Daily Archives: April 22, 2019

Who’s Behind the RevCode WebMonitor RAT?

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.

Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.

Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.

Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”

The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.

According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.

A letter from Alex Yücel’s parents to the court in June 2016.

McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs

*This blog is originally from August 2018 and was updated April 2019*

From connected baby monitors to smart speakers — IoT devices are becoming commonplace in modern homes. Their convenience and ease of use make them seem like the perfect gadgets for the whole family. However, users can be prone to putting basic security hygiene on the backburner when they get a shiny new IoT toy, such as applying security updates, using complex passwords for home networks and devices, and isolating critical devices or networks from IoT. Additionally, IoT devices’ poor security standards make them conveniently flawed for someone else: cybercriminals, as hackers are constantly tracking flaws which they can weaponize. When a new IoT device is put on the market, these criminals have a new opportunity to expose the device’s weaknesses and access user networks. As a matter of fact, our McAfee Labs Advanced Threat Research team uncovered a flaw in one of these IoT devices: the Wemo Insight Smart Plug, which is a Wi-Fi–connected electric outlet.

Once our research team figured out how exactly the device was vulnerable, they leveraged the flaw to test out a few types of cyberattacks. The team soon discovered an attacker could leverage this vulnerability to turn off or overload the switch, which could overheat circuits or turn a home’s power off. What’s more – this smart plug, like many vulnerable IoT devices, creates a gateway for potential hackers to compromise an entire home Wi-Fi network. In fact, using the Wemo as a sort of “middleman,” our team leveraged this open hole in the network to power a smart TV on and off, which was just one of the many things that could’ve been possibly done.

And as of April 2019, the potential of a threat born from this vulnerability seems as possible as ever. Our ATR team even has reason to believe that cybercriminals already have or are currently working on incorporating the unpatched Wemo Insight vulnerability into IoT malware. IoT malware is enticing for cybercriminals, as these devices are often lacking in their security features. With companies competing to get their versions of the latest IoT device on the market, important cybersecurity features tend to fall by the wayside. This leaves cybercriminals with plenty of opportunities to expose device flaws right off the bat, creating more sophisticated cyberattacks that evolve with the latest IoT trends.

Now, our researchers have reported this vulnerability to Belkin, and, almost a year after initial disclosure, are awaiting a follow-up. However, regardless if you’re a Wemo user or not, it’s still important you take proactive security steps to safeguard all your IoT devices. Start by following these tips:

  • Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Change default passwords and do an update right away. If you purchase a connected device, be sure to first and foremost change the default password. Default manufacturer passwords are rather easy for criminals to crack. Also, your device’s software will need to be updated at some point. In a lot of cases, devices will have updates waiting from them as soon as they’re taken out of the box. The first time you power up your device, you should check to see if there are any updates or patches from the manufacturer.
  • Keep your firmware up-to-date. Manufacturers often release software updates to protect against these potential vulnerabilities. Set your device to auto-update, if you can, so you always have the latest software. Otherwise, just remember to consistently update your firmware whenever an update is available.
  • Secure your home’s internet at the source. These smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs appeared first on McAfee Blogs.

The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login

How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.

So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.

Images courtesy of Bleeping Computer.
Images courtesy of Bleeping Computer.

Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in a [.]me.
  • Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.

Our PaaS App Sprung a Leak

Many breaches start with an “own goal,” an easily preventable misconfiguration or oversight that scores a goal for the opponents rather than for your team. In platform-as-a-service (PaaS) applications, the risk profile of the application can lure organizations into a false sense of security. While overall risk to the organization can be lowered, and new capabilities otherwise unavailable can be unlocked, developing a PaaS application requires careful consideration to avoid leaking your data and making the task of your opponent easier.

PaaS integrated applications are nearly always multistep service architectures, leaving behind the simplicity of yesterday’s three-tier presentation/business/data logic applications and basic model-view-controller architectures. While many of these functional patterns are carried forward into modern applications—like separating presentation functions from the modeled representation of a data object—the PaaS application is nearly always a combination of linear and non-linear chains of data, transformation, and handoffs.

