Cyberweekly #57 - Malware is still your biggest threat

Sent on 2019-06-22

Are you worried that nation states are coming to get you? That the cyber criminals will breach your systems and steal all of your data? Malware, distributed by email or phishing is still the biggest threat to most businesses, and of that malware, the most common is still ransomware. Malware families like Emotet spread because users open attachments to their email and infect their machine. That malware then spreads from machine to machine, using tools like Mimikatz to steal credentials and move from machine to machine. The payload that they eventually drop is normally some form of ransomware.

We've seen cities bought to their knees by this, both those that paid the ransomware fee and those that didn't, and of course, how much can you trust someone who has demanded money from you. Once it's public that you were a victim, everyone else will know that you were infected and you could be high on the target lists in future.

What can you do about ransomware and malware attacks? We know that training users not to click doesn't work because most users have to open attachments as part of their job! Strong multi-layer defences do work against email based malware attacks. If you are using a modern cloud productivity suite such as Office 365 or Google Suite, then you almost certainly get world class scanning as part of that productivity package. But additionally you need antivirus running on your desktop machines that can catch malware when it executes. You also need to contain the infection, and try to prevent it spreading around your network. This is harder, but segmented networks are the way to go to ensure that the spread is contained only to a small business area rather than your entire organisation.

Tools and magic black boxes that are designed to prevent "Advanced Persistent Attackers" are often snakeoil in a can. Most of the reports from APT's shows that they'll start with just sending you simple malware by email, the same as all the other attackers, and only if that doesn't work will they move on to more advanced techniques. Make them work for it and protect yourself against the lowest common denominator of attacks.

Proofpoint Q1 2019 Threat Report: Emotet carries the quarter with consistent high-volume campaigns | Proofpoint
https://www.proofpoint.com/us/threat-insight/post/proofpoint-q1-2019-threat-report-emotet-carries-quarter-consistent-high-volume

Assume users will click. Social engineering is increasingly the most popular way to launch email attacks, and criminals continue to find new ways to exploit the human factor. Leverage a solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox.

Build a robust email fraud defense. Highly targeted, low-volume email fraud attacks often have no payload at all and are thus difficult to detect. Preventing email fraud requires a multilayered solution that includes email authentication and domain discovery, as well as dynamic classification that can analyze the content and context of emails, stopping display-name and lookalike-domain spoofing at the email gateway.

Protect your brand reputation and customers. Fight attacks targeting your customers over social media, email, and mobile—especially fraudulent accounts that piggyback on your brand. Look for a comprehensive digital risk solution that scans all domains related to your brand and reports potentially fraudulent activity.

Two things from this report. The first is that some 60% of malware being run on desktop machines is Emotet malware. That's a huge percentage of the malware, and shows that good generic malware with changeable payloads does have a market dominance effect. Interestingly until recently Emotet was primarily banking malware, but it's been reclassified by Proofpoint this quarter as "botnet" malware instead. This is because Emotet spreads and then takes command and control from a central location, including downloading a second stage for for exploitation. This can be something like TrickBot which uses the EternalBlue and DoublePulsar exploits to spread, or can be traditional banking malware like Dridex.

The primary method for Emotet to spread is via email attachments and links in email. Therefor we are back to the normal advice of "don't click links in emails". But as Proofpoint says here, you should assume that users will click. You should be using technical methods for minimising the amount of bad email that comes to users, as well as handling post infection remediation.

Florida city gives in to $600,000 bitcoin ransomware demand
https://www.engadget.com/2019/06/20/florida-hacker-ransom-riviera-beach/

Aside from locking down the files, the attack took down the city email network, forced Riviera Beach to pay employees and contractors by check instead of direct deposit and made it so 911 dispatchers couldn't enter calls into their systems. The city says there was no delay in response time despite the technological barrier.

Security consultants urged the city to pay up, according to the Associated Press, despite the risk the hackers won't restore the systems and files. The city's insurance provider will cover the payment. Riviera Beach also voted earlier this month to spend $941,000 to replace its computers and other hardware after the hackers took over on May 29th.

