Category Archives: social networks

Facebook removes 200 suspicious apps

Following the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg announced on March 21 that the company would conduct an audit to identify suspicious applications that may have exploited user data.

So far, 200 applications have been detected and removed, but their names haven’t been made public yet. Users whose data has been misused will be immediately notified by Facebook. However, this casts doubt over the company’s ability to properly secure users’ information and right to privacy.

“To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data,” reads an update written by Ime Archibong, VP of Product Partnerships. “Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

The main problem is that Facebook’s business model has always been based on sharing user data with applications and the sudden change of heart might not necessarily fix much because once the information leaves their servers, they lose control over it.

“The investigation process is in full swing, and it has two phases,” added Archibong. “First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests for information (RFI) — which ask a series of detailed questions about the app and the data it has access to — and perform audits that may include on-site inspections.”

Soon after Facebook announced partial results of its app audit, New Scientist reported that the personal data of over 3 million Facebook users collected through the Cambridge Analytica personality test had in fact been accessible to anyone for the past four years.

Twitter Plain Text Password Bug Prompts Users for Immediate Password Change

Twitter has warned its 330 million users to immediately change their passwords, as a result of a bug that caused passwords to be logged in plaintext before being hashed. Although Twitter says passwords are stored using the bcrypt hashing algorithm, it seems they were inadvertently placed in an internal log before being hashed.

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” reads the Twitter blog post. “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
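The defect Twitter describes is a logging-order bug: a request is written to a debug log before the password in it has been hashed, so the log holds the plaintext even though the credential store only ever sees a hash. The following is an added example, not Twitter's code: it shows the flawed handler beside a hardened one that hashes first and logs only a redacted view, plus an audit check that flags existing log lines carrying an unredacted sensitive field. PBKDF2-HMAC-SHA256 stands in for bcrypt so the example runs on the standard library alone; the sample form and field names are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed sample login form, as a web framework would hand it to a handler.
SAMPLE_FORM = {"username": "alice", "password": "correct horse battery staple", "remember_me": "1"}

# Field names that must never reach a log, whatever the handler does with them (assumed list).
SENSITIVE_FIELDS = {"password", "new_password", "password_confirmation", "csrf_token"}


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256. Stands in for bcrypt (which the Twitter post
    describes) so the example needs only the standard library."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def login_logs_before_hashing(form, log):
    """The failure mode the post describes: the raw form is written to a debug
    log *before* hashing, so the plaintext password lands in the log."""
    log.append(f"login attempt form={form!r}")
    return hash_password(form["password"])


def redact(form):
    """Copy of the form with every sensitive field replaced by a fixed marker."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def login_logs_redacted(form, log):
    """Hardened handler: hash first, then log only the redacted view."""
    stored = hash_password(form["password"])
    log.append(f"login attempt form={redact(form)!r}")
    return stored


# Audit check for existing logs: a sensitive field whose logged value is not the marker.
_LEAK_RE = re.compile(
    r"""['"](?:%s)['"]:\s*['"](?!<redacted>['"])"""
    % "|".join(re.escape(f) for f in sorted(SENSITIVE_FIELDS))
)


def lines_leaking_secrets(log):
    """Return the log lines that still carry a plaintext sensitive value."""
    return [line for line in log if _LEAK_RE.search(line)]
```

The redaction lives in a helper applied to anything that is logged, rather than in the one handler that happened to be found, because the same form object usually reaches several log statements, exception handlers and request dumps; the audit regex is what you would run over the retained logs to size the exposure before deciding whether a forced password reset is needed.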

The vulnerability does not appear to have been misused by cyber criminals nor have Twitter’s systems been breached or misused to access these plaintext passwords. However, because the blog post seems to encourage all Twitter users to change their passwords, it is believed that the number of potentially affected accounts is significant, and the vulnerability may have been present for months before it was detected.

“Out of an abundance of caution,” the social network strongly advises users to immediately change their account passwords, while also enabling two-factor authentication for additional security. Twitter also emphasizes that the vulnerability has been addressed, while apologizing for the incident.

“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” reads the blog post. “We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

Twitter is the second company this week to reveal the existence of a “bug” in its password management systems, with GitHub announcing a similar vulnerability just days ago. From their description and warning to users, the two companies seem to have experienced the same type of password security issue.

PROTECTING YOUR PRIVACY – Part 2: How to Maximize Your Privacy on Social Media and in Your Browser

As social media sites become a bigger part of users' daily lives, they must be increasingly careful about their online privacy.

In the last post we highlighted the privacy risks associated with using popular social networking sites and browsers. You might not appreciate just how much of your personal data is being accessed by advertisers and other third parties via your social media accounts and internet browsing. Similarly, your privacy settings may have changed significantly since the last time you checked them, meaning that you’re now over-sharing via your updates and posts online.

This could lead to various unintended consequences. For example, a prospective employer may cut you from a shortlist of candidates because they don’t like what they see on your Facebook page. Or an enterprising burglar might see from a Twitter post that you’re not at home and raid your property. Hackers might even harvest the information you share and use your identity to apply for new bank cards in your name.

Fortunately, there are things you can do to protect your privacy online — both within the sites themselves and by using third-party tools like Trend Micro’s Privacy Scanner. Let’s take a look.

Changing your Privacy Settings

You can manually configure your Privacy Settings on sites including Facebook, Twitter, Google+, LinkedIn, and more, as well as in your browser. However, no two sites are the same, and some are easier than others to navigate.

Facebook:

The good news is that following the Cambridge Analytica scandal, Facebook has made several changes designed to make it easier for you to manage your privacy settings. A privacy shortcuts button is now accessible from the top right of any Facebook page and will help you manage who can view your content; who can contact you; and how you can stop someone hassling you. In addition, anywhere you’re able to share your status updates, photos and other posts, there’s an “audience selector” tool which allows you to specify whether they can be seen by the Public (anyone on or off Facebook), Friends, or just you. Be aware that Facebook remembers your most recent setting.

The amount of data you share with apps is also increasingly important to users. Following the recent data leakage scandal, Facebook has promised to notify users if it removes any apps for breaching its terms of service; to remove an app’s access if it hasn’t been used in three months; and to reduce the data that an app can request without app review. If you want to manually review what info your Facebook apps can access, click the menu in the top right, click Settings, then go to Apps and Websites on the left-hand side. You can choose between Active, Expired or Removed websites/apps and remove those you no longer wish to access your personal data.

Twitter:

As mentioned in the previous blog, Twitter is easier to manage than Facebook, but there are some settings users may prefer to enhance their privacy. In your account, click on Settings and Privacy then Privacy and Safety and you’ll be given several options. Tweets are public by default so if you want them to be private, and only shared with approved friends, click Protect your Tweets. Similarly, there are options to remove your geolocation, not allow users to tag you in photos, or let others find you by email address/phone number. Also switch personalization off to stop sharing data with advertisers and switch off Receive Direct Messages from anyone to avoid spam direct messages.

Browser (Chrome on Windows):

As the most popular browser in the world, Google Chrome tracks and sells much of your activity to advertisers as well as sharing it with other Google products. If you don’t want to sync your personal browsing history to all devices, including your work machine, then click on the three dots in the top right-hand corner, Settings, Sync, and then toggle off the features you don’t want. You’ll need to do the same at work or for other machines.

The browser also shares information with various other services. If you’re not happy with that happening, you can toggle them off by going to Settings, Advanced (at the bottom of the page). Enabling Do Not Track will help prevent third-party sites storing your data, although it’s not 100% effective. It’s also a good idea to keep on the service protecting you and your device from dangerous sites.

Click on “content settings” to dive into additional privacy settings. Go into Cookies and “keep local data until you quit your browser” to limit what data sites can harvest from you. Finally, consider using a password manager from a third-party expert like Trend Micro instead of storing your passwords in the browser, since it’s far more secure.

Automate Privacy Settings with Trend Micro Privacy Scanner

If you want an easier way to manage your privacy on social media and browsers, consider the Trend Micro Privacy Scanner feature, which is available within Trend Micro Security on Windows and Mac, and within Mobile Security on Android and iOS. While we can’t help you with all your social network settings, we can certainly help you with quick and easy fixes on four major platforms, as well as their linked apps, and in Windows browsers.

For Windows, the social networks covered are Facebook, Twitter, Google+, and LinkedIn, as well as Internet Explorer, Chrome, and Firefox browsers. Privacy Scanner also works on Macs the same way for the same social networking platforms. And it works on Android (for Facebook) and iOS (for Facebook and Twitter). It’s turned on by default in Trend Micro Internet, Maximum and Premium Security and can also be launched from the Trend Micro Toolbar. Either click on the Privacy icon in the Console, or in the browser, select the Trend Micro Toolbar and “Check your Online Privacy.” Here are a few scenarios:

Facebook on Windows

A Facebook sign-in page is shown by default by the Privacy Scanner. Sign in and then click See Scan Results. Click Fix All and then Fix to fix all the issues highlighted, or click the drop-down to tackle them individually. You can also view any apps here which may have privacy concerns. If you want to fix each separately, click “Who can see each app and its posts?”

Once that has been completed you will get a message saying your friends’ accounts need help. In that case you can share a link to the Privacy Scanner with them on the social network.

Chrome on Windows

To start a scan, open up your browser. In the Trend Micro toolbar, select Check your online privacy. The Trend Micro Privacy Scanner portal will appear. Click on the browser you want to check. The scanner will show you where there are privacy concerns. Click Fix All and then Fix or manually fix/edit each one.

Twitter on iOS

To scan and fix Twitter via Trend Micro Mobile Security on iOS, swipe the Safe Surfing shield to the left and tap the Social Network Privacy Shield in the main Console. (Note: this UI will change in the Fall of 2018.) Tap the Twitter icon to sign in and then Login to start the scan. Tap Improve Now or the individual settings panel to change the settings. The feature works similarly on Android.

Trend Micro Password Manager

Finally, Trend Micro Password Manager has been designed to help you protect the privacy of your account passwords across PCs, Macs, Android and iOS. It’s worth considering as an alternative to storing your online credentials in the browser, which exposes them to hackers. Trend Micro Password Manager is automatically installed with Trend Micro Maximum Security, but you can also install a free or paid stand-alone edition of the product, Password Manager.

  • Generates highly secure, unique and tough-to-hack passwords for each of your online accounts
  • Securely stores and recalls these credentials so you don’t have to remember them
  • Offers an easy way to change passwords, if any do end up being leaked or stolen
  • Makes it quick and easy to manage your passwords from any location, on any device and browser

At Trend Micro we understand that protecting your privacy and security online is becoming increasingly challenging. That’s why we’ve done our best to do the hard work for you—helping you to enjoy your digital life safely and easily.

For more info or to purchase Trend Micro Security for PC and Mac, as well as Trend Micro Mobile Security for iOS and Android, go here.

To watch a video on using Trend Micro Privacy Scanner, go here.

For more info on Trend Micro Password Manager go here, or to watch videos on using Password Manager go here.


You vs. the Internet: 5 Hands-On Ways to Begin Safeguarding Your Family’s Privacy

Data mining. Privacy breaches. Malicious third parties. Do you ever feel like these scary sounding, albeit significant, concerns got left at the curb somewhere between carpool duty, doctor appointments, and trying to hit two softball games and a track meet in the same day?

You are far from alone. If asked, most of us would confess: Our digital safety habits aren’t keeping up with the wild pace of technology. We understand the risks to our privacy online, but few of us have the time to protect it.

Have you given up? Perhaps you believe the internet is winning and that personal privacy is an outdated, even naïve, expectation online.

That sentiment is true but only to a small extent. Here’s what’s truer: With intention, a small chunk of time — and enlisting the whole family — you can begin to rewrite your privacy future.

You can take steps toward managing (and enjoying) your technology like a boss. Here’s how to get the whole crew on board for a family-wide privacy update.

5 Hands-On Ways to Begin Safeguarding Your Family’s Online Data

  1. Call a family huddle. Change takes action. A successful family-wide privacy update will require, well, the whole family. Call a family huddle. Ask each family member to inventory all devices including phones, tablets, PCs, toys, televisions, gaming systems. This list represents vulnerabilities or points of entry. Assign responsibility to each device. Just as you’d lock windows and doors, commit to securing down digital doorways. Huddle goals: Make privacy a family priority, discuss the online risks, challenge your digital-loving pack to higher digital standards, set up a reward system for keeping family devices safe. Remember: Technology is a privilege, not a right (no matter how culture positions it to the contrary).
  2. Upgrade privacy settings on social platforms. Any social platform — be it Facebook, Instagram, Snapchat or others — requires attention when it comes to protecting personal data. Go through each app and update your privacy settings. Educate yourself on what data you are sharing and with whom. Look closely at the information you’ve willingly shared, and make adjustments from there. For kids: Wipe social profiles clean of any personal information such as school name, age, address, phone number, email, location, and any other personal content.
  3. Scrub apps, update software, add security. Technology brings with it oodles of convenience. However, as with an automobile, our tech also needs maintenance to be enjoyed responsibly. Smartphones, tablets, televisions, and PCs require regular cleaning and updating. As a family, commit to making these changes. 1) Delete unused apps 2) Select “auto update” for software on both your mobile devices and computers 3) Install (and update) robust security software that protects devices against viruses, hackers, and spyware. Useful security software should also filter offensive content, pictures, and websites.
  4. Create strong, unique passphrases. As part of your family’s overall security update, make sure to create strong passwords for family devices. What’s a strong password? According to the National Institute of Standards and Technology (NIST), think in terms of a passphrase rather than a password. Passphrases should be simple, long and memorable. They should contain lowercase letters and word associations only you would know. For instance: cottoncandyskies, burntsmoresinsummer, or poetrypinkpasta. Make sure everyone from the eight-year-old to the 18-year-old understands why it’s important to use strong, unique passphrases. To reinforce this, consider a reward for family members who stay on top of their digital housekeeping.
  5. Follow-through, follow-through, follow-through! The only plan of any value is the one that is executed. So much of parenting is spent communicating goals, but effective parenting happens in following through with those goals. Be a firm, focused digital parent. Don’t just communicate the digital risks; follow through to make sure your child makes the hands-on changes listed here to protect their online data. Sit down, watch them do it. Review devices and settings. Discuss and physically check off privacy basics which include: 1) Updating privacy settings on devices and social networks 2) Use strong passphrases 3) Not sharing personal information online 4) Deleting unused apps and auto-updating software 5) Making digital privacy a personal priority.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post You vs. the Internet: 5 Hands-On Ways to Begin Safeguarding Your Family’s Privacy appeared first on McAfee Blogs.

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?


Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites are in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

Clandestine Fox, Part Deux

We reported at the end of April and the beginning of May on an APT threat group leveraging a zero-day vulnerability in Internet Explorer via phishing email attacks. While Microsoft quickly released a patch to help close the door on future compromises, we have now observed the threat actors behind “Operation Clandestine Fox” shifting their point of attack and using a new vector to target their victims: social networking.

An employee of a company in the energy sector recently received an email with a RAR archive email attachment from a candidate. The attachment, ostensibly containing a resume and sample software program the applicant had written, was from someone we’ll call “Emily” who had previously contacted the actual employee via a popular social network.

FireEye acquired a copy of the suspicious email – shown below in Figure 1 – and attachment from the targeted employee and investigated. The targeted employee confirmed that “Emily” had contacted him via the popular social network, and that, after three weeks of back-and-forth messaging, “she” sent her “resume” to his personal email address.

Figure 1: Sample email illustrating how “Emily” attacks a victim employee

Working our way backwards, we reviewed “Emily’s” social network profile and noticed a few strange aspects that raised some red flags. For example, “her” list of contacts had a number of people from the victim’s same employer, as well as employees from other energy companies; “she” also did not seem to have many other “friends” that fit “her” alleged persona. “Her” education history also contained some fake entries.

Further research and discussions with the targeted company revealed that “Emily,” posing as a prospective employee, had also contacted other personnel at the same company. She had asked a variety of probing questions, including inquiring who the IT Manager was and what versions of software they ran – all information that would be very useful for an attacker looking to craft an attack.

It’s worth emphasizing that in the instances above, the attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target’s personal email address, rather than his or her work address. This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses.

Details - Email Attachment #1

The resume.rar archive contained three files: a weaponized version of the open-source TTCalc application (a mathematical big number calculator), a benign text copy of the TTCalc readme file, and a benign PDF of Emily’s resume. The resume was a nearly identical copy of a sample resume available elsewhere on the Internet.  The file details are below.

Filename     MD5 Hash
resume.rar   8b42a80b2df48245e45f99c1bdc2ce51
readme.txt   8c6dba68a014f5437c36583bbce0b7a4
resume.pdf   ee2328b76c54dc356d864c8e9d05c954
ttcalc.exe   e6459971f63612c43321ffb4849339a2

Upon execution, ttcalc.exe drops the two files listed below, and also launches a legitimate copy of TTCalc v0.8.6 as a decoy:

%USERPROFILE%/Application Data/mt.dat

%USERPROFILE%/Start Menu/Programs/Startup/vc.bat

The file mt.dat is the actual malware executable, which we detect as Backdoor.APT.CookieCutter. (Variants of this family of backdoor are also referred to as “Pirpi” in the security industry). In this case, the malware was configured to use the following remote servers for command and control:

  • swe[.]karasoyemlak[.]com
  • inform[.]bedircati[.]com (Note: This domain was also used during Operation Clandestine Fox)
  • 122.49.215.108

Metadata for mt.dat:

Description    Value
md5            1a4b710621ef2e69b1f7790ae9b7a288
.text          917c92e8662faf96fffb8ffe7b7c80fb
.rdata         975b458cb80395fa32c9dda759cb3f7b
.data          3ed34de8609cd274e49bbd795f21acc4
.rsrc          b1a55ec420dd6d24ff9e762c7b753868
.reloc         afd753a42036000ad476dcd81b56b754
Import Hash    fad20abf8aa4eda0802504d806280dd7
Compile date   2014-05-27 15:48:13

Contents of vc.bat:

  @echo off
  cmd.exe /C start rundll32.exe "C:\Documents and Settings\admin\Application Data\mt.dat" UpdvaMt
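The persistence mechanism above is compact but distinctive: a batch file in the per-user Startup folder asks rundll32.exe to load a module from a user-writable profile directory, and the module does not even carry a .dll extension. The following is an added detection example, not FireEye's code, that scans batch scripts for rundll32 invocations and flags those three traits; vc.bat is taken from the report as printed, while the benign comparison script, the helper DLL path and the directory hint list are constructed.

```python
import re

# vc.bat contents as given in the report (line break restored); the malicious sample.
VC_BAT = (
    '@echo off\r\n'
    'cmd.exe /C start rundll32.exe '
    '"C:\\Documents and Settings\\admin\\Application Data\\mt.dat" UpdvaMt\r\n'
)

# Constructed benign startup script for contrast (not from the report).
BENIGN_BAT = (
    '@echo off\r\n'
    'rundll32.exe "C:\\Program Files\\ExampleVendor\\helper.dll",RefreshSettings\r\n'
)

# rundll32 <module> <entry>: the module may be quoted; the entry follows a comma or a space.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))\s*,?\s*(?P<entry>\S*)',
    re.IGNORECASE,
)

# Directories a standard user can write to (assumed list); planting a module
# there needs no administrative rights.
USER_WRITABLE_HINTS = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")
STARTUP_HINT = "\\start menu\\programs\\startup\\"


def findings_for_batch(path, content):
    """Scan one batch file for rundll32 invocations and return a list of findings,
    each with the module path, entry point and the reasons it looks suspicious."""
    findings = []
    in_startup = STARTUP_HINT in path.lower()
    for lineno, line in enumerate(content.splitlines(), 1):
        m = RUNDLL_RE.search(line)
        if not m:
            continue
        module = m.group("quoted") or m.group("bare")
        reasons = []
        if not module.lower().endswith(".dll"):
            reasons.append("rundll32 module does not have a .dll extension")
        if any(hint in module.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append("module lives in a user-writable profile directory")
        if in_startup:
            reasons.append("script sits in a Startup folder (runs at every logon)")
        if reasons:
            findings.append({"file": path, "line": lineno, "module": module,
                             "entry": m.group("entry"), "reasons": reasons})
    return findings
```

Each trait on its own has legitimate uses, which is why the function reports the reasons rather than a verdict: a single rundll32 call from Program Files produces nothing, while the report's vc.bat trips all three, and an analyst can weight them however the environment warrants. The same logic applies unchanged to Run-key values or scheduled-task actions once their command lines are extracted.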

Details - Email Attachment #2

Through additional research, we were able to obtain another RAR archive email attachment sent by the same attackers to an employee of another company. Note that while there are a lot of similarities, such as the fake resume and inclusion of TTCalc, there is one major difference, which is the delivery of a completely different malware backdoor. The attachment name this time was “my resume and projects.rar,” but this time it was protected with the password “TTcalc.”

Filename                     MD5 Hash
my resume and projects.rar   ab621059de2d1c92c3e7514e4b51751a
SETUP.exe                    510b77a4b075f09202209f989582dbea
my resume.pdf                d1b1abfcc2d547e1ea1a4bb82294b9a3

SETUP.exe is a self-extracting RAR, which opens the WinRAR window when executed, prompting the user for the location to extract the files. It writes them to a TTCalc folder and tries to launch ttcalcBAK.exe (the malware dropper), but the path is incorrect so it fails with an error message. All of the other files are benign and related to the legitimate TTCalc application.

Filename        MD5 Hash
CHANGELOG       4692337bf7584f6bda464b9a76d268c1
COPYRIGHT       7cae5757f3ba9fef0a22ca0d56188439
README          1a7ba923c6aa39cc9cb289a17599fce0
ttcalc.chm      f86db1905b3f4447eb5728859f9057b5
ttcalc.exe      37c6d1d3054e554e13d40ea42458ebed
ttcalcBAK.exe   3e7430a09a44c0d1000f76c3adc6f4fa

The file ttcalcBAK.exe is also a self-extracting RAR which drops and launches chrome_frame_helper, a Backdoor.APT.Kaba (aka PlugX/Sogu) backdoor that uses a legitimate Chrome executable to load the malicious DLL via side-loading. Although this backdoor is used by multiple threat groups and is quite commonly seen these days, this is the first time we've observed this particular threat group using this family of malware. The malware was configured to communicate with the command and control domain www[.]walterclean[.]com (72.52.83.195 at the time of discovery) using the binary TCP protocol only. The file details are below, followed by the malware configuration.

Filename                      MD5 Hash
chrome_frame_helper.dll       98eb249e4ddc4897b8be6fe838051af7
chrome_frame_helper.dll.hlp   1b57a7fad852b1d686c72e96f7837b44
chrome_frame_helper.exe       ffb84b8561e49a8db60e0001f630831f

Metadata (chrome_frame_helper.dll)   Value
md5                                  98eb249e4ddc4897b8be6fe838051af7
.text                                dfb4025352a80c2d81b84b37ef00bcd0
.rdata                               4457e89f4aec692d8507378694e0a3ba
.data                                48de562acb62b469480b8e29821f33b8
.reloc                               7a7eed9f2d1807f55a9308e21d81cccd
Import hash                          6817b29e9832d8fd85dcbe4af176efb6
Compile date                         2014-03-22 11:08:34

Backdoor.APT.Kaba Malware Configuration:

PlugX Config (0x150c bytes):

Flags: False True False False False False True True True True False
Timer 1: 60 secs
Timer 2: 60 secs
C&C Address: www[.]walterclean[.]com:443 (TCP)
Install Dir: %ALLUSERSPROFILE%\chrome_frame_helper
Service Name: chrome_frame_helper
Service Disp: chrome_frame_helper
Service Desc: Windows chrome_frame_helper Services
Online Pass: 1234
Memo: 1234

Open Source Intel

The domain walterclean[.]com shares registration details with securitywap[.]com:

The following domains are registered to QQ360LEE@126.COM

Domain: walterclean[.]com

Create Date: 2014-03-26 00:00:00

Registrar: ENOM, INC.

Domain: securitywap[.]com

Create Date: 2014-03-26 00:00:00

Registrar: ENOM, INC.
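The indicators in this report are printed defanged (the `[.]` convention), so they cannot be pasted straight into a matcher; and the C2 list mixes hostnames, IPs and a registered-domain pivot. The following is an added example, not FireEye's tooling, that refangs the report's C2 indicators, matches them (exact or subdomain) against the host fields of log lines, and looks up an endpoint hash inventory against the report's MD5s. The log lines, the `query=`/`dst=` field format, and the inventory paths and the all-zero benign hash are constructed; the indicator values themselves come from the report.

```python
import hashlib
import re

# Command-and-control indicators from the report, defanged as printed there.
C2_INDICATORS = [
    "swe[.]karasoyemlak[.]com",
    "inform[.]bedircati[.]com",
    "122.49.215.108",
    "www[.]walterclean[.]com",
    "72.52.83.195",
]

# File hashes from the report, labelled with the role the report assigns each file.
MD5_INDICATORS = {
    "e6459971f63612c43321ffb4849339a2": "ttcalc.exe (weaponized dropper, attachment #1)",
    "1a4b710621ef2e69b1f7790ae9b7a288": "mt.dat (Backdoor.APT.CookieCutter)",
    "3e7430a09a44c0d1000f76c3adc6f4fa": "ttcalcBAK.exe (SFX dropper, attachment #2)",
    "98eb249e4ddc4897b8be6fe838051af7": "chrome_frame_helper.dll (Backdoor.APT.Kaba / PlugX)",
}


def refang(indicator):
    """Turn the printed, defanged form back into the value a log field will hold."""
    return indicator.replace("[.]", ".").lower()


REFANGED_C2 = {refang(i) for i in C2_INDICATORS}

# Constructed DNS, proxy and firewall log lines; the host sits in 'query=' or 'dst='.
SAMPLE_LOGS = [
    "2014-06-02T09:14:03Z dns client=10.1.4.22 query=inform.bedircati.com type=A",
    "2014-06-02T09:14:05Z proxy client=10.1.4.22 dst=www.walterclean.com:443 method=CONNECT",
    "2014-06-02T09:15:11Z dns client=10.1.4.23 query=www.example.com type=A",
    "2014-06-02T09:16:40Z fw client=10.1.4.22 dst=122.49.215.108:443 action=allow",
]

HOST_RE = re.compile(r"(?:query|dst)=([A-Za-z0-9.-]+)")


def host_matches(host):
    """Exact match, or the host is a subdomain of a listed indicator."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in REFANGED_C2)


def match_network_logs(lines):
    """Return one hit per log line whose host field matches a C2 indicator."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            if host_matches(host):
                hits.append({"line": line, "indicator": host.lower()})
    return hits


def match_file_hashes(inventory):
    """inventory maps a file path to its MD5, e.g. from an endpoint hash sweep;
    hashes are compared case-insensitively."""
    hits = []
    for path, md5 in inventory.items():
        label = MD5_INDICATORS.get(md5.lower())
        if label:
            hits.append({"path": path, "md5": md5.lower(), "label": label})
    return hits


def md5_of(data):
    """Hash raw file contents read from disk before looking them up."""
    return hashlib.md5(data).hexdigest()
```

The subdomain rule matters for the bedircati[.]com and karasoyemlak[.]com entries, where the report names one host but the actors control the whole domain; for the walterclean[.]com case the registrant pivot in the Open Source Intel section suggests also watching securitywap[.]com, which the block leaves to the reader since the report records no traffic to it.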

Conclusion

In short, we attributed these attacks to the same threat actor responsible for “Operation Clandestine Fox,” based on the following linkages:

  • The first-stage malware (mt.dat) is a slightly updated version of the Backdoor.APT.CookieCutter malware dropped during Operation Clandestine Fox
  • Based on our intel, Backdoor.APT.CookieCutter has been used exclusively by this particular threat group
  • Finally, the command and control domain inform[.]bedircati[.]com seen in this activity was also used during the Clandestine Fox campaign

Another evolutionary step for this threat group is that they have diversified their tool usage with the use of the Kaba/PlugX/Sogu malware – something we have never seen them do before.

As we have noted in other blog posts, APT threat actors take advantage of every possible vector to try to gain a foothold in the organizations they target. Social networks are increasingly used for both personal and business reasons, and are one more potential threat vector that both end-users and network defenders need to think about.

Unfortunately, it is very common for users to let their guard down when using social networks or personal email, since they don’t always treat these services with the same level of risk as their work email.  As more companies allow their employees to telecommute, or even allow them to access company networks and/or resources using their personal computers, these attacks targeting their personal email addresses pose significant risk to the enterprise.

Acknowledgements

 The author would like to acknowledge the following colleagues for their contributions to this report: Josh Dennis, Mike Oppenheim, Ned Moran, and Joshua Homan.