The IT Privacy & Security weekly update for "Identity Theft Awareness Week", February 2nd 2021

Happy Identity Theft Awareness Week!

In celebration, we move from stories about a 7 year old to a 30 something, the first an agent, and the last a real operator… to a mischievous creature that is causing some real worry in the security community.

We get the lowdown on the face off between Mark Zuckerberg and Tim Cook and more crazy stats on social engineering with tips on how to avoid trouble.

This is the BEST IT Privacy and Security Update yet, so put on your party hats and let’s celebrate!

Global: The latest evolution of the 7 year old Agent Tesla malware seeks out the Microsoft anti malware interface.

Researchers have identified new versions of the Agent Tesla remote access trojan (RAT) that target the Windows anti-malware interface used by security vendors to protect PCs from attacks.

The malware actually targets Microsoft’s anti-malware software interface (AMSI) in order to avoid detection. AMSI allows applications and services to integrate with any anti-malware product that’s present on a machine.

  • The malware arrives as an e-mail attachment.
  • It updates from sites like pastebin.
  • The installer overwrites Microsoft’s AMSI by patching the first 8 bytes of the AmsiScanBuffer function in memory. It forces AMSI to return an error (code 0x80070057), making all the AMSI scans of memory appear to be invalid. “This kneecaps AMSI-enabled endpoint protection software, so it skips further scans.”
  • Then the second-stage loader and the Agent Tesla payload (with a Tor client) are downloaded and installed.
  • The malware targets credentials from applications like Apple Safari, Chromium, Google Chrome, Iridium, Microsoft IE and Edge, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser and Yandex.

By the end of last year it accounted for 20% of all malware e-mail attachments.

So what’s the upshot for you? It’s pretty amazing to find a piece of malware that actually seeks out an anti-malware interface to put the kibosh on. Feel relieved that this is a company (Microsoft) that has the resources to deal with the challenger and … for any OS, always keep your patches as up to date as possible.

EU: A Wild Kobalos Appears

ESET researchers just released a white paper about a new type of malware that has been targeting high performance computing (HPC) clusters, among other high-profile targets. They reverse engineered this small, yet complex, malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows.

"We have named this malware Kobalos for its tiny code size and many tricks; The kobalos was a sprite from Greek mythology, a mischievous creature fond of tricking and frightening mortals. "

Thorough analysis of Kobalos revealed that it is sometimes possible to remotely determine if a system is compromised by connecting to the SSH server using a specific TCP source port. Using that knowledge, ESET researchers scanned the internet to find potential victims. “We were able to identify multiple targets of Kobalos, including HPC systems.”

“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems. Their targets, being quite high profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible, and its small footprint and network evasion techniques may explain why it went undetected.”

When deployed, this malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands.

Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers. In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.

Key findings

  • Kobalos uses a complex obfuscation mechanism that makes its analysis challenging.
  • Any Kobalos-compromised server can be turned into a command and control server for other hosts compromised by Kobalos. The code is embedded into the malware and can be activated by the operator at any time.
  • Most hosts compromised by Kobalos that we investigated also had an OpenSSH credential stealer installed. This may explain how Kobalos propagates.
  • The intent of the authors of this malware is still unknown. We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else. No other malware was found on compromised systems except the SSH credential stealer.

So what’s the upshot for you? More proof that malware is getting better at being harder to detect. Part of keeping a machine safe now extends to activities on and from the machine.

US: Who are you again?

The challenges that COVID-19 has brought include a higher risk of identity theft. In 2020, the Federal Trade Commission got about 1.4 million reports of identity theft, double the number from 2019. Repeatedly, identity thieves targeted government funds earmarked to help people hard hit financially by the pandemic.

Fraudulent unemployment claims rose from just under thirteen thousand in 2019 to almost four hundred thousand in 2020.

Tax ID theft tripled between the two years.

So what’s the upshot for you? We’ve said this before and will repeat it here. Get in early and lock in your accounts for tax filing and any other applications you are filing with the Feds. Freeze your credit records with the credit agencies. We know it’s a pain to unfreeze, but it’s so much easier than dealing with a stolen identity and credit fraud.

UK: Barclays Bank reveals 2020 as the year with the highest number of scams on record.

New research from Barclays reveals 2020 as the highest year on record for scams, as the value of fraudulent activity increased more than 66 per cent during the months of July to December.

The highest value claims came from investment scams (29 per cent) and impersonation scams (29 per cent). Investment scams often involve cloned webpages that appear legitimate to the untrained eye, while impersonation scams involve a customer being convinced their account is at risk and moving their money to a so-called ‘safe account’. The use of fear and intimidation is a powerful tactic, making impersonation scams the most commonly recorded scam by volume (22 per cent) for Barclays in 2020.

