May 2018: new tricks in classic attacks and vice versa

Historically, we’ve seen threat activity rising before summer. This may month is no exception. With a lot to choose from, from new tricks in classic attacks to classic tricks in new attacks. Big vulnerabilities with their own logo’s, Fancy bear and the FBI, this month was definitely one we’ll remember at the end of the year.

1. Ransomware using “Process Doppelgänging”. 

Process Doppelgänging sounds ominous in the best of situations.  In the beginning of May, a ransomware was discovered using the technique. Fileless code injection takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader. It can replace a legitimate program with a malicious one in memory. The upshot is this malware could defeat most of the modern antivirus solutions and forensic tools. The malware is a SynAck variant, and it’s the first as far as we know to leverage process Doppelgänging. It seems to target specific countries, by crudely matching a list of the user’s installed keyboard layouts. If you use United States, Kuwait, Germany or Iran layouts, beware.

2. Efail vulnerability in… well, some say PGP and S/MIME, others say mail clients

On May 14th, security researchers published “Efail”, a flaw that abuses a critical vulnerability in OpenPGP and S/MIME in combination with most e-mail clients. OpenPGP is used for end-to-end email encryption, and Efail allows for leaking the plaintext of encrypted emails. This much is sure. It becomes fuzzy when a heated discussion arises on whose fault it is, and whether the vulnerability was disclosed in the “right way”. The researchers leveraged the credibility of the EFF for spreading the news widely. What rubbed people the wrong way was the investment in a logo and website.

Furthermore the OpenPGP team had been given the heads up months before, but they chose the stance of “not our problem”, given that in their view the flaws were in e-mail clients. While there’s technically soundness in their statements, as echoed by protonmail, the game was on. The mitigation is to disable HTML rendering & remote content in your client. Disabling PGP, as suggested by some, is equivalent to leaving a door with a vulnerable lock open.

As an industry we might want to learn a little bit about collaboration. E-mail is 47 years old, and inherently insecure, PGP is a beast of an add-on process, maybe we should start thinking of something better.

3. VPNFilter

For the most of May, VPNFilter, an IoT botnet, remained a threat, but in the end the FBI had enough. They took control of the botnet, which had infected over 500,000 home networking devices, in 54 different countries. The malware uses a multi-staged approach, it’s geared towards destruction and comes with a self destruct button. Named after the directory (/var/run/vpnfilter), the malware targets mostly low hanging fruit: devices that are exposed to known vulnerabilities. The FBI recommends to reboot your internet router. It will eliminate the non-persistent second stage malware. The threat actors behind the botnet are supposedly the Russia linked APT28, (aka Fancy Bear).

Extended research informs us of more brands targeted, and offers a solution by factory resetting or even throwing your device away and buy a new one. But the real kick in the rear is the malware looks for Modbus traffic, which is used by PLC’s in ICS & SCADA environments. This supports trend nation state actors are interested in ICS environments for an opportunity to disrupt. If critical infrastructure doesn’t use cheap consumer grade products, there’s no problem, right? ¯\_(ツ)_/¯

4. Ransomware & banking trojans

As we’ve seen ransomware is still among us. Don’t the bad guys know that cryptojacking is a much easier and less risky business? Indeed, there’s a new Dharma variant called Bip Dharma. Researchers had created a decryptor for the older one, which unfortunately doesn’t work one this one. The way to get your files back is to send an e-mail to a specific e-mail address. This is not the most victim friendly process. We find criminals take less time for victim experience nowadays. Which is just as well, because we would urge victims not to pay anyway. Bite the bullet and invoke your recovery process.

A new trojan “BackSwap” is adding some innovation to the most classic attack known: stealing money from banks. This time, it’s not plain classic webinjects (injecting and manipulating browser content) but by simulating keypresses, manipulating the developer console and javascript. The attacks target Poland at the time of writing, but we’d still like to mention criminals are still investing in their old tricks.

5. The FBI releases their IC3 report for 2017

Not a threat, quite the opposite, but a good overview of how internet crime involved over 2017. We’ve dedicated a separate blog post diving into the numbers if you want to learn the top attacks haven’t changed much, and ransomware is not a criminal cash cow, but CEO fraud is.

Bonus: Twitter advised 330 million users to change their passwords

A bug caused twitter to store plaintext passwords for a while. They found out themselves, and corrected it. Out of an “abundance of caution,” they advised every user to change their passwords. Now there’s a difference between “330 million passwords leaked”  and “out of caution, because we can’t be 100% sure, change your password”. So do not panic. Especially since you are security aware, and you use 2 factor authentication on your twitter account, right? And with 2FA your password, which you store in a password manager and is unique, doesn’t really matter anymore anyway… Right?

2018-06-12T13:47:24+00:00 June 12th, 2018|

About the Author:

Eward Driehuis
Chief Research Officer, SecureLink Group
SecureLink Belgium