Security – Page 13

Account compromise of “unprecedented scale” uses everyday home devices

Biz & IT, credential stuffing, okta, Security / Paul Patrick / April 30, 2024

STUFF THIS —

Credential-stuffing attack uses proxies to hide bad behavior.

Dan Goodin – Apr 29, 2024 7: 35 pm UTC

Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.

The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services from providers such as NSOCKS, Luminati, and DataImpulse, which can also harness users’ devices without their knowledge. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.

Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.

“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.

Okta’s advisory comes two weeks after Cisco’s Talos security team reported seeing a large-scale credential compromise campaign that was indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts. These login attempts used both generic and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses that are sending the login traffic. The attacks led to hundreds of thousands or even millions of rejected authentication attempts.

Within days of Cisco’s report, Okta’s Identity Threat Research team observed a spike in credential-stuffing attacks that appeared to use a similar infrastructure. Okta said the spike lasted from April 19 through April 26, the day the company published its advisory.

Okta officials wrote:

Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone, or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.

Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.

People who want to ensure that malicious behavior isn’t routed through their devices or networks should pay close attention to the apps they install and the services they enroll in. Free or discounted services may be contingent on a user agreeing to terms of service that allow their networks or devices to proxy traffic from others. Malicious apps may also surreptitiously provide such proxy services.

Okta provides guidance for network administrators to repel credential-stuffing attacks. Chief among them is protecting accounts with a strong password—meaning one randomly generated and consisting of at least 11 characters. Accounts should also use multifactor authentication, ideally in a form that is compliant with the FIDO industry standard. The Okta advisory also includes advice for blocking malicious behavior from anonymizing proxy services.

Account compromise of “unprecedented scale” uses everyday home devices Read More »

Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets

Biz & IT, Security, SQL injection, vulnerability, wordpress / Paul Patrick / April 27, 2024

GOT PATCHES? —

WP Automatic plugin patched, but release notes don’t mention the critical fix.

Dan Goodin – Apr 26, 2024 7: 07 pm UTC

Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.

The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.

Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.

“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.

Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.

WPScan said that CVE-2024-27596 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.

Successful attacks typically follow this process:

SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.

Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.

Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.

File Renaming: Attacker may rename the vulnerable WP‑Automatic file, to ensure only he can exploit it.

WPScan researchers explained:

Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.

The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.

While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).

“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”

Whatever the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.

Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets Read More »

Message-scraping, user-tracking service Spy Pet shut down by Discord

chat, discord, discord servers, Kiwi Farms, Policy, privacy, Security, spy pet, Tech / Paul Patrick / April 27, 2024

Discord message privacy —

Bot-driven service was also connected to targeted harassment site Kiwi Farms.

Kevin Purdy – Apr 26, 2024 6: 06 pm UTC

Discord

Spy Pet, a service that sold access to a rich database of allegedly more than 3 billion Discord messages and details on more than 600 million users, has seemingly been shut down.

404 Media, which broke the story of Spy Pet’s offerings, reports that Spy Pet seems mostly shut down. Spy Pet’s website was unavailable as of this writing. A Discord spokesperson told Ars that the company’s safety team had been “diligently investigating” Spy Pet and that it had banned accounts affiliated with it.

“Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines,” the spokesperson wrote. “In addition to banning the affiliated accounts, we are considering appropriate legal action.” The spokesperson noted that Discord server administrators can adjust server permissions to prevent future such monitoring on otherwise public servers.

Kiwi Farms ties, GDPR violations

The number of servers monitored by Spy Pet had been fluctuating in recent days. The site’s administrator told 404 Media’s Joseph Cox that they were rewriting part of the service while admitting that Discord had banned a number of bots. The administrator had also told 404 Media that he did not “intend for my tool to be used for harassment,” despite a likely related user offering Spy Pet data on Kiwi Farms, a notorious hub for doxxing and online harassment campaigns that frequently targets trans and non-binary people, members of the LGBTQ community, and women.

Even if Spy Pet can somehow work past Discord’s bans or survive legal action, the site’s very nature runs against a number of other Internet regulations across the globe. It’s almost certainly in violation of the European Union’s General Data Protection Regulation (GDPR). As pointed out by StackDiary, Spy Pet and services like it seem to violate at least three articles of the GDPR, including the “right to be forgotten” in Article 17.

