4 alternatives to encryption backdoors, but no silver bullet

Read Time:53 Second

End-to-end encrypted communication has been a boon to security and privacy over the past 12 years since Apple, Signal, email providers, and other early adopters first started deploying the technology. At the same time, law enforcement authorities around the globe have pushed for technological solutions to pry open the chain of protected end-to-end encrypted content, arguing that the lack of visibility provides a haven for criminals, terrorists and child abusers to hatch their plans with impunity.

In 2016, Apple prevailed in a now-famous legal standoff with FBI Director James Comey to unlock an encrypted phone used by a mass shooter in San Bernardino, California. In 2019, Attorney General William Barr revived the so-called backdoor debate to advocate some means of breaking encryption to thwart those who distribute child sexual abuse material. Last month, the UK government kicked off a PR campaign to lay the groundwork for killing off end-to-end encryption ostensibly to crack down on child sex abusers.

To read this article in full, please click here

Read More

Microsoft Takes Aim at Malicious Office Macros

Read Time:1 Minute, 58 Second

Microsoft Takes Aim at Malicious Office Macros

Microsoft has finally taken action against a common threat vector, blocking by default Office macros downloaded from the internet.

A vast range of threat actors sent users phishing emails containing innocuous-looking attachments. However, they often contain embedded Visual Basic for Applications (VBA) macros obtained from the internet.

Once enabled by users with a single click, these initiate a download of a malicious payload to support information theft, ransomware and other attacks.

Microsoft’s latest action is intended to enable the continued use of legitimate macros while making it harder for threat actors to socially engineer users into enabling malicious content.

“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations,” it explained.

“Organizations can use the ‘Block macros from running in Office files from the internet’ policy to prevent users from inadvertently opening files from the internet that contain macros. Microsoft recommends enabling this policy, and if you do enable it, your organization won’t be affected by this default change.”

The new rules will apply to the five most common Office apps: Access, Excel, PowerPoint, Visio, and Word. It will impact only Office running on Windows devices, with the changes rolled out from version 2203, starting with Current Channel (Preview) in early April 2022.

Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel.

Oliver Tavakoli, CTO at Vectra, argued that default settings matter in cybersecurity.

“Seemingly 50-50 decisions made by product managers at application and platform providers can expose their customers to extraordinary risk. As the example of VBA macros demonstrates, once such a choice has been made it’s a difficult and lengthy process to change the default to something more secure as the fear of breaking things creates a form of institutional paralysis,” he added.

“The security lesson is simple: leave features which may have security implications off by default and let customers choose whether the benefit of the feature outweighs the security risk of having it on.”

Read More

A Quarter of New Online Accounts Are Fake – Report

Read Time:1 Minute, 37 Second

A Quarter of New Online Accounts Are Fake – Report

There was an 85% year-on-year increase in attacks targeting logins or account creation in 2021 as bot-driven fraud attempts soared, according to Arkose Labs.

The fraud prevention firm analyzed over 150 billion transaction requests across 254 countries across the 12-month period to compile its latest report, The 2022 State of Fraud and Account Security.

It found one in four newly created accounts were fake, one in five logins was an account takeover (ATO) attempt and a fifth (21%) of all traffic was linked to fraud.

ATOs are commonly used to steal personal and financial data or launch phishing attacks. Fraudulent new accounts could be used for “inventory hoarding, content scraping and sending spam and phishing messages,” according to Arkose Labs CEO and founder, Kevin Gosschalk.

“As expected, businesses that hit high-growth periods in 2021 saw an increase in attack. For example, gaming saw sky-high attacks in 2020 but leveled off in 2021, which led to attacks dispersing across other industries,” he told Infosecurity.

“Online media and entertainment continued to grow in popularity, bringing more in-platform spam and scam attacks. Attackers flocked to the travel industry to take advantage of scraping and inventory hoarding opportunities as the world shifted more toward post-pandemic normalcy.”

Driving most of these attacks is the use of intelligent, automated bots. Arkose Labs claimed that today’s bot signatures are three times more complex than those of previous years, making it even harder to discern real human behavior imposters.

Some 86% of attacks in 2021 were linked to bots, while bot-driven credential stuffing attempts peaked at 76 million per week. The Black Friday/Thanksgiving month of November was the worst hit.

