Yanagi Nashi

Cyber Security, Threat Intelligence, Technology, Japan, a dash of photography, and current events

New Ransomware Targets Industrial Control Systems

Proportionally, the amount of malware targeting ICS and SCADA is extremely low compared to traditional operating systems and Android. However, when threat adversaries create tools specifically designed to hit critical infrastructure can be quite dangerous, particularly when it is ransomware:

A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems, which is usually abbreviated as ICS. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.

In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.

WhatsApp Accused of Deliberately Planting Security Backdoors

Pavel Durov, found of cross-platform instant messaging application Telegram, has accused WhatsApp of not only confusing its users about its security efficacy, but also deliberately installing backdoors into the application due to pressure from governments around the world:

WhatsApp has had a rocky past year as faith in its privacy and encryption promises continued to falter — especially after the world’s richest man fell victim to an infamous security vulnerability. Now, in a scathing blog post, Telegram Messenger’s founder, Pavel Durov, has added insult to the Facebook-owned instant messaging app’s injury by calling it “dangerous” to use.

Durov has accused WhatsApp of deflecting blame when it should have pledged to improve, and argued that simply encrypting chats end-to-end won’t shield users from breaches. “WhatsApp uses the words ‘end-to-end encryption’ as some magic incantation that alone is supposed to automatically make all communications secure. However, this technology is not a silver bullet that can guarantee you absolute privacy by itself,” Durov said.

More importantly, Durov claims that WhatsApp’s security bugs were in fact, deliberately planted backdoors to comply with and appease local law enforcement agencies so that the social network could do business without interruptions in such countries as Iran and Russia.

While Durov has a vested interest in getting people off WhatsApp and onto Telegram, that does not diminish the validity of his points.

WhatsApp is owned by Facebook. That should be enough to cause the average person to cease using the application.

Threat Actors Breach Japan's Kobe Steel and Pasco in Latest Defense Industry Targeted Cyber Attacks

February has brought an onslaught of breach-related news from Japan. These latest disclosures follow those from Mitsubishi Electric and NEC, two of the largest players in the Japanese defense industry:

Kobe Steel and Pasco found some of their intracompany network terminals were infected with a computer virus, likely from unauthorized outside access in August 2016 and May 2018, respectively, according to the ministry.

Kobe Steel said a total of 250 files -- including information on the ministry, as well as personal data -- might have been leaked. The company has taken measures to beef up cybersecurity.

A Pasco official quoted a third party as saying the attacker may have links to China.

Kobe Steel has been a supplier of submarine parts for the Self-Defense Forces, while Pasco has provided the SDF with satellite data.

Is this a precursor of what is to be expected as Tokyo 2020 approaches?

TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

TrickBot has switched up its privilege escalation game, and is not leveraging a Windows 10 security vulnerability to do so without showing the normal UAC prompt users expect:

This week, ReaQta discovered that TrickBot has now switched to a different UAC bypass that utilizes the Wsreset.exe program.

Wsreset.exe is a legitimate Windows program used to reset the Windows Store cache.

When executed, Wsreset.exe will read a command from the default value of the HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key and execute it.

When executing the command it will not display a UAC prompt and users will have no idea that a program has been executed.

TrickBot is now exploiting this UAC bypass to launch itself with elevated privileges, but without the logged in Windows user being notified by a UAC prompt.

TrickBot is particularly evil because it, along with Emotet, is used for deploying the highly evil Ryuk ransomware. If you are into technical details, this analysis of TrickBot using the Wsreset.exe UAC bypass by MorphiSec is a great read.

Creating a Strong Password is Not Difficult; Follow These Simple Rules to Keep Safe

There are so many web sites to visit, so many social media accounts, various email services, passwords to login to our corporate accounts, and much more. Many people find it overwhelming to manage these myriad accounts. That feeling is magnified when they are told to use strong passwords, as well as unique passwords for each service. CNet has compiled a list of nine best practices to be followed:

Strong passwords are of course key to your security. The challenge is to create strong passwords you can actually remember, without stumbling into the bad habits that can harm you -- like reusing the same password for multiple accounts. But how many passwords can you actually remember? You could easily have 85 passwords for all your accounts, from banking to streaming to social media, according to LogMeIn, which makes the LastPass password manager.