In Article 8 of the GDPR and likely in the eyes of the FTC, gathering data from what could be children’s accounts and profiting from them is almost certainly to draw scrutiny, if not legal action.

Ars was unsuccessful in reaching the administrator of Spy Pet by email and Telegram message. Their last message on Telegram stated that their domain had been suspended and a backup domain was being set up. “TL;DR: Never trust the Germans,” they wrote.

Message-scraping, user-tracking service Spy Pet shut down by Discord Read More »

Millions of IPs remain infected by USB worm years after its creators left it for dead

Biz & IT, infection, plugx, Security, sinkhole, USB, worm / Paul Patrick / April 26, 2024

I’M NOT DEAD YET —

Ability of PlugX worm to live on presents a vexing dilemma: Delete it or leave it be.

Dan Goodin – Apr 25, 2024 6: 49 pm UTC

A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday.

The worm—which first came to light in a 2023 post published by security firm Sophos—became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country’s Ministry of State Security.

Still active after all these years

For reasons that aren’t clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported.

The researchers purchased the IP address and connected their own server infrastructure to “sinkhole” traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day. Over the span of six months, the researchers counted requests from nearly 2.5 million unique IPs. These sorts of requests are standard for virtually all forms of malware and typically happen at regular intervals that span from minutes to days. While the number of affected IPs doesn’t directly indicate the number of infected machines, the volume nonetheless suggests the worm remains active on thousands, possibly millions, of devices.

“We initially thought that we will have a few thousand victims connected to it, as what we can have on our regular sinkholes,” Sekoia researchers Felix Aimé and Charles M wrote. “However, by setting up a simple web server we saw a continuous flow of HTTP requests varying through the time of the day.”

They went on to say that other variants of the worm remain active through at least three other command-and-control channels known in security circles. There are indications that one of them may also have been sinkholed, however.

As the image below shows, the machines reporting to the sinkhole have broad geographic disbursement:

Enlarge / A world map showing country IPs reporting to the sinkhole.

Sekoia

A sample of incoming traffic over a single day appeared to show that Nigeria hosted the largest concentration of infected machines, followed by India, Indonesia, and the UK.

Enlarge / Graph showing the countries with the most affected IPs.

Sekoia

The researchers wrote:

Based on that data, it’s notable that around 15 countries account for over 80% of the total infections. It’s also intriguing to note that the leading infected countries don’t share many similarities, a pattern observed with previous USB worms such as RETADUP which has the highest infection rates in Spanish spelling countries. This suggests the possibility that this worm might have originated from multiple patient zeros in different countries.

One explanation is that most of the biggest concentrations are in countries that have coastlines where China’s government has significant investments in infrastructure. Additionally many of the most affected countries have strategic importance to Chinese military objectives. The researchers speculated that the purpose of the campaign was to collect intelligence the Chinese government could use to achieve those objectives.

The researchers noted that the zombie worm has remained susceptible to takeover by any threat actor who gains control of the IP address or manages to insert itself into the pathway between the server at that address and an infected device. That threat poses interesting dilemmas for the governments of affected countries. They could choose to preserve the status quo by taking no action, or they could activate a self-delete command built into the worm that would disinfect infected machines. Additionally, if they choose the latter option, they could elect to disinfect only the infected machine or add new functionality to disinfect any infected USB drives that happen to be connected.

Because of how the worm infects drives, disinfecting them risks deleting the legitimate data stored on them. On the other hand, allowing drives to remain infected makes it possible for the worm to start its proliferation all over again. Further complicating the decision-making process, the researchers noted that even if someone issues commands that disinfect any infected drives that happen to be plugged in, it’s inevitable that the worm will live on in drives that aren’t connected when a remote disinfect command is issued.

“Given the potential legal challenges that could arise from conducting a widespread disinfection campaign, which involves sending an arbitrary command to workstations we do not own, we have resolved to defer the decision on whether to disinfect workstations in their respective countries to the discretion of national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities,” the researchers wrote. “Once in possession of the disinfection list, we can provide them an access to start the disinfection for a period of three months. During this time, any PlugX request from an Autonomous System marked for disinfection will be responded to with a removal command or a removal payload.”