The worst attacked sectors in the UK in 2021 were online gaming, accounting for 46% of all attacks, then social networks and online streaming sites, which comprised a third of malicious activity

Read More

Russia Arrests Third Cybercrime Group

Read Time:1 Minute, 42 Second

Russia Arrests Third Cybercrime Group

The Russian authorities are claiming to have arrested a third cybercrime group following previous high-profile detentions.

The six individuals were detained in different regions of the country and have “special knowledge in the field of international payment systems,” a source told the state-run TASS news agency.

They are suspected of committing vaguely worded technology and online-related crimes. However, the report claimed that the Ministry of Internal Affairs is asking Moscow’s Tverskoy Court to detain the six under part two of article 187 of the Criminal Code of the Russian Federation.

This relates to making counterfeit cards and other payment “documents” by an organized crime group. That makes it likely they are involved in payment fraud or other parts of the cybercrime supply chain, like carding forums.

According to the report, the detained are Denis Pachevsky, general director of Saratovfilm Film Company; ‘entrepreneur’ Alexander Kovalev; Transtechcom employee, Artem Bystrykh; Get-net employee, Artem Zaitsev; and two people described as unemployed, Vladislav Gilev and Yaroslav Solovyov.

The news follows two major cybercrime busts since the start of the year in a country known for turning a blind eye to law enforcement in this area.

The first involved 14 alleged members of the REvil group, or at least its affiliates. The second, just over a week later, was of four suspected members of the infamous InFraud group, including its alleged founder Andrey Novak.

During its seven-year reign, the latter group reportedly made as much as $568m by running a popular marketplace for carders.

Although there are no signs Russia is planning to extradite any of these individuals if found guilty, the REvil raid, in particular, appears to have been conducted with intelligence and cooperation from US law enforcers, which is a rarity.

However, some commentators have suggested the arrests are more of a propaganda stunt by the Russian state and that its basic strategy remains the same: allowing cybercrime to flourish in the country as long as it’s directed at foreign victims.

Read More

Multiple Vulnerabilities in Google Android OS Could Allow for Escalation of Privilege

Read Time:36 Second

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for escalation of privilege. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for escalation of privilege. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Read More

IRS To Ditch Biometric Requirement for Online Access

Read Time:4 Minute, 40 Second

The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.

Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs.gov will be through ID.me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.

The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.

It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID.me).

ID.me says it has approximately 64 million users, with 145,000 new users signing up each day. Still, the bulk of those users are people who have been forced to sign up with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit payments, and pandemic assistance funds.

In the face of COVID, dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to screen for ID thieves applying for benefits in someone else’s name.

But ID.me has been problematic for many legitimate applicants who saw benefits denied or delayed because they couldn’t complete ID.me’s verification process.  Critics charged the IRS’s plan would unfairly disadvantage people with disabilities or limited access to technology or Internet, and that facial recognition systems tend to be less accurate for people with darker skin.

Many readers were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that begin in 2010 as a way to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID.me gets breached?

The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering another identity verification option that wouldn’t use facial recognition. At the same time, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements.

In a statement published today, the IRS said it was transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.

“The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The statement further stressed that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”

It remains unclear what other service or method the IRS will use going forward to validate the identities of new account signups. Wyden and others have urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.

“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Login.gov is run by the U.S. General Services Administration, which told The Post that it was “committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services until a rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”

