The IT Privacy & Security Weekly Update for August 24th 2021


This is the Jailbreak edition. We start with an example of the quickest way to end up in prison, a story of an inmate made good and of course, we end up right back in the clink in what must be one of the worst hacker “job applications” in history.

In between those rough-and-tumble walls, we have insight on one country’s cyber curriculum, your streaming service’s second income, OnePerCent, the potential post $610 million job offer, and why Amazon could be sold out of Razor gaming mice.

Ducking and diving, dodging and weaving, we are all in this week, so let’s get on the striped shirts and have a quick look inside.

Global: Don’t even think about it

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in an email. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.
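As an added illustration of the executive-spoofing pattern described above (example code written for this summary, not from the newsletter, Abnormal Security or the FBI), here is a minimal triage check that an inbound-mail pipeline could run: it flags messages whose display name matches a known executive but whose address does not, a Reply-To that diverts replies elsewhere, a DMARC failure, and payment-urgency wording. The executive directory, the domain and the three sample messages are all constructed for the example.

```python
"""Flag inbound mail that impersonates an executive (BEC / CEO-scam triage).

Added example, not the newsletter's or any vendor's code. The organisation's
domain, the executive list and the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and its executives' real addresses.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

# Wording that typically accompanies a wire-transfer or gift-card lure.
URGENCY = re.compile(r"\b(wire|transfer|urgent|invoice|gift cards?|confidential)\b", re.I)


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def analyse(raw: str) -> dict:
    """Return findings for one RFC 5322 message supplied as a string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    known = EXECUTIVES.get(normalise(display))
    if known and addr.lower() != known:
        # The display name is an executive's, but the mailbox is not theirs.
        findings.append("display-name impersonation")
    if known and from_domain and from_domain != OUR_DOMAIN:
        findings.append("external sender domain")
    if reply_to and reply_to.lower() != addr.lower():
        # Replies would go somewhere other than the visible sender.
        findings.append("reply-to differs from from")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("dmarc fail")
    body = "" if msg.is_multipart() else str(msg.get_payload())
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("payment/urgency keywords")

    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: lookalike CEO request sent from a free-mail account.
LURE = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: ap@example.com
Subject: Urgent wire transfer before close of business
Authentication-Results: mx.example.com; dmarc=none

Please process the attached invoice today. I am in meetings, reply by email only.
"""

# Constructed sample: exact From spoof with a diverted Reply-To and a DMARC failure.
SPOOF = """From: Sam Lee <sam.lee@example.com>
Reply-To: sam.lee@webmail.example
To: ap@example.com
Subject: Confidential acquisition - invoice attached
Authentication-Results: mx.example.com; dmarc=fail (p=reject)

Handle this quietly, details in the attachment.
"""

# Constructed sample: the executive's genuine internal mail.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 planning deck
Authentication-Results: mx.example.com; dmarc=pass

Attached the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("spoof", SPOOF), ("legit", LEGIT)):
        print(label, analyse(sample))
```

Requiring two independent findings before marking a message suspicious keeps a lone keyword hit (an accounts-payable team talks about invoices all day) from paging anyone, while the display-name and Reply-To rules catch the two ways these lures are usually built.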

According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

So what’s the upshot for you? It was bound to happen.

Global: Ransomware Gangs and the Name Game Distraction

Isn’t it annoying to track something and then discover someone else has done a much better job? Yes, we found that to be the case with Brian Krebs’s RaaS group tracking, where he even goes so far as to put dates to the name changes. So in addition to those presented at the start of last week’s update, we add in Vasa Locker morphing into Bsbuk and then Payload.bin, Defray777 becoming RansomExx, Sekhmet becoming Egregor, Hermes updating to Conti and Cerber becoming REvil.

Additionally, Brian has a lovely graphic with all the bad guys’ current logos.

So what’s the upshot for you? Jealous? Who us?

RU: Why So Many Top Hackers Hail from Russia

This might have a higher relevance now, given the Russian based ransomware explosion around us, than when the article originally appeared in 2017: Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs.

Russian students are required to study the subject beginning at a much younger age. Russia’s Federal Educational Standards (FES) mandate that informatics be compulsory in middle school, with any school free to choose to include it in their high school curriculum at a basic or advanced level.

“In elementary school, elements of Informatics are taught within the core subjects ‘Mathematics’ and ‘Technology’,” the Perm University research paper notes. “Furthermore, each elementary school has the right to make [the] subject ‘Informatics’ part of its curriculum.”

The core components of the FES informatics curriculum for Russian middle schools are the following:

  1. Theoretical foundations
  2. Principles of computer’s functioning
  3. Information technologies
  4. Network technologies
  5. Algorithmization
  6. Languages and methods of programming
  7. Modeling
  8. Informatics and Society

“Very few middle schools teach Computational Thinking Practices in the United States,” Alan Paller, director of research for the SANS Institute, an information security education and training organization, said. “We don’t teach these topics in general and we definitely don’t test them. The Russians do and they’ve been doing this for the past 30 years. Which country will produce the most skilled cybersecurity people?”

So what’s the upshot for you? We’ve always said that if you start with a good Daml language skillset you can work anywhere. We stand by that no matter what nationality you are!

Global: Privacy of Streaming Apps and Devices: Watching the TV That Watches Us

Ever wonder what streaming services do with the data collected on you?

YouTube TV received the best privacy rating and, at 81%, the highest overall numerical score, because Google TV had a more transparent policy despite engaging in some worse privacy practices. YouTube TV says they don’t sell users’ data to third parties, but they do target users with advertisements and track users on other apps and services across the internet.

The next best to worst were: Apple, Disney+, Paramount+, HBO Max, Peacock, Amazon Prime, Discovery+, Hulu, and Netflix finishing out with a privacy rating of 46%.

Only Google, Apple, Amazon, and Netflix do not sell your data onward, but apart from Apple they all “track their users on other apps and services across the internet.”

So what’s the upshot for you? “May the streaming service be with you.” It seems even when you are away from your streaming service, your streaming service is not away from you.

Global: Say what?

With the new Apple 4K TV, if you’re watching something but missed a line of dialog, as a nod to function and privacy, you hold down the Siri button on the remote and ask, “What did they say?” The TV rewinds to the beginning of the last line of the person or people you’ve specified, turns on captions, and then turns them off again afterward.

That’s pretty cool.

So what’s the upshot for you? The uncool? Pretty much the most expensive dongle on the market, it doesn’t come with the $30 recommended HDMI cable, but the constant, additional upselling of other streaming service subscriptions pushes this over the (far) edge.

Global: 38M Records Were Exposed Online—Including Contact-Tracing Info

More than a thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases.

The data included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and Covid-19 vaccination status.

The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

The exposed data was all stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.

Beginning back in May, researchers from the security firm UpGuard began investigating a large number of Power Apps portals that publicly exposed data that should have been private—including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is still significant, as it reveals an oversight in the design of Power Apps portals that has since been fixed.

Microsoft itself exposed a number of databases in its own Power Apps portals, including an old platform called “Global Payroll Services,” two “Business Tools Support” portals, and a “Customer Insights” portal.

After years of studying cloud misconfigurations and data exposures, the Upguard researchers were surprised to discover those issues in a platform they’d never seen before. Between Microsoft’s fixes and UpGuard’s own notifications, the vast majority of the exposed portals, and all of the most sensitive ones, are now private.

So what’s the upshot for you? These days the default is to leave ports or services closed or disabled. The fact that Microsoft had not is silly, but the fact that the service was new and no one seemed to know what it was did provide some cover (you are less likely to hack it if you don’t know what it is).

Global: As Linux grows in use, so does Targeting by Malware

Many regard Linux as a unique operating system because of its stability, flexibility, and open-source nature. Its stellar reputation is backed by its many notable achievements in recent years.

The good news: 100% of the world’s top 500 supercomputers run on Linux, and 50.5% of the top 1,000 websites in the world use it, according to a survey by W3Techs.

The not-so-good: TrendMicro’s latest report states that they detected nearly 15 million malware events aimed at Linux-based cloud environments, and found that coin miners and ransomware made up 54% of all malware, with web shells accounting for a 29% share.

So what’s the upshot for you? Up until a few years ago the baddies sidestepped Linux, but with it growing in popularity, malware for Linux is set to rage on.

CN: China Propaganda Network Targets BBC Media, UK in Large-Scale Influence Campaign

Chinese trolls and fake news websites have been attacking the BBC in a bid to undermine its credibility, new research published today claims. The online influence operation, which is being linked to the Chinese Communist Party (CCP), is seemingly a response to the BBC’s reporting on human rights abuses against Uyghur Muslims and state-backed misinformation campaigns.

The new research from analysts at cybersecurity company Recorded Future claims that the “likely state-sponsored” operation used hundreds of websites and social media accounts to attack the BBC’s reporting. Propaganda accounts have taken to social media to criticize BBC’s journalistic integrity, accusing them of using an “underworld filter” or “gloom filter” (阴间滤镜) on photos and video of China to make the country look lifeless, dull, and sad to foreign audiences.

There have been over 11,000 references to the Mandarin-language term for “gloom filter” across open sources in the past 6 months, with over half of them occurring in the last 30 days.

On February 10, 2021, China banned BBC World News from broadcasting within the country. China’s National Radio and Television Administration (NRTA) based the decision on internal findings that BBC World News reports about China “seriously violated” broadcast guidelines, including “the requirement that news should be truthful and fair” and not “harm China’s national interests”. However, BBC World News is largely unavailable to the common Chinese audience, appearing only in international hotels and some diplomatic compounds.

British Foreign Secretary Dominic Raab responded publicly to the move, calling it “an unacceptable curtailing of media freedom”, noting that “China has some of the most severe restrictions on media & internet freedoms across the globe, & this latest step will only damage China’s reputation in the eyes of the world”. The United States (US) State Department also commented on the situation, calling it part of a wider campaign to suppress free media in China.

So what’s the upshot for you? The research group judges with high confidence that this activity is a CCP-sponsored influence operation targeting the BBC and the UK government. The volume of activity paired with a clearly identifiable narrative, coordination across the Chinese state-sponsored media apparatus, use of both Mandarin and foreign-language content, use of dozens of fringe media outlets, and the campaign’s alignment with the CCP’s objectives create a clear picture of how the CCP is conducting large-scale information operations to counter criticism and censor foreign media. Similar recent campaigns have been set against Canada and the US.

US: Background on a particular IT Security Presenter

Kevin David Mitnick was a controversial hacker who was arrested in 1995 and sentenced to five years in prison for computer and communications-related crimes. His pursuit, arrest, and trial were all so high-profile that they created a lot of media buzz.

He gained unauthorized access for the first time into a computer at the age of 16 in 1979 after a friend gave him the phone number for Ark, the computer system used by Digital Equipment Corporation (DEC). He was arrested for this in 1988 and served 12 months, followed by three years of supervised release, but Mitnick hacked into another computer system before the supervised release ended and went into hiding.

He used cloned cellular phones to hide his real location and stole valuable software from the United States’ largest cell phone companies. He also read the private e-mails of many people. When arrested, he was found with more than 100 cell phone clone codes and several cloned cell phones along with false identification documents.

Out of the five-odd years he served in prison, for four and a half years he was on trial, and for the remaining eight months of his sentence he was kept in solitary confinement. This was because a few law enforcement officers told a judge that he could whistle into a payphone and start a nuclear war. This meant that Mitnick somehow knew how to dial into a NORAD modem via payphone and communicate with it through whistling, to launch nuclear missiles.

He now runs a security firm called Mitnick Security Consulting, LLC and is co-owner of KnowBe4, a provider of a platform for simulated phishing testing and security awareness training.

So what’s the upshot for you? If ever Kevin as an IT security instructor was in doubt, we hope we have restored some faith in him. Now you can boast: “I just took a training course from a guy who did 8 months in solitary confinement at a US Federal Penitentiary!”

Global: Windows has a new rodent problem

As jonhat (@j0nh4t) tweeted: “Need local admin and have physical access?” The bug goes something like this:

  • You plug in a Razer gaming mouse for the first time.
  • Windows detects that this device type has special software and drivers that will make it work Even Better than a regular mouse.
  • Windows finds Razer’s official addons in the Windows Update cloud.
  • Windows downloads and launches the official addons so you don’t have to.
  • The Razer app helpfully ends with a clickable directory name, showing you what ended up where, in the installation process.

Once you’re in Explorer, you can do a Shift-and-right-click and use the handy option Open PowerShell window here, giving you a command-line alternative to the existing Explorer window.

But that PowerShell prompt was spawned from the Explorer process, which was spawned from Razer’s installer, which was spawned by the automatic device installer process in Windows itself…

…which was running under the all-powerful NT AUTHORITY\SYSTEM account, usually referred to as NTSYSTEM or just System for short.

So the PowerShell window is now running as System too, which means you have almost complete control over the files, memory, processes, devices, services, kernel drivers and configuration of the computer.

So what’s the upshot for you? In other words, if you’re a penetration tester given access to unlocked company laptops to see how long it takes you to promote yourself to get Admin superpowers via a regular user’s account, and if you have a Razer mouse with you, the answer is probably, “Not very long”. … and for only $19.99 on Amazon…

Global: EC2 Cloud budgets are being way overspent

If you want to know what’s really happening in the cloud, you have to follow the money. That’s what HashiCorp did in their first annual “State of the Cloud Report”.

75% of those surveyed said they were multi-cloud; within 2 years that number is expected to be 90%.

AWS was the leader (and expected to stay so) across all groups but retail.

Open-source tools were the most popular, but for security, commercial tools won out.

The survey revealed the complexity of tracking and controlling cloud spending, as 39% of respondents said their organization overspent their cloud budgets in 2020.

Contrary to conventional wisdom, COVID-19 was not the primary driver of the busted cloud budgets — the biggest reason was shifting priorities.

Further, the bigger the organization’s cloud budget, the more likely the company was to overspend.

So what’s the upshot for you? Reminds us of an old English saying, “Mind the pennies and the pounds will follow”. ← Maybe that needs a refresh!

Global: FBI sends its first-ever alert about a ‘ransomware affiliate’

The OnePercent Group got its name, according to the FBI alert, because it threatens to leak 1% of the data if rapid ransom payment is not made. To get inside companies they:

  • Used phishing email campaigns to infect victims with the IcedID trojan.
  • Used the IcedID trojan to deploy additional payloads on infected networks.
  • Used the Cobalt Strike penetration testing framework to move laterally across a victim’s network.
  • Used RClone to exfiltrate sensitive data from a victim’s servers.
  • Encrypted data and demanded a ransom.
  • Phoned or emailed victims to threaten to sell their stolen data on the dark web if they didn’t pay on time.
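Two of the stories above describe things that show up in endpoint process telemetry: the Razer mouse chain (an interactive PowerShell running as SYSTEM underneath an Explorer window that itself was spawned by an installer), and OnePercent’s use of RClone to push data to a remote. The check below is an added example written for this summary, not code from the newsletter, Sophos, Razer or the FBI alert. It assumes Sysmon/EDR-style process-creation records already normalised into the small dict shape built by `ev()`; the field names, process ids, the vendor installer name and the `cloudbucket:` remote are all constructed.

```python
"""Two process-telemetry checks over constructed endpoint events.

Added example, not from the newsletter or any vendor. It assumes
process-creation records normalised into the dict shape built by ev();
the field names and all sample values are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM = r"NT AUTHORITY\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# rclone verbs that move data; "ls", "lsd", "config" etc. are not transfers.
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def ev(pid, ppid, image, user, cmdline):
    """One normalised process-creation event (constructed field names)."""
    return {"pid": pid, "ppid": ppid, "image": image, "user": user, "cmdline": cmdline}


# Constructed sample telemetry: pids, VendorSetup.exe and the remote name are made up.
EVENTS = [
    ev(4, 0, r"C:\Windows\System32\svchost.exe", SYSTEM, "svchost.exe -k DcomLaunch"),
    ev(910, 4, r"C:\Windows\Temp\VendorSetup.exe", SYSTEM, "VendorSetup.exe"),
    ev(920, 910, r"C:\Windows\explorer.exe", SYSTEM, r"explorer.exe C:\Program Files\Vendor"),
    ev(930, 920, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM, "powershell.exe"),
    ev(2000, 1, r"C:\Windows\explorer.exe", r"CORP\alice", "explorer.exe"),
    ev(2010, 2000, r"C:\Windows\System32\cmd.exe", r"CORP\alice", "cmd.exe"),
    ev(2020, 2010, r"C:\Tools\rclone.exe", r"CORP\alice", r"rclone.exe copy D:\Finance cloudbucket:share"),
    ev(3000, 1, r"C:\Tools\rclone.exe", r"CORP\backup", r"rclone.exe copy D:\Finance E:\Backup"),
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def ancestry(events, pid):
    """Walk pid -> ppid and return the events in the chain, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def system_shell_via_explorer(events):
    """Rule 1: an interactive shell running as SYSTEM with explorer.exe in its ancestry.

    SYSTEM never owns a desktop session, so explorer.exe above a SYSTEM shell
    means a privileged process opened a file browser for someone.
    """
    hits = []
    for e in events:
        if e["user"].upper() != SYSTEM or basename(e["image"]) not in SHELLS:
            continue
        chain = ancestry(events, e["pid"])
        if any(basename(a["image"]) == "explorer.exe" for a in chain[1:]):
            hits.append((e["pid"], " <- ".join(basename(a["image"]) for a in chain)))
    return hits


def rclone_to_remote(events):
    """Rule 2: rclone transferring data to a configured remote rather than a local drive."""
    hits = []
    for e in events:
        if basename(e["image"]) != "rclone.exe":
            continue
        argv = e["cmdline"].split()
        verb = next((a for a in argv[1:] if not a.startswith("-")), "")
        if verb.lower() not in EXFIL_VERBS:
            continue
        paths = [a for a in argv[argv.index(verb) + 1:] if not a.startswith("-")][:2]
        if len(paths) < 2:
            continue
        dest = paths[1]
        # "cloudbucket:share" names an rclone remote; "E:\Backup" has a drive letter.
        if ":" in dest and not PureWindowsPath(dest).drive:
            hits.append((e["pid"], e["user"], dest))
    return hits


if __name__ == "__main__":
    print("SYSTEM shells under explorer:", system_shell_via_explorer(EVENTS))
    print("rclone transfers to a remote:", rclone_to_remote(EVENTS))
```

Rule 1 is deliberately broad: it does not care which installer started the chain, only that a SYSTEM shell has a file browser above it, which is what a fix-agnostic detection needs. Rule 2 will miss rclone renamed to something else or flags placed before the source path, so in practice you would pair it with a hash-based rule and network egress volume, but it shows the distinction that matters: a drive-letter destination is a backup, a remote-name destination leaves the machine.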

So what’s the upshot for you? If OnePercent don’t get a response, this group has a tendency to hand off to the REvil malware team. Reassuring, right?

BH: Bahraini Activists Targeted Using a New iPhone Zero-Day Exploit From NSO Group

A previously undisclosed “zero-click” exploit in Apple’s iMessage leveraged by NSO Group to circumvent iOS security protections allowed the government of Bahrain to target nine Bahraini activists, researchers from University of Toronto’s Citizen Lab said in a report published today.

The latest disclosure is significant, not least because the “FORCEDENTRY” zero-click attack successfully works against the latest versions of iOS, but also for the fact that it bypasses a new software security feature called BlastDoor that Apple built into iOS 14 to prevent such intrusions by filtering untrusted data sent over iMessage.

So what’s the upshot for you? This is amazing because only last month 17 media organizations revealed the widespread use of NSO Group’s Pegasus “military-grade spyware” by authoritarian regimes to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world, and here is another tool from the NSO group being used for the same thing.

Global: Poly Network says it’s got pretty much all of that $610m in stolen crypto-coins back

Virtually all of the crypto-currency funds, valued at $610m, stolen from Poly Network by a thief have been returned.

The mysterious crook siphoned off the dosh earlier this month by exploiting a vulnerability in the Chinese exchange’s smart contracts that handle the movement of tokens between blockchains.

The thief, dubbed Mr. White Hat by Poly Network, promised to hand the funds back, claiming it was just done for fun and to highlight the security flaw.

“I’m quitting the show.”

So what next for the mystery miscreant? Well, even though the money has been returned, a crime was committed and the police may be keen to unmask the person as well as businesses. Blockchain security outfit Slowmist boasted earlier it had discovered “the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking. There are certainly plenty of blockchain clues to start from if they decide to pursue the person involved.”

So what’s the upshot for you? Well certainly the upside for this person is this quote: “Building secure decentralized applications is very challenging, and this person could be a very valuable resource. We’re sure many people would be keen to employ them… in the right circumstances.”

HU: Hungarian Citizen Pleads Guilty to Hacking into Marriott to Extort Employment

Back in 2010, a hacker attempted to threaten Marriott International into giving him a job. The person in question was 26-year-old Attila Nemeth from Hungary.

Attila transmitted malicious code to the company’s network. He then threatened to do more damage unless he was given a job.

  1. Marriott responded to the hacker by setting up a fake employee account with the promise of a job.
  2. Nemeth responded by sending over his CV, passport, and other identification.
  3. Marriott passed it all to the police.

So what’s the upshot for you? Well, he didn’t get the job, but he did get a nice record and 30 months of free room and board.

That’s it for this week!

We are releasing you until next week when we hope to have you captive once again!

Until then, be kind, stay safe, stay secure and see you in se7en!
