Table of Contents

  1. Social Engineering
    1. Pentester's mom breaks into a state prison and infects wardens computer
  2. Vulnerabilities
    1. Zyxel 0day Affects its Firewall Products, Too
    2. CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server
    3. Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
    4. IoT Insecurity: When Your Vacuum Turns on You
    5. Don’t try to sanitize input – escape output
  3. Leaks
    1. Clearview AI Reports Breach of Customer List
    2. 49 Million Unique Emails Exposed Due to Mishandled Credentials
    3. SQL Dump from BGR India Shared on Hacker Forum
  4. Ransomware
    1. Nemty Ransomware Actively Distributed via 'Love Letter' Spam
    2. FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips
    3. DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw
  5. Digital rights
    1. Facebook, Google and Twitter Rebel Against Pakistan's Censorship Rules
    2. Social media blocked in Turkey as Idlib military crisis escalates
    3. Apple subpoenas Santander and US intelligence contractor on use of Corellium
  6. Malware
    1. As Coronavirus Spreads, So Does Covid-19 Themed Malware
    2. Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely
    3. Norton LifeLock Phishing Scam Installs Remote Access Trojan
    4. Roaming Mantis, part V
    5. CPR evasion encyclopedia: The Check Point evasion repository
    6. Data on Detection of Malicious Documents in Gmail are impressive
    7. Microsoft Edge Now Lets You Block Potentially Unwanted Programs
    8. Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
  7. Privacy
    1. Schools Are Pushing the Boundaries of Surveillance Technologies
    2. How Ring Could Really Protect Its Users: Encrypt Footage End-To-End

Social Engineering

Pentester's mom breaks into a state prison and infects wardens computer

Security analyst John Strand had a contract to test a correctional facility's defenses. He sent the best person for the job: his mother. John Strand breaks into things for a living. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. And while pen testers are contractually permitted to break into a client's systems, if they're caught tensions can escalate quickly. Two pen testers who broke into an Iowa courthouse as part of their job recently spent 12 hours in jail after a run-in with local authorities. Mom's mission would also be complicated by her lack of technical expertise. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison. "We were just dumbfounded," Strand says. "It was an overwhelming success. And there's a lot to take from it for the security community about fundamental weaknesses and the importance in institutional security of politely challenging authority. Even if someone says they're an elevator inspector or a health inspector or whatever, we need to do better about asking people questions. Don't blindly assume."


Zyxel 0day Affects its Firewall Products, Too

On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its Network Attached Storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products. This week's story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000. Alex Holden, the security expert who first spotted the code for sale, said at the time the vulnerability was so "stupid" and easy to exploit that he wouldn't be surprised to find other Zyxel products were similarly affected. "We've now completed the investigation of all Zyxel products and found that firewall products running specific firmware versions are also vulnerable," Zyxel wrote in an email to KrebsOnSecurity.

CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server

This most recent Patch Tuesday, Microsoft released an Important-rated patch to address a remote code execution bug in Microsoft Exchange Server. This vulnerability was reported to Zero Day Initiative by an anonymous researcher and affects all supported versions of Microsoft Exchange Server up until the recent patch. Initially, Microsoft stated this bug was due to a memory corruption vulnerability and could be exploited by a specially crafted email sent to a vulnerable Exchange server. They have since revised their write-up to (correctly) indicate that the vulnerability results from Exchange Server failing to properly create unique cryptographic keys at the time of installation. Experts warn that hackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable in the attempt to exploit the CVE-2020-0688 RCE.

Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info

A vulnerability in some popular WiFi chips present in client devices, routers, and access points, can be leveraged to partially decrypt user communication and expose data in wireless network packets. The flaw received the name Kr00k and was identified in components from Broadcom and Cypress, which are integrated into mobile phones, tablets, laptops, IoT gadgets. Kr00k is now identified as CVE-2019-15126 and affects both WPA2-Personal and WPA2-Enterprise protocols using AES-CCMP encryption for data integrity and confidentiality, the researchers say. It is related to KRACK (Key Reinstallation Attack), a flaw in the 4-way handshake of the WPA2 protocol, discovered by security researchers Mathy Vanhoef and Frank Piessens, and disclosed publicly in October 2017. The 4-way handshake process establishes cryptographic keys for data integrity and confidentiality, one of them being the Pairwise Transient Key (PTK). ESET researchers explain that Kr00k occurs after a disassociation stage, when the TK stored in the WiFi chip is set to zero, a.k.a. Unlike KRACK, which is an attack occurring during the 4-way handshake, Kr00k is a vulnerability that can be leveraged after triggering a disassociation state. An adversary can intercept the data frames remnant in the transmit buffer and decrypt them, potentially capturing sensitive information. Cisco announced that it is working to patch multiple products that are affected by the recently disclosed Kr00k vulnerability in WiFi chips from Broadcom and Cypress.