Millions of IPs remain infected by USB worm years after its creators left it for dead Read More »

Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks

Biz & IT, firewalls, network perimeter, Security, uat4356, vpns / Rejus Almole / April 25, 2024

A stylized skull and crossbones made out of ones and zeroes.

Hackers backed by a powerful nation-state have been exploiting two zero-day vulnerabilities in Cisco firewalls in a five-month-long campaign that breaks into government networks around the world, researchers reported Wednesday.

The attacks against Cisco’s Adaptive Security Appliances firewalls are the latest in a rash of network compromises that target firewalls, VPNs, and network-perimeter devices, which are designed to provide a moated gate of sorts that keeps remote hackers out. Over the past 18 months, threat actors—mainly backed by the Chinese government—have turned this security paradigm on its head in attacks that exploit previously unknown vulnerabilities in security appliances from the likes of Ivanti, Atlassian, Citrix, and Progress. These devices are ideal targets because they sit at the edge of a network, provide a direct pipeline to its most sensitive resources, and interact with virtually all incoming communications.

Cisco ASA likely one of several targets

On Wednesday, it was Cisco’s turn to warn that its ASA products have received such treatment. Since November, a previously unknown actor tracked as UAT4356 by Cisco and STORM-1849 by Microsoft has been exploiting two zero-days in attacks that go on to install two pieces of never-before-seen malware, researchers with Cisco’s Talos security team said. Notable traits in the attacks include:

An advanced exploit chain that targeted multiple vulnerabilities, at least two of which were zero-days
Two mature, full-feature backdoors that have never been seen before, one of which resided solely in memory to prevent detection
Meticulous attention to hiding footprints by wiping any artifacts the backdoors may leave behind. In many cases, the wiping was customized based on characteristics of a specific target.

Those characteristics, combined with a small cast of selected targets all in government, have led Talos to assess that the attacks are the work of government-backed hackers motivated by espionage objectives.

“Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities,” Talos researchers wrote. “For these reasons, we assess with high confidence that these actions were performed by a state-sponsored actor.”

The researchers also warned that the hacking campaign is likely targeting other devices besides the ASA. Notably, the researchers said they still don’t know how UAT4356 gained initial access, meaning the ASA vulnerabilities could be exploited only after one or more other currently unknown vulnerabilities—likely in network wares from Microsoft and others—were exploited.

“Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” the researchers wrote. Cisco has released security updates that patch the vulnerabilities and is urging all ASA users to install them promptly.

UAT4356 started work on the campaign no later than last July when it was developing and testing the exploits. By November, the threat group first set up the dedicated server infrastructure for the attacks, which began in earnest in January. The following image details the timeline:

One of the vulnerabilities, tracked as CVE-2024-20359, resides in a now-retired capability allowing for the preloading of VPN clients and plug-ins in ASA. It stems from improper validation of files when they’re read from the flash memory of a vulnerable device and allows for remote code execution with root system privileges when exploited. UAT4356 is exploiting it to backdoors Cisco tracks under the names Line Dancer and Line Runner. In at least one case, the threat actor is installing the backdoors by exploiting CVE-2024-20353, a separate ASA vulnerability with a severity rating of 8.6 out of a possible 10.

Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks Read More »

Hackers infect users of antivirus service that delivered updates over HTTP

antivirus, backdoors, Biz & IT, Encryption, HTTP, HTTPS, man in the middle, Security / Mike M. / April 24, 2024

GOT HTTPS? —

eScan AV updates were delivered over HTTP for five years.

Dan Goodin – Apr 23, 2024 9: 03 pm UTC

Hackers abused an antivirus service for five years in order to infect end users with malware. The attack worked because the service delivered updates over HTTP, a protocol vulnerable to attacks that corrupt or tamper with data as it travels over the Internet.

The unknown hackers, who may have ties to the North Korean government, pulled off this feat by performing a man-in-the-middle (MiitM) attack that replaced the genuine update with a file that installed an advanced backdoor instead, said researchers from security firm Avast today.

eScan, an AV service headquartered in India, has delivered updates over HTTP since at least 2019, Avast researchers reported. This protocol presented a valuable opportunity for installing the malware, which is tracked in security circles under the name GuptiMiner.

