This week, US Cyber Command warns of Iran-linked hackers exploiting Outlook, New “WannaHydra” malware a triple threat to Android, British Airways slapped with record $230M fine, Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software. Jason Wood joins us for expert commentary on Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers!
- US Cyber Command warns of Iran-linked hackers exploiting Outlook – US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook. The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT-33, the Iranian-backed hacking group. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim’s Outlook credentials to change the user’s home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened. Fortunately, Microsoft patched the bug in October 2017; the fix only helps, of course, if you actually patch your systems…
- D-Link agrees to overhaul security in FTC Settlement – D-Link has agreed to implement a comprehensive security program to settle accusations by the U.S. Federal Trade Commission (FTC) claiming that the company failed to implement proper security mechanisms in its routers and IP cameras. The case stems from a 2017 complaint where the FTC stated the company failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, including the use of hard-coded login credentials and storing login credentials in clear, readable text on mobile devices. Additionally, D-Link will have to obtain independent assessments of its security program every two years over the next 10 years.
- New “WannaHydra” malware a triple threat to Android – The latest variant of WannaLocker is a banking Trojan, spyware tool, and ransomware in one. The three-pronged threat, which Avast calls WannaHydra, is currently targeting users of four major banks in Brazil. But if it takes off, the malware could prove to be a major issue for Android users everywhere. The latest version works by presenting users with a fake message urging them to sign into their accounts to address some account-related issue. Once installed, the malware collects the device manufacturer, phone number, text messages, call log, photos, contact list, microphone audio data, and GPS location information. To avoid infection, Android users should only download apps from trusted developers on certified app stores, like Google Play, and verify the number of downloads and reviews before installing.
- DDoS attacker who ruined gamers’ Christmas gets 27 months in prison – Austin Thompson, the 23-year-old hacker from Utah who carried out massive DDoS attacks on Sony, EA, and Steam, has received a 27-month prison sentence. The hacker, a.k.a. “DerpTroll,” pleaded guilty back in November 2018 after he admitted to being a part of DerpTrolling, the hacker group behind the DDoS attacks. In addition to the prison sentence, Thompson was also ordered to pay $95,000 in restitution to one of the victims – Daybreak Games, formerly Sony Online Entertainment. Thompson is currently free on bond and has been ordered to surrender to authorities on August 23, 2019 in order to begin his sentence.
- Canonical GitHub Account Hijacked – Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked. According to Canonical, “there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities” on July 6. “Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub.”
- British Airways slapped with record $230M fine – A proposed $230 million fine on British Airways after a data breach would be the biggest GDPR penalty yet. On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways $230.5 million for infringements of GDPR. In September 2018, British Airways experienced a data breach that impacted 500,000 customers. The fine would be the largest levied under GDPR, surpassing the $57M fine against Google. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to the ramifications of data privacy incidents.
- Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software – Google Project Zero found an Apple iMessage bug that bricks iPhones running older versions of the company’s iOS software. Apple patched the high-severity iMessage bug in iOS 12.3 on May 13, 2019; it can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device. iOS devices receiving the malicious message are rendered inoperable, or bricked. The proof-of-concept attack method targets “A method in IMCore [that] can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString.” As of last month, 47 percent of iOS devices worldwide were running a vulnerable version of iOS. It’s time to update your iOS devices…
- Serious Security Flaw With Zoom Could Allow Websites to Hijack Mac Webcams – On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the conferencing software Zoom. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. To simplify connectivity and work around a security change introduced in Safari 12, Zoom installed a web server on your local machine listening on port 19421. However, the web server is not removed when you uninstall Zoom, meaning anyone who has previously installed Zoom and then removed it still has this vulnerability. Zoom is still working on a fix…
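As an added defensive check for the Outlook home-page technique in the first item above (this is not code from the show notes or from any vendor tooling): a PowerShell function that lists any folder home-page URLs configured for the current user's Outlook. It assumes the setting lives under HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>\URL, which is the documented location of the Outlook folder home page setting that CVE-2017-11774 abuses.

```powershell
# Added example: enumerate Outlook folder home-page URLs for the current user.
# Assumption: the home page setting is stored at
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<folder>\URL
# A default Outlook installation has no such URL values at all.
function Get-OutlookHomePageUrls {
    $base = 'HKCU:\Software\Microsoft\Office'
    $findings = @()
    if (-not (Test-Path $base)) { return $findings }

    foreach ($ver in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        # Only version keys such as 15.0 or 16.0; skip Common, Outlook, etc.
        if ($ver.PSChildName -notmatch '^\d+\.\d+$') { continue }

        $webView = Join-Path $ver.PSPath 'Outlook\WebView'
        if (-not (Test-Path $webView)) { continue }

        # Each subkey is a folder (Inbox, Calendar, ...) that may carry a URL value.
        foreach ($folder in Get-ChildItem $webView -ErrorAction SilentlyContinue) {
            $url = (Get-ItemProperty -Path $folder.PSPath -Name URL `
                        -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrWhiteSpace($url)) { continue }

            $findings += [pscustomobject]@{
                OfficeVersion = $ver.PSChildName
                Folder        = $folder.PSChildName
                Url           = $url
                # A page served from anywhere off the local machine deserves a closer look.
                OffHost       = [bool]($url -match '^(https?|file)://(?!localhost|127\.0\.0\.1)')
            }
        }
    }
    return $findings
}

# Run the check and print whatever is configured (nothing means no home pages are set).
Get-OutlookHomePageUrls | Format-Table -AutoSize
```

Any entry returned is worth reviewing, because folder home pages are rarely set outside managed deployments; keeping Outlook patched since October 2017 is still the primary mitigation.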
Expert Commentary: Jason Wood, Paladin Security
Let’s say that one of your systems gets hit by ransomware and you decide that there’s no way you want to pay the bad guys the ransom. Unfortunately, you don’t have a good backup of the system, so you decide to contact a data recovery firm to get the data decrypted. The recovery firm is able to unlock your data and you pay them the agreed-upon fee. Congratulations! You may have just paid the bad guys to unlock your data through the data recovery firm. How is that for annoying?
Turns out at least three “data recovery” firms have been identified doing just that. They have identified the issue that victims aren’t always willing to pay the ransom and will seek out help in recovering the data. They insert themselves into this chain and act as a middleman. When they contact the bad guys, they will attempt to negotiate the price of the ransom down. Then once they have a negotiated price, they will mark that price up for the victim to pay. Here’s an example of how that worked in one instance.
Fabian Wosar is a security researcher who decided to investigate one of these firms. He created fake ransomware and locked up one of his systems with a typical looking ransom demand. He then pretended to be both the attacker and the victim. Victim Wosar contacted a data recovery firm in Scotland and requested help in unlocking his files. He made it clear that he did not want to pay the attackers. The firm responded that they were analyzing the files to see what they could do.
In the meantime, Attacker Wosar was immediately contacted by a ProtonMail email account using an identifier that Wosar had put into the ransom note. The identifier made it clear that this was the data recovery company. The firm wanted to know how much it would cost to unlock the files. Attacker Wosar responded that it would be $1200 in bitcoin. The firm negotiated this down to $900 and then contacted Victim Wosar with a quote of $3,950 to get the data back. That is nearly 4 times the original price demanded by Attacker Wosar! Payment would be required ahead of decryption, but they would return the funds if they were not able to decrypt the data. Victim Wosar pushed for information on how they would be able to recover the data, but only received information on how to pay the company. At this point, Wosar broke off all communications and didn’t pay out any money.
So what do you think? Dodgy? Should be illegal, but apparently isn’t? They do apparently recover the victim’s data if possible. They just don’t do it in the way you would expect. To me, this seems like they are taking advantage of the situation. Sure, the victim doesn’t have to actually buy the bitcoin, talk to the attacker, or decrypt the data, but it sure seems slimy.
If you are interested in the articles on ProPublica, check out the links in the show notes. If you have thoughts on this, please let me know what you think. @Jason_Wood
Jason Wood – Founder; Primary Consultant, Paladin Security.