Weak passwords, or overusing the same password, can have serious consequences if your data is compromised -- even if that password is strong. For example, companies reported 5,183 data breaches in 2019 that exposed personal information like login credentials and home addresses that someone could use to defraud you or steal your identity. And since 2017, hackers published 555 million stolen passwords on the dark web that criminals can use to crack into your accounts.

Bank of Japan Warns Cyber Attack Forthcoming During Tokyo 2020 Olympics

Japan has a lot of work to do to finish preparing for the Olympics in approximately 170 days. There is a seemingly insurmountable amount of effort remaining to secure the country from Olympics-related cyber attacks. Now the Bank of Japan is warning the Financial Services Industry to take appropriate measures to prepare for the inevitable:

In a BOJ survey conducted in September, nearly 40% of respondents said they had experienced cyber-attacks, and more than 10% had suffered disruptions to their business.

Over 70% believed the threat of cyber-attacks has increased since 2017 - the last time the BOJ conducted a similar survey - while nearly 60% said they have departments specializing in cyber incidents, the survey showed.

Still, about 60% of the 402 financial institutions surveyed said they were not able to secure enough staff to oversee measures to deal with cyber-attacks.

Cyber Security Does Not Warrant Special Naming

Cyber Security Does Not Warrant Special Naming

What makes the cyber security domain so important as to warrant its own word? Even though cyber has permeated almost every aspect of modern human culture, should it be rewarded with pedestal-like status above other security specialties, and therefore its own special word?

South Carolina Water Company Cyber Attack, CEO "Fairly Certain" No Comprise Occurred

If the CEO is only "fairly certain" no corporate data has been compromised there is a major problem. Approximately ten days have elapsed since the attack occurred so there should be no uncertainty at this point:

The cyber-attack on Greenville Water triggered a payment system outage that began on Wednesday, January 22. Company spokesperson Emerald Clark said 500,000 customers were affected by the incident.

An investigation has been launched into the cyber-attack, the exact nature of which is yet to be revealed by Greenville Water. It's not yet known who targeted the water company or from where the attack was launched.

Greenville Water CEO David Bereskin said he was "fairly certain" that the utility's data had not been compromised as a result of the incident.

This sounds reassuring:

In the statement, Clark said that the incident "has not and will not impact or compromise the safety and delivery of water that is treated and maintained by our facilities."

When asked for comment on the cyber-attack by the Greenville News, Greenville County government affairs coordinator Bob Mihalic stated only that "Greenville County uses multiple methods of protecting data, hardware, and infrastructure from potential cyber-attacks."

The statement is mere obfuscation. It would be easy to state unequivocally the operational network where the industrial control systems and SCADA for the water treatment facility reside are air-gapped, and therefore not physically connected to the business network - a security best practice for sensitive, mission critical networks. Since Bob Mihalic failed to mention this point it makes me wonder if, in fact, the networks are connected and therefore lateral movement to the OT network is possible.

Hackers Targeting Japan by Leveraging Coronavirus Scare to Spread Emotet

e-Crime threat actor Mummy Spider has been observed capitalizing on the current Coronavirus scare by using the outbreak as a phishing attack theme. The attackers have crafted official looking emails in an attempt to lure unsuspecting victims into opening a document infected with Emotet:

The emails falsely claims that there are reports of coronavirus patients in the Gifu, Tottori and Osaka prefectures in Japan, urging victims to read an attached Microsoft Word document which contains the Emotet trojan. The messages are particularly dangerous because they were made to look like official government emails, equipped with legitimate addresses, phone numbers and emails.

The emails have predominantly been composed in native Japanese language, and have spoofed a number of prefectural governments across Japan, to include the Kyoto Prefectural Yamashiro Minami Public Health Center.

Malicious actors, especially e-crime adversaries, often use current events in spear-phishing campaigns. Playing on peoples fears is quite common, and leveraging official-looking communications make these campaigns difficult for the average citizen to discern between what is true and what is fake.

If you are a recipient of these types of emails, before opening any attachments ask yourself the following question: did I provide my email address to the Ward Office or City Hall?

If the answer is no, then quite obviously do not open the attachment because it is most likely malicious.

If the answer is yes, then cross-reference the communication with what is listed on their web site, or even call to check if this is valid. Local governments will generally not inform their inhabitants via email with a requirement to open an attachment. They will generally post important information on their web site, and social media accounts, as email cannot be trusted. Even in Japan.