“This sophisticated operation has been performing MitM attacks targeting an update mechanism of the eScan antivirus vendor,” Avast researchers Jan Rubín and Milánek wrote. “We disclosed the security vulnerability to both eScan and the India CERT and received confirmation on 2023-07-31 from eScan that the issue was fixed and successfully resolved.”

Complex infection chain

The complex infection chain started when eScan applications checked in with the eScan update system. The threat actors then performed a MitM attack that allowed them to intercept the package sent by the update server and replace it with a corrupted one that contained code to install GuptiMiner. The Avast researchers still don’t know precisely how the attackers were able to perform the interception. They suspect targeted networks may already have been compromised somehow to route traffic to a malicious intermediary.

To lower the chances of detection, the infection file used DLL hijacking, a technique that replaces legitimate dynamic link library files used by most Microsoft apps with maliciously crafted ones that use the same file name. For added stealth, the infection chain also relied on a custom domain name system (DNS) server that allowed it to use legitimate domain names when connecting to attacker-controlled channels.

Last year, the attackers abandoned the DNS technique and replaced it with another obfuscation technique known as IP address masking. This involved the following steps:

Obtain an IP address of a hardcoded server name registered to the attacker by standard use of the gethostbyname API function

For that server, two IP addresses are returned—the first is an IP address which is a masked address, and the second one denotes an available payload version and starts with 23.195. as its first two octets

If the version is newer than the current one, the masked IP address is de-masked, resulting in a real command-and-control (C&C) IP address

The real C&C IP address is used along with a hardcoded constant string (part of a URL path) to download a file containing malicious shellcode

Some variants of the infection chain stashed the malicious code inside an image file to make them harder to detect. The variants also installed a custom root TLS certificate that satisfied requirements by some targeted systems that all apps must be digitally signed before being installed.

The payload contained multiple backdoors that were activated when installed on large networks. Curiously, the update also delivered XMRig, an open-source package for mining cryptocurrency.

Enlarge / The GuptiMiner infection chain.

Avast

GuptiMiner has circulated since at least 2018 and has undergone multiple revisions. One searched compromised networks for systems running Windows 7 and Windows Server 2008, presumably to deliver exploits that worked on those earlier versions. Another provided an interface for installing special-purpose modules that could be customized for different victims. (This version also scanned the local system for stored private keys and cryptocurrency wallets.)

The researchers were surprised that malware that took such pains to fly under the radar would also install a cryptocurrency miner, which by nature is usually easy to detect. One possibility is the attackers’ possible connection to Kimsuky, the tracking name for a group backed by the North Korean government. Over the years, North Korea’s government has generated billions of dollars in cryptocurrency through malware installed on the devices of unwitting victims. The researchers made the possible connection after finding similarities between a known Kimsuky keylogger and code fragments used during the GuptiMiner operation.

The GuptiMiner attack is notable for exposing major shortcomings in eScan that went unnoticed for at least five years. Besides not delivering updates over HTTPS, a medium not susceptible to MitM attacks, eScan also failed to enforce digital signing to ensure updates hadn’t been tampered with before being installed. Representatives of eScan didn’t respond to an email asking why engineers designed the update process this way.

People who use or have used eScan should check the Avast post for details on whether their systems are infected. It’s likely that most reputable AV scanners will also detect this infection.

Hackers infect users of antivirus service that delivered updates over HTTP Read More »

Windows vulnerability reported by the NSA exploited to install Russian malware

Biz & IT, exploits, microsoft, Security, vulnerabilities, Windows / Mike M. / April 23, 2024

Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.

When Microsoft patched the vulnerability in October 2022—at least two years after it came under attack by the Russian hackers—the company made no mention that it was under active exploitation. As of publication, the company’s advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.

Exploiting CVE-2022-38028, as the vulnerability is tracked, allows attackers to gain system privileges, the highest available in Windows, when combined with a separate exploit. Exploiting the flaw, which carries a 7.8 severity rating out of a possible 10, requires low existing privileges and little complexity. It resides in the Windows print spooler, a printer-management component that has harbored previous critical zero-days. Microsoft said at the time that it learned of the vulnerability from the US National Security Agency.

