White House bans Kaspersky, major ransomware attack disrupts hospitals, and more – MalwareTech (2024)

06/25/2024 - Issue #1

Welcome to the first edition of the MalwareTech Newsletter. If you have any suggestions or would like to help out, please reach out to me on [emailprotected].

White House Bans Kaspersky, Sanctions Executives

MalwareTech’s Notes: This one is going to be significantly longer than you’d typically expect for a newsletter, but there’s a lot to unpack, and trust me, it’s worth the read.

Following a two-year-long national security review, the White House has made the decision to ban Kaspersky from selling their products within the US. Several Kaspersky executives have also found their names added to the Treasury’s OFAC sanctions list, though notably absent from the list is CEO & founder, Eugene Kaspersky.

Now, whilst this comes amid a flurry of handwavy national security legislation being leveraged against popular foreign tech companies, this one has some pretty serious lore that goes back over a decade.

As far as I’m aware, the US has never publicly accused Kaspersky of any specific acts, only raised concerns that their product could be used for espionage purposes. However, we’ve been given plenty of less-than-subtle hints. Throughout 2017 we saw everything from seemingly out-of-the-blue questions at Senate hearings and conveniently timed intelligence leaks to ominous public statements, all pointing to a single narrative: Kaspersky passed US secrets to Russian intelligence. It sure seems like the US government is trying to paint us a pretty clear picture, albeit one that doesn’t require them publicly going on record and explaining how it is they know this.

It all starts back in 2010 when an NSA employee (and contender for the worst-OpSec-ever award) began transferring highly classified files to his internet-connected personal computer. At some point in 2015 he gets infected with malware while trying to use a Microsoft Office key generator, and enables Kaspersky antivirus to clean it up. Kaspersky’s scanner detects unknown malware matching a signature related to “Equation Group” (read: definitely not the NSA), and automatically uploads it to their cloud antivirus for further analysis.

As it turns out, our employee worked for Tailored Access Operations (TAO), the NSA’s elite hacking unit, and thus had access to the source code for some of their most prized hacking tools. The detected file was not in fact a malware infection, but a zip archive containing troves of classified documents, source code, and binaries related to his work at TAO.

This much has been confirmed by Kaspersky themselves, and the details match several intelligence leaks, and the US Department of Justice’s conviction of said employee. However, according to Kaspersky’s own account, they deleted the files upon realizing what they were and that’s all there is to it. Whilst it’s not uncommon for western companies to turn a blind eye towards friendly intelligence operations, Kaspersky is based out of Russia, and that same year released a publication lifting the lid on several Equation Group (absolutely not the NSA) campaigns.

A 2017 New York Times article citing “anonymous officials” dropped the bombshell claim that Kaspersky was hacked by Israeli intelligence, who documented witnessing cooperation between Kaspersky and Russian intelligence in real time. A couple of months prior to the NYT article, Kaspersky reported that their networks had been breached and infected with Duqu 2.0 (a piece of spyware widely believed to be the work of the Israel Defense Forces’ Unit 8200).

Given the amount of corroboration on all the key facts, I think it’s safe to say that either with or without Kaspersky’s knowledge, Russian intelligence most likely did exfiltrate classified data belonging to Equation Group through Kaspersky’s antivirus.

As many of you will remember, it was the ShadowBrokers’ leaking of several Equation Group tools which led to NotPetya and WannaCry, two of the most destructive cyber attacks in history. It’s unclear if any of the tools leaked match the ones exfiltrated from Kaspersky’s network, but given that the ShadowBrokers are widely believed to be a front for Russian intelligence, it’s easy to see why the US is a little bit upset.

Want to sponsor my next edition and reach over 1,000 cybersecurity professionals?

Contact Me

EU Government Hits Pause on Proposed CSAM Scanning Legislation

The European Union Council has cancelled a planned vote on draft legislation that would require end-to-end encrypted messaging apps to scan messages for CSAM prior to encryption.

Whilst it’s something that seems like a good idea on the surface, many digital rights activists have rightly raised concerns about the wider privacy implications. Most proposals suggest either running message content through a fuzzy-hashing algorithm or feeding it into AI. In both cases, app providers would be required to add extra handling of unencrypted messages.

The key issue at play is that such a system would need to be opaque by design, which leaves little room for any controls enforcing that it only be used for its intended purpose. Although the legislation proposes limiting scanning to only images, videos, or URLs, the potential is still ripe for abuse.

One often proposed privacy-friendly solution is that no data leaves the user’s device. Instead, message content would be hashed and scanned locally against a constantly updating database of known hashes, similar to how an antivirus works. Content that matches signatures for known CSAM would then be uploaded for further analysis, or reported to authorities. However, it would be entirely possible for a sufficiently motivated government to add hashes for essentially anything they want, weaponizing the system for generic surveillance.

Read More

Major Ransomware Attack Disrupts Hospitals Across London

A ransomware attack against lab provider Synnovis Group, used by the UK’s National Health Service, has caused major disruption to hospitals around London. As of the last report, over 800 operations and 700 appointments have been cancelled. The ransomware group, known as Qilin, allegedly asked for a $50 million ransom. It seems, though, as if the ransom demands were not met, as the group later published 400 GB of stolen data to the dark web.

In a strange twist, the person responsible for the attack agreed to an interview with BBC News via encrypted chat, where they made some interesting statements. Whilst these kinds of attacks are typically opportunistic, the actor claims to have deliberately targeted Synnovis, stating that “Our citizens are dying in unequal combat from a lack of medicines and donor blood”. They also apologized to patients for the disruption, before attempting to shift blame onto the UK government for “not doing enough to help in the war”.

What’s interesting here is that none of the statements allude to specifically which war, or which side they think isn’t receiving enough support. Whilst it’s entirely possible that the actor is Ukrainian and referencing the Russian invasion of Ukraine, it’s also possible that this is just a Russian threat actor engaging in some of the classic trolling & misdirection they’ve become known for.

Read More

Security Company Loots $3 Million From Crypto Exchange Bank Account

During a bug bounty attempt, Web3 security firm CertiK found a vulnerability on the Kraken crypto exchange platform. The flaw enabled them to add arbitrary amounts to their account balance, seemingly out of thin air. Whilst demonstrating the vulnerability would have been enough to make their point, CertiK went a step further (actually several miles), by adding over $3m to their account balance, then withdrawing the money from the exchange.

CertiK’s stated justification is that they wanted to test whether the platform would actually let them withdraw money that doesn’t exist, and chose such a large amount to test if the company’s internal security controls would catch such a large fraudulent withdrawal. Whilst I agree that both tests are incredibly important, and it’s embarrassing that Kraken failed at every level, this would be the sort of thing you’d expect to see from a contracted pentest, not a random external company operating under a bug bounty policy. Whether or not CertiK’s actions were legal, it’s a lot of money to be liable for should the transfer go wrong (or should some pesky Lazarus hackers steal your not-so-hard-earned winnings before you get a chance to return them).

Ironically, Kraken’s bug bounty terms of service seem to use generic boilerplate language which makes no mention of customer or exchange funds, nor explicitly puts withdrawing them out of scope. Whilst it’s common sense that looting the company bank account is highly unethical, and not an acceptable part of a bug bounty, Kraken’s policy doesn’t exactly say that you can’t.

Read More

Popular JS Library Polyfill Hit By Supply Chain Attack

Polyfill, a library used to support modern JS functionality on older browsers, has been backdoored. The framework (which is used on over 100,000 websites) was previously bought by a Chinese company, which appears to be the party that backdoored it. The backdoor embeds custom JavaScript into websites using the polyfill library, which allows the site’s visitors to be redirected to arbitrary URLs.

The injected code appears to be part of a Traffic Direction System (or TDS for short), which is a network of compromised websites used to sell page impressions to nefarious actors. Sometimes these systems are simply used to drive fake traffic to webpages for ad-fraud or SEO purposes, but in many cases they are leveraged by malware groups to execute drive-by attacks, infecting unsuspecting visitors of legitimate websites with malware.

It’s also worth noting that developers have been raising concerns over the Polyfill purchase for some time [1][2]. Similar concerns were raised on Polyfill’s GitHub, but appear to have been deleted by the new “maintainers”.
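A third-party script you load from someone else’s server is code you run on every visitor’s machine, and the party serving it can change it at any time. The audit below is an added example, not code from the original post or the Polyfill project: it parses a page’s HTML, lists every externally hosted `<script src>`, and flags those whose host is not on an explicit allow-list or that carry no Subresource Integrity (`integrity`) hash. The allow-list, the first-party hostname and the sample HTML (including the `cdn.example` host) are all constructed for the example.

```python
"""Audit a page for externally hosted scripts (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site operator has deliberately chosen to load scripts from.
# Constructed allow-list for this example; a real deployment would use its own.
ALLOWED_SCRIPT_HOSTS = {"static.example.org"}


class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attributes = dict(attrs)  # html.parser lower-cases attribute names
        if attributes.get("src"):
            self.scripts.append(attributes)


def audit_scripts(html, first_party_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (src, reason) findings for scripts loaded from elsewhere."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attributes in collector.scripts:
        src = attributes["src"]
        # urlparse handles both "https://host/path" and protocol-relative "//host/path";
        # a bare path such as "/js/app.js" yields an empty netloc (same-origin).
        host = urlparse(src).netloc.lower()
        if not host or host == first_party_host.lower():
            continue
        if host not in allowed:
            findings.append((src, "third-party host not on allow-list"))
        if not attributes.get("integrity"):
            findings.append((src, "no Subresource Integrity hash; content can change silently"))
    return findings


# Constructed sample page: one same-origin script, one allow-listed script with SRI,
# and one protocol-relative script from a host the operator never reviewed.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.org/lib.js" integrity="sha384-AAAA"></script>
<script src="//cdn.example/v3/polyfill.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML, "www.example.org"):
        print(f"{src}: {reason}")
```

Two caveats when using this on a real site: an `integrity` hash only helps when the server returns byte-identical content to every client, so a service that tailors its response per user agent cannot be pinned this way (self-hosting the file is the usual answer), and the allow-list is only as good as the review that put a host on it, which is exactly the review that a change of ownership should trigger.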

Read More

Multiple WordPress Plugins Backdoored In Ongoing Supply Chain Attack

Several independent WordPress plugins have been backdoored with code that covertly adds an administrator account to the user’s website, according to Wordfence’s threat intelligence team.

The backdoored plugins are as follows:

  • Social Warfare 4.4.6.4 – 4.4.7.1

    • Patched Version: 4.4.7.3

  • Blaze Widget 2.2.5 – 2.5.2

    • Patched Version: None

  • Wrapper Link Element 1.0.2 – 1.0.3

    • Patched Version: It appears that someone removed the malicious code, however, the latest version is tagged as 1.0.0 which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.

  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5

    • Patched Version: None

  • Simply Show Hooks 1.2.1

    • Patched Version: None

As of now, it’s unclear what the attacker is doing, if anything, with the backdoored WordPress installations. With breaches like this we’d typically expect to see the credentials sold to SEO spammers, TDS operators, or malware groups looking for reputable websites to use as botnet infrastructure.
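For a site owner the two practical questions are “am I running an affected version?” and “does anything in my plugin directory create privileged users?”. The script below is an added example, not code from Wordfence or the plugins concerned. The version ranges and fixed versions are the ones listed above; everything else (the triage regexes, the sample plugin source, the line numbers) is constructed for the example. The source scan only looks for the documented WordPress user-creation functions (`wp_insert_user`, `wp_create_user`) used together with the `administrator` role, which legitimate membership or onboarding plugins may also do, so a hit is a prompt for manual review rather than proof of compromise.

```python
"""Check plugin versions against the affected ranges above and triage plugin source
for administrator-account creation (added example; ranges from the newsletter)."""
import re

# name -> (lowest affected, highest affected, fixed version or None)
# Wrapper Link Element's only "fixed" tag (1.0.0) is lower than the affected
# versions, so it is recorded as having no usable fix, matching the advice above.
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "Blaze Widget": ("2.2.5", "2.5.2", None),
    "Wrapper Link Element": ("1.0.2", "1.0.3", None),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5", None),
    "Simply Show Hooks": ("1.2.1", "1.2.1", None),
}


def parse_version(version):
    """'4.4.7.1' -> (4, 4, 7, 1); tuple comparison orders dotted versions correctly."""
    return tuple(int(part) for part in version.split("."))


def is_affected(name, installed):
    """True if the installed version of a listed plugin falls in the backdoored range."""
    if name not in AFFECTED:
        return False
    low, high, _fixed = AFFECTED[name]
    return parse_version(low) <= parse_version(installed) <= parse_version(high)


def recommended_action(name, installed):
    """Plain-language advice derived from the table above."""
    if not is_affected(name, installed):
        return "not in an affected range"
    fixed = AFFECTED[name][2]
    return f"update to {fixed}" if fixed else "remove the plugin; no fixed version is available"


# Documented WordPress APIs that create a user, and two ways of handing it the
# administrator role. Constructed triage patterns, not Wordfence's signatures.
USER_CREATION = re.compile(r"\b(wp_insert_user|wp_create_user)\s*\(", re.I)
ADMIN_ROLE = re.compile(r"(?:set_role\s*\(|['\"]role['\"]\s*=>)\s*['\"]administrator['\"]", re.I)


def scan_plugin_source(php_source):
    """Return (line_number, reason) findings for each line worth a human look."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), 1):
        if USER_CREATION.search(line):
            findings.append((number, "creates a WordPress user"))
        if ADMIN_ROLE.search(line):
            findings.append((number, "assigns the administrator role"))
    return findings


def looks_like_admin_backdoor(php_source):
    """Flag source that both creates a user and grants it the administrator role."""
    reasons = {reason for _, reason in scan_plugin_source(php_source)}
    return {"creates a WordPress user", "assigns the administrator role"} <= reasons


# Constructed sample of plugin source; line 6 is the kind of statement the scan exists to surface.
SAMPLE_PLUGIN_PHP = """<?php
add_action('init', function () {
    // ... ordinary plugin code ...
});
// constructed sample line for the scanner, not code from any real plugin
$u = wp_insert_user(['user_login' => 'x', 'user_pass' => 'y', 'role' => 'administrator']);
"""

if __name__ == "__main__":
    print("Social Warfare 4.4.7.0:", recommended_action("Social Warfare", "4.4.7.0"))
    print("Blaze Widget 2.3.0:", recommended_action("Blaze Widget", "2.3.0"))
    for number, reason in scan_plugin_source(SAMPLE_PLUGIN_PHP):
        print(f"line {number}: {reason}")
```

Whatever the scan says, the durable check is the one the backdoor's effect points at: list the site's administrator accounts and confirm each one was created by someone you know, because a plugin that has since been updated or removed leaves the account it created behind.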

Read More

Vulnerability Watch

CVE-2024-5806 MOVEit Transfer Authentication Bypass

A proof-of-concept for an authentication bypass vulnerability in MOVEit’s SFTP module was published this morning (June 25th). According to a Tweet (or whatever they’re called now) from the Shadowserver Foundation, large-scale in-the-wild exploitation has already been observed.

Read More

CVE-2024-1111 - Windows Wi-Fi Driver RCE

With a CVSS rating of 8.8, this vulnerability isn’t the most severe of the latest Patch Tuesday collection, but it is one that’s likely to attract the attention of security researchers, potentially resulting in proof-of-concept publication.

The vulnerability allows an attacker to gain remote code execution on almost any Windows version via malformed Wi-Fi packets. Although it’s impractical for typical malicious actors due to the need to be within Wi-Fi range of the target system, it’s the kind of vulnerability that might make the “don’t take your laptop to Defcon” trope more of a reality.

Read More

Potential Adobe Acrobat PDF Reader Zero Day

Haifei Li, the founder of a sandbox platform that specializes in analyzing file vulnerabilities, claims to have stumbled across a PDF file containing a zero-day exploit.

They claim that the zero-day results in a use-after-free which crashes even the latest version of Adobe Reader, but the PDF file does not appear to contain a full exploit chain that is capable of resulting in remote code execution.

What’s interesting about this one is how a partial zero-day exploit would end up being uploaded to a public online sandbox. It could be that someone’s proof-of-concept ended up getting leaked, or a corrupted file accidentally triggered a vulnerability, but either way, Adobe has been notified and there’s no evidence of a full-chain RCE exploit in the wild.

Read More

CVE-2024-30103 - Microsoft Outlook Zero-Click RCE

This one is a bit of a he-said-she-said and I’m not really sure what to make of it. Both the company that discovered it and the official Microsoft CVE entry list it as a remote code execution that doesn’t require user interaction. Supposedly, the vulnerability would allow an attacker to gain code execution on a target system simply by having them open (or preview) a malicious email in Outlook.

However, there seems to be some ambiguity around the definition of the term “zero-click”. Typically, the term is used to refer to exploits that are capable of hacking a user without them having to do anything. But in this case, several vulnerability researchers have reverse-engineered the patch and suggest that the vulnerability would require the attacker to be in possession of the target user’s login credentials.

In my mind, zero-click exploits and phishing the user for their login credentials are two diametrically opposed ends of the user-interaction spectrum, but I guess if you split the tasks up you can have lots of clicking on Monday and zero clicking on Tuesday. If it is the case that credentials are required, I personally wouldn’t call it a zero-click, nor would I really worry about it much, but it’s not the hill I’m going to die on.

Read More

If you have any suggestions for sections or stories you'd like to see in the next edition, please don't hesitate to reach out!
