Stories from the SOC – WannaCry malware

Read Time:3 Minute, 35 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

WannaCry malware was first discovered in May 2017 and a patch was released roughly two months prior to its public release. However, 230,000 computers were globally affected by WannaCry as of 3/31/2021. It is unfortunate to hear, but many companies remain vulnerable to this attack due to unpatched systems. We often see that by the time some companies update their systems, they have already experienced a breach.

The Managed Threat Detection and Response (MTDR) SOC analyst team received 56 alarms related to the suspicious use of port 445 within a 24-hour timeframe. Given the high influx of alarms, our team created an Investigation to reveal which assets were using port 445, the destinations that were being communicated with, and the frequency of the connections. The customer quickly identified that the source assets were unpatched Windows 7 production servers affected by WannaCry. They were able to segment the infected computers, block SMB port 445, use Trend Micro’s Anti-Threat Toolkit to clean the machines, and then return the assets to the network.

Investigation

Initial alarm review

Indicators of compromise (IOC)

The initial alarms that triggered this investigation were created from a custom alarm. The MTDR team can create custom alarms specific to the customers environment to help improve time to response. The alarms were triggered when events from Trend Micro showed assets using Server Message Block (SMB) port 445 in which a single source was communicating with multiple destinations.

This initial alarm was one of many that was generated. The alarms came in with a priority of “Low” because use of SMB port 445 is common within the customer’s organization. Our team and the customer began to suspect that a breach had occurred due to the high volume of internal connections as well as those connections attempting to reach external IP’s.

Expanded investigation

Events search

Upon further investigation, we searched for events “CnC Callback” and “Suspicious Connection”. The team then analyzed these events over a 24-hour period. This analysis revealed all of the internal assets and their events’ sources and destinations. These assets were communicating over port 445 and were likely compromised systems.

Event deep dive

Continuing with the investigation, we learned that the affected assets were communicating with unknown external IP’s. Many of these outbound connections were blocked at the firewall; however, at this point, we were able to pivot from the external IP’s to look for more affected assets.

Reviewing for additional indicators

We then made a complete list of all potentially affected internal assets. After individually inspecting the assets, we discovered the following event: “Ransom_WCRY.SM2” on a few of the assets. This particular event confirmed our suspicion that this was, indeed, the WannaCry malware.

Response

Building the investigation

Within minutes of the team creating the investigation, the customer escalated the case. The customer noticed that all of the associated assets were part of a single subnet isolated to one sector of their business. The customer then isolated the subnet of potentially affected assets from the rest of the network in order to begin reviewing the machines.

While the assets were being scanned for further indicators of compromise, we involved the customer’s Threat Hunter (TH). The TH helped generate additional reports of all internal assets that were associated with the malicious events.

At this point, the customer blocked port 445 on the assets, used Trend Micro’s Anti-Threat Toolkit to clean the machines, and then returned the assets to the network.

We continued to closely monitor the customer’s network for further signs of compromise from the WannaCry malware. We maintained this vigilance until the team ensured the situation had been fully resolved.

Customer interaction

Our team worked closely with the customer to ensure we were up to date with any changes being made to their systems. Because of the close communication between our team and the customer, we were able to quickly assess the situation, investigate appropriate assets, and resolve the issue before any systems could be encrypted for ransomware.

Read More

Crypto Finance Firm Offers $2m Bug Bounty to Hackers

Read Time:1 Minute, 37 Second

Crypto Finance Firm Offers $2m Bug Bounty to Hackers

A decentralized lending platform that lost $80m to hackers has offered them an astonishing multimillion-dollar bug bounty in return for the stolen funds.

Qubit Finance revealed at the end of last week that an attacker had exploited a vulnerability in its QBridge deposit function.

In doing so, they managed to get away with a large amount of Ethereum, which they converted to Binance coins with a value of tens of millions of dollars. In effect, they were able to exploit a mistake in Qubit Finance’s code to withdraw Binance tokens without depositing any Ethereum.