IoT Insecurity: When Your Vacuum Turns on You

From vacuum cleaners to baby monitors, the IoT landscape continues to be plagued by concerning security issues that lead to privacy threats. Hackable Internet of Things (IoT) devices are on full display this week at the RSA Conference 2020. They include everything from baby monitors to Wi-Fi chips. One such device is a connected vacuum cleaner, the Trifo Ironpie M6. According to researchers with Checkmarx, the vacuum has several high-severity flaws that open the device to remote attacks. Those include a Denial of Service (DoS) attack that bricks the vacuum, to a hack that allows adversaries to peer into private homes via the vacuum's embedded camera. Speaking to Threatpost at RSAC was Erez Yalon with Checkmarx who warns that consumers should re-think buying smart home devices with potentially invasive cameras. He cautions, the IoT marketplace continues to have worrying security issues. The general story here is about consumers deciding to add another camera in the house. The price we pay is privacy, maybe we need to stop and think again.

Don’t try to sanitize input – escape output

Ben Hoyt wrote a blog post advocating for developers not to try to sanitize the inputs, instead they should focus on escaping the output.


Clearview AI Reports Breach of Customer List

Facial recognition company Clearview AI notified customers that an intruder had gained "unauthorized access" to its entire list of customers. Clearview gained widespread attention in recent weeks after a wave of media coverage, starting with The New York Times in January. The company stands out from others due to its use of a database of over 3 billion photos the firm constructed by scraping images from Facebook, Twitter, Instagram, and other social networks and websites. Clearview sells its product to law enforcement clients particularly in the U.S. The company's app allows a customer to point their phone's camera at a subject, or upload a photo into the system. Then, the system provides links to other photos and related social media profiles of the suspected person online. "Security is Clearview's top priority," Tor Ekeland, an attorney for the company said in a statement provided to The Daily Beast. "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security". A BuzzFeed News review of Clearview AI documents has revealed the company is working with more than 2,200 law enforcement agencies, companies, and individuals around the world.

49 Million Unique Emails Exposed Due to Mishandled Credentials

An Israeli marketing firm exposed 49 million unique email addresses after mishandling authentication credentials for an Elasticsearch database, that were sitting in plain text on an unprotected web server. In a vaguely-worded notification, Straffic, a privately-held digital marketing company, informed that the incident was the result of a "security vulnerability" affecting one of its servers. The asset was an Elasticsearch database with 140 GB of contact details consisting of names, phone numbers, and postal addresses. While it was password protected, it appears that the credentials were not properly stored. A researcher with focus on security, 0m3n decided to check the webserver after receiving a link in a spam message. 0m3n told Jeremy Kirk that they discovered a configuration text file (.ENV) file that pointed to an AWS Elasticsearch instance.

SQL Dump from BGR India Shared on Hacker Forum

Hackers are currently sharing SQL databases from unsecured Amazon Simple Storage Service (S3) buckets, one dump belonging to the BGR tech news site in India. With about two million monthly users and over 210,000 followers on Twitter, BGR India is a popular website. Researchers from Under the Breach, a company that monitors the cybercrime space, spotted the BGR data dump, noting that it is a full SQL backup that includes usernames, emails, and passwords.


Nemty Ransomware Actively Distributed via 'Love Letter' Spam

Security researchers have spotted an ongoing malspam campaign using emails disguised as messages from secret lovers to deliver Nemty Ransomware payloads on the computers of potential victims. The spam campaign was identified by both Malwarebytes and X-Force IRIS researchers and has started distributing malicious messages via a persistent stream of emails. What sets this campaign apart from others is that the operators didn't bother composing an enticing email since all these spam messages only contain a wink ;) text emoticon.

FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips

Through the analysis of collected ransomware Bitcoin wallets and ransom notes, the FBI states that victims have paid over $140 million to ransomware operators over the past six years. According to DeCapua between 10/0/1/2013 and 11/07/2019, there have been approximately $144,350,000 in Bitcoins paid to ransomware actors as part of a ransom. When analyzing the ransomware families that the ransoms were paid, Ryuk stood out head and shoulders above the rest with payments totaling $61.26 million. The second-place spot goes to Crysis/Dharma at $24.48 million and then third place is Bitpaymer at $8.04 million. Furthermore, many companies keep ransomware attacks secret to prevent it from impacting stock prices.

DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw

Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the Citrix CVE-2019-19781 vulnerability. Bretagne Télécom is a privately held French cloud hosting and enterprise telecommunications company that provides telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers, operating around 10,000 managed servers. As Bretagne Télécom CEO Nicolas Boittin says, the servers were vulnerable to attacks because there were no patches available yet from Citrix for the CVE-2019-19781 vulnerability when the threat actors managed to drop the DoppelPaymer Ransomware payload on the compromised servers. DoppelPaymer confirmed this information in an email sent to BleepingComputer, saying that the attack took place somewhere at the 1st half of January.

Digital rights

Facebook, Google and Twitter Rebel Against Pakistan's Censorship Rules

When Pakistan's government unveiled some of the world's most sweeping rules on internet censorship this month, global internet companies like Facebook, Google and Twitter were expected to comply or face severe penalties -- including the potential shutdown of their services. Instead, the tech giants banded together and threatened to leave the country and its 70 million internet users in digital darkness. The New York Times: Through a group called the Asia Internet Coalition, they wrote a scathing letter to Pakistan's prime minister, Imran Khan. In it, the companies warned that "the rules as currently written would make it extremely difficult for AIC Members to make their services available to Pakistani users and businesses." Their public rebellion, combined with pressure and lawsuits from local civil libertarians, forced the government to retreat. The law remains on the books, but Pakistani officials pledged this week to review the regulations and undertake an "extensive and broad-based consultation process with all relevant segments of civil society and technology companies." "Because Pakistan does not have any law of data protection, international internet firms are reluctant to comply with the rules," said Usama Khilji, director of Bolo Bhi, an internet rights organization based in Islamabad, the country's capital.

Social media blocked in Turkey as Idlib military crisis escalates

Network data from the NetBlocks internet observatory confirm that Turkey has blocked access to social media following an attack on Turkish troops in Idlib, Syria on Thursday 27 February 2020. Social platforms Twitter, Facebook and Instagram became unreachable at 11:30 p.m. local time (8:30 p.m. UTC) via national provider Turk Telecom (AS9121) and subsequently other leading service providers. The restrictions are technically consistent with techniques used to filter content in Turkey, with SNI and DNS filters in use varying by provider.

Apple subpoenas Santander and US intelligence contractor on use of Corellium

Apple lawyers aren't holding back in trying to learn more about Corellium, the cybersecurity startup it's suing after the latter created tech producing "virtual" or software versions of iPhones for security and functionality testing. In a move that's sure to raise eyebrows, Apple has subpoenaed Santander Bank and the $50 billion-valued intelligence contractor L3Harris Technologies for information on their use of Corellium, Forbes has learned. In both subpoenas, which are not yet publicly available, Apple demands L3Harris subsidiary Azimuth Security and Santander provide data including: all communications between the companies and Corellium, details on how they use the iPhone-virtualizing technology, all internal communications about the use of the tech, all contracts, and all information they have on the startup's co founder Chris Wade.


As Coronavirus Spreads, So Does Covid-19 Themed Malware

Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop Remcos RAT and malware payloads on their targets' computers via malicious files that promise to provide Coronavirus safety measures. Researchers recently spotted a suspicious CoronaVirusSafetyMeasures~pdf~.exe executable. As the research team later discovered, the executable is an obfuscated Remcos RAT dropper that would drop a Remcos RAT executable on the compromised computer, together with a VBS file designed to run the RAT. The malware will also gain persistence on the infected device by adding a Startup Registry key at which allows it to restart itself after the computer is restarted. The stolen information is then exfiltrated to its command and control server.

Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely

The Cerberus banking Trojan has been upgraded with RAT functionality and is now capable of stealing victims' Google Authenticator two-Factor Authentication (2FA) codes used as an extra layer of security when logging into online accounts. This might get app-based 2FA on the same level of security as SMS-based 2FA in the near future seeing that the codes can now be stolen in both cases. The Android malware that was first spotted in June 2019 as a run-of-the-mill banking Trojan now steals Google Authenticator 2FA codes by abusing Android Accessibility privileges. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes. These stolen codes can be used to bypass the additional 2FA security layer on online services such as banks, email services, messaging apps, and social media networks to name just a few. Cerberus' 2FA code theft module is not the first one spotted in the wild so far, with previous cases of malware capable of this stunt being discovered by ESET and Symantec. Also worth noting, the Google Authentication App hasn't been updated since September 2017, so using other alternatives to generate TOTP codes should be used.