As a general rule, never open an unsolicited email attachment unless you are one-hundred percent sure of its authenticity.

e-Skimming: FBI Warns of New Online Threat to Personal and Credit Card Information

Never heard of e-skimming until today? It is when threat adversaries compromise an e-commerce web site, whether through a vulnerability in the web server or the e-commerce software, and then introduce malicious code into the checkout process. The code is designed to send both the buyers personal and credit card details to the attackers, which is then later used for fraudulent purchases. What makes e-skimming terrible is users have no way of knowing the web site has been compromised until it is too late:

This new type of skimming is called e-skimming or Magecart.

Cybercriminals[sic] can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can’t spot the difference.

“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” Stapleton said.

How do you avoid being the victim of e-skimming? There are a few important things to do:

  • Utilize reputed web sites for online purchases, such as the Amazon's and Rakuten's of the world, to name a couple examples.
  • Use a credit card, not debit card, when shopping online. Credit cards generally have fraud protection whereas debit cards do not. A bank account can be drained quite rapidly through debit card loss, and in most cases the funds are not replaceable. Contrast that with a credit card which has safety mechanisms built-in.
  • Use a specific credit card only for online purchases, and one with a very low credit limit. This can restrict the amount of damage an attacker can do with a stolen card.
  • Check credit card and bank account balances often. If either have applications with push notifications, ensure those are configured to alert on large purchase and failed transactions.

At the end of the day this is all about paying attention to detail and limiting risk by taking some specific actions. Catching e-skimming is nearly impossible as a customer, which is why the above is exceedingly important.

Severe Microsoft Flaw is Major Cloud Security Nightmare

Two new major security vulnerabilities were found in Microsoft Azure that could lead to disastrous consequences if left unpatched (CVE-2019-1234 and CVE-2019-1372):

There are two vulnerabilities here. The first is a modest software bug that can be pushed hard to crash a system and escalate that crash to secure user privileges. And the second in a lack of security on a relatively arbitrary shared service that can be manipulated to break out of a user’s own part of the cloud infrastructure and onto the common shared hardware. That great advantage of the cloud, using only what you need, just when you need it, means you are a tenant in a server version of an apartment block. Check Point’s exploit built a master key for all the other apartments in that block.

Balmas fills in the gaps in terms of what this means. “We can break the isolation of Azure’s functions—now I can see everybody else’s functions. Anyone using Azure will be impacted—that means millions of users.” In addition to storing vast volumes of data in those isolated chambers, the cloud also runs countless programs. As a user, or “tenant,” you drop your code onto your cloud resource and it does the rest, running the program to order. Breaking that isolation enabled Check Point to access other tenants’ code running on any shared Azure server on which it was a tenant.

It is vital for any Azure users to ensure they patch their virtual machines. Failure to do so could lead to fatal consequences, a severe data breach, data destruction, being locked out of the VM, and more. Do not waste any time and apply the patches ASAP.

Lessons Learned from Losing $13,103.91 to Hackers

It is hard to admit, and potentially quite embarrassing, after being tricked by attackers who end up stealing a not so insignificant amount of money. It can happen to anyone, even the current richest man on the planet can be successfully hacked. This well written lessons learned story from a Recode data privacy reporter outlines how even the most innocuous activity may be indicative of a much greater threat:

Because I didn’t take a few basic internet security precautions, hackers robbed me of $13,103.91 worth of cash and prizes from three of my accounts over the next six months. And while this doesn’t make me, your Recode data privacy reporter, look very smart, I’m sharing my story with you in the hope that it will help you avoid a similar fate.

The person who hacked my Grubhub account last March ordered a black fungus salad with celery, a five-spice-marinated beef entree, and 12 pork dumplings (with chives) for a total of $26.84. At first, it was annoying but didn’t seem like that big of a deal: I notified Grubhub about the fraudulent charge and got a refund. Then I changed my password, sent an angry text to the phone number on the food order, and went about my life, foolishly thinking that this was an isolated incident. It was not.

Five months later, I logged into my bank account to find a substantially smaller number in my savings account than I expected. Sure enough, $9,000 had been wired away two days previously. During the subsequent, frantic call to my bank, I looked at my checking account and saw that $4,000 had been wired away from there, too — a discovery I declared with a variety of curse words. The woman on the other end of the line had a pleasant Southern drawl, which made her promises that I would get the money back seem extra reassuring.