Read More

ACTINIUM – Targeting Interests in the Ukraine

Read Time:3 Minute, 17 Second

FortiGuard Labs is aware of various campaigns targeting Ukraine by threat actors known as ACTINIUM/Gamaredon/DEV-0157. ACTINIUM’s modus operandi targets various verticals to conduct cyber espionage, including but not limited to governmental, NGO, law enforcement and nonprofit organizations. This latest campaign targeting Ukraine was observed by security analysts at Microsoft. Observed TTPs of ACTINIUM include spearphishing emails using specially crafted Microsoft Word documents that contain malicious macros. Other observed tactics use image files in the emails that are very tiny in scale and report back to the hosting server so that the attacker can check to see if the email was viewed or not. Of course, this depends on whether the recipient chooses to download images or not.Previous analysis on Gamaredon (another name for ACTINIUM) conducted by FortiGuard Labs can be found here. FortiGuard Labs also documented attacks against Ukraine here.What are the Technical Details of the Attack?ACTINIUM uses multiple stage processes that contain payloads that download and execute further additional payloads. Observed staging techniques contain highly obfuscated VBScripts, PowerShells, self-extracting archives, LNK files, etc. To remain persistent, ACTINIUM relies on scheduled tasks. To evade detection and analysis, the usage of randomly generated dictionary words from a predefined word list were used to assign subdomains, scheduled tasks and file names to further confuse analysts. Other observations seen are the usage of DNS records that are frequently changed and contain unique domain names using multiple IP addresses attributed to them.Three malware families were documented in the report, and they are:PowerPunch – Downloader and droppers using PowerShellPterodo – Malware that uses various hashing algorithms and on-demand schemes for decrypting data while freeing allocated heaps space to evade detection and thwart analysis. The malware is evolving, with the usage of various strings to POST content using forged user agents and various commands and scheduled tasks.QuietSieve – These are heavily obfuscated .NET binaries that act primarily as an infostealer.Who/What is Behind this Attack?According to Microsoft, this latest attack is attributed to the Russian FSB. This is per previous reports by the Ukrainian government linking Gamaredon actors to the FSB.Is this a Widespread Attack?No. According to Microsoft, attacks are limited to targeted attacks in the Ukraine.What is the Status of Coverage?Fortinet customers running the latest definitions are protected by the following AV signatures:MSIL/Pterodo.JJ!trMSIL/Pterodo_AGen.B!trMSIL/Pterodo.JK!trMSIL/Pterodo.JF!trMSIL/Pterodo.JI!trPossibleThreatW32/PossibleThreatVBS/SAgent!trW32/APosT.AUC!trW32/Pterodo.AWR!trW32/APosT!trW32/APosT.AWN!trVBA/Amphitryon.1918!trW32/Pterodo.AVL!trW32/Pterodo.AUZ!trW32/Pterodo.ASQ!trW32/GenKryptik.FGHO!trRiskware/PterodoW32/Pterodo.APR!trW32/Pterodo.AQB!trAll network IOC’s are blocked by the WebFiltering client.Any Other Suggested Mitigation?As ACTINIUM uses spearphishing techniques as an entry point, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations’ internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Read More

Sugar Ransomware in the Wild

Read Time:1 Minute, 17 Second

FortiGuard Labs is aware that a new ransomware called “Sugar” is in the wild. Reportedly, Sugar ransomware targets consumers rather than enterprises. The first sample of Sugar ransomware appears to have been discovered in the wild in early November. Sugar ransomware encrypts files on the compromised machine and appends “.emcoded01” file extension to them. Victims are asked to pay ransom to recover the encrypted files.What is Sugar Ransomware?Sugar is a ransomware that is written in Delphi and appeared in the wild in November 2021 at the latest. Once run, Sugar ransomware encrypts files on the compromised machine and appends “.encoded01” file extension to them. The malware then displays a ransom note that asks the victim to visit the attacker’s TOR page to pay the ransom in order to recover the encrypted files. The attacker offers to decrypt up to five files to prove that the encrypted files can be recovered upon ransom is paid.The ransom note displayed by Sugar ransomware looks similar to that of REvil ransomware. Also, the TOR site used by Sugar ransomware has close resemblance with that of Cl0p ransomware. However, there is no evidence to suggest that the Sugar ransomware group is associated with REvil and Cl0p threat actors.How Widespread is Sugar Ransomware?Based on the telemetry data collected by FortiGuard Labs, Sugar ransomware infections likely occurred in Canada, Thailand, the United States, Israel and Lithuania.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Sugar ransomware:W32/Filecoder.OJD!tr.ransomW32/PossibleThreat

Read More

Proof-of-Concept Code Now Available for an Exploited Windows Local Privilege Escalation Vulnerability