The firm pleaded with its attacker to return the funds, addressing them on Twitter as “dear exploiter.”

“We propose you to negotiate directly with us before taking any further action,” it wrote on Friday. “The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty is now what you are looking for, we are open to have a conversation. Let’s figure out a solution.”

A follow-up note confirmed the firm would offer a “maximum” bug bounty and not seek to press charges if the attacker returned the funds.

Subsequent messages over the weekend then increased this ‘maximum’ bounty to $1m and then on Sunday to $2m.

It’s unclear whether the tactic was merely intended to buy investigators ADDITIONAL time or if the firm was genuinely prepared to hand over a considerable bug bounty to a cyber-criminal.

A new post issued hours ago revealed the firm is working on a new site that will enable affected users to access their digital wallets to file reports with local police. However, they have little hope of getting their money back unless the cyber-thieves decide to cooperate with Qubit Finance.

A report from Chainalysis last week claimed that decentralized finance (DeFi) protocols were attacked most last year, losing over $2bn.

Read More

12 CISO resolutions for 2022

Read Time:45 Second

It’s still early days, but if this year is anything like years past, it’s safe to say CISOs will have a lot to contend with, from a continuing labor shortage to the increasing sophistication of cyberattacks to an ongoing threat from nation-state actors.

However, they also have plenty of ideas on how they’ll tackle those challenges.

To learn what they’re planning to do and what they want to accomplish in the months ahead, we asked CISOs across various industries to share their main objectives—or, their top resolutions, if you will—for 2022.

Here’s what they say:

1. Eliminate blind spots

Suyesh Karki, CISO and VP of IT at cloud software company Domo, wants to eliminate blind spots within his tech environment because he knows that he can’t protect what he can’t see.

To read this article in full, please click here

Read More

DDoS attacks: Definition, examples, and techniques

Read Time:42 Second

What is a DDoS attack?

A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.

Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity becomes overwhelmed.

To read this article in full, please click here

Read More

QNAP Ransomware: Thousands Infected with DeadBolt

Read Time:1 Minute, 26 Second

QNAP Ransomware: Thousands Infected with DeadBolt

Thousands of QNAP users have been infected by a new ransomware variant flagged by the network-attached storage (NAS) vendor last week, according to a security vendor.

Taiwan-headquartered QNAP said last week that customers should urgently upgrade their systems to the latest version of its QTS operating systems and take steps to disconnect devices from the internet to mitigate the campaign.

Dubbed “DeadBolt,” the new ransomware variant demands a 0.03 Bitcoin ($1100) payment in return for a decryption key.

“This is not a personal attack,” reads the notice. “You have been targeted because of the inadequate security provided by your vendor (QNAP).”

Inventory firm Censys last week claimed there were around 5000 such devices impacted by the ransomware, although this is out of a total of 130,000 globally.

Interestingly, the vendor observed that the number fell sharply between January 26 and 27.

“Overnight, the number of services with the DeadBolt ransomware dropped by 1061, down to a total of 3927 infected services on the public internet,” it wrote.

“The exact reason for this drop is unknown at the moment, and we are continuing to monitor the situation. But earlier today, Malwarebytes reported that QNAP released a forced automatic update for their Linux-based operating system called QTS to address the vulnerability. This update reportedly removed the ransomware executable and reverted the web interface changes made by the ransomware.”

QNAP’s extorters had given it the opportunity to pay a flat rate of 50 BTC ($1.8m) to decrypt all customer data, but it does not appear to have acceded to these demands.

Some users have reported that decryption keys they were given following payment did not work.

Read More

Latest Proof of Concept Details How iOS Malware May Snoop on Our Devices

Read Time:6 Minute, 26 Second

Smartphones have become such an integral part of our lives that it’s hard to imagine a time when we didn’t have them. We carry so much of our lives on our devices, from our social media accounts and photos of our pets to our banking information and home addresses. Whether it be just for fun or for occupational purposes, so much of our time and attention is spent on our smartphones. 

