
Tuesday, March 31, 2020

Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks

By Marc Wilczek, COO, Link11 | March 31, 2020

The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal.



New states of emergency are being declared every day as the virus keeps spreading. Confirmed cases have meanwhile been reported in more than 150 countries on six different continents. Nations and organizations everywhere are working around the clock to flatten the COVID-19 curve by imposing remote work policies, travel bans, and self-isolation.

In an unprecedented time like this, the reliance on the Internet is growing exponentially, turning the data highway into an even more indispensable channel for communication, information sharing, commerce, and everyday social interaction.

The Internet lifeline

To prevent their phone lines from being overwhelmed with information requests, governments around the globe are making digital the default communication stream and directing citizens to the official websites of their health ministries or public health agencies for COVID-19 updates. People are hitting Facebook and other social media like never before to keep up with and share the latest news. Telecom giant Vodafone has reported a 50% surge in European internet use, and Netflix has been requested to cut its bitrate in Europe for 30 days in order to prevent the Internet from collapsing.

In this context, a cyberattack that denies organizations or families access to their devices or data could be catastrophic. In a worst-case scenario, one or more cyberattacks could cause broad-based infrastructure shutdowns that take whole communities or cities offline and further hinder already overburdened healthcare providers, transportation systems and networks.

Germany, Italy and Spain are among the many countries and jurisdictions (like New York and California) that have implemented draconian measures to limit the spread of the COVID-19 virus. Non-essential businesses have been made to close, and people to stay at home. Consequently, citizens are relying heavily on delivery services, which continue to operate. However, in Germany, cybercriminals recently unleashed a DDoS attack on one of the largest home delivery platforms, which affected customers and owners of more than 15,000 restaurants across the country. The criminals asked for two bitcoins (worth roughly $11,000) to stop the siege.

A few days earlier, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack, assumed to have been launched by a hostile foreign actor, aimed at slowing down the agency’s services amid the government’s rollout of a response to coronavirus. The incident allegedly tried to overload HHS servers with millions of hits in just hours. The attack in the US occurred just two weeks after Australia’s federal cyber agency warned that Australian banks were in the crosshairs of extensive DDoS extortion campaigns.

Digitally advanced industries that depend heavily on Internet connectivity are more vulnerable than ever. Europol’s “Internet Organised Crime Threat Assessment 2019” report notes that – besides the public sector and financial institutions – travel agents, Internet infrastructure, e-commerce, and online gaming services were lucrative targets for DDoS extortionists.

The perils of DDoS attacks on VPN servers

When it comes to remote work, VPN servers turn into bottlenecks. Keeping them secure and available is a number-one IT priority. Hackers can launch DDoS campaigns on VPN services and deplete their resources, knocking out the VPN server and limiting its availability. The implications are clear: Since the VPN server is the gateway to a company’s internal network, an outage can keep all employees working remotely from doing their job, effectively cutting off the entire organization from the outside world.

During an unprecedented time of peak traffic, the risk of a DDoS attack is growing exponentially. If the utilization of the available bandwidth is very high, it does not take much to cause an outage. In fact, even a tiny attack can become the last nail in the coffin. For instance, a VPN server or firewall can be taken down by a TCP blend attack with an attack volume as low as 1 Mbps. SSL-based VPNs are just as vulnerable to an SSL flood attack, as are web servers.

Making matters worse, many organizations either use in-house hardware appliances or rely on their Internet carrier to ward off incoming attacks. These deployment models tend to run with low levels of automation, requiring human intervention of some sort to operate. If someone or something throws a digital wrench into the system, fixing the problem remotely will be an uphill battle if there are few or no IT staff on-site. Since these deployment models typically require 10 or even 20 minutes before they even detect an incident, any attack will almost inevitably cause a major outage.

APIs and web apps broaden the attack surface

The Application Programming Interface (API) is a key part of every cloud service or web app. APIs enable service integration and interoperability – for instance, by letting any given app process a payment from PayPal or a client’s credit account in order to complete a transaction. But they can also turn into a single point of failure that exposes companies to a wide variety of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations that depend on it and sets off a potentially devastating chain reaction.

Guarding against or managing application layer attacks – such as an HTTP/HTTPS flood – is especially difficult, as the malicious traffic is hard to distinguish from regular traffic. Layer-7 attacks are in that sense highly effective, as they require little bandwidth to create a blackout.

Cybercrime exploits anxiety

Cybercriminals take advantage of human foibles to break through systemic defenses. In a crisis, especially a prolonged one, IT staff run the risk of making mistakes they would not otherwise have made. Attackers might cut system administrators off from their own servers while they run virtually rampant through the company network, steal proprietary data, or deploy ransomware. Any downtime can alienate customers, erode trust and cause negative publicity, even anxiety.

Organizations should remain vigilant and prepare for attacks in advance, as this sort of incident can be very difficult to respond to once the attack unfolds. Companies should also continue to opt for cloud services, taking advantage of their scalability and higher bandwidth to maintain redundancy. Most importantly, during times of remote work and self-isolation, radical security automation is more important than ever in order to ensure an instant response and take human error out of the equation.

Hacker hijacks YouTube accounts to broadcast Bill Gates-themed crypto Ponzi scam


UPDATE: Microsoft says none of its verified accounts were hacked. YouTube has also intervened to take down the scam's live streams.

By Catalin Cimpanu for Zero Day | March 30, 2020

A hacker has hijacked tens of YouTube accounts, renamed them to various Microsoft brands, and is currently broadcasting a cryptocurrency Ponzi scam to tens of thousands of users, posing as a message from the company's former CEO Bill Gates.

The hacks are part of a growing issue on YouTube, where hackers hijack popular accounts to broadcast a classic "crypto giveaway" -- a scam in which victims are tricked into sending a small sum of cryptocurrency to the scammer in order to double their money, but never get any funds in return.

Such scams were once very common on Twitter, but have now moved to YouTube in recent months as Twitter began cracking down on users posing as verified accounts.

At the time of writing, a hacker appears to have taken over 30+ YouTube profiles, from which they are live streaming an old Bill Gates talk on startups that the former Microsoft CEO gave to an audience at Village Global in June 2019, while also asking viewers to participate in a scammy giveaway.


The cryptocurrency Ponzi scheme is currently live streaming on the YouTube accounts using names such as Microsoft US, Microsoft Europe, Microsoft News, and others. Spokespersons for Microsoft and YouTube denied that hackers breached any of Microsoft's verified official accounts, although some users reported scam streams appearing on non-verified Microsoft accounts.

However, the vast majority of live streams were airing on YouTube channels with high subscriber counts, hijacked from YouTube users and later renamed to appear as legitimate Microsoft accounts, in an attempt to amplify the hack and give it an air of legitimacy.

Some of the Bitcoin addresses listed in the scams had received thousands of US dollars at the time of writing, suggesting the scam had fooled at least some users.


Based on YouTube stream stats, tens of thousands have seen the video feeds.

Microsoft was not the only organization impacted by the mass hijack and defacement incident. The Chaos Computer Club, a famous Germany-based hacking community, has also had its account hijacked to broadcast a similar message. The YouTube account of YouTube's founder was also hacked in the same manner in January. Furthermore, the Microsoft CEO is not the only popular figure to have his name abused in this way. Many past crypto-scams impersonated figures from the cryptocurrency community.

Linux's WireGuard VPN is here and ready to protect you

By Steven J. Vaughan-Nichols for Networking | March 30, 2020

In the newly released Linux 5.6 kernel, you'll finally find the long anticipated open-source Virtual Private Network, WireGuard.

Linus Torvalds has released Linux 5.6, the newest version of the kernel. It includes many new and neat features like USB4 support, a fix for the 32-bit Epoch problem, multipath TCP, and numerous driver patches. The biggest news of all is that Linux now has the popular open-source Virtual Private Network (VPN) WireGuard baked in.

WireGuard is a radical new approach to VPNs. With its minimal codebase -- about 4,000 lines of code -- it's much easier to debug and secure than its rivals such as OpenVPN with its over 100,000 lines.

Torvalds himself loves WireGuard for its simplicity. Long before he incorporated WireGuard into Linux, Torvalds said: "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."

It may be simple, but it supports up-to-date cryptographic primitives such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKDF. It has also been shown to be secure by an academic mechanized cryptographic proof.

The final major hurdle WireGuard faced in its acceptance was maintaining compatibility with Linux's built-in cryptographic subsystem. In the end, WireGuard's primary developer Jack Donenfeld built in that cryptographic compatibility. The traditional subsystem also now includes features from Donenfeld's Zinc cryptographic library.

While its home is on Linux, WireGuard is designed as a general-purpose VPN for everything from Internet-of-Things (IoT) devices to supercomputers. It's also cross-platform, with support for the BSD Unixes, macOS and Windows on computers, and Android and iOS on smartphones.

Linux users, who don't usually touch early Linux kernel builds, will soon be able to give it a try. Donenfeld wrote: "The usual up-to-date distributions like Arch, Gentoo, and Fedora 32 will be getting WireGuard automatically by virtue of having 5.6."


But even if you don't run leading, bleeding-edge Linux distros like these, you'll be getting WireGuard soon, too. Donenfeld added: "On the backports front, WireGuard was backported to Ubuntu 20.04 and Debian Buster." It may also end up backported to the Linux 5.4 long-term support (LTS) kernel. This would bring WireGuard to almost all 2020 Linux distro releases.

Simple, fast, and secure. WireGuard promises to be the future not only of Linux VPNs but of all VPN programs. Some companies, such as Mullvad VPN, are already shipping it. Others, all the others, soon will be.

Monday, March 30, 2020

COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

March 30, 2020Ravie Lakshmanan
 

As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and distributing malicious "Zoom" executable files in an attempt to trick people into downloading malware onto their devices.

According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone.

"We see a sharp rise in the number of 'Zoom' domains being registered, especially in the last week," said Omer Dembinsky, Manager of Cyber Research at Check Point.

"The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure, and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I'd take an extra look to make sure it's not a trap."


With over 74,000 customers and 13 million monthly active users, Zoom is one of the most popular cloud-based enterprise communication platforms that offers chat, video and audio conferencing, and options to host webinars and virtual meetings online.

The popularity of Zoom has shot up significantly in recent weeks as millions of students, business people, and even government employees across the world are forced to work and socialize from home during the coronavirus pandemic.



The report follows a significant increase in the number of malicious coronavirus-related domains, with bad actors finding new ways to profit from the global health concern by staging malware attacks and phishing campaigns and by creating scam sites and malicious tracker apps.

What's more, the researchers said they detected malicious files with the name "zoom-us-zoom_##########.exe," which when executed, installed potentially unwanted programs (PUPs) such as InstallCore, a dodgy bundleware application that's known to install other kinds of malware.

But Zoom is not the only app to be targeted by cybercriminals. With schools turning to online learning platforms to keep students occupied, Check Point researchers said they also discovered phishing sites masquerading as the legitimate Google Classroom (e.g., googloclassroom\.com and googieclassroom\.com) website to trick unwitting users into downloading malware.


Zoom Fixes Privacy Issue in Its iOS App

Zoom, for its part, has had its share of privacy and security issues too. Last year, the video conferencing app fixed a vulnerability that could let websites hijack users' webcams and "forcibly" join them to a Zoom call without their permission.


Then earlier this January, the company squashed another bug that could have allowed attackers to guess a meeting ID and join an unprotected meeting, potentially exposing private audio, video, and documents shared throughout the session. Following the disclosure, Zoom introduced default passwords for each meeting that participants need to enter when joining by manually entering the meeting ID.

And finally, just over the weekend, Zoom updated its iOS app after it was caught sending device information and a unique advertiser identifier to Facebook via the social network's software development kit (SDK), and after concerns were raised over its failure to disclose the data sharing in its privacy policy.

Highlighting some of the privacy risks associated with using Zoom's products, The Electronic Frontier Foundation (EFF) said hosts of Zoom calls can see if participants have the Zoom video window active or not to track if they are paying attention. Administrators can also see the IP address, location data, and device information of each participant.

To safeguard yourself from such threats, it's essential to keep your apps up to date and to be on the lookout for emails from unknown senders and for lookalike domains that contain spelling errors.

Also, don't open unknown attachments or click on links in such emails (the cure for the coronavirus will not arrive via email), and order goods only from authentic sources.
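The lookalike-domain check that the advice above relies on (a brand name misspelled or embedded in an unrelated registration) can be automated. The Python script below is an added example, not Check Point's or The Hacker News' code: it allowlists the official domains and flags registrations whose labels equal, contain, or sit one edit away from a brand keyword. The two Google Classroom lookalikes are the ones named above; every other sample domain is constructed for this example.

```python
"""Heuristic lookalike-domain detector for the brand names on this page.
Domain labels are compared with brand keywords; official domains are allowlisted."""
from typing import Dict, List, Optional

# Official domains (allowlist): the domain itself or any subdomain is benign.
OFFICIAL_DOMAINS = {"zoom.us", "google.com"}
# Brand keywords a squatter would misspell or embed in a registered name.
BRAND_KEYWORDS = ("classroom", "google", "zoom")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute (cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_official(domain: str) -> bool:
    """True for an allowlisted domain or any subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == off or d.endswith("." + off) for off in OFFICIAL_DOMAINS)


def classify(domain: str) -> Optional[Dict[str, str]]:
    """Return a finding for a lookalike domain, or None when nothing matches."""
    if is_official(domain):
        return None
    labels = domain.lower().rstrip(".").split(".")[:-1]  # drop the TLD
    tokens = [t for lbl in labels for t in lbl.replace("_", "-").split("-") if t]
    for brand in BRAND_KEYWORDS:
        for tok in tokens:
            if tok == brand:
                reason = "brand name in non-official domain"
            elif brand in tok:
                reason = "brand embedded in longer label"
            # One typo or homoglyph swap (googie -> google, zoon -> zoom). Short
            # everyday words ("room" vs "zoom") hit too; real use needs a stop-list.
            elif len(tok) >= 4 and levenshtein(tok, brand) <= 1:
                reason = "one edit away from brand"
            else:
                continue
            return {"domain": domain, "brand": brand, "token": tok, "reason": reason}
    return None


def scan(domains: List[str]) -> List[Dict[str, str]]:
    """Classify a batch of domains and keep only the findings."""
    return [f for f in map(classify, domains) if f is not None]


# Constructed sample of newly registered names: the two Google Classroom
# lookalikes are the page's, the remaining names are made up for this example.
SAMPLE_DOMAINS = ["zoom.us", "sub.zoom.us", "classroom.google.com",
                  "googloclassroom.com", "googieclassroom.com",
                  "zoom-us-download.com", "zoon-meeting.net", "goog1e.com",
                  "example.org"]

if __name__ == "__main__":
    for f in scan(SAMPLE_DOMAINS):
        print(f"{f['domain']:24} {f['brand']:10} {f['reason']}")
```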

Sunday, March 29, 2020

Hackers sending malware infected USBs with Best Buy Gift Cards

By Waqas for HackRead

The infamous FIN7 hacking group is behind this campaign.

IT security researchers at Trustwave SpiderLabs have identified a new and tricky attack campaign that uses a specially designed USB dongle which acts as a keyboard. In their research, Trustwave shared details of one of its US clients, which received a malicious USB dongle shipped to the company along with what appeared to be a gift card from Best Buy.

The incident has received so much attention that the FBI issued a warning stating that this is the work of the cybercrime syndicate known as FIN7, which is specifically targeting businesses by sending them infected USB devices.


The attack works as follows: once the device is plugged into a PC, it downloads and runs a JavaScript backdoor. This technique is usually associated with security researchers' training exercises, and this is perhaps the first time criminals have attempted to use it on a large scale.

According to Trustwave SpiderLabs’ vice president Ziv Mador, the company was notified about the campaign by a business associate of one of its team members, and a US-based hospitality-sector firm received the malicious USB dongle in February.

The attackers packaged the USB drive cleverly: the company that received it, together with the $50 Best Buy gift card, revealed that the package also contained a genuine-looking letter bearing the Best Buy logo.


"Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick. Thank you again for choosing us!" said the letter sent to the company.

Here is a full preview of the letter:


Image provided by Trustwave

Furthermore, the recipients were asked to spend the amount on various items, and the list of items was supposedly stored on the USB drive, which they would have to plug into a computer to view. However, the recipient was well trained and didn’t do as directed; instead, they sent the device off for further analysis.

Researchers maintain that this “USB drive” is in fact an Arduino-based ATMEGA32U4 microcontroller loaded with the GRIFFON malware. The device is designed to behave like a USB keyboard, primarily because keyboards are accepted by almost all kinds of systems, which makes injecting malicious commands easier.

In this campaign, the device executes a series of obfuscated PowerShell commands that upload the host’s system configuration data to a C&C server operated by the attacker(s) and then wait for further instructions.


How the attack works – Image via Trustwave

Researchers urge businesses not to insert any USB device they receive unexpectedly into their systems, no matter how attractively it has been disguised or how large the attached gift card is.
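One defensive control that follows from the analysis above is to treat any newly enumerated USB keyboard that is not on a known-device baseline as suspect, since a dongle that types its payload has to announce itself as a HID keyboard. The Python below is an added example, not Trustwave’s code: the record fields mirror Linux sysfs attribute names, and the vendor/product IDs and the device inventory are constructed placeholders.

```python
"""Baseline check for USB devices that present a keyboard interface.

The dongle described above types its payload, so it must enumerate as a HID
keyboard. Field names mirror Linux sysfs attributes (idVendor, idProduct,
bInterfaceClass, bInterfaceProtocol); all records here are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08
KEYBOARD_PROTOCOL = 0x01  # HID boot-protocol keyboard


@dataclass
class UsbDevice:
    id_vendor: int
    id_product: int
    product: str
    # One (bInterfaceClass, bInterfaceProtocol) pair per interface.
    interfaces: List[Tuple[int, int]] = field(default_factory=list)

    def presents_keyboard(self) -> bool:
        return any(c == HID_CLASS and p == KEYBOARD_PROTOCOL for c, p in self.interfaces)

    def presents_storage(self) -> bool:
        return any(c == MASS_STORAGE_CLASS for c, _ in self.interfaces)


def audit(devices: List[UsbDevice], baseline: Set[Tuple[int, int]]) -> List[Dict[str, str]]:
    """Return one finding per device that can type but is not in the baseline."""
    findings = []
    for dev in devices:
        if not dev.presents_keyboard():
            continue  # mice, hubs, storage-only sticks are out of scope here
        if (dev.id_vendor, dev.id_product) in baseline:
            continue  # an enrolled keyboard
        # A "drive" that also types is the riskiest profile, so rank it higher.
        composite = dev.presents_storage()
        findings.append({
            "device": f"{dev.id_vendor:04x}:{dev.id_product:04x} {dev.product}",
            "severity": "high" if composite else "medium",
            "reason": "unknown device exposes keyboard and mass-storage interfaces"
                      if composite else "unknown device exposes a keyboard interface",
        })
    return findings


# Constructed inventory; vendor/product IDs are placeholders, not real assignments.
BASELINE = {(0x1111, 0x0001)}  # the corporate-issued keyboard, enrolled earlier
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "Corporate keyboard", [(HID_CLASS, KEYBOARD_PROTOCOL)]),
    UsbDevice(0x1111, 0x0002, "Corporate mouse", [(HID_CLASS, 0x02)]),
    UsbDevice(0x2222, 0x0003, "Gift card flash drive",
              [(MASS_STORAGE_CLASS, 0x50), (HID_CLASS, KEYBOARD_PROTOCOL)]),
    UsbDevice(0x3333, 0x0004, "Unknown keyboard", [(HID_CLASS, KEYBOARD_PROTOCOL)]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DEVICES, BASELINE):
        print(f"[{f['severity']}] {f['device']}: {f['reason']}")
```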


While this time it is the FIN7 hacking group sending out malicious USBs, in May 2017 IBM shipped USB sticks infected with malware, and in September 2018 Schneider Electric also shipped USB drives loaded with malware. In January 2018, police in Taiwan distributed malware-infected USBs as cybersecurity quiz prizes – oh the irony!

If you care for your business, you need to educate yourself and your employees on cyber security. Check our in-depth post explaining how a USB device could become a security risk for your device and impact your business.