New Ransomware Targets Industrial Control Systems

Proportionally, the amount of malware targeting ICS and SCADA is extremely low compared to traditional operating systems and Android. However, when threat adversaries create tools specifically designed to hit critical infrastructure, the result can be quite dangerous, particularly when it is ransomware:

A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems, which is usually abbreviated as ICS. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.

In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.

WhatsApp Accused of Deliberately Planting Security Backdoors

Pavel Durov, founder of the cross-platform instant messaging application Telegram, has accused WhatsApp not only of confusing its users about its security efficacy, but also of deliberately installing backdoors into the application due to pressure from governments around the world:

WhatsApp has had a rocky past year as faith in its privacy and encryption promises continued to falter — especially after the world’s richest man fell victim to an infamous security vulnerability. Now, in a scathing blog post, Telegram Messenger’s founder, Pavel Durov, has added insult to the Facebook-owned instant messaging app’s injury by calling it “dangerous” to use.

Durov has accused WhatsApp of deflecting blame when it should have pledged to improve, and argued that simply encrypting chats end-to-end won’t shield users from breaches. “WhatsApp uses the words ‘end-to-end encryption’ as some magic incantation that alone is supposed to automatically make all communications secure. However, this technology is not a silver bullet that can guarantee you absolute privacy by itself,” Durov said.

More importantly, Durov claims that WhatsApp’s security bugs were, in fact, deliberately planted backdoors to comply with and appease local law enforcement agencies so that the social network could do business without interruptions in such countries as Iran and Russia.

While Durov has a vested interest in getting people off WhatsApp and onto Telegram, that does not diminish the validity of his points.

WhatsApp is owned by Facebook. That should be enough to cause the average person to cease using the application.

Threat Actors Breach Japan's Kobe Steel and Pasco in Latest Defense Industry Targeted Cyber Attacks

February has brought an onslaught of breach-related news from Japan. These latest disclosures follow those from Mitsubishi Electric and NEC, two of the largest players in the Japanese defense industry:

Kobe Steel and Pasco found some of their intracompany network terminals were infected with a computer virus, likely from unauthorized outside access in August 2016 and May 2018, respectively, according to the ministry.

Kobe Steel said a total of 250 files -- including information on the ministry, as well as personal data -- might have been leaked. The company has taken measures to beef up cybersecurity.

A Pasco official quoted a third party as saying the attacker may have links to China.

Kobe Steel has been a supplier of submarine parts for the Self-Defense Forces, while Pasco has provided the SDF with satellite data.

Is this a precursor of what is to be expected as Tokyo 2020 approaches?

TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

TrickBot has switched up its privilege escalation game, and is now leveraging a Windows 10 security vulnerability to do so without showing the normal UAC prompt users expect:

This week, ReaQta discovered that TrickBot has now switched to a different UAC bypass that utilizes the Wsreset.exe program.

Wsreset.exe is a legitimate Windows program used to reset the Windows Store cache.

When executed, Wsreset.exe will read a command from the default value of the HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key and execute it.

When executing the command it will not display a UAC prompt and users will have no idea that a program has been executed.

TrickBot is now exploiting this UAC bypass to launch itself with elevated privileges, but without the logged in Windows user being notified by a UAC prompt.

TrickBot is particularly evil because it, along with Emotet, is used for deploying the highly evil Ryuk ransomware. If you are into technical details, this analysis of TrickBot using the Wsreset.exe UAC bypass by MorphiSec is a great read.
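As an added defensive illustration (not code from the original post, ReaQta, or Morphisec), the following Python scans Sysmon-style telemetry for the two observable traces of this bypass: a write to the AppX Shell\open\command key named above, and a process spawned by wsreset.exe from outside the Windows directory. The pipe-delimited event format, the sample records and the "outside the Windows directory" heuristic are constructed assumptions, not real telemetry or a vendor rule.

```python
"""Detection logic for the Wsreset.exe UAC bypass described above.

Scans constructed Sysmon-style events (not real telemetry) for:
  * Event ID 13 (RegistryEvent, value set) touching the AppX Shell\open\command
    key that Wsreset.exe reads and executes without a UAC prompt, and
  * Event ID 1 (ProcessCreate) where wsreset.exe is the parent of a process
    running from outside the Windows directory (heuristic assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Key path quoted in the article; HKCU is writable by any standard user.
WSRESET_KEY = (
    r"Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
)
KEY_PATTERN = re.compile(re.escape(WSRESET_KEY), re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    record_id: int
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' event line (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(ev: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event matches either bypass indicator."""
    eid = ev.get("EventID")
    if eid == "13" and KEY_PATTERN.search(ev.get("TargetObject", "")):
        return Alert(
            "wsreset_uac_bypass_registry",
            int(ev["RecordID"]),
            f"{ev.get('Image')} wrote {ev.get('Details')!r} to AppX open\\command key",
        )
    if eid == "1":
        parent = ev.get("ParentImage", "")
        image = ev.get("Image", "")
        # Heuristic (assumption): wsreset.exe should not launch user-writable binaries.
        if parent.lower().endswith("\\wsreset.exe") and not WINDOWS_DIR.match(image):
            return Alert(
                "wsreset_uac_bypass_child",
                int(ev["RecordID"]),
                f"wsreset.exe spawned {image} (outside Windows directory)",
            )
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run check_event over every non-empty line and collect the alerts."""
    return [a for a in (check_event(parse_event(l)) for l in lines if l.strip()) if a]


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    "RecordID=1|EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
    "RecordID=2|EventID=13|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)|Details=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
    "RecordID=3|EventID=1|Image=C:\\Windows\\System32\\wsreset.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
    "RecordID=4|EventID=1|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe|ParentImage=C:\\Windows\\System32\\wsreset.exe",
    "RecordID=5|EventID=13|Image=C:\\Windows\\System32\\svchost.exe|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\foo\\Start|Details=DWORD (0x00000002)",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.record_id, alert.detail)
```

On a real host the same two conditions map directly onto Sysmon Event IDs 13 and 1, so the rule can be ported to a SIEM query once the field names are adjusted.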

Creating a Strong Password is Not Difficult; Follow These Simple Rules to Keep Safe

There are so many web sites to visit, so many social media accounts, various email services, passwords to log in to our corporate accounts, and much more. Many people find it overwhelming to manage these myriad accounts. That feeling is magnified when they are told to use strong passwords, as well as a unique password for each service. CNET has compiled a list of nine best practices to follow:

Strong passwords are of course key to your security. The challenge is to create strong passwords you can actually remember, without stumbling into the bad habits that can harm you -- like reusing the same password for multiple accounts. But how many passwords can you actually remember? You could easily have 85 passwords for all your accounts, from banking to streaming to social media, according to LogMeIn, which makes the LastPass password manager.

Weak passwords, or overusing the same password, can have serious consequences if your data is compromised -- even if that password is strong. For example, companies reported 5,183 data breaches in 2019 that exposed personal information like login credentials and home addresses that someone could use to defraud you or steal your identity. And since 2017, hackers published 555 million stolen passwords on the dark web that criminals can use to crack into your accounts.

Cyber Security Does Not Warrant Special Naming

What makes the cyber security domain so important as to warrant its own word? Even though cyber has permeated almost every aspect of modern human culture, should it be rewarded with pedestal-like status above other security specialties, and therefore its own special word?

South Carolina Water Company Cyber Attack, CEO "Fairly Certain" No Compromise Occurred

If the CEO is only "fairly certain" no corporate data has been compromised, there is a major problem. Approximately ten days have elapsed since the attack occurred, so there should be no uncertainty at this point:

The cyber-attack on Greenville Water triggered a payment system outage that began on Wednesday, January 22. Company spokesperson Emerald Clark said 500,000 customers were affected by the incident.

An investigation has been launched into the cyber-attack, the exact nature of which is yet to be revealed by Greenville Water. It's not yet known who targeted the water company or from where the attack was launched.

Greenville Water CEO David Bereskin said he was "fairly certain" that the utility's data had not been compromised as a result of the incident.

This sounds reassuring:

In the statement, Clark said that the incident "has not and will not impact or compromise the safety and delivery of water that is treated and maintained by our facilities."

When asked for comment on the cyber-attack by the Greenville News, Greenville County government affairs coordinator Bob Mihalic stated only that "Greenville County uses multiple methods of protecting data, hardware, and infrastructure from potential cyber-attacks."

The statement is mere obfuscation. It would be easy to state unequivocally that the operational network where the industrial control systems and SCADA for the water treatment facility reside is air-gapped, and therefore not physically connected to the business network - a security best practice for sensitive, mission-critical networks. Since Bob Mihalic failed to mention this point, it makes me wonder if, in fact, the networks are connected and therefore lateral movement to the OT network is possible.

Hackers Targeting Japan by Leveraging Coronavirus Scare to Spread Emotet

e-Crime threat actor Mummy Spider has been observed capitalizing on the current Coronavirus scare by using the outbreak as a phishing theme. The attackers have crafted official-looking emails in an attempt to lure unsuspecting victims into opening a document infected with Emotet:

The emails falsely claims that there are reports of coronavirus patients in the Gifu, Tottori and Osaka prefectures in Japan, urging victims to read an attached Microsoft Word document which contains the Emotet trojan. The messages are particularly dangerous because they were made to look like official government emails, equipped with legitimate addresses, phone numbers and emails.

The emails have predominantly been composed in native Japanese language, and have spoofed a number of prefectural governments across Japan, to include the Kyoto Prefectural Yamashiro Minami Public Health Center.

Malicious actors, especially e-crime adversaries, often use current events in spear-phishing campaigns. Playing on people's fears is quite common, and official-looking communications make it difficult for the average citizen to discern what is true from what is fake.

If you are a recipient of these types of emails, before opening any attachments ask yourself the following question: did I provide my email address to the Ward Office or City Hall?

If the answer is no, then quite obviously do not open the attachment because it is most likely malicious.

If the answer is yes, then cross-reference the communication with what is listed on their web site, or even call to check whether it is valid. Local governments will generally not inform their inhabitants via an email that requires opening an attachment. They will generally post important information on their web site and social media accounts, as email cannot be trusted. Even in Japan.

As a general rule, never open an unsolicited email attachment unless you are one-hundred percent sure of its authenticity.

e-Skimming: FBI Warns of New Online Threat to Personal and Credit Card Information

Never heard of e-skimming until today? It is when threat adversaries compromise an e-commerce web site, whether through a vulnerability in the web server or in the e-commerce software, and then introduce malicious code into the checkout process. The code is designed to send the buyer's personal and credit card details to the attackers, who later use them for fraudulent purchases. What makes e-skimming terrible is that users have no way of knowing the web site has been compromised until it is too late:

This new type of skimming is called e-skimming or Magecart.

Cybercriminals[sic] can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can’t spot the difference.

“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” Stapleton said.

How do you avoid being the victim of e-skimming? There are a few important things to do:

  • Use reputable web sites for online purchases, such as the Amazons and Rakutens of the world, to name a couple of examples.
  • Use a credit card, not a debit card, when shopping online. Credit cards generally have fraud protection whereas debit cards do not. A bank account can be drained quite rapidly through debit card loss, and in most cases the funds are not recoverable. Contrast that with a credit card, which has safety mechanisms built in.
  • Use a specific credit card only for online purchases, and one with a very low credit limit. This restricts the amount of damage an attacker can do with a stolen card.
  • Check credit card and bank account balances often. If either has an application with push notifications, ensure it is configured to alert on large purchases and failed transactions.

At the end of the day this is all about paying attention to detail and limiting risk by taking some specific actions. Catching e-skimming is nearly impossible as a customer, which is why the above is exceedingly important.

Severe Microsoft Flaw is Major Cloud Security Nightmare

Two new major security vulnerabilities were found in Microsoft Azure that could lead to disastrous consequences if left unpatched (CVE-2019-1234 and CVE-2019-1372):

There are two vulnerabilities here. The first is a modest software bug that can be pushed hard to crash a system and escalate that crash to secure user privileges. And the second is a lack of security on a relatively arbitrary shared service that can be manipulated to break out of a user’s own part of the cloud infrastructure and onto the common shared hardware. That great advantage of the cloud, using only what you need, just when you need it, means you are a tenant in a server version of an apartment block. Check Point’s exploit built a master key for all the other apartments in that block.

Balmas fills in the gaps in terms of what this means. “We can break the isolation of Azure’s functions—now I can see everybody else’s functions. Anyone using Azure will be impacted—that means millions of users.” In addition to storing vast volumes of data in those isolated chambers, the cloud also runs countless programs. As a user, or “tenant,” you drop your code onto your cloud resource and it does the rest, running the program to order. Breaking that isolation enabled Check Point to access other tenants’ code running on any shared Azure server on which it was a tenant.

It is vital for all Azure users to ensure they patch their virtual machines. Failure to do so could lead to fatal consequences such as a severe data breach, data destruction, being locked out of the VM, and more. Do not waste any time and apply the patches ASAP.

Lessons Learned from Losing $13,103.91 to Hackers

It is hard to admit, and potentially quite embarrassing, to have been tricked by attackers who end up stealing a not-so-insignificant amount of money. It can happen to anyone; even the current richest man on the planet can be successfully hacked. This well-written lessons-learned story from a Recode data privacy reporter outlines how even the most innocuous activity may be indicative of a much greater threat:

Because I didn’t take a few basic internet security precautions, hackers robbed me of $13,103.91 worth of cash and prizes from three of my accounts over the next six months. And while this doesn’t make me, your Recode data privacy reporter, look very smart, I’m sharing my story with you in the hope that it will help you avoid a similar fate.

The person who hacked my Grubhub account last March ordered a black fungus salad with celery, a five-spice-marinated beef entree, and 12 pork dumplings (with chives) for a total of $26.84. At first, it was annoying but didn’t seem like that big of a deal: I notified Grubhub about the fraudulent charge and got a refund. Then I changed my password, sent an angry text to the phone number on the food order, and went about my life, foolishly thinking that this was an isolated incident. It was not.

Five months later, I logged into my bank account to find a substantially smaller number in my savings account than I expected. Sure enough, $9,000 had been wired away two days previously. During the subsequent, frantic call to my bank, I looked at my checking account and saw that $4,000 had been wired away from there, too — a discovery I declared with a variety of curse words. The woman on the other end of the line had a pleasant Southern drawl, which made her promises that I would get the money back seem extra reassuring.

Being aware of the threat, paying attention to detail, and being cognizant of your online actions can go a long way in preventing a loss like this from occurring.

US Defense Contractor Hit with Ransomware Infection

In the United States, contractors with the Department of Defense are required to maintain a minimum baseline of security controls to protect defense-related information. Either those controls are not strong enough, or EWA did not implement the correct measures to prevent the ransomware infection:

Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.

The infection hit the company last week. Among the systems that had data encrypted during the incident were the company's web servers.

Signs of the incident are still visible online. Encrypted files and ransom notes are still cached in Google search results, even a week after the company took down the impacted web servers.

If you are unfamiliar with Ryuk, it is one of the nastier ransomware strains:

Making matters worse is that Ryuk is not your regular ransomware strain. This type of ransomware is solely used in targeted attacks on high-profile companies.

It is usually installed on infected networks after a victim is infected with the Emotet/TrickBot trojans, two well-known cybercrime-as-a-service platforms.

The Ryuk gang uses the Emotet/TrickBot-infected machine as entry point and launch pad to scan and spread inside a company's internal network, exfiltrate data, and then deploy their ransomware.

Adversaries with Turkish Nexus Responsible for Cyber Attacks Targeting Europe and the Middle East

A series of cyber attacks beginning in early 2018 and continuing through 2019 is believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected by the operations, ranging from government ministries and agencies to private industry and other groups:

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

What techniques did these purported nation state threat actors leverage?

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.

Essentially, the initial goal of the threat activity was credential harvesting. If you are unfamiliar with the term, it is the act of tricking unsuspecting users into entering their login credentials into a fraudulent web site or application. It usually starts with a phishing email directing users to a web site that appears to be one the victim legitimately uses, asking them to log in, and then storing the credentials for use in a later operation.

Once the attackers had amassed enough credential data, and knowing that average users often reuse the same password across multiple logins, the adversaries could then attempt to breach personal accounts - such as Twitter, Facebook, Gmail, and more - as well as official government or business accounts. The latter are the crown jewels, although the personal accounts may also lead to additional opportunistic, targeted attacks.

What I find most alarming is that certain DNS top-level domain providers were breached. The DNS servers themselves do not appear to have been affected, but a number of the organizations controlling them were compromised. Those organizations should know better, and should have implemented stronger security controls and better security awareness.

This demonstrates how anyone can be the victim of a cyber attack.

Hackers Breach Multiple NFL Team Twitter Accounts, Including the 49ers and Chiefs

Pestering hackers are at it again, this time compromising a number of Twitter accounts belonging to National Football League teams, including the two Super Bowl contenders:

Hackers compromised Twitter accounts belonging to the National Football League and some of its most popular teams, including Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, in an apparent series of cyberattacks Monday.

The hackers taunted the NFL and the teams in messages saying they were “here to show people that everything is hackable,” and promoted the hackers’ security services via email and Twitter hashtags.

Accounts for the Chicago Bears, Green Bay Packers and Cleveland Browns, among others, were also taken over.

It is not as if hacking Twitter accounts is all that difficult. Let us assume the malicious actors attempted to breach more than just Twitter, such as the teams' corporate networks and other online presence. Why have they thus far only been successful with Twitter?

This is largely due to many users not configuring Twitter for two-factor authentication with an authenticator app, such as 1Password, Google Authenticator, or Authy. Had these teams been using TFA, there is a much greater chance this attack would not have been successful. I specifically called out the use of an authenticator app rather than SMS because the latter is vulnerable.

It will be interesting to learn why only these five teams were selected out of the thirty-two teams in the NFL today. I doubt it has anything to do with a specific motivation to attack these teams; more likely it is because of lax security on those Twitter accounts.

Security Attacks Cost Singapore Businesses $1.25M per Breach

Channel Asia is reporting on a study recently released by McAfee, claiming the average cost of a cyber attack to a Singapore-based business is approximately $1.25m per breach:

According to McAfee findings, the city-state houses the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

Findings from a survey of 480 cyber security decision-makers at a regional level paint a damning picture for Singapore with 80 per cent of respondents claiming that cyber security incidents pose “high” or “medium” impacts on business.

And:

Estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

I would like to know how McAfee, and the various companies they interviewed, arrived at these numbers. The cost of internal incident response is a bit of an art to quantify accurately. The cost of leveraging external resources to assist with breach remediation is much easier to understand.

The likelihood of all of these Singapore-based companies only using outside assistance is small. There is a stronger chance of a more hybrid approach, where internal responders work in conjunction with external help of some sort.

In either case, I am curious to see how these numbers were derived.