Because our mobile devices carry so much valuable information, it’s important that we stay educated on the latest cyber schemes so we can be prepared to combat them and keep our data safe.  According to Bleeping Computer1, researchers have developed a trojan proof of concept tool that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and cameras.  

Let’s dive into the details of this technique.  

How “NoReboot” allows hackers to spy on a device 

Typically, when an iOS device is infected with malware, the solution is as simple as just restarting the device. However, with this new technique researchers are calling “NoReboot,” ridding a device of malware is not quite as simple. 

“NoReboot” blocks the shutdown and reboot process from being carried out, preventing the device from actually restarting. Without a proper shutdown and reboot, a malware infection on an iOS device can continue to exist. Because the device appears to be shut off with a dark screen, muted notifications, and a lack of response, it is easy to assume that the device has shut down properly and the problem has been solved. However, the “NoReboot” technique has only simulated a reboot, allowing a hacker to access the device and its functions, such as its camera and microphone. If a hacker has access to these functions, they could record the user without their knowledge and potentially capture private information.  

This attack is not one that Apple can fix, as it relies on human-level deception rather than exploiting flaws found on iOS. That’s why it’s important that we know how to use our devices safely and stay protected. 

How to know if your smartphone has been hacked 

As previously mentioned, smartphone usage takes up a big chunk of our time and attention. Since we are so often on these devices, it is usually fairly easy to tell when something isn’t working quite like it is supposed to. While these things could very well just be technical issues, sometimes they are much more than that, such as malware being downloaded onto your smartphone. 

Malware can eat up the system resources or conflict with other apps on your device, causing it to act oddly. 

Some possible signs that your device has been hacked include: 

Performance issues 

A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things may also be signs that malware has compromised your phone. 

Your phone feels like it’s running hot 

Malware running in the background of a device may burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it may be due to malicious activity. 

Mysterious calls, texts, or apps appear 

If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked. 

Pop-ups or changes to your screen 

Malware may also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your device has been hacked. 

Six tips to prevent your phone from being hacked 

To avoid the hassle of having a hacked phone in the first place, here are some tips that may help. 

1. Update your phone and its apps

Promptly updating your phone and apps is a primary way to keep your device safe. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks. 

2. Avoid downloading from third-party app stores

Apple’s App Store and Google Play have protections in place to help ensure that apps being downloaded are safe. Third-party sites may not have those same protections or may even be purposely hosting malicious apps to scam users. Avoiding these sites altogether can prevent these apps from allowing hackers into your device. 

3. Stay safer on the go with a VPN

Hackers may use public Wi-Fi to gain access to your device and the information you have inside of it. Using a VPN to ensure that your network is private and only you can access it is a great way to stay protected on the go. 

4. Turn off your Wi-Fi and Bluetooth when not in use

Turning off your Wi-Fi and Bluetooth when you are not actively using them is a simple way to prevent skilled hackers from working their way into your devices. 

5. Avoid public charging stations

Some hackers have been known to install malware into public charging stations and hack into devices while they are being charged. Investing in your own personal portable charging packs is an easy way to avoid this type of hack.  

6. Encrypt your phone

Encrypting your phone can protect your calls, messages, and information, while also protecting you from being hacked. iPhone users can check their encryption status by going into Touch ID & Passcode, scrolling to the bottom, and seeing if data protection is enabled.  

7. Determine whether your device rebooted properly

Although researchers agree that you can never trust a device to be fully off, there are some techniques that can help you determine whether your device was rebooted correctly.2 If you do suspect that your phone was hacked or notice some suspicious activity, restart your device. To do this, press and hold the power button and either volume button until you are prompted to slide the button on the screen to power off. After the device shuts down and restarts, notice if you are prompted to enter your passcode to unlock the device. If not, this is an indicator that a fake reboot just occurred. If this happens, you can wait for the device to run out of battery, although researchers have not verified that this will completely remove the threat.  