Norton LifeLock Phishing Scam Installs Remote Access Trojan

Cybercriminals behind a recently observed phishing campaign used a clever ruse in the form of a bogus NortonLifelock document to fool victims into installing a Remote Access Tool (RAT) that is typically used for legitimate purposes. The malicious activity has the hallmarks of a seasoned threat actor familiar with evasion techniques and offensive security frameworks that help install the payload. The infection chain starts with a Microsoft Word document laced with malicious macro code. The threat actor relied on a creative tactic to entice victims into enabling macros, which are disabled by default across the Office suite. Security researchers from Unit 42, Palo Alto Networks' threat intelligence team, found that the password dialog box accepts only the upper/lowercase letter 'C'. If the user provides the correct input, the macro keeps executing and builds a command string that ultimately installs NetSupport Manager, a legitimate remote control software. However, this procedure occurs only when the request has the user-agent string 'Windows Installer,' which is part of the 'msiexec' command. It is used for persistence, its role is that of a backup solution for installing the NetSupport Manager remote access tool.

Roaming Mantis, part V

Kaspersky has continued to track the Roaming Mantis campaign. The group's attack methods have improved and new targets continuously added in order to steal more funds. The attackers' focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis environment detection and so on. The Roaming Mantis actor is strongly motivated by financial gain and is eager to evade tracking by researchers. It is now employing yet another method -- whitelisting -- to achieve this. This new method is currently only being applied for Korean pages, but it's only a matter of time before it's implemented for other languages. The actor is still very active in using SMiShing for Android malware distribution. This is particularly alarming, because it means all infected mobile devices could form a botnet for malware delivery, SMiShing, and so on.

CPR evasion encyclopedia: The Check Point evasion repository

This encyclopedia attempts to gather all the known ways to detect virtualized environment grouping them into big categories. Within each category the reader will find the description of the technique, code sample showing its usage, signature recommendations to track attempts to apply this technique, table with breakdown of which particular environments are detected with the help of certain constants and possible countermeasures.

Data on Detection of Malicious Documents in Gmail are impressive

Google revealed that the enhancements to its scanning system implemented in Gmail are boosting its detection capabilities. Google announced that the new scanning capabilities implemented in Gmail have increased the detection rate of malicious documents. The figures revealed by Google are awesome, the company declared that its malware scanner processes more than 300 billion attachments each week. According to Google, since the end of 2019, the use of the new scanners allowed to increase the daily detection of weaponized Office documents by 10%.

Microsoft Edge Now Lets You Block Potentially Unwanted Programs

Microsoft announced that starting with Microsoft Edge 80.0.338.0 users will be able to have Potentially Unwanted Applications (PUAs) automatically blocked from downloading. PUAs are software that degrades the overall Windows experience after being installed. As we previously reported, Redmond started testing this new feature designed to block PUAs from being downloaded by the Chromium-based Microsoft Edge Canary build in September 2019. Once toggled on, downloads detected as PUAs by Microsoft Edge will be automatically blocked and the web browser will show an "ExampleApp.exe has been blocked as a potentially unwanted app by Microsoft Defender SmartScreen" message in the bottom downloads bar.

Revealing the Trick | A Deep Dive into TrickLoader Obfuscation

SentinelLabs wrote a blog post detailing the TrickLoader obfuscation techniques.


Schools Are Pushing the Boundaries of Surveillance Technologies

A school district in New York recently adopted facial recognition technology to monitor students, and it is now one of a growing number of schools across the country conducting mass privacy violations of kids in the name of "safety." The invasive use of surveillance technologies in schools has grown exponentially, often without oversight or recourse for concerned students or their parents. Not only that, but schools are experimenting with the very same surveillance technologies that totalitarian governments use to surveil and abuse the rights of their citizens everywhere: online, offline, and on their phones. Schools are also watching students online, and on their phones. Social media monitoring company Social Sentinel offers software to monitor students' social media accounts, not unlike what the Department of Homeland Security regularly does to immigrants and Americans. Qustodio, one of many companies marketing to both schools and parents, earnestly encourages parents to "monitor your kid's Internet use NSA-style.

How Ring Could Really Protect Its Users: Encrypt Footage End-To-End

EFF recommends Ring to encrypt the footage end-to-end and for Ring to implement measures that require warrants to be issued directly to device owners in order for law enforcement to gain access to footage