On Monday, Microsoft revealed that a hacking group tracked under the name Forest Blizzard has been exploiting CVE-2022-38028 since at least June 2020—and possibly as early as April 2019. The threat group—which is also tracked under names including APT28, Sednit, Sofacy, GRU Unit 26165, and Fancy Bear—has been linked by the US and the UK governments to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence arm better known as the GRU. Forest Blizzard focuses on intelligence gathering through the hacking of a wide array of organizations, mainly in the US, Europe, and the Middle East.

Since as early as April 2019, Forest Blizzard has been exploiting CVE-2022-38028 in attacks that, once system privileges are acquired, use a previously undocumented tool that Microsoft calls GooseEgg. The post-exploitation malware elevates privileges within a compromised system and goes on to provide a simple interface for installing additional pieces of malware that also run with system privileges. This additional malware, which includes credential stealers and tools for moving laterally through a compromised network, can be customized for each target.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft officials wrote.

GooseEgg is typically installed using a simple batch script, which is executed following the successful exploitation of CVE-2022-38028 or another vulnerability, such as CVE-2023-23397, which Monday’s advisory said has also been exploited by Forest Blizzard. The script is responsible for installing the GooseEgg binary, often named justice.exe or DefragmentSrv.exe, then ensuring that they run each time the infected machine is rebooted.

Windows vulnerability reported by the NSA exploited to install Russian malware Read More »

Roku forcing 2-factor authentication after 2 breaches of 600K accounts

passwords, Roku, Security, smart tvs, streaming, Tech, two-factor authentication / Kris Guyer / April 20, 2024

Roku account breach —

Accounts with stored payment information went for as little as $0.50 each.

Kevin Purdy – Apr 19, 2024 5: 09 pm UTC

Getty Images

Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.

In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in “less than 400 cases” and that full credit card numbers and other “sensitive information” was not revealed.

The first incident, “earlier this year,” involved roughly 15,000 user accounts, Roku stated. By monitoring these accounts, Roku identified a second incident, one that touched 576,000 accounts. These were collectively “a small fraction of Roku’s more than 80M active accounts,” the post states, but the streaming giant will work to prevent future such stuffing attacks.

The affected accounts will have their passwords reset and will be notified, along with having charges reversed. Every Roku account, when next requiring a login, will now need to verify their account through a link sent to their email address. Alternatively, one can use the device ID of any linked Roku device, according to Roku’s support page. (Forcing this upgrade yourself is probably a good idea for past or present Roku owners.)

Security blog BleepingComputer reported around the time of the incident that breached Roku accounts were sold for as little as 50 cents each and likely obtained using commonly available stuffing tools that bypass brute-force protections through proxies and other means. BleepingComputer reported that “a source” tied Roku’s recent updates to its Dispute Resolution Terms, which all but locked Roku devices until a customer agreed, to the fraudulent activity. Roku told BleepingComputer that the two were not related.

Roku forcing 2-factor authentication after 2 breaches of 600K accounts Read More »

Kremlin-backed actors spread disinformation ahead of US elections

Biz & IT, disinformation, election influence, election interferance, elections, Security / Mike M. / April 18, 2024

MANUFACTURING DIVISION —

To a lesser extent, China and Iran also peddle disinfo in hopes of influencing voters.

Dan Goodin – Apr 17, 2024 9: 55 pm UTC

Kremlin-backed actors have stepped up efforts to interfere with the US presidential election by planting disinformation and false narratives on social media and fake news sites, analysts with Microsoft reported Wednesday.

The analysts have identified several unique influence-peddling groups affiliated with the Russian government seeking to influence the election outcome, with the objective in large part to reduce US support of Ukraine and sow domestic infighting. These groups have so far been less active during the current election cycle than they were during previous ones, likely because of a less contested primary season.

Stoking divisions

Over the past 45 days, the groups have seeded a growing number of social media posts and fake news articles that attempt to foment opposition to US support of Ukraine and stoke divisions over hot-button issues such as election fraud. The influence campaigns also promote questions about President Biden’s mental health and corrupt judges. In all, Microsoft has tracked scores of such operations in recent weeks.