Read Time:1 Minute, 27 Second

FortiGuard Labs is aware that a Proof-of-Concept (POC) code for a newly patched Windows vulnerability (CVE-2022-21882) that is reported to have been exploited in the wild was released to a publicly available online repository. CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. The vulnerability is rated as Important by Microsoft and has CVSS score of 7.0.Why is this Significant?This is significant because now that the POC for CVE-2022-21882 has become available to the public attacks leveraging the vulnerability will likely increase. Because CVE-2022-21882 is a local privilege escalation the vulnerability will be used by an attacker that already has access to the network or will be chained with other vulnerabilities.What is CVE-2022-21882?CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Is the Vulnerability Exploited in the Wild?According to the Microsoft advisory, the vulnerability is being exploited in the wild.Has Microsoft Released an Advisory for CVE-2022-21882?Yes. See the Appendix for a link to the advisory.Has Microsoft Released a fix for CVE-2022-21882?Yes. Microsoft has released a patch as part of regular MS Tuesday on January 11th, 2022.What is the Status of Coverage?FortiGuard Labs provide the following IPS coverage for CVE-2022-21882:MS.Windows.Win32k.CVE-2022-21882.Privilege.ElevationFortiGuard Labs has released the following AV coverage based on the available POC:W64/Agent.A93E!exploit.CVE202221882

Read More

BotenaGo Malware Targets Multiple IoT Devices

Read Time:2 Minute, 44 Second

FortiGuard Labs is aware of a report that source code of BotenaGo malware was recently made available on GitHub. BotenaGo is a malware written in Golang and is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices such as routers, modems, and NAS devices, and varies the delivered payload depending on the device it successfully exploited.Why is this Significant?This is significant because the source code of BotenaGo malware is available on a publicly available repository and with the report that BotenaGo is capable of exploiting more than 30 vulnerabilities, an uptick of its activities is expected.What is BotenaGo Malware?BotenaGo is an IoT (Internet fo Things) malware written in Golang and may become a new arsenal used by Mirai attackers.The malware is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices (a list of those vulnerabilities is contained in the Alien Labs blog linked in the Appendix). After the targeted device is successfully exploited, the malware executes remote shell commands that download a payload that varies depending on the device it successfully compromised. BotenaGo also sets up a backdoor on the compromised machine and awaits remote commands from the attacker on ports 19412 and 31412. It can also set a listener to system IO (terminal) user input and get remote commands through it.What Vulnerabilities are Exploited by BotenaGo?Some of the known vulnerabilities exploited by BotenaGo are below:CVE-2013-3307: Linksys X3000 1.0.03 build 001CVE-2013-5223: D-Link DSL-2760U Gateway (Rev. E1)CVE-2014-2321: ZTE modemsCVE-2015-2051: D-Link routersCVE-2016-11021: D-Link routersCVE-2016-1555: Netgear devicesCVE-2016-6277: Netgear devicesCVE-2017-18362: ConnectWise pluginCVE-2017-18368: Zyxel routers and NAS devicesCVE-2017-6077: Netgear devicesCVE-2017-6334: Netgear devicesCVE-2018-10088: XiongMai uc-httpd 1.0.0CVE-2018-10561: Dasan GPON home routersCVE-2018-10562: Dasan GPON home routersCVE-2019-19824: Realtek SDK based routersCVE-2020-10173: VR-3033 routerCVE-2020-10987: Tenda productsCVE-2020-8515: Vigor routersCVE-2020-8958: Guangzhou 1 GE ONUCVE-2020-9054: Zyxel routers and NAS devicesCVE-2020-9377: D-Link routers What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available BotenaGo malware samples:Linux/Botenago.A!trPossibleThreatFortiGuard Labs provides the following IPS coverage against exploit attempts made by BotenaGo:ZTE.Router.Web_shell_cmd.Remote.Command.Execution (CVE-2014-2321)D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution (CVE-2015-2051)Netgear.macAddress.Remote.Command.Execution (CVE-2016-1555)NETGEAR.WebServer.Module.Command.Injection (CVE-2016-6277)TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection (CVE-2017-18368)NETGEAR.ping_IPAddr.HTTP.Post.Command.Injection (CVE-2017-6077)NETGEAR.DGN.DnsLookUp.Remote.Command.Injection (CVE-2017-6334)XiongMai.uc-httpd.Buffer.Overflow (CVE-2018-10088)Dasan.GPON.Remote.Code.Execution (CVE-2018-10561, Dasan.GPON.Remote.Code.Execution)Comtrend.VR-3033.Remote.Command.Injection (CVE-2020-10173)Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)DrayTek.Vigor.Router.Web.Management.Page.Command.Injection (CVE-2020-8515)ZyXEL.NAS.Pre-authentication.OS.Command.Injection (CVE-2020-9054)All network IOCs are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage. This Threat Signal will be updated when new protection becomes available.

Read More

News, Advisories and much more

Exit mobile version