t seen anything like that,” Lechtik said.

<![CDATA[House Version of EARN IT Act Introduced]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/house-version-of-earn-it-act-introduced https://duo.com/decipher/house-version-of-earn-it-act-introduced Fri, 02 Oct 2020 00:00:00 -0400

The EARN IT Act, which was introduced in the Senate in March and would have some negative effects on encrypted services, now has a companion in the House of Representatives that is nearly identical.

The House version of the bill was introduced Wednesday by Reps. Sylvia Garcia (D-Texas) and Ann Wagner (R-Mo.) and includes virtually all of the same language as the Senate bill. Both bills are intended to curb the spread of child exploitation material by placing some new responsibilities on platform providers to identify and report such material. Providers already have a legal obligation to report that kind of material on their platforms, but the EARN IT Act would establish a new commission to create a set of best practices that providers would be encouraged to follow or risk losing their immunity from prosecution under Section 230 of the Communications Decency Act.

The original version of the Senate bill made those best practices mandatory, but that, along with some other language, was changed by a couple of amendments over the summer. The bill now contains an explicit reference to encrypted services and devices, where the original version made no direct reference to encryption at all. An amendment added in July by Sen. Patrick Leahy says that platform providers could not be held liable for offering encrypted services or not having the ability to decrypt users’ communications.

The House bill has similar language, with one significant change that spells out that none of the following factors can be used as the sole basis for liability: “The provider utilizes full end-to-end encrypted messaging services, device encryption, or other encryption services. The provider does not possess the information necessary to decrypt a communication. The provider fails to take an action that would otherwise undermine the ability of the provider to offer full end-to-end encrypted messaging services, device encryption, or other encryption services.”

While the language in Leahy’s amendment provides some cover for platform providers that offer encrypted services, the House version does not.

“But even the limited protection offered by the Leahy amendment is undermined by the House version’s only substantive change: while offering encryption could not be an ‘independent basis for liability,’ it could be considered with other evidence. If this becomes law, this risk will discourage companies from offering encryption to protect user communications. That’s not surprising, because undermining encryption has always been a key purpose of this legislation,” said Berin Szóka, senior fellow at TechFreedom, a non-profit that focuses on technological progress.

In addition to the effect it would have on encrypted services, the EARN IT Act also would create room for state legislatures to write their own legislation to regulate certain aspects of online speech.

“The EARN IT Act would allow all 50 state legislatures, as well as U.S. territories and Washington D.C., to pass laws that would regulate the Internet. By breaking Section 230 of the Communications Decency Act, the EARN IT bill would allow small website owners to be sued or prosecuted under state laws, as long as the prosecution or lawsuit somehow related to crimes against children,” Joe Mullin, a policy analyst at the Electronic Frontier Foundation said.

“We know how websites will react to this. Once they face prosecution or lawsuits based on other peoples’ speech, they’ll monitor their users, and censor or shut down discussion forums.”

The Senate version of the bill was passed out of the Judiciary Committee in July.

<![CDATA[ESET Identifies 11 Latin American Malware Families]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/eset-identifies-11-latin-american-malware-families https://duo.com/decipher/eset-identifies-11-latin-american-malware-families Thu, 01 Oct 2020 00:00:00 -0400

There are multiple distinct banking Trojan families in Latin America, rather than one large group as has been previously believed, ESET researchers said at the Virus Bulletin 2020 conference.

ESET has been researching various Latin American banking Trojans and has “unmasked” Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, and Mekotio over the past year. Analyses of Krachulka, Lokorrito, Numando, Vadokrist, and Zumanek are expected. These Trojans were originally considered part of one group of malware because of all the similarities, ESET said in its whitepaper published by Virus Bulletin. Evidence suggests that there are actually 11 malware families, and that the authors are in close cooperation with each other, as they rely on the same attack techniques, make identical coding decisions, and employ similar distribution methods, ESET said.

“Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other,” said Jakub Souček, one of the researchers working on Latin American financial cybercrime.

These malware families have also expanded their target region beyond Latin America to include Spain and Portugal.

ESET mapped the common techniques using the MITRE ATT&CK framework, and highlighted that phishing is the most common attack vector for Latin American banking Trojans, and they tend to use either fake pop-up windows or keyloggers to steal credentials. The authors rely on scripting languages, mainly VBScript, favor custom encryption algorithms over established ones, and obfuscate payloads and configuration data in some way. The malware uses DLL side-loading to execute additional payloads, maintains persistence on the infected systems by modifying the Registry Run key or using the Startup folder, and devotes “considerable effort” to collect screenshots and scan for security software. Finally, the malware does not exfiltrate all the data to a command and control server, but sends it to other locations, as well.

From a code perspective, these malware families share third-party libraries, “uncommon” string encryption algorithms, and string and binary obfuscation techniques. The vast majority of the families recently shifted from the binary obfuscation tool VMProtect to Themida, the researchers said.

“Most Latin American banking trojans use very simple, custom encryption schemes that are generally unknown in the broader programming community, and yet we see the same algorithm being used in six different families,” ESET wrote in its whitepaper.

The core functionality of these banking Trojan families is “practically identical,” as the malware collects information about the infected system, sends the information to a location distinct from the command-and-control server, and periodically scans active windows by name or title looking for the one to attack. When that window is detected, the malware displays a fake pop-up window to lure victims into providing sensitive information.

“The binaries are so similar in their core functionality that it almost seems like they were built from one set of blueprints,” ESET said. “[We] also don’t believe there is one group of malware authors willingly maintaining 11 different pieces of malware with exactly the same logic and goal.”

The method of distribution was also similar across families, as the Trojans checked for a marker as to whether the machine had already been compromised before downloading Zip archives of data. Identical distribution chains distribute multiple banking Trojans, and the vast majority of them have started utilizing Windows Installer (MSI files) as their initial download method.

“We have never observed any of these chains distribute anything else other than the Latin American banking trojans we have analyzed. That is why we believe the authors of the families write the chains themselves and share information with each other,” ESET said.

The execution methods were also similar across families, as these Trojans “tend to bring their own tools” in the ZIP archives and use DLL side-loading to execute those applications, ESET said, dubbing the practice “Bring Your Own Vulnerable Software.” This means these tools don’t need to already be installed on the compromised system. ESET observed 22 legitimate applications being abused this way, such as security tools from G Data, Avast, Avira, and AVG as well as various Microsoft, Java, VirtualBox, and VMware executables.
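The persistence, initial-download and side-loading behaviours described in the paragraphs above (Registry Run key or Startup folder persistence, MSI files as the first download stage, and legitimate signed executables dropped into user-writable directories to side-load a DLL) map onto simple host-telemetry rules. The following is an added example written for this page; it is not ESET's code and not part of the original article. The event records, their field names (a simplified Sysmon-like shape), and the path heuristics are constructed assumptions, not a real log format or a vendor's detection logic.

```python
"""Toy detection rules for the behaviours ESET attributes to Latin American
banking Trojans: Run-key / Startup-folder persistence, msiexec running a
package from a user-writable path, and a signed executable in a user-writable
directory loading a DLL from that same directory (DLL side-loading).
All events below are constructed for this example (assumption: simplified,
Sysmon-like field names; not a real log format)."""

import ntpath
import re
from typing import Iterable

# Directories a standard user can write to. A signed binary running from here,
# or a Run value pointing here, is the tell-tale the article describes.
USER_WRITABLE = re.compile(
    r"[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|Windows\\Temp\\|Temp\\)",
    re.IGNORECASE,
)
# Where Windows normally loads system DLLs from.
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64|WinSxS)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _writable(path: str) -> bool:
    """True when the path starts inside a user-writable directory."""
    return bool(USER_WRITABLE.match(path))


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire for one event (possibly none)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and RUN_KEY.search(ev.get("target", "")):
        # Run-key persistence (ATT&CK T1547.001) whose command lives in a user-writable path.
        if _writable(ev.get("value", "")):
            hits.append("run_key_points_to_user_writable_path")
    elif kind == "file_create" and STARTUP_DIR.search(ev.get("target", "")):
        hits.append("startup_folder_drop")
    elif kind == "process_create":
        image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
        # Initial download stage: msiexec installing a package from a user-writable location.
        if ntpath.basename(image).lower() == "msiexec.exe" and USER_WRITABLE.search(cmdline):
            hits.append("msi_from_user_writable_path")
    elif kind == "image_load":
        image, dll = ev.get("image", ""), ev.get("loaded", "")
        # "Bring your own vulnerable software": a signed executable dropped into a user-writable
        # directory loads a DLL from that same directory rather than from a system directory.
        if (ev.get("signed") and _writable(image) and not SYSTEM_DIRS.match(dll)
                and ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()):
            hits.append("possible_dll_sideload")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map event id -> rules fired, omitting events that triggered nothing."""
    out = {}
    for ev in events:
        fired = check_event(ev)
        if fired:
            out[ev["id"]] = fired
    return out


# Constructed sample telemetry (not real data); paths, names and ids are made up.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\update.msi" /qn'},
    {"id": "e2", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Updater\legit_tool.exe"},
    {"id": "e3", "type": "image_load", "signed": True,
     "image": r"C:\Users\alice\AppData\Roaming\Updater\legit_tool.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll"},
    {"id": "e4", "type": "image_load", "signed": True,  # benign: normal install, system DLL
     "image": r"C:\Program Files\Vendor\legit_tool.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": "e5", "type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk"},
]

if __name__ == "__main__":
    for eid, rules in scan(SAMPLE_EVENTS).items():
        print(eid, "->", ", ".join(rules))
```

The rules deliberately key on where things run from rather than on the names of the abused applications: the article lists vendors whose signed tools were side-loaded, and a name-based allowlist would be bypassed the moment a different legitimate binary is chosen, whereas a signed executable and its DLL both sitting in a user-writable directory is unusual regardless of which vendor signed it. On real telemetry these heuristics produce false positives (per-user installers legitimately run from AppData), so they are a triage signal to be correlated across the chain (MSI, then Run key, then side-load on the same host), not a standalone block rule.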

Such “tight collaboration between malware families that share the same goal, are region-specific and are in fact expected to be competitors” was not expected, ESET said.