Being aware of the threat, paying attention to detail, and being cognizant of your online actions can go a long way in preventing a loss like this from occurring.

US Defense Contractor Hit with Ransomware Infection

In the United States, contractors with the Department of Defense are required to maintain a minimum baseline of security controls to protect defense related information. Either those controls are not strong enough, or EWA did not implement the correct measures to prevent the ransomware infection:

Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.

The infection hit the company last week. Among the systems that had data encrypted during the incident were the company's web servers.

Signs of the incident are still visible online. Encrypted files and ransom notes are still cached in Google search results, even a week after the company took down the impacted web servers.

If you are unfamiliar with with Ryuk, it is one of the nastier ransomware strains:

Making matters worse is that Ryuk is not your regular ransomware strain. This type of ransomware is solely used in targeted attacks on high-profile companies.

It is usually installed on infected networks after a victim is infected with the Emotet/TrickBot trojans, two well-known cybercrime-as-a-service platforms.

The Ryuk gang uses the Emotet/TrickBot-infected machine as entry point and launch pad to scan and spread inside a company's internal network, exfiltrate data, and then deploy their ransomware.

Contagion Hits Top 10 on iTunes Movie Chart Amid Coronavirus Outbreak

Speaking of the Wuhan Coronavirus outbreak, the exceptionally well written and directed Steven Soderbergh movie Contagion has hit the top 10 on iTunes as people become interested in learning about a potential pandemic:

A woman, played by Oscar winner Gwyneth Paltrow, returns home to Minnesota from a business trip in Hong Kong. Though she exhibits fatigue and cold-like symptoms, she dismisses it as jet lag. Within 24 hours, she's dead, alongside her young son. Her husband, played by Matt Damon, is somehow immune and survives.

Thus begins Steven Soderberg's 2011 movie Contagion. Over the next hour and 46 minutes, the movie tracks what happens when a deadly China-born virus goes global and leads to mass chaos as epidemiologists race to find a vaccine.

On Tuesday, the thriller rocketed to No. 10 on the iTunes movie rental chart, where it shares space with such of-the-moment titles as Joker (No. 1), Once Upon a Time in Hollywood (No. 3), Parasite (No. 4) and Hustlers (No. 8).

Notwithstanding the literal batshit craziness known as the Wuhan Coronavirus, Contagion is an outstanding movie. The pacing is amazing, and the story is entirely believable. Even if this outbreak had not occurred I would be recommending this movie.

Epidemics Like the Wuhan Coronavirus are Human-made

The current Wuhan Coronavirus issue has not reached a Contagion-level epidemic but there is a chance the virus could shift towards such a trajectory. I suspect things are going to get substantially worse before getting better. I fly all over the Asia-Pacific region on business, and this outbreak has me quite spooked. At the end of the day, unfortunately, we need to turn around and look at ourselves. Humans are largely responsible for these types of diseases and here are some of the reasons:

Current circumstances include a perilous trade in wildlife for food, with supply chains stretching through Asia, Africa and to a lesser extent, the United States and elsewhere. That trade has now been outlawed in China, on a temporary basis; but it was outlawed also during SARS, then allowed to resume — with bats, civets, porcupines, turtles, bamboo rats, many kinds of birds and other animals piled together in markets such as the one in Wuhan.

Current circumstances also include 7.6 billion hungry humans: some of them impoverished and desperate for protein; some affluent and wasteful and empowered to travel every which way by airplane. These factors are unprecedented on planet Earth: We know from the fossil record, by absence of evidence, that no large-bodied animal has ever been nearly so abundant as humans are now, let alone so effective at arrogating resources. And one consequence of that abundance, that power, and the consequent ecological disturbances is increasing viral exchanges — first from animal to human, then from human to human, sometimes on a pandemic scale.

We invade tropical forests and other wild landscapes, which harbor so many species of animals and plants — and within those creatures, so many unknown viruses. We cut the trees; we kill the animals or cage them and send them to markets. We disrupt ecosystems, and we shake viruses loose from their natural hosts. When that happens, they need a new host. Often, we are it.

Agent Smith said it best in The Matrix:

Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Human beings are a disease, a cancer of this planet. You're a plague and we are the cure.