As a simple example, consider a user request to generate a snapshot of some kind of data, like a website. They make the request through a simple portal. The request would start a serverless application, which applies basic logic, completes information validation, and builds the request. The work goes into a queue—another PaaS component. A serverless application figures out the full list of work that needs to be completed and puts those actions in a list. Each of these gets picked up and completed to build the data package, which is finally captured by another serverless application to an output file, with another handoff to the publishing location(s), like a storage bucket.

Planning data interactions and the exposure at each step in the passing process is critical to the application’s integrity. The complexity of PaaS is that the team must consider threats both for each script/step at a basic level individually as well as holistically for the data stores in the application. What if I could find an exploit in one of the steps to arbitrarily start dumping data? What if I found a way to simply output more data unexpectedly than it was designed to do? What if I found a way to inject data instead, corrupting and harming rather than stealing?

The familiar threats of web applications are present, and yet our defensive posture is shaped by which elements of the applications we can see and which we cannot. Traditional edge and infrastructure indicators are replaced by a focus on how we constructed the application and how to use cloud service provider (CSP) logging together with our instrumentation to gain a more holistic picture.

In development of the overall application, the process architecture is as important as the integrity of individual technical components. The team leadership of the application development should consider insider, CSP, and external threats, and consider questions like:

  • Who can modify the configuration?
  • How is it audited? Logged? Who monitors?
  • How do you discover rogue elements?
  • How are we separating development and production?
  • Do we have a strategy to manage exposure for updates through blue/green deployment?
  • Have we considered the larger CSP environment configuration to eliminate public management endpoints?
  • Should I use third-party tools to protect access to the cloud development and production environment’s management plane, such as a cloud access broker, together with cloud environmental tools to enumerate accounts and scan for common errors?

In the PaaS application construction, the integrity of basic code quality is magnified. The APIs and/or the initiation processes of serverless steps are the gateway to the data and other functions in the code. Development operations (DevOps) security should use available sources and tools to help protect the environment as new code is developed and deployed. These are a few ways to get your DevOps team started:

  • Use the OWASP REST Security Cheat Sheet for APIs and code making calls to other services directly.
  • Consider deploying tools from your CSP, such as the AWS Well-Architected Tool on a regular basis.
  • Use wrappers and tie-ins to the CSP’s PaaS application, such as AWS Lambda Layers to identify critical operational steps and use them to implement key security checks.
  • Use integrated automated fuzzing/static test tools to discover common missteps in code configuration early and address them as part of code updates.
  • Consider accountability expectations for your development team. How are team members encouraged to remain owners of code quality? What checks are necessary to reduce your risk before considering a user story or a specific implementation complete?

The data retained, managed, and created by PaaS applications has a critical value—without it, few PaaS applications would exist. Development teams need to work with larger security functions to consider the privacy requirements and security implications and to make decisions on things like data classification and potential threats. These threats can be managed, but the specific countermeasures often require a coordinated implementation between the code to access data stores, the data store configuration itself, and the dedicated development of separate data integrity functions, as well as a disaster recovery strategy.

Based on the identified risks, your team may want to consider:

  • Using data management steps to reduce the threat of data leakage (such as limiting the amount of data or records which can be returned in a given application request).
  • Looking at counters, code instrumentation, and account-based controls to detect and limit abuse.
  • Associating requests to specific accounts/application users in your logging mechanisms to create a trail for troubleshooting and investigation.
  • Recording data access logging to a hardened data store, and if the sensitivity/risk of the data store requires, transition logs to an isolated account or repository.
  • Asking your development team what the business impact of corrupting the value of your analysis, or the integrity of the data set itself might be, for example, by an otherwise authorized user injecting trash?

PaaS applications offer compelling value, economies of scale, new capabilities, and access to advanced processing otherwise out of reach for many organizations in traditional infrastructure. These services require careful planning, coordination of security operations and development teams, and a commitment to architecture in both technical development and managing risk through organizational process. Failing to consider and invest in these areas while rushing headlong into new PaaS tools might lead your team to discover that your app has sprung a leak!

