Joker Malware Hits 500000 Downloads On Google Play

Joker Malware, the bane of Google Play, has resurfaced on the app store disguised as an application called Color Message. The app was downloaded more than 500,000 times before Google removed it.

Users are advised to delete Color Message immediately, researchers at Pradeo Security warned.

Joker Malware is a persistent threat that’s been active on Google Play since 2017. The malware is known to hide inside what appear to be legitimate applications such as games, messengers, photo editors, translators, and wallpapers, many of them aimed at children.

When installed, Joker Malware subscribes the victim to unwanted, paid services that are controlled by hackers. This type of billing fraud is known as ‘fleeceware’.

The victim is often in the dark until they see their mobile bill.

Color Message purported to offer the ability to jazz up messaging with a range of fun emojis and screen overlays.

Joker Malware apps are most often found outside the Google Play store, but the threat actors behind it often find ways to get around Google’s protections and into the store. One of the ways this is achieved is by keeping the code lightweight and constantly tinkering with it.

“By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” according to Pradeo.

The most recent version of the malware also takes advantage of a legitimate developer tool called Flutter to evade both device-based security and app-store protections, Zimperium recently found.

Flutter is an open-source app development kit designed by Google that allows developers to craft native apps for mobile, web and desktop from a single codebase. The use of Flutter to code mobile applications is a common approach, and one that traditional scanners see as benign, researchers said.

“Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained Zimperium researchers in an analysis published in July.

Due to techniques like these, there are often large-scale infestations of Joker Malware on Google Play. Last July, SaferNet reported on one such onslaught of malware onto the Play store.

Joker Malware Analysis

Note: This analysis of Joker Malware was carried out by CSIS Techblog.

In most of the apps the developers have inserted the Joker Malware initialization component into one or another advertisement framework. The little package of malicious code typically consists of:

  • Target country checking via MCC
  • Minimum C&C communication — just enough to report the infection and receive the encrypted configuration
  • DEX decryption & loading
  • A notification listener — when a new SMS message arrives, this listener captures it and sends out a broadcast for the Core (second stage) component to pick up.

Often, an app would contain a so-called “Splash” screen — an activity, which displays the app’s logo, while performing various initialization processes in the background. Some of the Joker apps use such activity for initialization as well.

The Joker Malware employs custom string obfuscation schemes for all of its configuration, payload and communication parsing procedures. The code listing below displays an example of an obfuscated MCC code list (DEFAULT_COUNTRY_ISO), separated by the underscore symbol.

After the initialization is done, the malware will download an obfuscated and AES-encrypted configuration from the payload distribution C&C server. Joker Malware composes the AES key for the configuration string decryption using yet another string scheme, which would concatenate the app’s package name with MCC code string and shuffle the symbols around in a specific way.

The configuration string above contains the necessary information about the second stage code, the core component of the Joker. Split by a 3-symbol delimiter, the configuration string contains (in order):

1. The URL for the Joker Core DEX file — this file is obfuscated
2. The de-obfuscation “keys” — indexes of the obfuscated read buffer
3. The initialization class name — the class, which implements the initialization method
4. The initialization method name — which method to call upon loading
5. The C&C URL
6. The campaign tag

The Loader downloads the DEX and starts the de-obfuscation routine, which reads the DEX file into a buffer 128 bytes at a time. The de-obfuscation “keys” are positional indexes into this buffer: on each iteration, the routine copies only the bytes of the obfuscated buffer that lie between these positions into an output file, producing a valid DEX file in the end.
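As an added example (not code from CSIS Techblog or from the malware itself), here is an analyst-side reconstruction in Python of the two parsing steps just described: splitting the decrypted configuration into its six fields, and recovering the DEX from the obfuscated download by keeping only the bytes between the two key positions of each 128-byte buffer. The 3-symbol delimiter and the 128-byte buffer come from the text; the "start,end" key encoding, the unpadded final buffer and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass

BUFFER_SIZE = 128          # the loader reads the downloaded file 128 bytes at a time
DEX_MAGIC = b"dex\n"       # every valid DEX file starts with this magic


@dataclass
class JokerConfig:
    dex_url: str
    keys: tuple            # (start, end) positional indexes into each 128-byte buffer
    init_class: str
    init_method: str
    c2_url: str
    campaign: str


def parse_config(config: str, delimiter: str) -> JokerConfig:
    """Split a decrypted configuration string into the six ordered fields listed above.

    The 3-symbol delimiter is stated in the text; that the keys are encoded as
    "start,end" is an assumption made for this example.
    """
    if len(delimiter) != 3:
        raise ValueError("the configuration is split by a 3-symbol delimiter")
    fields = config.split(delimiter)
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    dex_url, key_str, init_class, init_method, c2_url, campaign = fields
    start, end = (int(k) for k in key_str.split(","))
    if not 0 <= start < end <= BUFFER_SIZE:
        raise ValueError("keys must address positions inside the 128-byte buffer")
    return JokerConfig(dex_url, (start, end), init_class, init_method, c2_url, campaign)


def deobfuscate_dex(blob: bytes, keys: tuple) -> bytes:
    """Keep only bytes [start:end) of every 128-byte buffer, as the loader does.

    A short final buffer is handled by plain slicing: it contributes whatever
    bytes exist between the two positions.
    """
    start, end = keys
    recovered = bytearray()
    for offset in range(0, len(blob), BUFFER_SIZE):
        buffer = blob[offset:offset + BUFFER_SIZE]
        recovered += buffer[start:end]
    return bytes(recovered)


def looks_like_dex(data: bytes) -> bool:
    """Cheap sanity check an analyst would run on the recovered file."""
    return data.startswith(DEX_MAGIC)


# ---- constructed sample input (placeholder values, not real Joker data) ----
SAMPLE_KEYS = (16, 80)
SAMPLE_CONFIG = (
    "hxxp://payload.example.invalid/core.bin###16,80###com.example.Init"
    "###start###hxxp://c2.example.invalid/api###campaign-placeholder"
)
# A stand-in "DEX": the real magic followed by filler bytes, 158 bytes in total.
SAMPLE_PAYLOAD = DEX_MAGIC + b"035\x00" + bytes(range(150))


def build_obfuscated_sample(payload: bytes, keys: tuple) -> bytes:
    """Inverse of deobfuscate_dex, used only to construct test input: each 128-byte
    buffer is filler with a payload slice placed between the key positions.
    Whether the real format pads its final buffer is unknown; this sample does not.
    """
    start, end = keys
    width = end - start
    out = bytearray()
    for i in range(0, len(payload), width):
        piece = payload[i:i + width]
        buffer = b"\xaa" * start + piece
        if len(piece) == width:                      # full buffer: pad to 128 bytes
            buffer += b"\x55" * (BUFFER_SIZE - len(buffer))
        out += buffer
    return bytes(out)


SAMPLE_BLOB = build_obfuscated_sample(SAMPLE_PAYLOAD, SAMPLE_KEYS)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG, "###")
    dex = deobfuscate_dex(SAMPLE_BLOB, cfg.keys)
    print(cfg)
    print(f"recovered {len(dex)} bytes, valid DEX magic: {looks_like_dex(dex)}")
```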

This Joker malware kit stands out as a small and silent one: it uses as little Java code as possible and thus leaves as small a footprint as possible. After all of the Loader’s MCC checks and payload loading, the Core component begins its work.

It is designed in a job-scheduler fashion, meaning that it periodically requests new commands from the C&C server. When commands are found, it executes them in strict order and then reports the results, depending on the type of the given task. The figure below is an example of a command (truncated).

When Joker Malware receives such a message, it opens the offer URL, injects the JavaScript commands one by one and waits for an authorization SMS (if any). When the SMS message arrives, the malware extracts the authorization code using case-specific regular expressions. In other cases, it simply sends an SMS message to a premium number with a specific code from the offer page.

Whenever the Joker malware extracts a code from an SMS message, it also reports it to the C&C after the job is complete. Hypothetically, the botnet operator can craft a job that would result in all incoming SMS messages being stolen.

The final important thing worth mentioning about the Joker Malware is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C&C in an encrypted form:

A total of 12 unique builds of the second stage payload were observed among the 24 infected apps. The version names come from the payload URLs and data inside the sample’s configuration class:

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked. Try SaferNet Now!

Flagpro Malware Linked To Chinese State-Sponsored Hackers

Flagpro Malware is being used against Japanese companies by the cyber-espionage hacker group BlackTech. BlackTech uses Flagpro Malware in the initial stage of an attack to conduct network reconnaissance. Using Flagpro Malware in this way, BlackTech aims to evaluate the target’s environment and download additional malware to the network.

The attack vector starts with a phishing email written specifically for the target organization, pretending to be from a trustworthy source.

The email carries a password-protected ZIP or RAR attachment that contains a Microsoft Excel file (.XLSM) laced with a malicious macro. Running this code creates an executable, the Flagpro Malware, in the startup directory.

On its first execution, Flagpro Malware connects to the C2 server via HTTP and sends system ID details obtained by running hardcoded OS commands.

In response, the C2 can send back additional commands or a second-stage payload that Flagpro can execute.

The communication between the two is encoded with Base64, and there’s also a configurable time delay between connections to avoid creating a pattern of identifiable operations.

According to a report by NTT Security, Flagpro Malware has been deployed against Japanese firms for more than a year, since at least October 2020. The most recent sample the researchers could retrieve is from July 2021.

The targeted entities are from various sectors, including defense technologies, media, and communications.

NTT researchers noticed a new version of Flagpro Malware, which can automatically close dialogs relevant to establishing external connections that could reveal its presence to the victim.

“In the implementation of Flagpro v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog,” explains the NTT Security report.

“This handling also works when the dialog is written in Chinese or English. It indicates the targets are in Japan, Taiwan, and English-speaking countries.”

BlackTech were first spotted in 2017, and are believed to be State-Sponsored Hackers operating from China.

Its typical targets are in Taiwan, although it has occasionally attacked companies in Japan and Hong Kong to steal technology.

In February 2021, a Unit 42 report connected BlackTech to WaterBear; another cyber-espionage group believed to be backed by the Chinese government.

As an APT, BlackTech possesses the knowledge and sophistication to adjust its tools to new reports like this one, so Flagpro Malware will likely now be modified for stealthier deployment.

As the NTT report concludes: “Recently, they (BlackTech) have started using other new malware called “SelfMake Loader” and “Spider RAT”. It means that they are actively developing new malware.”

Hackers Abusing Server Module To Steal Microsoft Exchange Credentials

Hackers are using an Internet Information Services (IIS) web server module dubbed “Owowa” on Microsoft Exchange servers that expose Outlook Web Access, with the aim of stealing credentials and enabling remote code execution.

“Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),” Kaspersky researchers Paul Rascagneres and Pierre Delcher said. “When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.”

The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, Slovak cybersecurity company ESET’s study of the IIS landscape revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised computers.

As a persistent component on the compromised system, Owowa is engineered to capture the credentials of users who successfully authenticate on the OWA login page. The operator can then interact with it by sending “seemingly innocuous requests” to the exposed web services, entering specifically crafted commands in the username and password fields of the OWA login page of a compromised server.

Specifically, if the OWA username is “jFuLIXpzRdateYHoVwMlfc,” Owowa responds with the encrypted credentials. If the username, on the other hand, is “dEUM3jZXaDiob8BrqSy2PQO1”, the PowerShell command typed in the OWA password field is executed, and the results are sent back to the attacker.

The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that primarily belong to government organizations, with the exception of one server that’s attached to a government-owned transportation company. That said, additional organizations in Europe are believed to have been victimized by the actor as well.

Although no links have been unearthed between the Owowa operators and other publicly documented hacking groups, a username “S3crt” (read “secret”) that was found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Chief among them are a number of binaries designed to execute an embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.

Kaspersky’s Global Research and Analysis Team (GReAT) also said it identified an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, in addition to demonstrating an interest in the latter on RAIDForums.

“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts,” Rascagneres and Delcher said. “The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.”

Protection Against Hackers

There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

Cuban ransomware has breached 49 US infrastructure organizations

The Federal Bureau of Investigation (FBI) has disclosed that a Cuban ransomware gang has breached 49 organizations from US critical infrastructure sectors.

“The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors,” the federal law enforcement agency said.

The FBI also added that this ransomware group had made over $40 million since it started targeting US companies.

Cuba ransomware is delivered on victims’ networks through the Hancitor malware downloader, which allows the ransomware gang to gain easier access to previously compromised corporate networks.

Hancitor (Chancitor) is known for delivering information stealers, Remote Access Trojans (RATs), and other types of ransomware.

Zscaler spotted it distributing the Vawtrak information-stealing trojan. Since then, it has switched to password-stealers, including Pony and Ficker, and, more recently, Cobalt Strike.

For the initial compromise of victims’ systems, Hancitor uses phishing emails and stolen credentials, exploits Microsoft Exchange vulnerabilities, or breaks in via Remote Desktop Protocol (RDP) tools.

Once inside, using the access provided by Hancitor, Cuba ransomware operators use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to deploy their ransomware payloads remotely and encrypt files, appending the “.cuba” extension.

In the flash alert, the FBI also asked systems admins and security professionals who detect Cuba ransomware activity within their enterprise networks to share any related information they have with their local FBI Cyber Squad.

Useful information that can be shared to help identify the attackers behind this ransomware gang includes “boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”

Northern Europe Faces Flurry Of Flubot Banking Trojan Attacks

The Flubot banking trojan is actively attacking countries in Northern Europe, spreading via Android phones that are sending millions of malicious text messages. The attacks are mostly occurring in Finland.

Last week, the National Cyber Security Centre (NCSC-FI) at the Finnish Transport and Communications Agency disclosed a “severe” alert about rising Flubot malware infections.

Once Flubot is deployed on a phone, it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and extracting various pieces of personal information. It also self-replicates by sending out additional text messages from the infected host. Just like the regular flu, Flubot relies on this mechanism to go “viral”.

“An Android malware called Flubot is being spread by SMS. According to our current estimate, tens of thousands of messages have been sent to people in Finland during one day. We expect the amount to increase in the coming days and weeks,” said Aino-Maria Väyrynen, information security adviser at the NCSC-FI, in the alert.

As Väyrynen predicted, the campaign did grow in numbers. An article published by Bloomberg on Tuesday quoted Väyrynen as saying the daily messages were now in the millions.

The country’s biggest telecom companies told the news outlet that they’ve intercepted hundreds of thousands of messages. Teemu Makela, CISO at Elisa Oyj, called the attack “extremely exceptional and very worrying.”

The NCSC-FI’s advisory said that the malware is targeting “everyone using an Android device and a mobile subscription,” while iPhones and other devices “are directed to other fraudulent material on the website.”

The malicious texts tell targets they’ve received a voicemail or a message from their mobile operator; however, the link they contain is malicious.

The link won’t install Flubot right away; instead, targets are prompted to grant voicemail permissions, which is actually a front for the malware installation. Once installed, Flubot goes about its business.

There are telltale red flags: The messages “are often written without Scandinavian letters (å, ä and ö) and may contain the characters +, /, &, % and @ in random and illogical places in the text,” the advisory explained.

Finnish authorities shared examples of the messages, as well as the malware’s installation request, both of which are shown below.
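The red flags the advisory lists (no Scandinavian letters, stray +, /, &, % and @ characters inside words, a voicemail or operator lure with a link) can be turned into a simple filter for a messaging gateway or help desk triage. The following Python is an added example, not NCSC-FI’s or any operator’s code; the lure vocabulary, the alert threshold and the sample messages are assumptions constructed for it.

```python
import re

# Letters the advisory says the fraudulent messages usually lack
SCANDINAVIAN_LETTERS = set("åäöÅÄÖ")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# One of the advisory's listed characters sandwiched between two letters,
# i.e. in a place where normal text never puts it
ODD_CHAR_RE = re.compile(r"[A-Za-zÀ-ÿ][+/&%@][A-Za-zÀ-ÿ]")
# Assumed lure vocabulary (voicemail / operator message), in Finnish and English
LURE_RE = re.compile(r"ääniviest|aaniviest|voicemail|operaattori|operator", re.I)


def flubot_indicators(text: str) -> list:
    """Return the red flags found in one SMS, in a fixed order."""
    reasons = []
    body = URL_RE.sub(" ", text)          # judge the wording without the link itself
    if URL_RE.search(text):
        reasons.append("contains link")
    lure = LURE_RE.search(body) is not None
    if lure:
        reasons.append("voicemail/operator lure")
    if ODD_CHAR_RE.search(body):
        reasons.append("punctuation inside words")
    if lure and not (SCANDINAVIAN_LETTERS & set(body)):
        reasons.append("Finnish lure written without å/ä/ö")
    return reasons


def is_suspicious(text: str) -> bool:
    """The advisory ties the harm to the link, so a link plus at least one other
    red flag is the alert condition used here (an assumption of this example)."""
    reasons = flubot_indicators(text)
    return "contains link" in reasons and len(reasons) >= 2


# Constructed sample messages (not real campaign texts)
SAMPLES = {
    "lure_no_diacritics": "Sinulle on uusi aaniviesti. Kuuntele: http://voice.example.invalid/u7",
    "odd_chars": "Operaattorisi vie%sti odot&taa sinua: www.example.invalid/msg",
    "friend": "Hei! Nähdään huomenna kahvilla klo 10",
    "legit_operator": "Sinulle on uusi ääniviesti operaattoriltasi.",
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        print(f"{name:20} suspicious={is_suspicious(sms)!s:5} {flubot_indicators(sms)}")
```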

This is the second campaign in which Flubot recorded heavy infections across Finland. It first appeared in June 2021, and persisted into August. The ploy of the earlier campaign involved trying to trick the user into clicking a link concerning a missed package delivery.

That time, thanks to cooperation between the authorities and telecoms, the NCSC-FI said that the country managed to eliminate Flubot “almost completely.”

Atti Turnun, fraud manager with Telia, told Bloomberg that this time the infection is far worse. The new wave shows that the Flubot operators have mutated their malware to hook its tentacles into victims regardless of the control measures put in place to eradicate the summer Flubot campaign, the security center said.

Hank Schless, senior manager of security solutions at Lookout, spoke to reporters with Threatpost and said that Finland’s plight is an example of “the problems that the malware-as-a-service (MaaS) market creates for consumers and enterprises alike.”

This market has made malware and phishing kits “incredibly accessible for even the least skilled threat actors,” he said. “Usually, for a very small price, someone can go online and find one of these kits fully built and ready to be used. Once they acquire the kit, all the attacker needs to do is host it on a web domain then build a delivery mechanism. Most frequently, this mechanism is some form of message targeting mobile users because of the number of ways you can deliver a message to these devices via SMS, email, social media platforms, third party messaging apps, gaming and even dating apps.”

The only difference between Finland’s earlier Flubot campaign and this one is the social-engineering hook, he noted, a sign of how “socially engineered phishing attacks can continue to be effective over time.”

Phishing has become “the most concerning issue for every enterprise,” Schless observed. “Threat actors not only use it to steal login credentials, but deliver malware to devices and infrastructure as well. Lookout data shows that threat actors heavily target users through mobile channels such as SMS, social media platforms, third party messaging apps, gaming and even dating apps.”

“Once the attacker has those compromised credentials, they’re free to log in to any corporate app and move laterally through the infrastructure,” Schless continued. “This could lead to them exfiltrating or encrypting data for an eventual ransomware attack.”

Schless concluded by stating that intelligence was “king” when it came to protecting against any attacks, but especially ones like Flubot.

“Solutions backed by datasets with enough threat telemetry are the only way to detect and protect against these attacks before they can even reach the end user,” he said. “Since these campaigns typically run for a short amount of time, traditional security solutions will be too slow on the uptake. Pushing automated coverage against attacks like this as the malicious page when it’s being built, is the only way to mitigate the gap in protection.”

NCSC-FI offered advice on what to do in the case of a Flubot infection on your device. The principal recommendation is to perform a factory reset.

However, in case the Flubot banking trojan has deeply infected a user’s device and attacked banking apps, the NCSC-FI advises the following:

  • If you used a banking application or handled credit card information on the infected device, contact your bank.
  • Report any financial losses to the police.
  • Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after you installed the malware.
  • Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spreads by sending text messages from infected devices.

IKEA Battles On-Going Phishing Attack

IKEA has been caught in the middle of a destructive phishing campaign, where hackers are targeting employees in internal phishing attacks which make use of stolen reply-chain emails. A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients’ devices.

Because reply-chain emails are legitimate emails from a company, recipients are far more likely to trust the sender and to open any attached malicious documents. It is by far the most effective method of phishing.

Internal emails, seen by reporters at BleepingComputer, show that IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.

“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” explained an internal email sent to IKEA employees.

“This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious.”

The IT teams at IKEA warn employees that the phishing emails contain links ending in seven digits and share an example email, as shown below. In addition, employees are told not to open the emails, regardless of who sent them, and to report them to the IT department immediately.

Recipients are also told to notify the sender of the emails via Microsoft Teams chat so that the emails can be reported.

“Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” IKEA communicated to employees.

From the URLs which were redacted above, reporters have been able to identify the nature of the phishing attacks targeting IKEA.

Visiting these URLs, a browser will be redirected to a download called ‘charts.zip’ that contains a malicious Excel document. This attachment tells recipients to click the ‘Enable Content’ or ‘Enable Editing’ buttons to properly view it, as shown below.

When the buttons on the document are clicked, malicious macros will force a download of files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote site and save them to the C:\Datop folder.

These OCX files are renamed DLLs that are executed using the regsvr32.exe command to install the malware payload.
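For defenders, the chain described above (an Excel macro drops .ocx files into C:\Datop and runs them with regsvr32.exe) is a concrete detection opportunity. The following Python is an added example, not IKEA’s or BleepingComputer’s code: it runs one rule over constructed Sysmon-style process-creation records; treating Word and PowerPoint parents like Excel, and the trusted-directory list, are assumptions made for this example.

```python
import re

# Excel is the parent the page describes; Word and PowerPoint are added by assumption
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DROP_DIR_RE = re.compile(r"c:\\datop\\", re.I)            # the campaign's drop folder
MODULE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.ocx)', re.I)
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")  # assumed legitimate locations

STRONG = {"regsvr32 spawned by an Office application", "module loaded from the Datop drop folder"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the indicators one process-creation record matches (empty if none)."""
    if _basename(event["Image"]) != "regsvr32.exe":
        return []
    reasons = []
    if _basename(event["ParentImage"]) in OFFICE_PARENTS:
        reasons.append("regsvr32 spawned by an Office application")
    cmd = event["CommandLine"]
    if DROP_DIR_RE.search(cmd):
        reasons.append("module loaded from the Datop drop folder")
    m = MODULE_PATH_RE.search(cmd)
    if m and not m.group(1).lower().startswith(TRUSTED_PREFIXES):
        reasons.append(".ocx registered from an untrusted directory")
    return reasons


def alerts(events) -> list:
    """Indices of records that hit at least one strong indicator."""
    return [i for i, e in enumerate(events) if STRONG & set(classify(e))]


# Constructed Sysmon-style (Event ID 1) records, not real IKEA telemetry
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Datop\besta.ocx"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Datop\bestc.ocx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, classify(e))
    print("alerts:", alerts(SAMPLE_EVENTS))
```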

Campaigns using this method have been seen installing the Qbot trojan (aka QakBot and Quakbot) and possibly Emotet.

The Qbot and Emotet trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.

Due to the severity of these infections and the likely compromise of their Microsoft Exchange servers, IKEA is treating this security incident as a significant cyberattack that could potentially lead to a far more disruptive attack.

Protection Against Phishing

There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Iranian Airline Struck By Cyberattack

Mahan Air, one of Iran’s largest airlines, has been hit by a cyberattack. The cyberattack took operations offline and led to a possible data breach or data loss.

The firm announced the cyberattack on Twitter, though dealing with hackers is not uncommon for Mahan Air’s IT security teams.

Customers are unable to access the airline’s website to book flights, but all international and domestic flights are running as usual without delays.

Moreover, the company claims that the attack has been thwarted successfully and in a short time, downplaying its significance and disregarding any real impact.

“Following the news of the cyberattack on the systems of Mahan Airlines, it is reported that due to the position of Mahan Airlines in the country’s aviation industry, such attacks have been carried out against this company many times and at different times, so that they may be damaged,” reads the translated tweet by Mahan airlines.


“This is considered a normal occurrence and Mahan Cyber Security Team has always acted intelligently and in a timely manner and has thwarted these attacks. Therefore, it hereby announces that all Mahan flights will be operated according to the schedule and future flights will be operated according to the previous schedule.”

Mahan Air was added to the US sanctions list in 2011 for supporting members of Iran’s Islamic Revolutionary Guard Corps (IRGC).

In 2019, the US Treasury published a statement on Mahan Air’s operation, detailing the following:

“Mahan Air has transported IRGC-QF operatives, weapons, equipment, and funds abroad in support of the IRGC-QF’s regional operations, and has also moved weapons and personnel for Hizballah.”

“Since the onset of the Syrian civil war, Mahan Air has routinely flown fighters and materiel to Syria to prop up the Assad regime, which has contributed to mass atrocities and displacement of civilians.”

Although Mahan’s operations oppose American strategic interests, which led to actual military action in July 2020, the hackers responsible for the most recent incident don’t seem to be Americans.

The group that took responsibility for the cyberattack is ‘Hooshyarane Vatan,’ which sees the IRGC as its enemy and says it fights for the rights of the Ahwaz (Iranian Arab) minority.

The group claims to have stolen confidential documents that expose how the airline has worked with the IRGC and has threatened to publish names, numbers, and proof of Mahan’s activities.

“Hacking Mahan Airlines is the first step of a program to stop the looting and encroachments of the corrupt corps on the city and the people of Ahvaz and Khuzestan. With the confidential documents we have obtained from the internal network of Mahan Airlines, we will prove our claim of Mahan complicity in the criminal activities of the IRGC, and we will also show that the Quds force is looting the money and resources of the people and the country of Iran among insurgent groups,” reads a translated text from the alleged hackers.

“And the foreign militia squanders money and at the same time uses the same oppressed people as cover for the air transport of weapons, equipment and ammunition.”


As the actors wrote on their Telegram channel, they have proof of the airline hiding military shipments in civilian flights to secure them from attacks.

This reporting culminated with the indictment of two Iranian cyber-actors who attempted to influence American voters between September and November 2020, promoting false information under the guise of the ‘Proud Boys’.

Both of the identified actors allegedly worked for a cybersecurity company that provided services to the Iranian government.


TSA Phishing and Scam Sites Take Aim At US Travelers

There has been a swift uptick in reports of phishing and scams related to TSA PreCheck, Global Entry, and NEXUS application service sites, in which customers are being charged $140 to receive nothing in return.

Initial reports appeared in March 2021, and by July threat actors were abusing Google Ads to promote fake TSA websites in Google search results to drive traffic to them.

A recent report by Abnormal Security confirms that the scam sites and phishing activities are still ongoing, and indeed increasing as the Christmas travel season approaches.

TSA PreCheck is a program that allows people to pass through a quicker and easier screening process at the airport.

People who enroll in the program receive a background check once and can then travel across the US without removing personal items or going through vigorous checks each time they fly.

Especially during the pandemic, when people seek to spend the minimum amount of time in crowded places, there’s an increasing number of travelers who sign up for this program.

TSA PreCheck membership needs to be renewed every five years, which costs members $70 (down from $85).

Threat actors are sending phishing emails informing individuals that their TSA PreCheck membership has expired, and attempting to convince them to renew by following an embedded URL.


These emails take the victim to fake renewal sites that were made to appear legitimate and also use convincing domain names such as:

  • airportprescreen[.]com
  • airportprescreening[.]com
  • applyfornexuscard[.]com
  • assist-gov[.]com
  • applyglobaltraveler[.]com
  • easynexusapplication[.]com
  • fastpassapplication[.]com
  • lowrisktraveler[.]com
  • immigrationvisaforms[.]com
  • travelauthorizationusa[.]com

Using a top-level domain such as ‘.com’ adds a sense of legitimacy to unsuspecting targets, increasing the chance of scamming a target.


Many of the phishing/scam sites seen by Abnormal Security include an interesting disclaimer, which states buyers don’t have a guaranteed chance of success with the renewal.

“We are not the United States government or associated with it. There are no guarantees you will be granted a known traveler number by the government. We try to make sure everything is submitted correctly to eliminate rejections from submission errors.”

This may be missed easily, given that people generally don’t read service disclaimers. However, the fact that PayPal is the only available payment method should tip individuals off that the site is not legitimate.

The regular fee is $70, while the threat actors list their price at $139.99.


Abnormal Security recommends that individuals who wish to renew a TSA PreCheck, Clear, or Global Entry membership should not search for the renewal page on Google, as it is likely they will encounter a bogus ad.

Instead, visit the Department of Homeland Security’s Trusted Traveler Programs page, which contains the legitimate URLs for all available travel programs.
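The domain list above is defanged with ‘[.]’, as indicator feeds usually are. As an added example that is not part of Abnormal Security’s report or the original article, the following Python snippet refangs those domains and triages every link in a suspected renewal email: a link whose registrable domain is on the list is marked as a known scam, a link on a .gov host is treated as a government site, and everything else is untrusted. The sample email is constructed, ttp.dhs.gov is used as the assumed legitimate Trusted Traveler Programs host, and the two-label registrable-domain rule is a simplification that does not handle every public suffix.

```python
"""Triage links in a suspected TSA PreCheck renewal email against the scam
domains reported above. Added example; sample email and host rules are
assumptions for illustration."""
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the article.
SCAM_DOMAINS_DEFANGED = [
    "airportprescreen[.]com",
    "airportprescreening[.]com",
    "applyfornexuscard[.]com",
    "assist-gov[.]com",
    "applyglobaltraveler[.]com",
    "easynexusapplication[.]com",
    "fastpassapplication[.]com",
    "lowrisktraveler[.]com",
    "immigrationvisaforms[.]com",
    "travelauthorizationusa[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


SCAM_DOMAINS = {refang(d) for d in SCAM_DOMAINS_DEFANGED}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com/.gov; a real deployment
    would use a public-suffix list to handle co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """known-scam / government / untrusted for one URL (scheme optional)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # hostname drops any 'user@' decoy prefix
    if registrable_domain(host) in SCAM_DOMAINS:
        return "known-scam"
    if host.endswith(".gov"):            # assumption: only .gov hosts are legitimate here
        return "government"
    return "untrusted"


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_email(body: str) -> dict:
    """Map every URL found in the message body to its verdict."""
    return {u: classify_url(u) for u in URL_RE.findall(body)}


# Constructed sample message: a subdomain of a listed scam domain, a
# 'tsa.gov@' decoy in front of another listed domain, and the assumed real site.
SAMPLE_EMAIL = (
    "Your TSA PreCheck membership expires in 7 days.\n"
    "Renew now: https://renew.airportprescreen.com/precheck?id=1234\n"
    "Or via our partner: https://tsa.gov@assist-gov.com/apply\n"
    "Official program information: https://ttp.dhs.gov/\n"
)

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:11} {url}")
```

The userinfo trick in the second sample link (a trusted-looking name before ‘@’) is why the check uses the parsed hostname rather than a substring search for ‘tsa.gov’.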

Protection Against Phishing

Attacks like the Conti Ransomware campaign show that cyberattacks are increasing at an exponential rate, and both government and business leaders are underprepared to face the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.


Accenture Discloses Data Breach After LockBit Ransomware Attack

IT consultancy giant Accenture has confirmed that the LockBit Ransomware gang made off with data during an attack that hit its systems in August. The details of the heist were revealed in the company’s financial report for the fourth quarter and full fiscal year, which ended on August 31, 2021.

“In the past, we have experienced, and in the future, we may again experience, data security incidents resulting from unauthorized access to our and our service providers’ systems and unauthorized acquisition of our data and our clients’ data including inadvertent disclosure, misconfiguration of systems, phishing ransomware or malware attacks,” Accenture said.

“During the fourth quarter of fiscal 2021, we identified irregular activity in one of our environments, which included the extraction of proprietary information by a third party, some of which was made available to the public by the third party.

“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.”

The LockBit Ransomware gang claimed that they stole 6TB of data from Accenture, after which they demanded a $50 million ransom.

Although Accenture has mentioned the attack within SEC filings and filed data breach notification letters, the company has yet to make a public statement of the LockBit Ransomware attack or acknowledge it in any other manner.

This likely means that the stolen data didn’t contain any personally identifiable information (PII) or protected health information (PHI) data which would’ve triggered regulatory notification requirements.

At the time of the LockBit Ransomware attack, Accenture managed to restore all affected systems from backups, with little impact on business operations.

In September, the company denied claims made by the LockBit gang that they also stole credentials belonging to Accenture customers that would enable them to compromise their networks.

“We have completed a thorough forensic review of documents on the attacked Accenture systems. This [LockBit’s] claim is false,” Accenture told researchers at BleepingComputer, denying that customer credentials were stolen in the August ransomware attack.

“As we have stated, there was no impact on Accenture’s operations, or on our client’s systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”

Accenture is a Fortune 500 company and one of the world’s largest IT services and consulting firms with more than 624,000 employees across 120 countries, providing services to a wide array of industry sectors, including banks, government, technology, energy, telecoms, and more.

LockBit Ransomware Analysis

NOTE: This analysis of LockBit Ransomware was carried out by McAfee.

The file found in the investigation of LockBit Ransomware was a dropper renamed as a .png file. When first opening the .png file, we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled in Microsoft Visual C# v7.0 / Basic .NET (a .NET executable).

Entropy-wise, it is tidy too, not showing any stray sections or big spikes in the graph. This behavior indicates that the writer of LockBit Ransomware did not use obfuscation.

This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

  • NtUnmapViewOfSection: LockBit Ransomware uses this API in order to unmap the original code in execution
  • NtWriteVirtualMemory: the malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
  • VirtualAllocEx: to allocate the space before injecting the malicious code

The VBC utility is the Visual Basic compiler for Windows, and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop are:

  • DefWatch (Symantec Antivirus)
  • ccEvtMgr (Norton AntiVirus Event Manager)
  • ccSetMgr (Common Client Settings Manager Service of Symantec)
  • SavRoam (Symantec Antivirus)
  • sqlserv
  • sqlagent
  • sqladhlp
  • Culserver
  • RTVscan (Symantec Antivirus Program)
  • sqlbrowser
  • SQLADHLP
  • QBIDPService (QuickBooks by Intuit)
  • QuickBoooks.FCS (QuickBooks by Intuit)
  • QBCFMonitorService (QuickBooks by Intuit)
  • sqlwriter
  • msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
  • tomcat6 (Apache Tomcat)
  • zhundongfangyu (this belongs to the 360 security product from Qihoo company)
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
  • dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
  • wrapper (Java Service?)


If the malware finds one of these services by querying its status with the function “QueryServiceStatusEx”, LockBit enumerates the services that depend on it and, once that is done and it is safe to do so, stops the service with the function “ControlService”.
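As an added example (not McAfee’s code), the following Python script turns the service list above into a detection: it parses Windows System log “service entered the stopped state” messages (event 7036) and raises an alert when several watched services stop within seconds of each other, the pre-encryption pattern described above. The log lines are constructed, and the timestamp layout, the allowed gap between stops and the alert threshold are assumptions to tune for a real environment.

```python
"""Burst detection for the security/database/backup service stops that LockBit
performs before encrypting. Added example; log lines are constructed to look
like exported Windows System log event 7036 entries (format is an assumption)."""
import re
from datetime import datetime, timedelta

# Service names from the McAfee list above, lower-cased for matching.
WATCHED_SERVICES = {s.lower() for s in [
    "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlserv", "sqlagent", "sqladhlp",
    "Culserver", "RTVscan", "sqlbrowser", "QBIDPService", "QuickBoooks.FCS",
    "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6", "zhundongfangyu",
    "vmware-usbarbitator64", "vmware-converter", "dbsrv12", "dbeng8", "wrapper",
]}

# "<date> <time> 7036 The <name> service entered the <state> state."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 7036 The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)


def parse_stop_events(lines):
    """Return (timestamp, service) for each watched service that entered 'stopped'."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("state") != "stopped":
            continue
        svc = m.group("svc")
        if svc.lower() in WATCHED_SERVICES:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, svc))
    return events


def find_bursts(events, max_gap=timedelta(seconds=30), min_services=3):
    """Cluster stop events whose neighbours are within max_gap of each other and
    report clusters that stop at least min_services distinct watched services.
    A single service restarting during maintenance never forms such a cluster."""
    events = sorted(events)
    clusters, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)

    bursts = []
    for cluster in clusters:
        names = sorted({svc for _, svc in cluster})
        if len(names) >= min_services:
            bursts.append({"start": cluster[0][0], "end": cluster[-1][0], "services": names})
    return bursts


# Constructed sample log: one isolated sqlwriter stop hours earlier (benign),
# then five watched services stopped within four seconds (the LockBit pattern).
SAMPLE_SYSTEM_LOG = [
    "2021-11-01 02:14:03 7036 The Print Spooler service entered the running state.",
    "2021-11-01 03:00:00 7036 The sqlwriter service entered the stopped state.",
    "2021-11-01 09:41:10 7036 The DefWatch service entered the stopped state.",
    "2021-11-01 09:41:11 7036 The ccEvtMgr service entered the stopped state.",
    "2021-11-01 09:41:11 7036 The ccSetMgr service entered the stopped state.",
    "2021-11-01 09:41:12 7036 The sqlserv service entered the stopped state.",
    "2021-11-01 09:41:13 7036 The QBCFMonitorService service entered the stopped state.",
    "2021-11-01 09:41:14 7036 The Windows Update service entered the stopped state.",
]

if __name__ == "__main__":
    for b in find_bursts(parse_stop_events(SAMPLE_SYSTEM_LOG)):
        print(f"ALERT {b['start']} .. {b['end']}: {', '.join(b['services'])}")
```

The gap-based clustering matters more than the exact threshold: patch windows stop the same services, but they do so minutes apart and usually one product at a time, whereas the ransomware issues its ControlService calls back to back.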

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.


Sinclair Broadcast Taken Down By Ransomware

TV Stations owned by the Sinclair Broadcast Group were taken down across the US due to a ransomware attack last weekend.

Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks.

Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (amounting to almost 40% of all US households).

This is the second incident to impact Sinclair’s TV stations this year; in July 2021, the company asked all Sinclair stations to change passwords “as quickly as possible” following a security breach.

It is believed the ransomware attack shut down Active Directory services for the domain, leading to wide disruption throughout the entire organization and its affiliates by blocking access to domain resources across the network.

Several corporate assets were taken down in the incident, including the email servers, broadcasting, and newsroom systems, forcing TV stations to create Gmail accounts to receive news tips from viewers and to use PowerPoint for newscast graphics.

The company released a statement saying, “On October 16, 2021, the Company identified and began to investigate and take steps to contain a potential security incident. On October 17, 2021, the Company identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted. Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review.

Promptly upon detection of the security event, senior management was notified, and the Company implemented its incident response plan, took measures to contain the incident, and launched an investigation. Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged. The Company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing.

While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers. The Company is working diligently to restore operations quickly and securely.

As the Company is in the early stages of its investigation and assessment of the security event, the Company cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results.”

While regional sports channels were largely not affected by the incident, there are reports that, in some US markets, local NFL games were replaced by national sports programming (such as bowling).

A Sinclair spokesperson said of the ransomware attack, “Sinclair Broadcast Group recently identified a cybersecurity incident involving our network. As a result of the incident, certain devices were encrypted with ransomware, data was taken from our environment, and certain business operations have been disrupted. Senior management was notified, and we implemented our incident response and business continuity protocols, took measures to contain the incident, and launched an investigation. A cybersecurity firm that has assisted other companies in similar circumstances was engaged, and law enforcement and other governmental agencies were notified.

We are working diligently to address the incident and to restore operations quickly and securely. As we work to complete the investigation, we will look for opportunities to enhance our existing security measures. We appreciate your patience and understanding as we work through this incident.”