While Riviera Beach isn't the only entity to have met hackers' ransom demands (plenty of other municipalities, businesses and people have done so), others have refused to pay up. Notably, Baltimore decided not to fork over $76,000 in bitcoin when hackers hampered city systems last month. That's despite the attack ultimately costing the city north of $18 million.

Cybersecurity specialists suggested that they pay the ransom and claim against their cyber insurance. We covered this a few weeks ago [Well, Joel did, I just kept it a few weeks], and there's a lot of wiggle room in cyberinsurance. I don't think anybody has a good grip on what taking reasonable precautions would mean, because there is no industry standard baseline to prove that you were being careless or not. I'd expect the insurer to claim that running out of date machines and not patching would not be "reasonable care" and to refuse to pay out.

However, if you have no backups, and those systems contain critical data, then what else can you do but pay the ransom. The next step is to ensure that you never get caught by this again, and make sure that you have backups, and that you can cope with ransomware by burning it to the ground and restoring your data from it's healthily backed up location.

New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux - Malwarebytes Labs | Malwarebytes Labs
https://blog.malwarebytes.com/mac/2019/06/new-mac-cryptominer-malwarebytes-detects-as-bird-miner-runs-by-emulating-linux/

Bird Miner malware is somewhat stealthy, as it will bail out at multiple points if Activity Monitor is running, and it effectively obfuscates the miner code by hiding it inside Qemu images.

However, it also shoots itself in the foot, stealth-wise, by using quite obvious launch daemons for persistence, and by using shell scripts to kick everything off. These things don’t reveal the intent of the malware, but it’s pretty easy for a savvy user to notice that something suspicious is going on.

More interesting is the fact that the malware runs via emulation, when it could easily have run as native code. This would have given the malware better performance and a smaller footprint. Further, the fact that the malware runs two separate miners, each running from their own 130 MB Qemu image file, means that the malware consumes far more resources than necessary.

The fact that Bird Miner was created this way likely indicates that the author probably is familiar with Linux, but is not particularly well-versed in macOS. Although this method does obfuscate the miner itself, which could help the malware evade detection, that benefit is countered by reliance on shell scripts and the heavy footprint of running not one but two miners simultaneously in emulation.

Obviously, this malware provides a solid example of why piracy is not a good idea. If you’re engaging in piracy, you’re likely to get infected, even with antivirus software installed.

This is a cute bit of Malware. Firstly, it is distributed as cracked versions of Ableton Live and other audio mixing software. That means that it's targeting people who have powerful computers and are installing random software (and therefore used to weirdness and less likely to have antivirus).

Secondly, it actively looks for and detects ActivityMonitor and high CPU usage and doesn't start the service if there's high CPU usage, this is rudimentary detection avoidance. Finally, it runs the cryptominer in a virtual machine rather than direct. This means that the cryptominer can be distributed to different operating systems easily.

LaLiga facing €250k fine for GDPR violations in app used to spy on users - TechRepublic
https://www.techrepublic.com/article/laliga-facing-eur250k-fine-for-gdpr-violations-in-app-used-to-spy-on-users/

LaLiga introduced a feature in the official Android app last year that activates the microphone and GPS functions when matches are being played, under the pretense of using the features to identify venues such as bars or restaurants that are broadcasting soccer games illegally.

This functionality is not happening surreptitiously, as the app requests access to the microphone and geolocation service—it does not rely on a vulnerability to access these components without explicit permission—as TechRepublic reported a year ago.

Despite this, users were not explicitly informed of the intended use of the microphone and geolocation permissions, which is central to the decision by AEPD to levy fines against LaLiga.

This is quite clever really. La Liga knows that fans will go and watch matches in pubs, and they want to find pubs that are broadcasting the matches without a license. So why not spy on the fans and see if you can pick up locations where the match is broadcast that doesn't have a license.

Interestingly, La Liga did tell users that they would do this, and that it was for the purpose of trying to find unlicensed broadcasts. The decision appears to be more that is was hard to opt out, and that it was likely that the users didn't understand that it was using the microphone and GPS in order to do that detection.