Despite the increase in scams, a Barclays poll shows that over half of Brits who have been scammed (54 per cent) are left feeling too embarrassed to report the crime.

So what’s the upshot for you? It is embarrassing to be scammed, that’s natural, but there should not be any shame in reporting it to the authorities. Even if they cannot help you, they may be able to help someone else and get a step closer to shutting down the scammers.

US: Why is Facebook’s Mark Zuckerberg mad at Apple?

"Trackers are embedded in apps you use every day: the average app has 6 trackers.
The majority of popular Android and iOS apps have embedded trackers. By including trackers, developers also allow third parties to collect and link data you have shared with them across different apps and with other data that has been collected about you. Data brokers regularly collect and sell, license, or otherwise disclose to third parties the personal information of particular individuals with whom they do not have a direct relationship.

Starting soon, with our next beta update, App Tracking Transparency will require apps to get the user’s permission before tracking their data across apps or websites owned by other companies. Under Settings, users will be able to see which apps have requested permission to track so they can make changes as they see fit. This requirement will roll out broadly in early spring with an upcoming release of iOS 14."

It’s no secret that Facebook tracks you across Messenger, Instagram and WhatsApp, but many were surprised that Facebook pays other apps for their tracking data. Mr Zuckerberg says that is the best way for a vendor to tailor ads so that your 14 year old gamer doesn’t get ads for arthritis ointments, and that targeted ads reduce the cost for vendors who then have a higher buy rate.

With the Apple update, you will have to “Opt-in” to tracking. Mr Zuckerberg doesn’t think that will happen, and that will mean a big hit to his revenue stream.

Ultimately the question for us all is whether we give up our privacy to keep the “free” things free. One thing is certain, Facebook is currently preparing an antitrust lawsuit against Apple and the action is only beginning.

So what’s the upshot for you? It’s eye opening news to discover that even without a Facebook account, large collections of data on your behavior are amassed. It will be interesting to see the cat and mouse game that emerges from this, how it affects Facebook and more importantly the businesses that have come to depend on this tracking to target us with ads.

Global: Social Media, Social Engineering, and Business Email Compromise

This is a really interesting report. Forget that they want to sell you anti-phishing software and just join us for the ride, because the assembled facts are pretty compelling.

"Over the last decade, phishing - a type of social engineering attack - has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.

See the correlation? To find out just how vulnerable people and businesses are, we surveyed 4,000 employees and interviewed ten hackers.

90% of people post information related to their personal and professional lives online. As you might expect, younger generations are more likely to have a social media presence than older generations.
We know what you’re thinking: “So what?”

*Every photo we post, status we update, person we tag, and place we check-in to reveals valuable information about our personal and professional lives. With this information, hackers are able to craft more targeted, more believable, and – most importantly – more effective social engineering attacks against people and businesses, leaving PII, trade secrets, and money vulnerable to attack.*

Hackers hack humans to hack companies: While those in the UK share slightly less information online than those in the US, employees in both regions are leaving their organizations incredibly vulnerable to BEC. Remember: The more bad actors know about you, the more personalized (and effective) their attacks will be.
One-third of people share business travel updates and photos online. 93% of people update their social profiles when they get a new job. This can help hackers decide who to impersonate, who to target (new-starters can be prime targets), when to target them, and what mediums to use for the attack.

Connecting the dots: But social media isn’t just used for reconnaissance. It can also be used as a cheat sheet to access your accounts.
Think about the most common questions you’re asked to verify your identity as a first-step in any “security check”.

*Your birthday, your pet’s name, your mother’s maiden name, your zipcode…*

If your social media accounts are public, if you share photos, and if your family and friends are also active online, this information is surprisingly easy to unearth, especially with tools like Sherlock."

"About that OoO message… Whether they realize it or not, people share a lot of personal information on email, too. For example, 93% of people automate Out of Office (OoO) messages. It’s a sensible thing to do.
But, sharing too much information in those OoO messages isn’t so sensible, especially because email is an open channel. Anyone can email you. That means – depending on your OoO settings – anyone could access the information included in your message. 53% of people say how long they’ll be gone. 43% give the details of where they’re going. (A conference, for example.) 48% identify a point of contact.

All this information provides a hacker with the raw material they need to craft a convincing email targeting or impersonating the person out of the office or a colleague.

Not-so-strong passwords
Your birthday, your pet’s name, your mother’s maiden name, your zip code…this information is often easily accessible online.
As we’ve mentioned, it can help hackers breeze through security checks. It can also help them crack passwords.

