
Malware University

Class is in Session


Category: Current Events

MFA Abuse in Splunk

Posted on August 11, 2022 by admin

With all the MFA bombing/lazy swiping going on, maybe you need to find such abuses in your environment.

Twilio, Cloudflare, and Cisco were all hit recently with 2FA/MFA attacks and valid stolen credentials.

index=okta sourcetype=OktaIM2:log eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH))
| stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by authenticationContext.externalSessionId, user, _time
| stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId, user
| eval seconds=lasttime-firsttime
| eval lasttime=strftime(lasttime, "%c")
| search (pushes > 3)
| eval totalattempts=successes+failures
| eval finding="Normal authentication pattern"
| eval finding=if(failures==pushes AND pushes>1, "Authentication attempts not successful because multiple pushes denied", finding)
| eval finding=if(totalattempts==0, "Multiple pushes sent and ignored", finding)
| eval finding=if(successes > 0 AND pushes > 3, "Multiple pushes sent, potential abuse detected", finding)
| where seconds < 300 
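The SPL above counts pushes, successes and failures per Okta session, keeps only sessions with more than three pushes inside a five-minute window, and then assigns a finding in a fixed override order. The following Python is an added example (not part of the post and not Splunk code) that re-implements that same classification so it can be run offline against a handful of constructed Okta-style events. The flat field names `externalSessionId`, `factor`, `user` and `time` stand in for the dotted Splunk fields `authenticationContext.externalSessionId`, `debugContext.debugData.factor`, `user` and `_time`; the sample events and the `user.session.start` event type are constructed for the demo, not real log data.

```python
"""Offline re-implementation of the Okta push-bombing SPL from the post.

Added example, not the post's own code. Field names are flattened
(externalSessionId, factor, user, time) as an assumption; the sample
events are constructed, not real Okta logs.
"""
from collections import defaultdict
from datetime import datetime, timezone

PUSH_EVENT = "system.push.send_factor_verify_push"
SUCCESS = "core.user.factor.attempt_success"
FAIL = "core.user.factor.attempt_fail"
PUSH_FACTOR = "OKTA_VERIFY_PUSH"


def is_push_related(ev):
    """Mirror the SPL base search: push sends, or push attempts that succeeded/failed."""
    if ev.get("eventType") == PUSH_EVENT:
        return True
    return ev.get("legacyEventType") in (SUCCESS, FAIL) and ev.get("factor") == PUSH_FACTOR


def classify_sessions(events, min_pushes=3, max_seconds=300):
    """Return {(session_id, user): finding dict} for sessions that survive the SPL filters.

    min_pushes mirrors `search (pushes > 3)`; max_seconds mirrors `where seconds < 300`.
    """
    sessions = defaultdict(lambda: {"successes": 0, "failures": 0, "pushes": 0, "times": []})
    for ev in events:
        if not is_push_related(ev):
            continue
        s = sessions[(ev["externalSessionId"], ev["user"])]
        s["times"].append(ev["time"])
        if ev.get("eventType") == PUSH_EVENT:
            s["pushes"] += 1
        elif ev.get("legacyEventType") == SUCCESS:
            s["successes"] += 1
        elif ev.get("legacyEventType") == FAIL:
            s["failures"] += 1

    findings = {}
    for key, s in sessions.items():
        if s["pushes"] <= min_pushes:           # search (pushes > 3)
            continue
        seconds = max(s["times"]) - min(s["times"])
        if seconds >= max_seconds:              # where seconds < 300
            continue
        total = s["successes"] + s["failures"]  # totalattempts
        # Same override order as the chained evals in the SPL: later matches win.
        finding = "Normal authentication pattern"
        if s["failures"] == s["pushes"] and s["pushes"] > 1:
            finding = "Authentication attempts not successful because multiple pushes denied"
        if total == 0:
            finding = "Multiple pushes sent and ignored"
        if s["successes"] > 0 and s["pushes"] > min_pushes:
            finding = "Multiple pushes sent, potential abuse detected"
        findings[key] = {
            "pushes": s["pushes"], "successes": s["successes"], "failures": s["failures"],
            "seconds": seconds,
            "lasttime": datetime.fromtimestamp(max(s["times"]), tz=timezone.utc).isoformat(),
            "finding": finding,
        }
    return findings


# --- constructed sample events (epoch seconds), not real Okta data -------------
def _push(sid, user, t):
    return {"eventType": PUSH_EVENT, "externalSessionId": sid, "user": user, "time": t}


def _attempt(sid, user, t, ok):
    return {"legacyEventType": SUCCESS if ok else FAIL, "factor": PUSH_FACTOR,
            "externalSessionId": sid, "user": user, "time": t}


SAMPLE_EVENTS = [
    # S1/alice: five pushes in two minutes, user never answers -> "sent and ignored"
    *[_push("S1", "alice", t) for t in (1000, 1030, 1060, 1090, 1120)],
    # S2/bob: four pushes, three denied, then one approved -> "potential abuse detected"
    _push("S2", "bob", 2000), _attempt("S2", "bob", 2010, False),
    _push("S2", "bob", 2040), _attempt("S2", "bob", 2050, False),
    _push("S2", "bob", 2080), _attempt("S2", "bob", 2090, False),
    _push("S2", "bob", 2120), _attempt("S2", "bob", 2130, True),
    # S3/carol: one push, approved -> below the push threshold, not reported
    _push("S3", "carol", 3000), _attempt("S3", "carol", 3005, True),
    # S4/dave: four pushes spread over ~100 minutes -> outside the 300 s window
    *[_push("S4", "dave", t) for t in (4000, 6000, 8000, 10000)],
    # unrelated event, dropped by the base-search filter (constructed event type)
    {"eventType": "user.session.start", "externalSessionId": "S5", "user": "erin", "time": 5000},
]

if __name__ == "__main__":
    for (sid, user), f in classify_sessions(SAMPLE_EVENTS).items():
        print(f"{user:6} {sid} pushes={f['pushes']} ok={f['successes']} "
              f"fail={f['failures']} span={f['seconds']}s -> {f['finding']}")
```

The thresholds are parameters so the same function can be tuned the way the SPL would be (raising `min_pushes`, widening `max_seconds`); the override order of the three `finding` assignments is kept exactly as in the query, which is why a session with a success and more than three pushes always ends up as the abuse finding even if it also matched an earlier rule.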
Posted in Current Events. Tagged: 2fa, lazy swiping, mfa bombing, SPL, splunk

Repository Poisoning

Posted on March 23, 2022 by admin

This stuff has been going on since at least the middle 2000s with the Debian APT repository getting popped by dikline, installing a backdoored ssh daemon and notifying a remote server when ruby was downloaded and installed.

An activist released several updates to a popular nodejs repository he helps run, which gets about 1 million downloads a week. RIAevangelist thought he could help the current situation in Eastern Europe by wiping all files on disk by renaming them all with a [heart] icon if a web service reported they were geolocated in Russia or Belarus.

He quickly had his Twitter account compromised and had docs dropped on him, alleging infidelity to his Japanese wife, along with other personal and family details and a message from the hacker to not mess around with things bigger than him.

Companies and open source projects around the world are concerned by such behavior, as it is, yet again, another example of the massive supply chain dependencies in our software world which are taken for granted. All it takes is one bad actor to potentially bring your business or community down.

Some companies may be paranoid and resourceful enough to maintain their own repositories if they were not already doing so. Otherwise they will continue to trust the devil they don’t know.

This is a potentially big blow for the open source community and high level interpreted languages everywhere.

Trust is paramount to business.

Posted in Current Events. Tagged: activism, backdooring, node-ipc, nodejs, repo

Bastion

Posted on November 5, 2021 by admin

Not all job scams are the same. Some have you work legitimately and pay a going rate, while in this case you deliver them the expertise needed to steal. Hacking group FIN7 was caught operating Bastion Security, fronting as a British company yet operating out of Russia.

A threat intelligence company had a source join the underground group via the front business. The spy was able to obtain FIN7 tooling once joining. Carbanak and Lizar/Tirion were the tools he found the group using for “pentests”.

Jobs were advertised around $1000 USD per month for 9 – 12 hours of work per day through the week. Rough conditions for Eastern Europeans.

Bastion took cover with their name, trying to pass themselves off as other legitimate security-named companies registered and known to major search engines. Their website looks legitimate yet is mostly copied from Convergent Network Solutions.

Part of the demands of the group is for an operator to install VMs locally with ports to the host unblocked.

Posted in Current Events. Tagged: fin7

OpenSea NFT Bug

Posted on October 14, 2021 by admin

Users are being sent “gifts” in the form of executable image files that run within a browser context, siphoning off people’s JS-powered wallets by communicating within the browser. It requires some social engineering to get an extra click, which confirms the siphoning.

Watch your wallets.

Posted in Current Events, Techniques. Tagged: crypto, javascript, opensea, phishing, svg, xml, xss

Resourceful Fraudster Frees Phones, Gets Prison

Posted on September 21, 2021 by admin

AT&T, the world’s largest telecom company, reported losses of over $200,000,000 USD after a Pakistani fraudster, Muhammed Fahd, started and managed several unlocking services beginning in the summer of 2012.

Fahd recruited AT&T employees with monetary bribes to allow his companies the ability to unlock tethered cell phones purchased under contract by customers of AT&T. AT&T caught on in April 2013, blocking the ability of certain staff to unlock cell phones.

A malware developer was hired to create software which allowed the fraud team to collect and analyze network data of how AT&T was unlocking customers’ cell phones. This allowed the team to unlock cell phones via their third-party companies from Pakistan.

The bribery continued with asking employees to implant hardware devices such as WiFi access points within the company’s internal network.

At least 1,900,033 cell phones were unlocked by his team, allegedly worth $201,497,430.94 USD to AT&T. His companies included Swif Unlocks Inc, Endless Trading FZE, Endless Connections Inc, and iDevelopment Co.

Fahd was arrested in Hong Kong in February 2018 and extradited to the US in August 2019 to face judgement. He has now been sentenced to 12 years in prison for committing wire fraud, which he admitted to in September 2020.

Posted in Current Events. Tagged: att, fraud, unlocking

Atlassian Bug CyberCom

Posted on September 8, 2021 by admin

Atlassian has raised a storm with CyberCom (US Cyber Command) due to a critical flaw discovered in Confluence Server and Confluence Data Center. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already—this cannot wait until after the weekend,” said the official CyberCom Twitter account.

On August 25, 2021, Atlassian did issue a patch for this vulnerability, in which the developer stated arbitrary code execution could be reached by an unauthenticated user on a Confluence server or datacenter instance.

Jenkins, the popular CI/CD platform, was hit by attackers exploiting this new flaw. The attackers deployed a Monero cryptominer on the project’s Confluence server. Jenkins immediately took the server offline and rotated all passwords.

Researchers at Kaspersky stated the flaw is only possible to leverage from unauthenticated users if the “Allow people to sign up to create their account” option is enabled by administrators.

Please note Confluence Cloud is not affected.

Posted in Current Events. Tagged: 0day, atlassian, cve-2021-26084, RCE, unauthenticated

TMobile Hack

Posted on August 23, 2021 by admin

On Saturday, August 21, 2021, TMobile revised the number of customers affected by the recent attack upward by an additional five million, bringing the total to over 50 million people.

Names, drivers licenses, birth dates, addresses, and social security numbers were among the data stolen in a “highly sophisticated cyberattack”.

The company now faces a class-action lawsuit due to the breach.

This is at least the fourth known hack since 2015 on TMobile. A seller on an underground forum offered six BTC for all the data, which is how the company was made aware of the infiltration.

Does TMobile suffer from a bad organizational structure, the wrong people in security, lack of investment in security, all of the above? Countless other firms will remain wounded sheep so long as the legal and regulatory environment does not incentivize security understanding and investment.

Posted in Current Events. Tagged: data exfiltration, owned and exposed, TMobile

Kaseya Bullseye

Posted on July 12, 2021 by admin

Hackers attributed to the REvil group recently exploited an (internally) known 0day in Kaseya software to demand ransom worth 70,000,000 USD affecting at least 1000 businesses.

On Friday, July 2, 2021, the incident response team at Kaseya became aware of a security incident related to their VSA software. Hackers used the software to deploy the REvil ransomware into many victims’ environments. The malicious code is side-loaded by a fake Windows Defender app, encrypting files in return for ransom. “Kaseya VSA Agent Hot-fix” is the name under which the malware was distributed; it was also seen attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell.

The group sent out a message on July 2:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour."

How did the REvil group know a patch was forthcoming? Did they? It’s improbable this is a coincidence.

Assuming it is not, how were they alerted to a forthcoming patch which likely spurred an immediate decrease in their attack timeline? Insider alerting them? Prior compromise and a great analysis team?

Anything is possible when tens of millions of dollars, or more, are at stake. The most expensive 0days ($1,000,000+) are a drop in the bucket for groups that rake in millions from one successful operation.

Former employees raised several software security concerns from 2017 through 2020 to company leaders. These concerns were not fully addressed, as sales were the focus of the business at the expense of other priorities. One employee sent a 40-page memo detailing many security concerns related to the software leading to his firing two weeks later. Customer passwords were stored in clear text on third-party platforms, among other bad habits.

Shame on Kaseya. Likely one of many professional software firms and IT management companies which fail to adhere to even basic security and administration best practices.

Posted in Campaign Analysis, Current Events. Tagged: 0day, kaseya, ransomware

Ransomware, Insurance, Negligence, and Insiders

Posted on June 6, 2021 by admin

Ransomware is taking the world by storm since the lockdowns of 2020. With record unemployment due to forced halting of economies and movement around the globe, without doubt some programmers with notable skill were negatively affected. Surely some have found homes in the rising number of groups engaging in ransoming of data and service.

Recent cases such as the Colonial Pipeline and Norsk Hydro hacks, with payouts of $4.4 million and $71 million respectively, show how lucrative such operations are. IT security operations are usually underfunded and notoriously understaffed, if not in headcount then certainly in talent. Such teams are classically seen as “cost centers” to financial types. Even in good times, corporate boards are unwilling to spend the necessary cash to find or develop talent necessary to handle such threats.

As explained by a close contact high up in the financial industry, “Why would we pay millions for talent when it’s cheaper for us to have an adequate insurance policy? It’s not like business leaders are under any threat to themselves [legally] or their companies from a hack.” Risk is calculated by actuaries. So long as their risk is perceived as covered, IT security remains a distant concern only insomuch as governance mandates.

Cyber liability insurance is starting to price in the risk of ransomware by utilizing “sub-limits”. For example, such stipulations may only pay out $25,000 for ransomware incidents, despite the insurance having potentially multi-million dollar limits for other cyber incidents. Without such initiatives companies may never have incentive to practice security measures which could prevent such incidents.

Governing bodies, such as the state of New York, may move to ban municipalities from paying out ransom demands, opting for initiatives such as a “Cyber Security Enhancement Fund” which limits ransom payouts to instead focus on upgrading security posture. The US Department of Treasury has warned companies that facilitate ransomware payments as a third party may face future economic sanctions for encouraging crime and future ransomware payment demands.

The astute reader may wonder how mature organizations are still being crippled by having mainline systems disrupted by ransomware, given that data backup policies and procedures have been well-defined and in place since at least the 1990s. The current predicament proves the point that many (most?) organizations, even cyber-conscious ones, are failing to adequately cover basic system administration and networking practices. With the “cloud” now opening up perimeters worldwide, the effort of corralling systems and assets is more difficult.

History has cooled executives’ worries about negligence and responsibility for data breaches and hacks. Equifax, one of the largest credit bureaus in the USA, received a mere slap on the wrist after hundreds of millions of people’s records were stolen. SolarWinds executives blamed a lowly intern for mismanagement of their server credentials. With no incentive for improvement for improvement’s sake and no pain for neglecting to secure infrastructure digitally, expectations of improved security posture for most organizations seem dire.

How many employees are bribed by outside forces to simply “run a program or command” from their work machines? Russian Egor Kriuchkov was found guilty of bribing a Tesla employee for $1,000,000 to place ransomware in the company’s battery plant network in Nevada. With such large ransoms being paid and the relative ease of insider threat attack models, expect threat actors to increasingly lean on this method in the future.

Posted in Current Events. Tagged: backups, colonial, extortion, pipeline, ransomware, solarwinds, tesla

Yandex Employee Selling Access to Mailboxes

Posted on February 17, 2021 by admin

Email service provider Yandex on Friday, February 12, 2021, disclosed a data breach that compromised 4887 email accounts of its users. The company blamed the incident on an unnamed employee, one of three system administrators with technical support access, for providing unauthorized access to users’ mailboxes for personal gain. The company said the security breach was identified during a routine audit of its systems by an internal security group.

Posted in Current Events. Tagged: insider threat