Stay protected 

If you are worried that your device has been hacked, follow these steps: 

Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
Lastly, check your accounts and your credit to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts, getting new cards, and credentials issued with the help of McAfee Identity Protection Service. Further, update your passwords for your accounts with a password that is strong and unique.   

The post Latest Proof of Concept Details How iOS Malware May Snoop on Our Devices appeared first on McAfee Blog.

Read More

Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

Read Time:5 Minute, 4 Second

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of start-ups into giving him tens of millions of dollars. Bernard’s latest victim — a Norwegian startup hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

John Bernard is a pseudonym used by John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice and residing in Ukraine. Davies’ Bernard persona has fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments.

For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking investment opportunities. Bernard generated a stream of victims by offering extraordinarily generous finder’s fees for investment brokers who helped him secure new clients. But those brokers would eventually get stiffed as well because Bernard’s company would never consummate a deal.

In case after case, Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

But Bernard would adopt a slightly different approach to stealing from Freidig Shipping Ltd., a Norwegian company formed in 2017 that was seeking the equivalent of USD $100 million investment to bring its green fleet of 30 new offshore service vessels to fruition.

Journalists Harald Vanvik and Harald Berglihn from the Norwegian Business Daily write that through investment advisors in London, Bernard was introduced to Nils-Odd Tønnevold, co-founder of Freidig Shipping and an investment advisor with 20 years of experience.

“Both Bernard and Inside Knowledge appeared to be professionals,” the reporters wrote in a story that’s behind a paywall. “Bernard appeared to be experienced. He knew a lot about start-ups and got into things quickly. Credible and reliable was the impression of him, said Tønnevold.”

“Bernard eventually took on the role of principal investor, claiming he had six other wealthy investors on the team, including artist Abel Makkonen Tesfaye, known as The Weeknd, Uber founder Garrett Camp and Norilsk Nickel owner Russian Vladimir Potanin,” the Norwegian journalists wrote. “These committed to contribute $99.25 million to Freidig.”

So in this case Bernard conveniently claimed he’d come up with almost all of the investment, which came $750,000 short of the goal. Another investor, a Belgian named Guy Devos, contributed the remaining $750,000.

But by the spring of 2020, it was clear that Devos and others involved in the shipping project had been tricked, and that all the money which had been paid to Bernard — an estimated NOK 15 million (~USD $1.67 million) — had been lost. By that time the two co-founders and their families had borrowed USD $1.5 million, and had transferred the funds to Inside Knowledge.

“Further investigations indicated that Bernard was in fact a convicted and wanted Briton based in the Ukrainian capital Kiev,” the Norwegian Business Daily reported. “Guy Devos has sued Nils-Odd Tønnevold with a claim of 750,000 dollars because he believes Tønnevold has a responsibility for the money being transferred to Bernard. Tønnevold rejects this.”

Bernard’s scam is genius because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And because the best cons begin as an idea or possibility planted in the target’s mind.

What’s remarkable about Freidig Shipping’s fleecing is that we heard about it at all. In the first of this now five-part series, we heard from Jason Kane, an attorney who focuses on investment fraud. Kane said companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

“These are cases where you might win but you’ll never collect any money,” Kane said. “This seems like an investment twist on those fairly simple scams we all can’t believe people fall for, but as scams go this one is pretty good. Do this a few times a year and you can make a decent living and no one is really going to come after you.”

It does appear that Bernard took advantage of a stunning lack of due diligence by the Freidig co-founders. In this May 2020 post on Twitter — well after their funds had already been transferred to Bernard — Nils-Odd Tønnevold can be seen asking Uber co-founder Garrett Camp if he indeed had agreed to invest in his company:

John Clifton Davies, a.k.a. John Bernard, Jonathan Bibi, John Cavendish, is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail on suspicion of murdering his third wife on their honeymoon in India. The U.K. authorities later dropped the murder charges for lack of evidence. Davies currently resides with his fourth wife in or near Kyiv, Ukraine.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

Read More