This is especially the case since the overwhelming majority of people reuse passwords. In fact, only 15% of people don’t reuse passwords. That means if a hacker gains access to one of your accounts – either by brute force or credential phishing – they could be able to access several of your accounts.

For consumer accounts like Amazon, that could mean fraudulent transactions and a compromised address book. For professional accounts like G-Suite, that could mean easy access to everything on your drive and in your inbox.

Question: Do you use the same password for multiple accounts?
76% yes,
15% no
9% would not say…

"Social engineering attacks are carefully crafted. We’re not all security experts. That means it’s unfair and unrealistic to expect the average person to be able to spot one. But, our data shows that the majority of people don’t inspect emails thoroughly before responding to them. 55% don’t inspect cc’d recipients. 50% don’t inspect the sender’s display name. 46% don’t even inspect the sender’s email address.

Why? Quick-to-click cultures. Decreased visibility on mobile. Stress. Distraction.

Whatever it is, the lack of due diligence makes it even easier for hackers to carry out successful attacks.

88% of people have received a suspicious message or link in the last year. Via which channel? Most often…email, followed by social media, then text message.

And some industries are receiving more suspicious messages than others. Unsurprisingly, it’s those that handle the most sensitive information, like Financial Services, Healthcare, and Information Technology."

So what’s the upshot for you? More and more we understand that what we expose online can put us and others at risk. This was a great story about how all the little pieces are used to build a bigger picture, bigger than some of us ever expected. Be conservative with your online activities and if you share, share only to your immediate circle of family and friends.

RU: Interview with a LockBit ransomware operator

Ever want to try to understand the perspective of the bad guys in the cyber warfare game? The Cisco-Talos team had the chance, interviewing a ransomware operator they came to nickname Aleks over the course of dozens of communications across many months.

The report is worth a read, but here are the key takeaways:
- Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion. Routine patching can be difficult, especially for large organizations, and the bad guys know this, too. The most commonly exploited vulnerabilities are those that are well-understood with publicly available exploit code.
- Many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use. They are not looking to reinvent the wheel, and tool reuse is a quicker, more effective way for them to carry out their operations than leveraging more sophisticated means. Companies should be most concerned about the tools and tactics that are also likely used by their own red teams.
- Cybercriminals are avid consumers of security news and remain up to date on the latest research and vulnerabilities, weaponizing that information to use in future attacks. They are often self-taught and hungry for continual knowledge, a mentality that all but ensures they will always be updating their TTPs and looking for new ways to make their attacks more successful. Organizations should encourage their security teams to continue their own learning — not just by obtaining industry-respected security certificates, but by remaining familiar with the latest open-source information, conducting their own research, and closely following trends in the threat landscape.
- While threat actors may state publicly that their personal ethics influence their target selection, many adversaries go after the easiest victims regardless of any moral obligation, based on our experience. We assess that schools, health care providers, and COVID-19 response-affiliated entities remain high-value targets — despite contrary claims by threat actors — given their generally under-funded cybersecurity teams and low downtime tolerance.

Interesting claims made during the interview:

The actor appears to have a contradictory code of ethics, portraying a strong disdain for those who attack health care entities while displaying conflicting evidence about whether he targets them himself. This is probably representative of many adversaries engaged in illicit cyber activity.

  • Hospitals are considered easy targets, making ransom payments 80 to 90 percent of the time during a ransomware attack.
  • Maze formerly kept up to 35 percent of ransom profits earned by its affiliates, an extremely high amount compared to other ransomware groups that likely deterred some actors from working with them.
  • The EU’s General Data Protection Regulation (GDPR) law plays to adversaries’ favor, with victims in Europe being more likely to pay ransoms to avoid the legal consequences of the compromise if it became public knowledge.
  • The U.S. also has lucrative targets, but with data privacy laws requiring victim companies to report all breaches — regardless of whether an attack is mitigated via cooperation with the adversary — the incentive for such entities to pay the ransom is likely somewhat reduced.

We are confident that the threat actor is a male and resides in the Siberian region of Russia and has probably been an active ransomware operator for at least several years. We estimate that he is in his early 30s and believe that he has at least a university-level education. Aleks claims he is self-taught in cyber-related skills such as penetration testing, network security and intelligence collection, both open-source and in the cybercriminal underground. He has been studying and training in IT since the 2000s, when the onset of widespread internet availability sparked his initial interest in what was then a new technology.

So what’s the upshot for you? It’s amazing to have this type of insight into what goes on in the mind of a ransomware operator. It may help you stay one step ahead at work and at home, and it may cause you to pause just long enough to stop you from clicking on the link in that e-mail…

That’s it for this week DAML’ers! What a great opportunity to learn and share. We hope you enjoyed this week’s celebration and collection of stories.

See you in se7en.