Chinese-Made Drones Spark Concerns And Warnings From U.S. Government : NPR
https://www.npr.org/2019/05/29/727612692/we-re-not-being-paranoid-u-s-warns-of-spy-dangers-of-chinese-made-drones?t=1559325153674

The department sent out an alert on the subject on May 20, and a video on its website notes that drones in general pose multiple threats, including "their potential use for terrorism, mass casualty incidents, interference with air traffic, as well as corporate espionage and invasions of privacy."

"We're not being paranoid," the video's narrator adds.

Most drones bought in the U.S. are manufactured in China, with most of those drones made by one company, DJI Technology. Lanier Watkins, a cyber-research scientist at Johns Hopkins University's Information Security Institute, said his team discovered vulnerabilities in DJI's drones.

"We could pull information down and upload information on a flying drone," Watkins said. "You could also hijack the drone."

The flag waving here is a bit silly. There isn't any real indication that China as a nation are behind this, but instead, as with many things, this happens to be a Chinese company that has poor cybersecurity record for their pile-em-high, sell them cheap manufacturing process.

This will be made worse by various white label drone sellers who buy the dronkes, rebadge and ship them but don't enable updates, patches or cybersecurity features even if DJI Technology behind the scenes do release updated firmware for the drones.

What a U.S. Operation in Russia Shows About the Limits of Coercion in Cyber Space
https://warontherocks.com/2019/06/what-a-u-s-operation-in-russia-shows-about-the-limits-of-coercion-in-cyber-space/

The U.S. response to Russian election inference illustrates the complexity of signaling an adversary in a connected era. To be credible, signals of the possible use of force need to be backed by a reputation for resolve and sufficient capabilities to achieve the desired effect.  In this case, Russia needs to know the United States is willing to shut down the power to Moscow, to St. Petersburg, and to key military installations and that it has the capability to do so. Washington certainly has the capabilities, but the question of resolve is not as clear-cut. In fact, one has to ask: What Russian action would really push the United States to shut down power and cripple civilian as well as military facilities in a nuclear-armed state’s territory? Would the United States really run the risk that Russia might view the power cuts as the precursor to a preemptive strike?

There is some good thinking in this write up. What does it mean to send signals in a cyber enabled warfare campaign. Especially with the thought process of moving from cyber enabled espionage to cyber enabled warfare. In espionage operations, gaining access is everything, and once you have access, you don't willingly give it up. Gaining access to a 0-day means trying hard not to use it in a way that will get it detected. But in warfare, you need to use your military capability in ways that demonstrate to the other side that you have it and are willing to use it. We don't have equivalents in the cyber realm yet.

Facial Animation
https://sites.google.com/view/facial-animation/home

The videos generated using this model do not only produce lip movements that are synchronized with the audio but also exhibit characteristic facial expressions such as blinks, brow raises etc. This extends our previous model by separately dealing with audio-visual synchronization and expression generation. Our improved model works on "in-the-wild" unseen faces and is capable of capturing the emotion of the speaker and reflecting it in the facial expression.

Take the test, see if you can tell fake from real. I got only 9 out of 25 and felt I was doing well until I saw the answers.

Snapchat Employees Abused Data Access to Spy on Users - VICE
https://www.vice.com/en_us/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion

Tools like SnapLion are an industry standard in the tech world, as companies need to be able to access user data for various legitimate purposes. Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and to enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees.

One of the former employees said that data access abuse occurred "a few times" at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.

Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.

Snapchat actually comes out of this article quite well. Managing the privileged admins of a service and their access to customer data is hard, and it looks like Snapchat made a good start early on to build a tool that had access control and audit logging built in.

Former CIA Chief of Disguise Breaks Down 30 Spy Scenes From Film & TV | WIRED - YouTube
https://www.youtube.com/watch?v=mUqeBMP8nEg

Jonna Mendez, former CIA Chief of Disguise, takes a look at spy scenes from a variety of television shows and movies and breaks down how accurate they really are.

This is just fun. Jonna clearly enjoys a good spy movie and there's some classics in here.

Previous Editions