In a report published Wednesday, the Microsoft analysts wrote:

The deteriorated geopolitical relationship between the United States and Russia leaves the Kremlin with little to lose and much to gain by targeting the US 2024 presidential election. In doing so, Kremlin-backed actors attempt to influence American policy regarding the war in Ukraine, reduce social and political support to NATO, and ensnare the United States in domestic infighting to distract from the world stage. Russia’s efforts thus far in 2024 are not novel, but rather a continuation of a decade-long strategy to “win through the force of politics, rather than the politics of force,” or active measures. Messaging regarding Ukraine—via traditional media and social media—picked up steam over the last two months with a mix of covert and overt campaigns from at least 70 Russia-affiliated activity sets we track.

The most prolific of the influence-peddling groups, Microsoft said, is tied to the Russian Presidential Administration, which according to the Marshal Center think tank, is a secretive institution that acts as the main gatekeeper for President Vladimir Putin. The affiliation highlights the “the increasingly centralized nature of Russian influence campaigns,” a departure from campaigns in previous years that primarily relied on intelligence services and a group known as the Internet Research Agency.

“Each Russian actor has shown the capability and willingness to target English-speaking—and in some cases Spanish-speaking—audiences in the US, pushing social and political disinformation meant to portray Ukrainian President Volodymyr Zelensky as unethical and incompetent, Ukraine as a puppet or failed state, and any American aid to Ukraine as directly supporting a corrupt and conspiratorial regime,” the analysts wrote.

An example is Storm-1516, the name Microsoft uses to track a group seeding anti-Ukraine narratives through US Internet and media sources. Content, published in English, Russian, French, Arabic, and Finnish, frequently originates through disinformation seeded by a purported whistleblower or citizen journalist over a purpose-built video channel and then picked up by a network of Storm-1516-controlled websites posing as independent news sources. These fake news sites reside in the Middle East and Africa as well as in the US, with DC Weekly, Miami Chronicle, and the Intel Drop among them.

Eventually, once the disinformation has circulated in subsequent days, US audiences begin amplifying it, in many cases without being aware of the original source. The following graphic illustrates the flow.

Enlarge / Storm-1516 process for laundering anti-Ukraine disinformation.

Microsoft

Wednesday’s report also referred to another group tracked as Storm-1099, which is best known for a campaign called Doppelganger. According to the disinformation research group Disinfo Research Lab, the campaign has targeted multiple countries since 2022 with content designed to undermine support for Ukraine and sow divisions among audiences. Two US outlets tied to Storm-1099 are Election Watch and 50 States of Lie, Microsoft said. The image below shows content recently published by the outlets:

Wednesday’s report also touched on two other Kremlin-tied operations. One attempts to revive a campaign perpetuated by NABU Leaks, a website that published content alleging then-Vice President Joe Biden colluded with former Ukrainian leader Petro Poroshenko, according to Reuters. In January, Andrei Derkoch—the ex-Ukrainian Parliamentarian and US-sanctioned Russian agent responsible for NABU Leaks—reemerged on social media for the first time in two years. In an interview, Derkoch propagated both old and new claims about Biden and other US political figures.

The other operation follows a playbook known as hack and leak, in which operatives obtain private information through hacking and leak it to news outlets.

Kremlin-backed actors spread disinformation ahead of US elections Read More »

Billions of public Discord messages may be sold through a scraping service

chat, Cryptocurrency, data scraping, discord, discord servers, Policy, privacy, scraping, Security, spy pet, Tech, Web Scraping / Mike M. / April 18, 2024

Discord chat-scraping service —

Cross-server tracking suggests a new understanding of “public” chat servers.

Kevin Purdy – Apr 17, 2024 7: 42 pm UTC

Getty Images

It’s easy to get the impression that Discord chat messages are ephemeral, especially across different public servers, where lines fly upward at a near-unreadable pace. But someone claims to be catching and compiling that data and is offering packages that can track more than 600 million users across more than 14,000 servers.

Joseph Cox at 404 Media confirmed that Spy Pet, a service that sells access to a database of purportedly 3 billion Discord messages, offers data “credits” to customers who pay in bitcoin, ethereum, or other cryptocurrency. Searching individual users will reveal the servers that Spy Pet can track them across, a raw and exportable table of their messages, and connected accounts, such as GitHub. Ominously, Spy Pet lists more than 86,000 other servers in which it has “no bots,” but “we know it exists.”

