May 2018: new tricks in classic attacks and vice versa

Historically, we’ve seen threat activity rise before summer. This May was no exception. There was a lot to choose from: new tricks in classic attacks and classic tricks in new attacks, big vulnerabilities with their own logos, Fancy Bear and the FBI. This month is definitely one we’ll remember at the end of the year.

1. Ransomware using “Process Doppelgänging”

Process Doppelgänging sounds ominous in the best of situations. At the beginning of May, ransomware was discovered using the technique. This fileless code injection takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. It can replace a legitimate program with a malicious one in memory. The upshot is that this malware could defeat most modern antivirus solutions and forensic tools. The malware is a SynAck variant, and it’s the first, as far as we know, to leverage Process Doppelgänging. It seems to target specific countries by crudely matching a list of the user’s installed keyboard layouts. If you use United States, Kuwait, Germany or Iran layouts, beware.

2. Efail vulnerability in… well, some say PGP and S/MIME, others say mail clients

On May 14th, security researchers published “Efail”, a flaw that abuses a critical vulnerability in OpenPGP and S/MIME in combination with most e-mail clients. OpenPGP is used for end-to-end e-mail encryption, and Efail leaks the plaintext of encrypted e-mails. This much is sure. It becomes fuzzy once the heated discussion starts on whose fault it is, and whether the vulnerability was disclosed “correctly”. The researchers leveraged the credibility of the EFF to spread the news widely. What rubbed people the wrong way was the investment in a logo and website.

Furthermore, the OpenPGP team had been given a heads-up several months in advance, but they chose the stance of “not our problem”, given that, according to them, the flaws were in e-mail clients. While there’s technical soundness in their statements, as echoed by ProtonMail, the game was on. The mitigation is to disable HTML rendering and remote content in your client. Disabling PGP, as suggested by some, is equivalent to leaving a door with a vulnerable lock open.

As an industry we might want to learn a little bit about collaboration. E-mail is 47 years old, and inherently insecure. PGP is a beast of an add-on process, and maybe we should start thinking of something better.

3. VPNFilter

For the better part of May, VPNFilter, an IoT botnet, remained a threat, but then the FBI had enough. They took control of the botnet, which had infected over 500,000 home networking devices in 54 different countries. The malware uses a multi-staged approach, is geared towards destruction and comes with a self-destruct button. Named after the directory (/var/run/vpnfilter), the malware targets mostly low-hanging fruit: devices that are exposed to known vulnerabilities. The FBI recommends rebooting your internet router, which will eliminate the non-persistent second-stage malware. The threat actors behind the botnet are supposedly the Russia-linked APT28 (aka Fancy Bear).

Extended research tells us more brands are targeted, and offers a solution: factory reset your device, or even throw it away and buy a new one. The real kick in the butt, though, is that the malware looks for Modbus traffic, which is used by PLCs in ICS & SCADA environments. This supports the trend that nation-state actors are interested in ICS environments for the opportunity to disrupt. If critical infrastructure doesn’t use cheap consumer-grade products, there’s no problem, right? ¯\_(ツ)_/¯

4. Ransomware & banking trojans

As we’ve seen, ransomware is still among us. Don’t the bad guys know that cryptojacking is a much easier and less risky business? Indeed, there’s a new Dharma variant called Bip Dharma. Researchers had created a decryptor for the older one, which unfortunately doesn’t work on this one. To get your files back you’re supposed to send an e-mail to a specific address. This is not the most victim-friendly process. We find criminals spend less time on victim experience nowadays. Which is just as well, because we would urge victims not to pay anyway. Bite the bullet and invoke your recovery process.

A new trojan called “BackSwap” is adding some innovation to the most classic attack known: stealing money from banks. This time, it’s not plain classic webinjects (injecting and manipulating browser content); it’s a process of simulating keypresses and manipulating the developer console and JavaScript. The attacks are only targeting Poland at the time of writing, but we’d still like to mention that criminals are investing in their old tricks.

5. The FBI releases their IC3 report for 2017

Not a threat, quite the opposite, but a good overview of how internet crime evolved over 2017. We’ve dedicated a separate blog post diving into the numbers if you want to learn more. The top attacks haven’t changed much, and ransomware is not a criminal cash cow, but CEO fraud is.

Bonus: Twitter advised 330 million users to change their passwords

A bug caused Twitter to store plaintext passwords for a while. They figured it out themselves and corrected it. Out of an “abundance of caution,” they advised every user to change their password. Now, there’s a difference between “330 million passwords leaked” and “out of caution, because we can’t be 100% sure, change your password”. So, do not panic. Especially since you are security-aware and you use two-factor authentication on your Twitter account, right?

June 19th, 2018

About the Author:

Eward Driehuis
Chief Research Officer, SecureLink Group