The post Our PaaS App Sprung a Leak appeared first on McAfee Blogs.

From Internet to Internet of Things

Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.

A Connected Evolution

Our connected world started to blossom with our first form of digital communication in the late 1800s –– Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.

Just ten years ago, there were less than one billion IoT devices in use around the world. In the year 2019, that number has been projected to skyrocket to over eight billion throughout the course of this year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.

Moving Forward with Security Top of Mind

If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first a picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to not only fit evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post From Internet to Internet of Things appeared first on McAfee Blogs.

Seqrite mSuite can be the perfect solution for the education industry

Estimated reading time: 3 minutes

While financial institutions like banks or other multinational corporations (MNCs) occupy the bulk of headlines when it comes to topics like cybersecurity and data breach, it would be foolish to disregard the threats that organizations in the education industry face. Consider the sheer scale of the kind of information a school, college or any other educational institution receives and stores. At the very least, this data will contain names, addresses, personal credentials, financial details, photos, medical information for potentially thousands of students and teachers. That is a massive amount of Personally Identifiable Information (PII).

Ultra-sensitive data

The nature of the data will most likely be ultra-sensitive. Educational institutes are attended by young students, some possibly even underage. This is extremely precarious data which can be dangerous and can ruin lives & families in the wrong hands. This is also exactly the kind of information that an attacker would want to replicate cyber identities for other types of crime. Attackers are also likely to target these type of organizations for two major reasons:  i) hackers sometimes correctly estimate that these organizations do not give cybersecurity its due importance, and ii) the kind of information educational institutes store are a veritable goldmine for them.

Hence, it is critical for educational sector organizations to invest in strong cybersecurity solutions, especially when it comes to mobile devices. As educational organizations get more connected, the number of entry points through a hacker can enter a closed network increase.

Seqrite mSuite is a simple and comprehensive yet extremely powerful tool which organizations in the educational sector can consider to manage all mobile devices running on Android and iOS. It allows the network manager to get total control over the apps being installed on official devices, monitor the internet usage patterns, track the device location, apply policies as per location and time and provide support through remote device control as well as file transfer. This allows the organization to remain in total control of what’s happening with its data even beyond their own network.

The benefits of Seqrite mSuite

In particular, the following features offered by Seqrite mSuite make it the perfect solution for the education industry:

  • Comprehensive Mobile Security & Anti-Theft

Since the solution is cloud-based, it can be easily used by educational institutions while offering comprehensive mobile security. Any mobile device can be easily located, locked or erased in case of theft or damage.

  • App Management

Educational institutes need to manage control of external applications in a digital classroom situation which mSuite’s App Management feature allows seamlessly. App Distribution pushes apps and updates from the server to the mobile with the ability of certain apps to be recommended. Custom apps can be published to a specified organizational App Store while App Control allows blacklisting or whitelisting of specific applications or certain categories of applications.

  • Launcher & Kiosk Mode

The launcher & kiosk mode feature is extremely useful for use in an educational environment. The launcher enables control over the use of apps on devices and enables the configuration of selected apps for use within the organization. This way, educational institutes can control the type of apps used by students and prevent the use of apps they want to disallow. The Kiosk mode, on the other hand, transforms a device to use a single app for a single purpose within a system kiosk mode which can be extremely useful for organizations who want to restrict mobile devices to just educational content.

  • Fencing & Data Monitoring

Seqrite mSuite allows digital boundaries to be defined and restrictions to be applied on devices in regards to Wi-FI, Geo and Time Fence. Through this feature, institutes can regulate usage of mobile devices within the digital classroom. Network Data Monitoring also allows the monitoring of data usage over mobile and Wi-Fi networks.

These features make Seqrite mSuite a great investment for educational organizations for usage in the digital classroom.

The post Seqrite mSuite can be the perfect solution for the education industry appeared first on Seqrite Blog.