An example of Spy Pet’s service from its website. Shown are a user’s nicknames, connected accounts, banner image, server memberships, and messages across those servers tracked by Spy Pet.

Spy Pet
Statistics on servers, users, and messages purportedly logged by Spy Pet.

Spy Pet
An example image of the publicly available data gathered by Spy Pet, in this example for a public server for the game Deep Rock Galactic: Survivor.

Spy Pet

As Cox notes, Discord doesn’t make messages inside server channels, like blog posts or unlocked social media feeds, easy to publicly access and search. But many Discord users many not expect their messages, server memberships, bans, or other data to be grabbed by a bot, compiled, and sold to anybody wishing to pin them all on a particular user. 404 Media confirmed the service’s function with multiple user examples. Private messages are not mentioned by Spy Pet and are presumably still secure.

Spy Pet openly asks those training AI models, or “federal agents looking for a new source of intel,” to contact them for deals. As noted by 404 Media and confirmed by Ars, clicking on the “Request Removal” link plays a clip of J. Jonah Jameson from Spider-Man (the Tobey Maguire/Sam Raimi version) laughing at the idea of advance payment before an abrupt “You’re serious?” Users of Spy Pet, however, are assured of “secure and confidential” searches, with random usernames.

This author found nearly every public Discord he had ever dropped into for research or reporting in Spy Pet’s server list. Those who haven’t paid for message access can only see fairly benign public-facing elements, like stickers, emojis, and charted member totals over time. But as an indication of the reach of Spy Pet’s scraping, it’s an effective warning, or enticement, depending on your goals.

Ars has reached out to Spy Pet for comment and will update this post if we receive a response. A Discord spokesperson told Ars that the company is investigating whether Spy Pet violated its terms of service and community guidelines. It will take “appropriate steps to enforce our policies,” the company said, and could not provide further comment.

Billions of public Discord messages may be sold through a scraping service Read More »

Attackers are pummeling networks around the world with millions of login attempts

Biz & IT, credential compromise, Security, SSH, Talos, vpns / Mike M. / April 16, 2024

UNDER SIEGE —

Attacks coming from nearly 4,000 IP addresses take aim at VPNs, SSH and web apps.

Dan Goodin – Apr 16, 2024 9: 31 pm UTC

Cisco’s Talos security team is warning of a large-scale credential compromise campaign that’s indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts.

The login attempts use both generic usernames and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses sending the login traffic. The IP addresses appear to originate from TOR exit nodes and other anonymizing tunnels and proxies. The attacks appear to be indiscriminate and opportunistic rather than aimed at a particular region or industry.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Talos researchers wrote Tuesday. “The traffic related to these attacks has increased with time and is likely to continue to rise.”

The attacks began no later than March 18.

Tuesday’s advisory comes three weeks after Cisco warned of a similar attack campaign. Cisco described that one as a password spray directed at remote access VPNs from Cisco and third-party providers connected to Cisco firewalls. This campaign appeared to be related to reconnaissance efforts, the company said.

The attacks included hundreds of thousands or millions of rejected authentication attempts. Cisco went on to say that users can intermittently receive an error message that states, “Unable to complete connection. Cisco Secure Desktop not installed on the client.” Login attempts resulting in the error fail to complete the VPN connection process. The report also reported “symptoms of hostscan token allocation failures.”

A Cisco representative said company researchers currently don’t have evidence to conclusively link the activity in both instances to the same threat actor but that there are technical overlaps in the way the attacks were carried out, as well as the infrastructure that was used.

Talos said Tuesday that services targeted in the campaign include, but aren’t limited to:

Cisco Secure Firewall VPN
Checkpoint VPN
Fortinet VPN
SonicWall VPN
RD Web Services
Mikrotik
Draytek
Ubiquiti.

Anonymization IPs appeared to belong to services, including:

TOR
VPN Gate
IPIDEA Proxy
BigMama Proxy
Space Proxies
Nexus Proxy
Proxy Rack.

Cisco has already added the list of IP addresses mentioned earlier to a block list for its VPN offerings. Organizations can add the addresses to block lists for any third-party VPNs they’re using. A full list of indications of compromise is here.

