Work From Home Opens New Remote Insider Threats

Remote work is opening up new insider threats – whether it’s negligence or malicious employees – and companies are scrambling to stay on top of these unprecedented risks.

Employees working from home face a new world of workplace challenges. With childcare facilities mostly closed, many are juggling crying babies or barking dogs, all while tending to job responsibilities. Under those conditions mistakes happen, like sending an email – with critical internal company data – to the wrong address.

This is just one of many insider threat risks that security experts worry will become a regular occurrence. That’s because remote employees have been thrust into new working environments, with no face-to-face supervision and little to no training for handling new security risks. And, they are also facing more distractions from their home settings, as well as new emotional stresses tied to COVID-19.

All of these factors are creating a ticking time bomb for insider threat risks – which, according to a report released last week, have already increased by 47 percent since 2018. Worse, security experts warn that organizations aren’t ready for this influx of remote-work-induced challenges.

“The [work from home] trend due to the COVID-19 pandemic has significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain as employers have less visibility to what employees are doing or accessing,” Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic, told Threatpost.

Negligent Insiders: Lack of Training

Insider threats can stem from either “negligent insiders” – which according to Proofpoint is the most common and accounts for 62 percent – or from malicious insiders, who intentionally steal data or company secrets.

The “negligent insiders” are the bigger threat here, researchers say. They may be employees who are well-intentioned, but who mistakenly give away company data or put company data at risk. They might open a phishing email, fall victim to a business email compromise (BEC) scam, or leave a cloud storage bucket misconfigured.

The work from home world has paved the way to an unsecured environment that allows these mistakes to happen more easily, security experts argue. For starters, many remote employees have not been given the appropriate training for how to secure their laptops and how to handle sensitive data in a work from home environment.

A recent survey from IBM Security found that more than half of those surveyed have yet to be given any new security policies on how to securely work from home. Also, more than half surveyed have not been provided with new guidelines on how to handle personally identifiable information (PII) while working from home, despite more than 42 percent newly being required to do so as consumers lean on customer service representatives for a variety of services.


In addition to a lack of employee training, experts worry remote employees are using company devices that may have been dependent on network security for protection – such as email gateways, web gateways, intrusion detection systems or firewalls – and moving them to unsecured networks.

The IBM Security survey for instance found that 53 percent of remote employees are using their personal laptops and computers for business operations – and 61 percent say their employer hasn’t provided tools to properly secure those devices.

Remote employees are also dealing with the challenges of working remotely and potentially needing to juggle childcare. That, coupled with the overlying stresses from the pandemic and the pressures of regular work, can open the door for simple mistakes. For instance, on average, 800 emails are sent to the wrong person every year in companies with 1,000 employees, according to Tessian. Experts worry that the new workplace environment could make this type of mistake more common.

“Initially, the sudden shift in environment was taxing on employees, which increased the likelihood for mistakes to be made that could have incredible repercussions for data privacy – for example, sending an email to an incorrect recipient or clicking on a phishing link,” said Durbin. “As remote working continues, organizations continue to digitalize traditionally physical processes, such as reliance on post or face-to-face meetings, inevitably driving more sensitive data online.”

Malicious Insiders

While “malicious insider” threats are less common (according to Proofpoint, these types of threats only occur 14 percent of the time), coronavirus-spurred changes to the workforce are making it more difficult for organizations to root out these threats.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), malicious insider threat motivations vary. Financial motivations are the most popular, but espionage or disgruntled employees are listed as other common reasons.


Malicious insider threats may stem from the emotional toll of change. Earlier in May, for instance, a former BlueLinx IT manager, unhappy after his company was acquired by a large Atlanta-based building products distributor, was sentenced to federal prison for hacking his former Atlanta-based employer.

Experts worry what kind of emotional toll the current changes in today’s coronavirus world will have on employees. Many employees currently have concerns, need support and require protection. Employees may react maliciously to potentially limited hours, lowered compensation or reduced promotion opportunities.

These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future, said Steve Durbin, managing director of the Information Security Forum.

“Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property,” said Durbin.

At the same time, the shift to remote work is creating challenges for organizations to detect such internal, nefarious acts due to limited access controls and a lack of capabilities in detecting unusual activity.

Protecting Against the Insider Threat

Organizations can take several steps to reduce the risks of these insider threats. The implementation of training measures for employees to better understand remote workplace security policies is an important first step.

However, going beyond that, companies also need better visibility into the devices that are being used by employees handling sensitive information, Tim Bandos, vice president of cybersecurity at Digital Guardian, told Threatpost.

Identity and access management (IAM) has an important role to play here. As employees have moved outside the company perimeter, IAM will help organizations maintain a full audit trail, which can help follow an employee’s tracks.

“Users are now less restricted with how they collaborate with information and what services or devices they can use in order to transfer data,” said Bandos. “Unless there was an established data protection policy in place that took into consideration remote employees with outlined controls, companies will experience data loss whether they realize it or not.”

BofA Phish Gets Around DMARC, Other Email Protections

The June campaign was targeted and aimed at stealing online banking credentials.

A credential-phishing attempt that relies on impersonating Bank of America has emerged in the U.S. this month, with emails that get around secure gateway protections and heavy-hitting protections like DMARC.

The campaign involves emails that ask recipients to update their email addresses, warning users that their accounts could be recycled if this isn’t done.

“The email language and topic was intended to induce urgency in the reader owing to its financial nature,” according to analysis from Armorblox. “Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”

The messages contain a link that purports to take visitors to a site to update their information – but clicking the link simply takes the recipients to a credential-phishing page that closely mirrors a legitimate Bank of America home page, researchers said.

The attack flow also included a page that asked readers for their ‘security challenge questions’, both to increase legitimacy as well as get further identifying information from targets, researchers said in a posting on Thursday.

“With the enforcement of Single Sign On (SSO) and two-factor authentication (2FA) across organizations, adversaries are now crafting email attacks that are able to bypass these measures,” Chetan Anand, co-founder and architect of Armorblox, told Threatpost. “This credential-phishing attack is a good example. Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security-challenge questions, which are often used as a second/additional form of authentication. Asking security-challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”

More interesting, the emails are able in some cases to get past existing email security controls – because they don’t follow the patterns of more traditional phishing attacks.

For instance, the campaign, while using a classic “spray-and-pray” lure, is not a mass email effort, according to the firm. In examining one of the emails, researchers noticed that “this was not a bulk email and only a few people in the target organization received it,” they wrote. “This ensured that the email wasn’t caught in the bulk email filters provided by native Microsoft email security or the Secure Email Gateway (SEG).”

Anand told Threatpost, “We’re working on identifying scope of impact outside of our customer base but campaigns like this in the past have been fairly broad in their attack scope since the content is generic enough to cut across organizations and industry verticals. Within our customer base, it was not a mass email but not a single email either. A few key VIPs or VAPs (Very Attacked Persons) got the email.”

Also, the email they examined was able to get past common authentication checks, such as DMARC. DMARC (which stands for Domain-based Message Authentication, Reporting and Conformance) is an industry standard that flags messages where the “from” field in an email header has been tampered with. It ensures emails are authenticated before they reach users’ mailboxes and confirms that they have been sent from legitimate sources. If configured correctly, potential phishing emails can be stopped at the gateway, or redirected to the junk folder.

“Although the sender name – Bank of America – was impersonated, the email was sent from a personal Yahoo account via SendGrid. This resulted in the email successfully passing all authentication checks such as SPF [Sender-Policy Framework], DKIM [DomainKeys Identified Mail] and DMARC,” explained the researchers.

DMARC is useful but has a few key gaps, Anand told Threatpost.

“Firstly, DMARC is mainly designed to protect against direct domain spoofs (which this was not),” he said. “Secondly, to protect an organization using DMARC, all domains used in communication with employees should have DMARC enabled on them (which doesn’t happen today). Emails sent from legitimate domains (Gmail, Yahoo) while not being a direct domain spoof have a good chance of passing DMARC.”
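The gap Anand describes can be made concrete with a small alignment check. The following is an added example, not Armorblox's or Threatpost's code: it evaluates DMARC the way a receiver does (SPF or DKIM must pass and align with the RFC5322.From domain) and then layers a display-name impersonation check on top. The sample headers, the brand allow-list and the assumption that the DKIM signature was aligned with the Yahoo From domain are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of brands to protect and the domains they send from.
# The domains are assumptions for this example, not taken from the article.
PROTECTED_BRANDS = {
    "bank of america": {"bankofamerica.com"},
}


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    RFC 7489 relaxed alignment uses the public suffix list; the two-label
    rule is enough for the .com domains in this example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, strict=False):
    """True if an authenticated identifier aligns with the From domain."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_header, spf, dkim, strict=False):
    """DMARC passes when SPF or DKIM passes AND aligns with the From domain.
    spf and dkim are (authenticated_domain, result) tuples, as a receiver
    would record them in Authentication-Results."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    spf_domain, spf_res = spf
    dkim_domain, dkim_res = dkim
    spf_ok = spf_res == "pass" and aligned(from_domain, spf_domain, strict)
    dkim_ok = dkim_res == "pass" and aligned(from_domain, dkim_domain, strict)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def display_name_impersonation(from_header, brands=PROTECTED_BRANDS):
    """Return the brand name when the display name claims a protected brand
    but the address domain is not one that brand sends from; else None.
    This is the check DMARC does not perform: the From domain itself is real."""
    name, addr = parseaddr(from_header)
    from_domain = org_domain(addr.rpartition("@")[2])
    normalized = " ".join(re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split())
    for brand, domains in brands.items():
        legit = {org_domain(d) for d in domains}
        if brand in normalized and from_domain not in legit:
            return brand
    return None


def evaluate(msg):
    """msg has 'from', 'spf', 'dkim'. Returns (dmarc, impersonated_brand, verdict)."""
    dmarc = dmarc_result(msg["from"], msg["spf"], msg["dkim"])
    brand = display_name_impersonation(msg["from"])
    if dmarc == "fail":
        verdict = "reject"
    elif brand:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return dmarc, brand, verdict


# Constructed samples; none are real headers from the campaign.
SAMPLES = {
    # Brand in the display name, real Yahoo mailbox, relayed through SendGrid.
    # SPF is unaligned (sendgrid.net), but an aligned DKIM signature makes DMARC pass.
    "display_name_lookalike": {
        "from": '"Bank of America" <mailer@yahoo.com>',
        "spf": ("sendgrid.net", "pass"),
        "dkim": ("yahoo.com", "pass"),
    },
    # Direct domain spoof: From claims bankofamerica.com, nothing aligns, DMARC fails.
    "direct_spoof": {
        "from": '"Bank of America" <alerts@bankofamerica.com>',
        "spf": ("sendgrid.net", "pass"),
        "dkim": ("sendgrid.net", "pass"),
    },
    # Legitimate mail: aligned SPF and DKIM, domain is on the brand allow-list.
    "legitimate": {
        "from": '"Bank of America" <alerts@bankofamerica.com>',
        "spf": ("bankofamerica.com", "pass"),
        "dkim": ("bankofamerica.com", "pass"),
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg))
```

The lookalike sample passes DMARC exactly as the article describes, and only the display-name check moves it out of the inbox.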

The attackers also used a brand-new, never-before-used URL to set up their phishing website. Because the page is hosted on a new domain, it was able to get past any filters that were created to block known bad links.

Also, the effort exhibits much better social engineering than what is usually seen in attacks like these, according to the firm. For instance, the final credential phishing page was “painstakingly made to resemble the Bank of America login page,” explained the researchers.

“The level of polish involved in this attack is noteworthy,” Anand said. “The phishing sites are unerringly made to resemble Bank of America pages at first glance. The other sign of sophistication in this attack is the fact that attackers asked targets for their security challenge questions as well. If attackers successfully harvest any such answers, they can potentially brute-force their way into other accounts where security challenge questions are involved (since these questions tend to be common across apps).”

Microsoft Joins Ban on Sale of Facial Recognition Tech to Police

Microsoft has joined Amazon and IBM in banning the sale of facial recognition technology to police departments and pushing for federal laws to regulate the technology.

Microsoft is joining Amazon and IBM when it comes to halting the sale of facial recognition technology to police departments. In a statement released Thursday by Microsoft President Brad Smith, he said the ban would stick until federal laws regulating the technology’s use were put in place.

“We will not sell facial recognition tech to police in the U.S. until there is a national law in place… We must pursue a national law to govern facial recognition grounded in the protection of human rights,” Smith said during a virtual event hosted by the Washington Post.

On Wednesday, Amazon announced a one-year ban on police departments using its facial recognition technology. In a short statement the company said it would be pushing for “stronger regulations to govern the ethical use of facial recognition technology.”

The actions by both tech behemoths dovetail actions by IBM earlier this week. In a statement by IBM’s new CEO Arvind Krishna, he said that it will no longer offer general purpose facial recognition or analysis software “for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.”

Krishna’s statements were part of a letter to Congress where he advocated policy reviews such as “police reform, responsible use of technology, and broadening skills and educational opportunities.”

The moves align with a broader demand for law enforcement reforms and calls for racial justice by social justice activists in the wake of the death of George Floyd by Minneapolis, Minnesota police and the weeks of protests that followed.

“It should not have taken the police killings of George Floyd, Breonna Taylor, and far too many other black people, hundreds of thousands of people taking to the streets, brutal law enforcement attacks against protesters and journalists, and the deployment of military-grade surveillance equipment on protests led by black activists for these companies to wake up to the everyday realities of police surveillance for black and brown communities,” said Matt Cagle, technology and civil liberties attorney with the American Civil Liberties Union of Northern California in a statement to NBC News this week.

Boom in Technology Prompts Privacy Alarms

The debate over the use of facial recognition has been simmering for years. Big questions about privacy, civil rights and civil liberties have been raised by the American Civil Liberties Union (ACLU), Surveillance Technology Oversight Project and the Electronic Frontier Foundation (EFF).

Objections to police use of facial recognition include a lack of consent by citizens to have their biometric profiles captured by law enforcement agencies. Civil liberties activists argue the technology is imperfect and could lead to a mistaken detainment or arrests. The EFF cites a 2012 FBI study (.pdf) that found the accuracy rates of facial recognition and African Americans were lower than for other demographics.

“Face recognition can be used to target people engaging in protected speech. For example, during protests surrounding the death of Freddie Gray, the Baltimore Police Department ran social media photos through face recognition to identify protesters and arrest them,” the EFF wrote.

In March, the ACLU filed a suit against the Department of Homeland Security (DHS) over its use of facial recognition technology in airports, decrying the government’s “extraordinarily dangerous path” to normalize facial surveillance as well as its secrecy in making specific details of the plan public.

Currently, 22 airports are using what is called the Traveler Verification Service (TVS), which as of June 2019 had scanned the faces of more than 20 million travelers entering and exiting the country, the ACLU said. Several major airlines, including Delta, JetBlue and United Airlines, have already partnered with U.S. Customs and Border Protection to build this surveillance infrastructure, while more than 20 other airlines and airports have committed to using CBP’s face-matching technology.

Facial Recognition has also come under fire as it relates to the technology’s use globally to track the spread of coronavirus. The technology is seen as a zero-contact solution for identifying and tracking individuals exposed to someone infected with COVID-19.

Hawaii’s KHON2 News reported Thursday that the U.S. Department of Transportation is behind a test of facial recognition technology at Honolulu’s international airport. It reported that “facial recognition will be tested along with thermal temperature scanning… in the next couple of weeks.”

Political Prospects of Change

Staunch privacy advocate U.S. Sen. Ron Wyden, on Thursday, urged the Trump administration to stop “weaponizing” facial recognition technology against protesters. In a letter co-signed by U.S. Sens. Cory Booker and Sherrod Brown to Attorney General William Barr and the Department of Homeland Security, Wyden chided federal law enforcement for its use of facial recognition technology on the peaceful protesters marching against the police killing of George Floyd.

“Advances in facial recognition technologies should not be weaponized to victimize Americans across the nation who are standing up for change,” Wyden wrote. “It is no secret that Clearview AI’s controversial facial recognition tool is used by law enforcement throughout your departments despite the numerous legal challenges it faces. However, scientific studies have repeatedly shown that facial recognition algorithms are significantly less accurate for people with non-white skin tones.”

One legal victory came last September when California lawmakers passed a bill to ban the use of facial recognition-equipped cameras by law enforcement. Meanwhile, a number of legal challenges attempt to slow the widespread use of the technology.

Last month the ACLU sued New York-based facial-recognition startup Clearview AI for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge. The complaint, filed in Circuit Court of Cook County in Illinois, accused the company of violating an Illinois law that protects people “against the surreptitious and nonconsensual capture of their biometric identifiers.”

Clearview AI founder Hoan Ton-That has defended his company’s practices and intentions. He said he welcomes the privacy debate, stating in various published reports that the technology is meant to be used by law enforcement to help solve crimes and not to violate people’s privacy.

Whether or not Microsoft, Amazon and IBM have the market might and political capital to force new regulations is unclear. Meanwhile, the EFF reminds that the list of facial recognition vending firms is long – including 3M, Cognitec, DataWorks Plus, Dynamic Imaging Systems, FaceFirst, and NEC Global.

Thanos Ransomware First to Weaponize RIPlace Tactic

Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.

Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) last year by researchers at Nyotron, which can be used to maliciously alter files and which allows attackers to bypass various anti-ransomware methods.

Beyond its utilization of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure and functionality. But this ease-of-use may be why Thanos has surged in popularity amongst cybercriminals, according to Wednesday research from Recorded Future’s Insikt Group, shared with Threatpost.

“Ransomware-as-a-service provides a means for less-experienced cybercriminals to employ ransomware as part of their operations, and to date, these services remain popular in underground forums,” Lindsay Kaye, director of operational outcomes for the Insikt Group at Recorded Future, told Threatpost. “It is hard to say whether ransomware-as-a-service itself will become more sophisticated in the future, but in general, ransomware actors are getting more sophisticated — they are investing money into adding more exploits, so this may materialize in the form of more sophisticated ransomware offered as part of the RaaS marketplace.”

Thanos was first spotted by researchers in January, up for sale on an underground forum. It was developed by a threat actor under the alias “Nosophoros.” Since then, the threat actor continued to develop Thanos over the past six months, with regular updates and new features (the new RIPlace tactic was first advertised in February, for instance).

The Thanos ransomware builder gives operators the ability to create the ransomware clients with various different options that can be used in attacks. On underground forums, it’s being sold as a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS) model. As part of this, the Thanos builder is offered either as a monthly “light” or lifetime “company” subscription. The “company” version includes additional features, compared to the light version, such as data-stealing functionalities, RIPlace tactics and lateral-movement capabilities.

Thanos Builder

The ransomware offers various configuration options, features and classes depending on the service. Researchers observed more than 80 Thanos “clients” with different configuration options enabled.

One of the company-tier features is the ability to change the Thanos encryption process to use the RIPlace technique, which was released last year by Nyotron as a PoC. The PoC showed how ransomware can replace a victim’s files with encrypted data, by writing the encrypted data from memory to a new file, and then using the “Rename” call to replace the original file. After this sensitive file is replaced (hence the name, “RIPlace”) it enables bad actors to bypass ransomware protections.

“In the Thanos ransomware builder, a user can choose to select the option to enable RIPlace, which results in a modification of the encryption process workflow to use the technique,” Kaye told Threatpost.

Thanos Ransomware Note

Another feature offered by the Thanos client is a lateral-movement function. This makes use of a legitimate security tool called SharpExec, which is specifically designed for lateral movement. The client downloads the SharpExec tools from a GitHub repository, scans the local network to get a list of online hosts, and uses the SharpExec’s functionality to then execute the Thanos client on remote computers.

Other features of Thanos include the ability to exfiltrate all files with a specified set of extensions, an anti-analysis tool allowing the client to perform several checks to determine whether it is executing within a virtual machine environment, and two obfuscation options.

When encrypting the data for victims, Thanos uses a random, 32-byte string generated at runtime as a password for the AES file encryption. The string is then encrypted with the ransomware operator’s public key – and without the corresponding private key, recovering the encrypted files is impossible.

“The Thanos builder includes the option to use a static password for the AES file encryption,” said researchers. If this option is selected, the clients generated by Thanos will contain the AES password used to encrypt files. Importantly, this means that if a Thanos client is recovered after encryption has occurred, there is a chance that the victims may be able to recover their files without paying the ransom, researchers said.

The Future of Thanos

Based on code similarity, string reuse, the ransomware extension and the format of the ransom notes, researchers say they assess “with high confidence” that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros.

Thanos is under active development by its operators: Researchers have observed the ransomware receiving positive feedback from cybercriminals on underground forums, with claims that the tool “works flawlessly” and requests to “keep the updates coming.” That said, to date, Recorded Future researchers have not yet explicitly observed Thanos being used as part of an actual attack against a company, Kaye told Threatpost.

Researchers believe that Thanos will continue to be weaponized by threat actors, either individually, or collectively as part of its affiliate program. However, they said that “security best practices” can protect companies from the ransomware strain.

“With information security best practices such as prohibiting external FTP connections and blacklisting downloads of known-offensive security tools, the risks associated with the two key components of Thanos — data stealer and lateral movement — can be averted,” said researchers.

Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update

The June Patch Tuesday update included CVEs for 11 critical remote code-execution vulnerabilities and concerning SMB bugs.

Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month.

Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

“For June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android,” according to Dustin Childs, with Trend Micro’s Zero Day Initiative, in a Tuesday post. “This brings the total number of Microsoft patches released this year to 616 – just 49 shy of the total number of CVEs they addressed in all of 2017.”

Microsoft’s June Patch Tuesday volume beats out the update from May, where it released fixes for 111 security flaws, including 16 critical bugs and 96 that are rated important.

SMBv3 Flaws

Satnam Narang, staff research engineer at Tenable, told Threatpost that a trio of fixes stuck out in the Patch Tuesday updates, for flaws in Microsoft Server Message Block (SMB). Two of these flaws exist in Microsoft Server Message Block 3.1.1 (SMBv3). All three vulnerabilities are notable because they’re rated as “exploitation more likely” based on Microsoft’s Exploitability Index.

The two flaws in SMBv3 include a denial-of-service vulnerability (CVE-2020-1284) and an information-disclosure vulnerability (CVE-2020-1206), both of which can be exploited by a remote, authenticated attacker.

Narang said the flaws “follow in the footsteps” of CVE-2020-0796, a “wormable” remote code execution flaw in SMBv3 that was patched back in March, dubbed “SMBGhost.” CISA recently warned that the release of a fully functional proof-of-concept (PoC) for SMBGhost could soon spark a wave of cyberattacks.

The third vulnerability patched in Microsoft SMB, CVE-2020-1301, is a remote code-execution vulnerability that exists in the way SMBv1 handles requests. To exploit the flaw, an attacker would need to be authenticated and to send a specially crafted packet to a targeted SMBv1 server.

Narang said this flaw “might create a sense of déjà vu” for another remote code-execution vulnerability in SMBv1, EternalBlue, which was used in the WannaCry 2017 ransomware attacks.

“However, the difference between these two is that EternalBlue could be exploited by an unauthenticated attacker, whereas this flaw requires authentication, according to Microsoft,” he said. “This vulnerability affects Windows 7 and Windows 2008, both of which reached their end of support in January 2020. However, Microsoft has provided patches for both operating systems.”

VBScript

Various critical remote code-execution flaws were discovered in VBScript, Microsoft’s Active Scripting language that is modeled on Visual Basic (CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230 and CVE-2020-1260). The flaws exist in the way that the VBScript engine handles objects in memory; an attacker could corrupt memory in such a way that allows them to execute arbitrary code in the context of the current user.

In a real-life attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said Microsoft. “If the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”

Other Critical Flaws

Also of note is a critical flaw (CVE-2020-1299) that exists in Microsoft Windows, which could allow remote code-execution if a .LNK file is processed. A .LNK file is a shortcut or “link.” An attacker can embed a malicious .LNK in a removable drive or remote share, and then convince the victim to open the drive or share in Windows Explorer; the malicious binary referenced by the shortcut then executes. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, according to Microsoft.

The update also addressed a Windows critical RCE flaw (CVE-2020-1300) that exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver, according to Microsoft’s update.

Another critical vulnerability (CVE-2020-1286) exists due to Windows Shell not properly validating file paths. An attacker could exploit the flaw by convincing a user to open a specially crafted file, and then would be able to run arbitrary code in the context of the user, according to Microsoft’s update.

“If the current user is logged on as an administrator, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.”

A critical flaw (CVE-2020-1181) in SharePoint server was also fixed, stemming from the server failing to properly identify and filter unsafe ASP.Net web controls. The flaw can be abused by an authenticated, remote user who invokes a specially crafted page on an affected version of Microsoft SharePoint Server, allowing them to execute code.

Microsoft also issued updates addressing Windows 10, 8.1 and Windows Server versions affected by a critical, use-after-free Adobe Flash Player flaw (CVE-2020-9633). According to Microsoft, “In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.”

Meanwhile, Adobe earlier on Tuesday released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.

Dark Basin Hack-For-Hire Group Targeted Thousands Over 7 Years

Thousands of journalists, advocacy groups and politicians worldwide were targeted by Dark Basin.

A hack-for-hire group, called Dark Basin, has been outed after targeting thousands of individuals and organizations worldwide – including advocacy groups and journalists, elected and senior government officials, and hedge funds — over the course of seven years.

Dark Basin conducted commercial espionage on behalf of their clients, against customers’ opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy, according to researchers at Citizen Lab. In all, more than 10,000 victim email accounts were targeted, according to Reuters, who broke the news.

“Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign,” according to a report on Dark Basin released by Citizen Lab researchers on Tuesday. “At the request of several targets, Citizen Lab shared information about their targeting with the U.S. Department of Justice (DoJ). We are in the process of notifying additional targets.”

Citizen Lab first discovered the group in 2017 after it was contacted by a journalist who had been targeted with phishing attempts. The phishing was linked to a custom URL shortener, which was tied to a larger network of almost 28,000 URL shorteners containing the email addresses of targets and operated by Dark Basin.

Tactics, Techniques and Procedures

The group sent highly targeted phishing emails to its targets from a range of email accounts, including Gmail accounts and self-hosted accounts. The use of URL shorteners for masking phishing sites is a staple for the group – researchers said that over 16 months, they observed 28 unique URL shortener services that were operated by Dark Basin.

These malicious links led to phishing sites, designed to look identical to popular online web services such as Google Mail, Yahoo Mail, Facebook and others. These landing pages then stole the credentials of victims.

“Sophistication of the bait content, specificity to the target, message volume and persistence across time varied widely between clusters,” researchers said. “It appears that Dark Basin’s customers may receive varying qualities of service and personal attention, possibly based on payment, or relationships with specific intermediaries.”

Widespread Targeting

Researchers tied the group to years of attacks against various targets. That includes at least two American advocacy groups who were requesting that the Federal Communications Commission (FCC) preserve net-neutrality rules in the U.S. (in a campaign previously uncovered by the EFF); U.S. non-governmental organizations Fight for the Future and Free Press; and journalists from multiple major U.S. media outlets.

For instance, the group targeted campaigners involved with #ExxonKnew, which is a campaign that claims that ExxonMobil hid information about climate change for decades. That included targeting #ExxonKnew campaigners’ family members with phishing emails – in at least one case a target’s minor child was among those targeted.

Phishing bait from Dark Basin.

As part of their investigation, researchers linked the phishing attacks with highly targeted emails, purporting to come from other campaigners or from legal counsel involved in litigation against ExxonMobil, that referenced targets’ work on ExxonMobil and climate change. In other cases, Dark Basin sent emails with fake Google News updates involving ExxonMobil. The emails would then contain a malicious URL that brought victims to the landing page.

In 2016, a private #ExxonMobil email inviting campaigners to a January 2016 meeting was leaked by unknown parties to two newspapers, including the Wall Street Journal.

“The leak of the January 2016 email, as well as suspicious emails noticed by campaigners, led some present at the meeting to suspect their private communications may have been compromised,” said researchers. “We later determined that all but two recipients of the leaked January email were also Dark Basin targets.”

BellTroX InfoTech Services

Researchers also associated Dark Basin with BellTroX InfoTech Services, an India-based technology company, with “high confidence.” Threatpost has reached out to BellTroX InfoTech Services for comment but had not heard back by publication time.

BellTroX InfoTech home page.

“We are an independent firm of transcriptionists, designers, developers, engineers, consultants and technical specialists offering a broad range of professional services. Through our work, we make a positive difference in the world,” according to BellTroX’s website.

Several clues led researchers to link Dark Basin to the company. Initially, researchers found that timestamps in the phishing emails were consistent with the working hours in India’s UTC+5:30 time zone. Several of Dark Basin’s URL shortening services also had names associated with India (Holi, Rongali and Pochanchi, for example).

Then, upon further investigation, they were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a C.V. (resume), as bait content when testing their URL shorteners.

The employees also put up social-media posts taking credit for attack techniques, which contained screenshots of links to Dark Basin infrastructure, researchers said. The company’s “staff activities” listed on LinkedIn include email penetration, exploitation, corporate espionage and more.

“BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker,’” they said. “BellTroX’s slogan is: ‘you desire, we do!’”

As of Sunday (June 7) BellTroX’s website began serving an error message. Researchers said that postings and other materials linking BellTroX to these operations have since been deleted.

Hack-for-Hire

Researchers said that they believe that in at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals – leading them to conclude that Dark Basin had “some success” in gaining access to the email accounts of one or more advocacy groups.

Researchers said that the utilization of hack-for-hire firms may be fueled by an increasing normalization of commercialized cyber-offensive activity, including surveillance and “hacking back.” Recently for instance, researchers with Google’s Threat Analysis Group (TAG) warned that they’ve spotted a spike in activity from several India-based firms that have been creating Gmail accounts that spoof the World Health Organization (WHO) to send coronavirus-themed phishing emails.

“Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” Citizen Lab researchers said. “Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.”

Chafer APT Hits Middle East Govs With Latest Cyber-Espionage Attacks

Government and air transportation companies in Kuwait and Saudi Arabia were targeted in a recent attack tracked back to the Chafer APT.

Researchers have uncovered new cybercrime campaigns from the known Chafer advanced persistent threat (APT) group. The attacks have hit several air transportation and government victims in hopes of data exfiltration.

The Chafer APT has been active since 2014 and has previously launched cyber-espionage campaigns targeting critical infrastructure in the Middle East. This most recent wave of cyberattacks started in 2018 and has lasted until at least the end of 2019, targeting several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used a bevy of custom-built tools, as well as “living off the land” tactics. Living-off-the-land tools are features already present in the target environment, which attackers abuse to help them achieve persistence.

“Researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018,” according to a Thursday Bitdefender analysis. “The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor. Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.”

Liviu Arsene, global cybersecurity analyst with Bitdefender, told Threatpost that researchers can’t specify how many companies have been targeted in each country. However, “it is safe to estimate that the cybercriminal group likely went after more than those we investigated,” he said.

The Campaigns

While the modus operandi behind the attacks against firms in Kuwait and Saudi Arabia shared “some common stages,” researchers noted that the attacks on victims from Kuwait were more sophisticated as attackers were able to move laterally on the network. Researchers believe the threat actors initially infected victims using tainted documents with shellcodes, potentially sent via spear-phishing emails.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account,” said researchers.


Once they gained a foothold inside the company, attackers then installed a backdoor (imjpuexa.exe), that was executed as a service on some machines. Attackers also deployed several network-scanning and credential-gathering tools used for reconnaissance and to help them move laterally inside the network. For instance, attackers deployed CrackMapExec, a multi-purpose tool used for network scanning, credential dumping, accounts discovery and code injection.

Another custom tool of note that attackers utilized is a modified PLINK tool (called wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. The PLINK tool used in the campaign preserves the original functionality, with some new key features such as the possibility to run as a Windows service or to uninstall the service.

“We believe this tool may have been used either to communicate with the [command and control server] C2 or to gain access to some internal machines, but found no conclusive evidence to support these scenarios,” said researchers.

While the attack on the victim in Kuwait achieved further lateral movement, researchers said the attack on the victim in Saudi Arabia was not as elaborate, “either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.”

For these attacks, researchers said they believe “initial compromise was achieved through social engineering.” After initial compromise, a RAT was loaded and executed twice, with different names (“drivers.exe” and “drivers_x64.exe”). The two executions were three minutes apart, leading researchers to believe that the user was tricked into running them.


The RAT was written in Python and converted into a standalone executable: “Some RATs are very similar to tools that have been previously documented by security researchers, but have been customized for this particular attack,” Arsene told Threatpost. “It’s not uncommon for cybercriminal groups to tweak their tools based on either victim profile or immediate needs. For example, they might change the way the RAT communicates with the C2 server, or they can add other features that were not necessary in the past but currently prove useful.”

Researchers also found three different RAT components that were used at different times. One of these components (“snmp.exe”) was the same as the backdoor (“imjpuexa.exe”) used on the targeted attacks in Kuwait – leading researchers to link the two campaigns.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it,” they said. “Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

Of note, the threat actor also used “living off the land” tools extensively in both campaigns. This included the heavy use of the Non-Sucking Service Manager (NSSM), which is a legitimate service manager for Microsoft Windows. The NSSM utility manages background and foreground services and processes. Researchers believe the APT used NSSM for ensuring that its critical components, such as the RAT, are up and running.

“We estimate that attackers relied on NSSM to make sure that the services they were monitoring were actually running and not terminated or stopped,” Arsene explained. “It’s a way of ensuring persistence for malicious services and restarting them if they are inadvertently killed or stopped by various other applications.”
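A defender reviewing this campaign would want to spot services registered through NSSM and resolve the program NSSM actually supervises. The following is an added example, not Bitdefender’s code: it walks constructed service-installation records in the shape of Windows System log event 7045 (service name, image path, start type, account) together with a constructed view of each service’s Parameters\Application registry value, which is where NSSM records the wrapped program. The file names it matches on are only those the article cites; the pipe-delimited line format and the sample paths are assumptions for this example.

```python
import ntpath

# Directories where a legitimately installed service binary normally lives.
WINDOWS_TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# File names the Bitdefender write-up attributes to the campaign. They serve
# as an illustration only; a real detection keys on hashes and signatures,
# since an attacker can rename both NSSM and the wrapped binary.
CAMPAIGN_FILE_NAMES = {
    "imjpuexa.exe", "wehsvc.exe", "snmp.exe", "drivers.exe", "drivers_x64.exe",
}

# Constructed records in the shape of event 7045 ("A service was installed"):
# event_id|service name|image path|start type|account
SAMPLE_7045_LINES = [
    "7045|Print Spooler Helper|C:\\Windows\\System32\\spoolsv.exe|auto start|LocalSystem",
    "7045|SNMP Trap Helper|C:\\ProgramData\\Tools\\nssm.exe|auto start|LocalSystem",
    "7045|wehsvc|C:\\Users\\Public\\wehsvc.exe|auto start|LocalSystem",
]

# Constructed view of HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application,
# the value NSSM writes to remember which program it should keep running.
SAMPLE_NSSM_PARAMETERS = {
    "SNMP Trap Helper": "C:\\ProgramData\\Tools\\imjpuexa.exe",
}


def parse_7045(line: str) -> dict:
    """Split one constructed event line into its fields."""
    event_id, name, path, start, account = line.split("|", 4)
    return {
        "event_id": int(event_id),
        "service": name,
        "image_path": path.strip('"'),
        "start": start,
        "account": account,
    }


def wrapped_application(service: str, image_path: str, parameters: dict):
    """Return (program that really runs, whether NSSM is in the loop).

    NSSM itself is the service image; the supervised program sits in
    Parameters\\Application. Either clue is enough to treat the service as
    NSSM-managed.
    """
    app = parameters.get(service)
    if app:
        return app, True
    is_nssm = ntpath.basename(image_path).lower() == "nssm.exe"
    return image_path, is_nssm


def review_service_installs(lines, parameters) -> list:
    """Flag service installations that match the persistence pattern described."""
    findings = []
    for line in lines:
        ev = parse_7045(line)
        if ev["event_id"] != 7045:
            continue
        binary, via_nssm = wrapped_application(ev["service"], ev["image_path"], parameters)
        reasons = []
        if via_nssm:
            reasons.append("nssm-wrapper")
        if not binary.lower().startswith(WINDOWS_TRUSTED_DIRS):
            reasons.append("untrusted-path")
        if ntpath.basename(binary).lower() in CAMPAIGN_FILE_NAMES:
            reasons.append("known-campaign-name")
        if reasons:
            findings.append({
                "service": ev["service"],
                "effective_binary": binary,
                "account": ev["account"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_service_installs(SAMPLE_7045_LINES, SAMPLE_NSSM_PARAMETERS):
        print(f["service"], "->", f["effective_binary"], ",".join(f["reasons"]))
```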

So far, all of the incidents that researchers uncovered have been stopped: “the investigation in both countries was stopped before concluding when or if the cyberattack had stopped,” Arsene said. “It’s likely that… local authorities were notified and decided to continue the investigation locally.”

Cyber-Espionage

Researchers linked these campaigns with Chafer because some of the tools used bear similarities to the tools used in previously-documented Chafer APT attacks. The C2 domains in these attacks have been previously associated with the same cybercriminal group, Arsene told Threatpost.

It’s only the latest campaign for the Chafer APT. Last year, the Iran-linked APT was spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes a very unique approach to communication by using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP. Another campaign in February, launched by two Iran-backed APTs who were possibly working together to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel, was loosely linked to the Chafer APT after researchers noted an overlap in approaches.

That said, cyber-espionage campaigns have spiraled downwards overall over the past year, according to the recent 2020 Verizon Data Breach Investigations Report (DBIR), dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019.

Crooks Tap Google Firebase in Fresh Phishing Tactic

Cybercriminals are taking advantage of the Google name and the cloud to convince victims to hand over their login details.

A series of phishing campaigns using Google Firebase storage URLs have surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.

Google Firebase is a mobile and web application development platform. Firebase Storage meanwhile provides secure file uploads and downloads for Firebase apps. Using the Firebase storage API, companies can store data in a Google cloud storage bucket.

The phishing effort starts with spam emails that encourage recipients to click on a Firebase link inside the email in order to visit promised content, according to Trustwave researcher Fahim Abbasi, writing in an analysis released Thursday. If the targets click on the link, they’re taken to a supposed login page (mainly for Office 365, Outlook or banking apps) and prompted to enter their credentials – which of course are sent directly to the cybercriminals.

“Credential phishing is a real threat targeting corporates globally,” noted Abbasi. “Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.”

In this case, that “innovative way” is using the Firebase link.

“Since it’s using Google Cloud Storage, credential-capturing webpages hosted on the service are more likely to make it through security protections like Secure Email Gateways due to the reputation of Google and the large base of valid users,” Karl Sigler, senior threat intelligence manager, Spiderlabs at Trustwave, told Threatpost. “The use of cloud infrastructure is rising among cybercriminals in order to capitalize on the reputation and valid uses of those services. They tend to not be immediately flagged by security controls just due to the URL.”
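Because a URL-reputation check alone will not flag these messages, a mail filter needs to look at what the Firebase link actually serves and at the lure around it. The following is an added example, not Trustwave’s code: it scans a constructed message body, picks out Firebase Storage download links and flags the ones that serve an HTML page inline from a storage bucket alongside the lure themes the analysis lists. It assumes the campaign’s links used the standard Firebase Storage download host and path shape (firebasestorage.googleapis.com/v0/b/<bucket>/o/<object>?alt=media); the article does not print the URLs themselves, and the bucket, object and token values below are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Host behind Firebase Storage download links (assumed for this example).
FIREBASE_STORAGE_HOSTS = {"firebasestorage.googleapis.com"}

# Lure themes named in the analysis: payment invoices, mailbox upgrades,
# pending messages, account verification, account errors, password changes.
LURE_PATTERNS = [
    r"\binvoices?\b",
    r"\bupgrade\b.{0,40}\b(mailbox|e-?mail account)\b",
    r"\bpending (messages?|e-?mails?)\b",
    r"\bverify your (account|e-?mail)\b",
    r"\baccount error\b",
    r"\b(change|reset|update) (your )?password\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed phishing sample modelled on the vendor-payment lure described.
PHISHING_SAMPLE = """Subject: Vendor payment form - action required
Dear customer, due to Covid-19 we have moved invoice processing to internet banking.
Please review the pending invoice here:
https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/office365%2Flogin.html?alt=media&token=CONSTRUCTED-TOKEN
Regards, Accounts Payable
"""

# Constructed benign sample: an ordinary document download from the same service.
BENIGN_SAMPLE = """Hi team, the Q1 report is attached via our app's storage:
https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/reports%2Fq1.pdf?alt=media&token=CONSTRUCTED-TOKEN
"""


def is_firebase_storage_url(url: str) -> bool:
    """True for a Firebase Storage object download link."""
    p = urlparse(url)
    return (p.hostname in FIREBASE_STORAGE_HOSTS
            and p.path.startswith("/v0/b/")
            and "/o/" in p.path)


def hosted_object(url: str) -> str:
    """Object path inside the bucket, percent-decoded (e.g. office365/login.html)."""
    return unquote(urlparse(url).path.split("/o/", 1)[1])


def analyze_email(body: str) -> dict:
    """Score one message body for the Firebase-hosted credential-phishing pattern."""
    lure_hits = [pat for pat in LURE_PATTERNS if re.search(pat, body, re.I)]
    firebase_pages = []
    for url in URL_RE.findall(body):
        if not is_firebase_storage_url(url):
            continue
        obj = hosted_object(url)
        inline = parse_qs(urlparse(url).query).get("alt") == ["media"]
        # A web page served inline straight out of a storage bucket is the
        # fake login page; a PDF or image download is the service's normal use.
        if inline and obj.lower().endswith((".html", ".htm")):
            firebase_pages.append(obj)
    if firebase_pages and lure_hits:
        verdict = "likely-phishing"
    elif firebase_pages:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "firebase_pages": firebase_pages,
            "lure_hits": len(lure_hits)}


if __name__ == "__main__":
    print(analyze_email(PHISHING_SAMPLE))
    print(analyze_email(BENIGN_SAMPLE))
```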

The campaigns were circulating globally, across a range of industries, but the majority of the “hits” have been in Europe and Australia, Sigler said.

“Most of the emails we saw were from late March through the middle of April, but we’ve seen samples as a part of this campaign as far back as February and as recently as mid-May,” he added. “While these tactics of piggy-backing on valid cloud services likely go back to the days those services were invented, this is a current and active trend.”

Major themes for the lures include payment invoices, exhortations to upgrade email accounts, prompts to release pending messages, urging recipients to verify accounts, warnings of account errors, change-password emails and more. In one case, “scammers used the Covid-19 pandemic and internet banking as an excuse to lure the victims into clicking on the fake vendor payment form that leads to the phishing page hosted on Firebase Storage,” according to the analysis.

An example of a phishing email using Firebase.

Overall, the phishing messages are convincing, according to Trustwave, with only subtle imperfections that might tip off potential victims that there’s something wrong, such as a few poor graphics.

“Cybercriminals are constantly evolving their techniques and tools to covertly deliver their messages to unwitting victims,” Abbasi said. “In this campaign, threat actors leverage the reputation and service of the Google Cloud infrastructure to conduct phishing by embedding Google firebase storage URLs in phishing emails.”

Using Google to lend an air of legitimacy is an ongoing trend. Earlier this year, an attack surfaced that uses homographic characters to impersonate Google domain names and launch convincing but malicious websites. And last August, a targeted spearphishing campaign hit an organization in the energy sector – after using Google Drive to get around the company’s Microsoft email security stack. The campaign impersonated the CEO of the targeted company, sending email via Google Drive purporting to be “sharing an important message” with the recipients.

“Again, because of the valid uses and large user base of these services, many of these phishing emails can slip through the cracks of the security controls we put in place,” Sigler added. “Educating users about these tactics helps provide defense-in-depth against these techniques when they hit a victim’s inbox.”

Adobe Patches Critical RCE Flaw in Character Animator App

A critical remote code execution flaw in Adobe Character Animator was fixed in an out-of-band Tuesday patch.

Adobe has issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.

The flaw (CVE-2020-9586) is found in versions 3.2 and earlier and exists within the parsing of the BoundingBox element in PostScript. Specifically, it stems from a stack-based buffer overflow error, meaning the element lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer.

“Of the bugs fixed today, CVE-2020-9586 stands out as it could allow code execution if a user opens a malicious file or visits a malicious web page,” Dustin Childs, manager at Trend Micro’s Zero Day Initiative, told Threatpost. “An attacker can leverage this vulnerability to execute code in the context of the current process.”

Users are urged to update to version 3.3 for Windows and macOS. While the flaw is critical, the security bulletin is a Priority 3 update, which according to Adobe resolves vulnerabilities in a product that has historically not been a target for attackers. “Adobe recommends administrators install the update at their discretion,” according to the update.

Adobe on Tuesday also issued several updates addressing other flaws. While these other vulnerabilities are “important” in severity, they would all need to be combined with additional bugs to gain code execution, Childs told Threatpost.

One such flaw exists in Adobe Premiere Rush, its video editing software for online video creators. The software has an out-of-bounds read vulnerability (CVE-2020-9617) that could lead to information disclosure. Users are urged to update to Adobe Premiere Rush version 1.5.12 for Windows and macOS.

Another “important”-severity flaw exists in Adobe Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). Like Premiere Rush, Premiere Pro has an out-of-bounds read flaw (CVE-2020-9616) that could lead to information disclosure. Users can update to version 14.2 for Windows and macOS.

Finally, Adobe stomped out a flaw in Audition, which is its toolset offering for creating and editing audio content. The out-of-bounds read flaw (CVE-2020-9618) can enable information disclosure if exploited. A patch is available in Audition 13.0.6 for Windows and macOS.

For all of these flaws, “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to the alert. Mat Powell with ZDI was credited with discovering these flaws.

The unscheduled patches come a week after Adobe’s regularly-scheduled updates, which fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit – and addressed 36 CVEs overall.

Verizon Data Breach Report: DoS Skyrockets, Espionage Dips

Denial of Service (DoS), ransomware, and financially-motivated data breaches were the winners in this year’s Verizon DBIR.

Denial-of-service (DoS) attacks have spiked over the past year, while cyber-espionage campaigns have spiraled downwards. That’s according to Verizon’s 2020 Data Breach Investigations Report (DBIR) released Tuesday, which analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals.

Notably, this year DoS attacks increased in number (13,000 incidents) and were also seen as a bigger part of cybercriminals’ toolboxes (DoS attacks made up 40 percent of security incidents reported), beating out crimeware and web applications. While DoS attacks use differing tactics, they most commonly involve sending junk network traffic to overwhelm and crash systems. It doesn’t help that cybercriminals have been creating new and dangerous botnets to launch DoS attacks, like Kaiji or Mirai variants, over the past few years.

“While the amount of this traffic is increasing as mentioned, in DDoS, we don’t just look at the number of attacks that are conducted,” said researchers. “We also look at the bits per second (BPS), which tells us the size of the attack, and the packets per second (PPS), which tells us the throughway of the attack. What we found is that, regardless of the service used to send the attacks, the packet-to-bit ratio stays within a relatively tight band and the PPS hasn’t changed that much over time, sitting at 570 Mbps for the most common mode.”

Cyber espionage attacks meanwhile have seen a downward spiral, dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019. That may come as a surprise given that espionage campaigns were actually on the rise in the 2019 Verizon DBIR. In addition, a slew of cyber espionage campaigns (such as ones targeting the WHO, several governments in the Asia-Pacific region and more) were unearthed over the past year – but researchers say under-reporting may be a factor in the dipping statistics.

“The drop in raw numbers could be due to either under-reporting or failure to detect these attacks, but the increase in volume of the other patterns is very much responsible for the reduction in percentage,” said researchers.

In fact, financially motivated breaches continue to not only be more common than espionage campaigns by a wide margin (making up 86 percent of all breaches), but also increasing over the past year, they said.

Breach Origins

When it comes to data breaches, almost half (45 percent) stemmed from actual hacks, while 22 percent used social attacks. Twenty-two percent of breaches involved malware and 17 percent were created by errors. And 8 percent of breaches stemmed from misuse by authorized users.


In fact, internal actors were only behind 30 percent of breaches, with the majority (70 percent) actually coming from external actors. While researchers said that incidents stemming from “insider actors” have grown over the past few years, that’s likely due to increased reporting of internal errors rather than evidence of actual malice from these actors.

“External attackers are considerably more common in our data than are internal attackers, and always have been,” said researchers. “This is actually an intuitive finding, as regardless of how many people there may be in a given organization, there are always more people outside it. Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.”

Malware Down

Malware has been on a consistent and steady decline as a percentage of breaches over the last five years, researchers said, due in part to the increasing level of access by cybercriminals to credentials.

“We think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence,” said researchers.


Accordingly, the list of top malware “varieties” in data breaches was led by password dumpers (which are used to collect credentials), followed by capture-app-data malware and ransomware.

Ransomware attacks continued to grow over the past year and have created high-profile headlines and headaches for companies, such as Norsk Hydro. Ransomware is the third most common “malware breach” variety and the second most common “malware incident” variety. Part of this continued growth can be explained by the ease with which attackers can kick off a ransomware attack, researchers stressed.

“In 7 percent of the ransomware threads found in criminal forums and market places, ‘service’ was mentioned, suggesting that attackers don’t even need to be able to do the work themselves,” said researchers. “They can simply rent the service, kick back, watch cat videos and wait for the loot to roll in.”

Vertical-Specific Findings

The Verizon DBIR also broke down data breaches by vertical to show that cybercriminals are drastically changing how they are targeting industries. For instance, Point of Sale (PoS)-related attacks once dominated breaches in the accommodation and food services industry – however, they have been replaced by malware attacks and web application attacks.


“Instead, responsibility is spread relatively evenly among several different action types such as malware, error and hacking via stolen credentials,” said researchers. “Financially motivated attackers continue to target this industry for the payment card data it holds.”

The educational services industry saw phishing attacks trigger 28 percent of breaches, and 23 percent of breaches stem from hacking via stolen credentials. Ransomware is a top threat for the education space, with ransomware accounting for approximately 80 percent of malware infections in the incident data.

Ransomware attacks, triggered by financial motivations, also plagued the healthcare industry. Other top security issues leading to breaches include lost and stolen assets and basic human error. However, privilege misuse, which has topped data breach causes for healthcare in the past, for the first time this year wasn’t an issue in the “top three.” In the 2019 report, privilege misuse accounted for 23 percent of attacks, while in 2020 it has dropped to just 8.7 percent.

Despite that, “This year, we saw a substantial increase in the number of breaches and incidents reported in our overall dataset, and that rise is reflected within the Healthcare vertical,” said researchers. “In fact, the number of confirmed data breaches in this sector came in at 521 versus the 304 in last year’s report.”

Finally, financial and insurance industries were plagued by phishing attacks and web application attacks that leverage the use of stolen credentials. The attacks in this sector are perpetrated by external actors who are financially motivated to get easily monetized data (63 percent), internal financially motivated actors (18 percent) and internal actors committing errors (9 percent).

The Positives

Breach timelines continue to show promising results. The number of companies discovering incidents in days or less is up, while containment in that same timeframe surpassed its historic 2017 peak.


Researchers also warned to keep in mind that the positive incident-response numbers are likely due to the inclusion of more breaches detected by managed security service providers (MSSPs) in the report’s sampling. Also, a quarter of companies dealing with data breaches still took months or more.

“All in all, we do like to think that there has been an improvement in detection and response over the past year,” said researchers.