Cisco has also provided a list of recommendations for preventing the attacks from succeeding. The guidance includes:

Enabling detailed logging, ideally to a remote syslog server so that admins can recognize and correlate attacks across various network endpoints
Securing default remote access accounts by sinkholing them unless they use the DefaultRAGroup and DefaultWEBVPNGroup profiles
Blocking connection attempts from known malicious sources
Implement interface-level and control plane access control lists to filter out unauthorized public IP addresses and prevent them from initiating remote VPN sessions.
Use the shun command.

Additionally, remote access VPNs should use certificate-based authentication. Cisco lists further steps for hardening VPNs here.

Attackers are pummeling networks around the world with millions of login attempts Read More »

Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M

AWS, azure, Biz & IT, Cloud Computing, cryptojacking, Security / Paul Patrick / April 15, 2024

SHOCKING CRYPTOCURRENCY SCAM —

Indictment says man tricked cloud providers into giving him services he never paid for.

Dan Goodin – Apr 15, 2024 7: 46 pm UTC

Federal prosecutors indicted a Nebraska man on charges he perpetrated a cryptojacking scheme that defrauded two cloud providers—one based in Seattle and the other in Redmond, Washington—out of $3.5 million.

The indictment, filed in US District Court for the Eastern District of New York and unsealed on Monday, charges Charles O. Parks III—45 of Omaha, Nebraska—with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme. Parks has yet to enter a plea and is scheduled to make an initial appearance in federal court in Omaha on Tuesday. Parks was arrested last Friday.

Prosecutors allege that Parks defrauded “two well-known providers of cloud computing services” of more than $3.5 million in computing resources to mine cryptocurrency. The indictment says the activity was in furtherance of a cryptojacking scheme, a term for crimes that generate digital coin through the acquisition of computing resources and electricity of others through fraud, hacking, or other illegal means.

Details laid out in the indictment underscore the failed economics involved in the mining of most cryptocurrencies. The $3.5 million of computing resources yielded roughly $1 million worth of cryptocurrency. In the process, massive amounts of energy were consumed.

Parks’ scheme allegedly used a variety of personal and business identities to register “numerous accounts” with the two cloud providers and in the process acquiring vast amounts of computing processing power and storage that he never paid for. Prosecutors said he tricked the providers into allotting him elevated levels of services and deferred billing accommodations and deflected the providers’ inquiries regarding questionable data usage in unpaid bills. He allegedly then used those resources to mine Ether, Litecoin, and Monero digital currencies.

The defendant then allegedly laundered the proceeds through cryptocurrency exchanges, an NFT marketplace, an online payment provider, and traditional bank accounts in an attempt to disguise the illegal scheme. Once proceeds had been converted to dollars, Parks allegedly bought a Mercedes-Benz, jewelry, first-class hotel and travel accommodations, and other luxury goods and services.

From January to August 2021, prosecutors allege, Parks created five accounts with the Seattle-based “on-demand cloud computing platform” using different names, email addresses, and corporate affiliations. He then allegedly “tricked and defrauded” employees of the platform into providing elevated levels of service, deferring billing payments, and failing to discover the activity.

During this time, Parks repeatedly requested that the provider “provide him access to powerful and expensive instances that included graphics processing units used for cryptocurrency mining and launched tens of thousands of these instances to mine cryptocurrency, employing mining software applications to facilitate the mining of tokens including ETH, LTC and XMR in various mining pools, and employing tools that allowed him to maximize cloud computing power and monitor which instances were actively mining on each mining pool,” prosecutors wrote in the indictment.

Within a day of having one account suspended for nonpayment and fraudulent activity, Parks allegedly used a new account with the provider. In all, Parks allegedly consumed more than $2.5 million of the Seattle-based provider’s services.

The prosecutors went on to allege that Parks used similar tactics to defraud the Redmond provider of more than $969,000 in cloud computing and related services.

Prosecutors didn’t say precisely how Parks was able to trick the providers into giving him elevated services, deferring unpaid payments, or failing to discover the allegedly fraudulent behavior. They also didn’t identify either of the cloud providers by name. Based on the details, however, they are almost certainly Amazon Web Services and Microsoft Azure. Representatives from both providers didn’t immediately return emails seeking confirmation.

If convicted on all charges, Parks faces as much as 30 years in prison.

Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M Read More »