Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows
Researchers at IBM recently reported that 90% of traffic to and from all internet of things (IoT) devices comes from the botnet called “Mozi”.
What Is a Botnet?
A botnet, also known as a “zombie army”, is a group of hijacked computers, including IoT devices. Each of these computers is infected with malicious software (malware) so that it can be controlled from a remote location without the owner's knowledge.
Threat actors have used these hijacked computers for malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, traffic from the hijacked computers is directed at a target, for instance a website, overwhelming it with traffic and rendering it inaccessible to legitimate users. In one case, a malicious actor sent a DDoS ransom note taunting a target that their "Botnet army" was ready to take down the target's website and that the target had 48 hours to pay the ransom.
What Is Mozi Botnet?
Researchers at 360 Netlab were the first to report on the Mozi botnet. According to the researchers, they first observed Mozi in the wild in September 2019.
In the recent report released by IBM researchers, Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 to June 2020. The researchers added that the combined number of IoT attack instances from October 2019 to June 2020 increased by 400% compared to the combined IoT attack instances for the previous two years.
Given this massive volume of traffic, the IBM researchers suggested that Mozi didn’t remove competitors from the market but rather flooded it, dwarfing other botnets. The hijacking of IoT devices into the Mozi botnet, the researchers said, could be due in part to the ever-expanding IoT landscape.
According to IBM researchers, there are nearly 31 billion IoT devices deployed around the world, with the IoT deployment rate now standing at 127 devices per second. IoT devices include consumer IoT (security cameras and lighting control); commercial IoT (internet-connected pacemakers and vehicle trackers); enterprise IoT (projectors, routers and security systems); industrial IoT (production line automation systems and aircraft systems); infrastructure IoT (traffic control devices and utility monitoring devices); and the Internet of Military Things (wearable combat biometrics devices, robots and surveillance equipment).
Researchers from 360 Netlab and IBM reported that Mozi is capable of the following malicious activities: conducting DDoS attacks (HTTP, TCP, UDP), carrying out command execution attacks, downloading a malicious payload from a specified URL and executing it, and gathering bot information. Devices affected by Mozi include Netgear, D-Link and Huawei routers.
How Does Mozi Hijack IoT Devices to Form Part of Its Botnet?
According to IBM researchers, nearly all of the initial entry to Mozi-hijacked devices was achieved through command injection (CMDi) attacks.
The Open Web Application Security Project (OWASP) defines CMDi as follows: “Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code.”
Researchers at IBM said CMDi attacks are extremely popular against IoT devices for the following reasons:
First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited.
Second, PHP modules that are built into IoT web interfaces can be exploited, giving threat actors remote execution capability.
Third, IoT interfaces are often left vulnerable when deployed as administrators “fail to harden the interfaces by sanitizing expected remote input”. This failure, the researchers said, allows threat actors to input shell commands.
Fourth, new vulnerabilities are discovered constantly and require frequent updating, and slow patch implementation leaves devices open to exploitation.
Fifth, CMDi attacks can easily be automated, allowing threat actors to hijack a large number of IoT devices quickly at low cost.
Sixth, IBM researchers suggested that Mozi continues to be successful largely through the use of CMDi attacks as corporate networks are being accessed remotely more often due to COVID-19.
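The third reason above (interfaces that pass remote input straight to a shell) is the one a developer can fix in code. As an added example that is not from the IBM or 360 Netlab reports, here is a hypothetical router "ping diagnostic" handler in its vulnerable and hardened forms; the function names and the choice of `ping` are this example's own.

```python
import ipaddress
import re
import subprocess

# Hostname allow-list: RFC 1123 labels joined by dots, nothing else. Shell
# metacharacters (; | & $ ` newline, spaces) can never match this pattern.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_unsafe(host: str) -> str:
    """The anti-pattern behind most IoT CMDi bugs: the request parameter is
    spliced into a shell command string. Returned rather than executed so the
    example stays offline; a handler feeding this string to os.system() or
    subprocess.run(..., shell=True) hands control of the shell to the caller."""
    return "ping -c 1 " + host


def validate_target(host: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a plain hostname,
    and reject everything else instead of trying to strip 'bad' characters."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError("rejected diagnostic target: %r" % host)


def is_safe_target(host: str) -> bool:
    """Exception-free wrapper around validate_target for callers and tests."""
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def build_ping_command_safe(host: str) -> list:
    """Hardened form: validated input, passed as its own argv element, and
    never interpreted by a shell."""
    return ["ping", "-c", "1", validate_target(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command without a shell; returns the exit status."""
    return subprocess.run(build_ping_command_safe(host), capture_output=True,
                          timeout=10).returncode
```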
Israel-based cybersecurity firm JSOF earlier reported that vulnerabilities in the Treck TCP/IP stack put hundreds of millions of IoT and embedded devices at risk. Developed 20 years ago, the Treck TCP/IP stack is a piece of software that serves as a basic building block for any IoT or embedded device that works over a network.
Of the 19 security vulnerabilities discovered in the Treck TCP/IP stack, 4 are rated as critical remote code execution vulnerabilities. Remote code execution lets a threat actor in any geographical location run malicious programs on the target device.
Cybersecurity Best Practices
Here are some cybersecurity best practices for preventing your organization’s IoT devices from being hijacked and made part of a botnet: keep all firmware up to date, and retire devices that no longer receive security updates.
Using outdated IoT devices, or devices that no longer receive security updates, leaves them vulnerable to hijacking and to being made part of a botnet used for malicious activities such as DDoS attacks.
On the flip side, with the proliferation of hijacked IoT devices, it’s important to protect your organization from DDoS attacks.
Bugs in Treck TCP/IP Stack Put Hundreds of Millions of IoT and Embedded Devices At Risk
Nineteen vulnerabilities have recently been discovered in a piece of software called the “Treck TCP/IP Stack”. This software is present in hundreds of millions of IoT and embedded devices, putting these devices and the devices connected to them at risk.
The 19 vulnerabilities in the Treck TCP/IP stack are collectively called “Ripple20”, emphasizing the word “ripple”, as the ripple effect of these vulnerabilities has grown exponentially due to the supply chain factor. Of the 19 vulnerabilities, 2 were disclosed anonymously and 17 were disclosed by Israel-based cybersecurity firm JSOF.
“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” JSOF said in the report "19 Zero-Day Vulnerabilities Amplified by the Supply Chain". “Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors.”
Tracing the Supply Chain
The Treck TCP/IP stack was developed 20 years ago by a firm called “Treck”. This software serves as a basic networking element or building block, useful in any context for any IoT or embedded device that works over a network.
According to JSOF, over the past two decades, the Treck TCP/IP stack has spread around the world through both direct and indirect use. JSOF reported that in the 1990s, Treck collaborated with a Japanese company named Elmic Systems. The two later went their separate ways, resulting in two separate branches of the TCP/IP stack, one managed by Treck and the other by Elmic Systems. Besides ELMIC, the Treck TCP/IP stack is also known by other names such as Net+ OS, Quadnet, GHNET v2, and Kwiknet.
Printers, routers, medical infusion pumps, and industrial controls are some of the devices affected by these vulnerabilities. Device vendors affected by the 19 vulnerabilities in the Treck TCP/IP stack include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter. JSOF estimates that the 19 vulnerabilities affect hundreds of millions of devices or more.
Security Vulnerabilities in Treck TCP/IP
Of the 19 security vulnerabilities discovered in the Treck TCP/IP stack, 4 are rated critical remote code execution vulnerabilities with a CVSS score ≥ 9; 4 are major with a CVSS score ≥ 7; and the remaining 11 have various lower severities. CVSS, short for Common Vulnerability Scoring System, is the industry standard for assessing the severity of computer security vulnerabilities; the most critical rating is 10.
Among the most notable of the 19 vulnerabilities are those designated CVE-2020-11896, CVE-2020-11898, and CVE-2020-11901.
CVE-2020-11896 is a critical vulnerability in the Treck TCP/IP stack. It allows remote code execution by any attacker who can send UDP packets to an open port on the target device. Remote code execution allows attackers in any geographical location to run programs on the target device.
CVE-2020-11898 is a vulnerability in the Treck TCP/IP stack's handling of an IPv4/ICMPv4 length parameter inconsistency, which allows remote attackers to trigger an information leak. JSOF researchers tested CVE-2020-11896 and CVE-2020-11898 on the Digi Connect ME 9210, an embeddable module used in medical devices. The Digi Connect can be purchased from any of the large electronic-parts resellers, amplifying the reach of these vulnerabilities since any device that embeds it also becomes vulnerable.
Among the 19 vulnerabilities in the Treck TCP/IP stack, the most severe is CVE-2020-11901, with a CVSS score of 9.1. This CVE actually covers several critical client-side vulnerabilities in the DNS resolver of the Treck TCP/IP stack.
If successfully exploited, this vulnerability allows pre-authentication arbitrary remote code execution. This vulnerability is of particular interest because a sophisticated attacker, such as a nation state “can potentially reply to a DNS request from outside of the corporate network, thus breaking network segmentation,” researchers at JSOF said.
JSOF researchers tested CVE-2020-11901 on a Schneider Electric UPS device, model APC Smart-UPS 750 (SMT750I/ID18/230V). A UPS, short for Uninterruptible Power Supply, is designed for use in enterprise networks, data centers, and mission-critical systems. It acts as an embedded battery to ensure that the devices connected to it do not suffer from power outages or fluctuations. Remotely exploiting a UPS device can, therefore, have disastrous consequences.
Preventive and Mitigating Measures
Here are some cybersecurity measures for preventing or mitigating the effects of the 19 vulnerabilities discovered in the Treck TCP/IP stack:
Keep all Firmware and Software Up to Date
Some vendors of products affected by the 19 vulnerabilities in the Treck TCP/IP stack, such as Aruba Networks, Digi International, HP, Intel, Teradici, and Xerox, have issued a corresponding patch or security update fixing the vulnerabilities.
Retire Devices that No Longer Receive Security Updates
“The Treck stack has been around for more than 20 years,” JSOF researchers said. “Possibly the vulnerabilities too.”
Because of this length of time, some of the IoT and embedded devices affected by the vulnerabilities in the Treck TCP/IP stack may no longer receive security updates. Continued use of vulnerable devices puts your organization’s network at risk of cyberattacks.
Devices that no longer receive security updates and have served their purpose for years should no longer be used. Fortunately, some of these devices are inexpensive, so it is much cheaper to replace them with current versions than to keep using outdated devices that only put your organization’s network at risk.
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for a mix of physical and online classes, while some still opt for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes has given rise to phishing attacks and distributed denial-of-service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and most popular forms of cybercrime. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something that leads to the theft of data or the download of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims into downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake installers through phishing websites, that is, sites designed to look like the legitimate download pages for popular video meeting apps and online course platform apps.
Victims also encounter these fake installers through phishing emails that masquerade as special offers or notifications. Downloading a fake installer from either a phishing website or a phishing email can lead to malicious software being installed and run on the victim’s computer, or to sensitive data being stolen.
In April of this year, researchers at Check Point reported that in a span of just 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Of these 2,500 new Zoom-related websites, 1.5% were found to be malicious and another 13% were found to be suspicious. The researchers added that cybercriminals also impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails with the subject “You have been added to a team in Microsoft Teams“. The phishing emails contained a malicious URL which, at first glance, looked similar to the legitimate Microsoft Teams URL. On closer inspection, however, the URL was a fake one, and victims who landed on the fake Microsoft Teams site ended up downloading malware.
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet, a network of computers infected with self-propagating malware, is used by an attacker to overwhelm the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector increased by at least 350% compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application originally developed for network stress testing. Since becoming an open-source application, it has been used for malicious activities such as DDoS attacks. A DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC can use IRC chat channels to run a “Hivemind” version of LOIC. This allows a primary user of the IRC channel to control secondary computers, creating a botnet, that is, a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against the Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. A notable characteristic of LOIC is that attackers are unable to hide their IP addresses, making it easy for authorities to track them down. Because of this IP address visibility, authorities in many countries have taken legal action against DDoS attackers using LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online, as it could lead you to a phishing site. Also double-check URLs, as a difference of a single letter or character could lead you to a malicious site.
To stay safe against DDoS attacks, including those leveraging LOIC, use a web application firewall (WAF). A WAF provides strong protection specifically against HTTP floods. For protection against TCP and UDP floods, use a dedicated DDoS protection service.
DDoS Extortions Return
Over the past few weeks, a group of cybercriminals has launched distributed denial-of-service (DDoS) attacks targeting companies in the finance and retail sectors and demanding ransom payment for the attacks to stop.
In the blog post "Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail", Akamai reported that over the past few weeks, a series of DDoS attacks from the so-called "Armada Collective" and "Fancy Bear" actors have targeted businesses across multiple sectors, including finance and retail, and that these DDoS attacks come with extortion demands. Some of the attacks peaked at almost 200 gigabytes per second (GB/s), Akamai said.
ZDNet likewise reported that in the past weeks, a criminal group that goes by the names "Armada Collective" and "Fancy Bear" has launched DDoS attacks against some of the biggest financial service providers and demanded payment in the cryptocurrency bitcoin as an extortion fee to stop the DDoS attacks.
Incidentally, a few days ago, the operations of the New Zealand stock exchange were disrupted by a DDoS attack. Other than commenting that the attack came from overseas, authorities in New Zealand would not say whether the DDoS attack also involved a ransom demand.
Evolution of DDoS Extortions
DDoS extortion is nothing new; this type of extortion has been around for the last few years. The recent DDoS extortions, however, differ from the older ones in terms of methods and severity.
The recent DDoS extortion campaign described by Akamai and ZDNet resembles the campaign described in the alert "DDoS extortion campaign targeting financial sector", released on November 1, 2019 by the Computer Emergency Response Team New Zealand (CERT NZ).
According to CERT NZ, it received reports relating to a DDoS extortion campaign targeting companies within the financial sector in New Zealand. This extortion campaign had also been observed in other countries, CERT NZ said. As described by CERT NZ, the DDoS extortion campaign followed these steps:
First, the target company receives an email stating “We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.” In the email, the attackers give the target company a deadline for when the major DDoS attack will happen and demand a ransom from the target to prevent it.
Second, to convince the target that the major DDoS attack is coming, a minor DDoS attack is launched against an IP address belonging to the company's network. These demonstration attacks generally last for 30 minutes.
In the DDoS extortion campaign observed by Akamai, the targets were warned that going public about the extortion demand would result in an immediate major DDoS attack. The extortion demand also threatened that the major attack would make websites and other connected services "unavailable for everyone" and would harm the target's reputation.
While past DDoS extortion campaigns targeted the victims' websites, the recent campaign described by CERT NZ, Akamai and ZDNet targeted the victims' backend infrastructure, resulting in prolonged and severe outages. An example is a DDoS attack on the target's web hosting provider, resulting in outages of the ultimate target's website.
In the case of the attack on the New Zealand stock exchange, the exchange's web hosting provider Spark was targeted in a series of DDoS attacks, resulting in outages at the stock exchange as well as downtime for the websites of Spark's other customers.
Reflective DDoS Techniques
In the November 2019 alert, CERT NZ said that the so-called Fancy Bear threat group overwhelms the target using a variety of reflective DDoS techniques, with targets including services using the following protocols:
A reflective DDoS technique is a DDoS attack that relies on publicly accessible UDP servers to overwhelm a victim’s system with UDP traffic. UDP, short for User Datagram Protocol, is an internet communication protocol for time-sensitive transmissions such as video chat. UDP is designed not to validate source Internet Protocol (IP) addresses so that the protocol can operate very quickly. This, however, creates an exploitation opportunity for attackers.
In general, in a reflective DDoS attack, an attacker who is capable of spoofing IP addresses sends fake requests, carrying the victim's address as the source, to a vulnerable UDP server. The UDP server, not knowing the request is fake, prepares the response and sends it to the spoofed source address, so the responses are delivered to the unsuspecting target, overwhelming its resources such as the network itself.
Best Practices Against DDoS Extortions
It’s recommended not to pay ransom to DDoS extortionists. Ransom payment only encourages extortionists to attack your organization again.
Like any other type of DDoS attack, a DDoS attack using reflective techniques exploits two groups: the ultimate target and the vulnerable computers, in this case vulnerable UDP servers. To prevent your organization’s computers from being used in reflective DDoS attacks, it is best to stop using UDP when it is not needed. If UDP is needed, configure the service to always respond with a smaller packet size. It is also important to use a firewall.
To protect your organization from being the ultimate target of a reflective DDoS attack, it’s best to work with your trusted cybersecurity service provider and use a DDoS protection service to prevent the DDoS traffic from reaching your organization’s systems.
The Driz Group specializes in DDoS protection and can mitigate a DDoS attack in just a few minutes.
Cybersecurity Threat Spotlight: Malicious Bots
The recent hacking incident affecting thousands of Canadian Government accounts highlights the growing threat of malicious bots.
Hacking of Thousands of Canadian Government Accounts
On August 15th, the Government of Canada, through the Treasury Board of Canada Secretariat, issued a statement saying that an unidentified attacker or attackers had targeted the Canadian Government's GCKey system. This system is used by 30 Canadian federal departments as a single sign-on (SSO) system for the public to access government services, including social services such as COVID-19 relief programs. The GCKey system is also a means to access Canadian Revenue Agency (CRA) accounts.
According to the Treasury Board of Canada Secretariat, of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services.
Of the total number of accounts fraudulently accessed by the attackers, approximately 5,500 were CRA accounts. This prompted authorities to shut down the CRA web portal, which has since been brought back up and running.
In the August 15th statement, the Treasury Board of Canada Secretariat attributed the hacking incident to a type of cyberattack called "credential stuffing". In credential stuffing, usernames and passwords stolen in past, unrelated data breaches are used to log in to victims’ accounts, on the assumption that people typically reuse usernames and passwords across multiple online accounts.
Tests conducted by BleepingComputer showed that when accessing Canadian departments' web portals such as the CRA's, neither multi-factor authentication nor a CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart) was enabled in the login workflow. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.
CNN, meanwhile, reported that Canadian officials disclosed that at one point, they detected as many as 300,000 malicious attempts to access accounts on at least 24 government web portals.
In a press conference held days after the Treasury Board of Canada Secretariat's August 15th statement, Marc Brouillard, acting Chief Technology Officer for the Secretariat, said that at one point the CRA portal was directly targeted with a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard added that the attackers were able to bypass the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions used by the Government of Canada. He said that this security vulnerability has since been fixed by applying the latest security update.
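A botnet-driven credential stuffing run looks different in authentication logs from a single noisy source, so a defender needs both a per-source and a fleet-wide signal. The following detector, an added example that is not code from the Government of Canada or BleepingComputer, runs over constructed sample log lines in a format invented for this example (documentation-range IPs, made-up usernames) and shows both signals.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One line per authentication attempt; the field names are this example's own.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a normal user, one IP spraying many usernames, and eight
# bots each trying a single leaked credential pair (not real GCKey/CRA data).
SAMPLE_LOG = """\
2020-08-01T10:00:01Z login user=alice src=198.51.100.7 result=OK
2020-08-01T10:00:02Z login user=bob src=198.51.100.8 result=FAIL
2020-08-01T10:00:05Z login user=bob src=198.51.100.8 result=OK
2020-08-01T10:00:03Z login user=u1001 src=203.0.113.5 result=FAIL
2020-08-01T10:00:03Z login user=u1002 src=203.0.113.5 result=FAIL
2020-08-01T10:00:03Z login user=u1003 src=203.0.113.5 result=FAIL
2020-08-01T10:00:04Z login user=u1004 src=203.0.113.5 result=FAIL
2020-08-01T10:00:04Z login user=u1005 src=203.0.113.5 result=OK
2020-08-01T10:00:09Z login user=u2001 src=192.0.2.11 result=FAIL
2020-08-01T10:00:09Z login user=u2002 src=192.0.2.12 result=FAIL
2020-08-01T10:00:09Z login user=u2003 src=192.0.2.13 result=FAIL
2020-08-01T10:00:10Z login user=u2004 src=192.0.2.14 result=FAIL
2020-08-01T10:00:10Z login user=u2005 src=192.0.2.15 result=FAIL
2020-08-01T10:00:10Z login user=u2006 src=192.0.2.16 result=FAIL
2020-08-01T10:00:11Z login user=u2007 src=192.0.2.17 result=FAIL
2020-08-01T10:00:11Z login user=u2008 src=192.0.2.18 result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_events(text):
    """Turn raw log text into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def source_stats(events):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
    return stats


def flag_spraying_sources(events, min_users=5, min_fail_ratio=0.8):
    """Per-source signal: one IP trying many distinct usernames, nearly all
    failing. A real user mistyping a password keeps hitting one username."""
    flagged = []
    for src, s in source_stats(events).items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged.append(src)
    return sorted(flagged)


def detect_distributed_stuffing(events, max_attempts_per_src=2, min_failures=8):
    """Fleet-wide signal for botnet-driven stuffing, where each bot sends too
    few attempts to trip a per-source threshold. Looks only at low-volume
    sources and asks whether their failures are spread across distinct
    usernames and distinct addresses (one leaked credential pair per bot)."""
    stats = source_stats(events)
    low = [e for e in events
           if stats[e["src"]].attempts <= max_attempts_per_src and e["result"] == "FAIL"]
    users = {e["user"] for e in low}
    srcs = {e["src"] for e in low}
    suspicious = (len(low) >= min_failures
                  and len(users) >= 0.9 * len(low)
                  and len(srcs) >= 0.9 * len(low))
    return {"failures": len(low), "distinct_users": len(users),
            "distinct_sources": len(srcs), "suspicious": suspicious}
```

The thresholds are starting points; in production they would be tuned against the portal's normal failure rate and evaluated per time window rather than over the whole log.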
Credential stuffing attacks and exploitation of known security vulnerabilities are executed through the use of malicious bots.
The word "bots" derives from "internet robots". Bots are software programs created to automate repetitive tasks.
The repetitive task of indexing new webpages, for instance, has been taken over by bots. For its search engine, Google uses the bot known as "Googlebot" to crawl the internet and index new webpages. Googlebot is one example of a non-malicious bot.
Threat actors, on the other hand, use bots in conducting malicious activities such as credential stuffing attacks, exploitation of known security vulnerabilities, and other cyberattacks such as distributed denial-of-service (DDoS) attacks.
Malicious bots start with one "bad bot". This bad bot is used by a cybercriminal to hijack a computer, which is then referred to as a "zombie" computer. Over a period of time, a cybercriminal could hijack thousands to millions of computers to create a network of zombie computers. These zombie computers, collectively called a "botnet", are then used to launch large-scale malicious attacks.
Necurs is an example of a botnet that wreaked havoc globally for years. This botnet was first observed in the wild in 2012. In March 2020, Microsoft said that along with partners across 35 countries, they took coordinated legal and technical steps to disrupt the operation of Necurs.
According to Microsoft, over the span of 8 years, the group behind Necurs hijacked more than 9 million computers globally to form its botnet. During a 58-day period, Microsoft observed a single Necurs-hijacked computer send a total of 3.8 million spam emails to over 40.6 million potential victims.
Aside from sending spam emails, a botnet can be used to amass a large list of usernames and passwords for credential stuffing attacks, and to automatically scan websites for software vulnerabilities.
Cybersecurity Best Practices Against Malicious Bots
Malicious bots threaten both the target as well as the zombie computers used as part of the botnet.
In the hacking incident affecting thousands of Canadian Government accounts, compromised accounts are at risk because attackers can change bank account details and siphon money out of the victims' accounts. Being part of a botnet, on the other hand, slows down hijacked computers and hastens their wear and tear.
Some of the best practices in preventing your organization's computers (including IoT devices) from being hijacked as part of a botnet include changing default login details and keeping all software up to date.
To prevent the exploitation of known security vulnerabilities, it's important to keep all of your organization's software up to date.
Here are some of the best practices for preventing or minimizing the effects of credential stuffing attacks:
What Is Consent Phishing and How to Prevent Such Attack
SANS Institute, the largest provider of cybersecurity training and certification to professionals, recently admitted that it fell victim to a consent phishing attack, leading to the theft of 28,000 records of personally identifiable information.
This recent successful consent phishing attack on SANS Institute highlights the growth of this type of cyberattack.
What Is Consent Phishing?
Consent phishing is a type of cyberattack that tricks victims into granting a malicious app permission to access legitimate cloud services such as Microsoft 365, formerly known as Office 365.
In a conventional phishing attack, an attacker attempts to obtain sensitive information or data by posing as a trustworthy individual or entity. The traditional way of launching a phishing attack is via email.
In an email-based conventional phishing attack, the attacker sends the target a malicious email that masquerades as coming from a trusted individual or entity. Clicking the link or attachment in the phishing email can lead to malicious software (malware) being installed and run on the recipient's computer.
According to SANS Institute, the consent phishing attack was discovered on August 6th as part of a systematic review of email configuration and rules. SANS's internal investigation showed that the company's email configuration and rules were changed, allowing emails to be forwarded to an external email address.
The change to the email forwarding configuration and rules allowed 513 emails to be forwarded to a suspicious external email address. Approximately 28,000 records of personally identifiable information were forwarded to that address, SANS said in its Data Incident 2020 report.
The information sent to the suspicious external email address includes email address, work title, first name and last name, work phone, company name, industry, address and country of residence.
How the Consent Phishing Attack Unfolded
In its Data Incident 2020 – Indicators of Compromise, SANS Institute reported that on July 24, 2020, several of its employees received an email with the subject “Copy of sans July Bonus 24JUL2020.xls”. Recipients were enticed to click the “Open” button to read the purported "Bonus" document, presented as being in the Enabler4Excel 365 format, a new version of the popular Enabler4Excel add-in built to work with Microsoft Excel 2016 or higher and Microsoft Excel Online.
Clicking the Open button, however, initiated the installation of a malicious Microsoft 365 app. Once installed, the malicious app changed the affected mailbox's forwarding rule, forwarding emails containing any of the following keywords to an external email address: Bank, bic, capital call, cash, Contribution, dividend, fund, iban, Payment, purchase, shares, swift, transfer, Wire and wiring info.
According to SANS Institute, only one employee's email account was impacted in the consent phishing attack.
Consent Phishing: An Application-Based Threat
Consent phishing is an application-based threat in which an attacker seeks the target's permission for an attacker-controlled app to access valuable data stored in a cloud service.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing", Agnieszka Girling, Partner Group PM Manager at Microsoft, said that consent phishing is another threat vector that organizations must be aware of. Girling said that consent phishing typically proceeds in the following steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth 2.0 is an industry-standard authorization protocol that lets a website or application access a user's data on another service without the user handing over a password.
Second, the malicious app is designed in such a way that it seems trustworthy, for example by using the name of a popular product used in the same IT environment.
Third, the attacker presents a link in front of the target via conventional email-based phishing, by compromising a legitimate website, or other techniques.
Fourth, the target clicks the link and is shown an authentic-looking consent button asking the target to grant the malicious app permission to access data in a particular cloud service.
Fifth, once the target clicks on the consent button, the malicious app is granted access to sensitive data stored in a cloud service such as Microsoft 365. The consent button is powerful because a single click unwittingly grants the attacker access to the target's Microsoft 365 account contents, including email, forwarding rules, files, contacts, profile and materials stored in the target's OneDrive cloud storage space and corporate SharePoint document management and storage system.
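The consent flow just described and the forwarding rule from the SANS incident both leave traces in mailbox audit records. The following Python script is an added example, not code from SANS or Microsoft: it scans constructed audit records in a simplified New-InboxRule/Set-InboxRule shape (the field names are an assumption to verify against a real export) and flags rules that forward to an external domain or key on the financial keywords listed above.

```python
"""Flag mailbox rules that forward mail externally on financial keywords.

Added detection example for this page; it is not code from SANS or
Microsoft. The records are constructed to mimic a simplified subset of
Microsoft 365 unified audit log entries for the New-InboxRule and
Set-InboxRule operations (Operation, UserId, Parameters as Name/Value
pairs). Treat those field names as assumptions and check them against a
real export before relying on this.
"""
import json

# Constructed: the organisation's own email domains; anything else is external.
INTERNAL_DOMAINS = {"corp.example"}

# Keywords the SANS write-up says the malicious rule matched on, lower-cased.
SANS_RULE_KEYWORDS = {
    "bank", "bic", "capital call", "cash", "contribution", "dividend", "fund",
    "iban", "payment", "purchase", "shares", "swift", "transfer", "wire", "wiring info",
}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed sample log as JSON lines. The second record mirrors the rule
# described in the SANS incident; the first is a benign internal forward.
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [{"Name": "Name", "Value": "Team"}, {"Name": "ForwardTo", "Value": "team-inbox@corp.example"}, {"Name": "SubjectContainsWords", "Value": "weekly report"}]}
{"Operation": "New-InboxRule", "UserId": "bob@corp.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collect@attacker.invalid"}, {"Name": "SubjectOrBodyContainsWords", "Value": "Bank;bic;capital call;cash;Contribution;dividend;fund;iban;Payment;purchase;shares;swift;transfer;Wire;wiring info"}]}
{"Operation": "MailboxLogin", "UserId": "bob@corp.example", "Parameters": []}
"""


def _split(value):
    """Audit exports join multi-valued parameters with ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(record):
    """Reasons one audit record looks like attacker-created forwarding; [] if clean."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for name in FORWARDING_PARAMS:
        external = [t for t in _split(params.get(name, "")) if _is_external(t)]
        if external:
            reasons.append(f"{name} -> external {', '.join(external)}")
    words = set()
    for name in KEYWORD_PARAMS:
        words.update(w.lower() for w in _split(params.get(name, "")))
    hits = sorted(words & SANS_RULE_KEYWORDS)
    # A legitimate rule rarely keys on several payment terms at once; the SANS
    # rule keyed on fifteen of them, so two or more is the signal used here.
    if len(hits) >= 2:
        reasons.append(f"financial keywords: {', '.join(hits)}")
    return reasons


def scan(log_text):
    """Parse JSON lines and return [(user, reasons)] for suspicious rules only."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = rule_findings(record)
        if reasons:
            findings.append((record.get("UserId", "?"), reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Only the rule that forwards externally on the SANS keyword list is reported; the internal team forward passes.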
Cybersecurity Best Practices Against Consent Phishing
On the part of Microsoft, the company said that it filed legal actions against criminals who deployed consent phishing designed to compromise Microsoft customer accounts. The company said its Digital Crimes Unit (DCU) first observed cybercriminals deploying consent phishing in December 2019, calling it “a sophisticated, new phishing scheme”.
Here are some cybersecurity best practices to prevent or mitigate the effects of consent phishing:
Cloud Security: How to Prevent MFA Bypass Exploiting Legacy Email Protocols
Threats to cloud accounts have grown considerably, making single-factor authentication – reliance on the traditional username and password combination – undependable and paving the way for the adoption of multi-factor authentication (MFA).
Legacy Email Protocols
Legacy email protocols refer to email protocols that use basic authentication, that is, reliance on single-factor authentication consisting of only the username and password combination. These legacy email protocols can’t enforce any type of multi-factor authentication. Examples of these legacy email protocols include POP, IMAP, SMTP, and MAPI.
Prevalence of Cyberattacks Exploiting Legacy Email Protocols
Microsoft 365, formerly Office 365, supports legacy email protocols by default. For MFA to be operational on Microsoft 365, an administrator needs to block legacy authentication, that is, the use of single-factor authentication only. Microsoft 365 adoption has risen as a result of the COVID-19 pandemic, which forced organizations around the globe to adopt the work from home model.
In the blog post "Block legacy authentication to Azure AD with Conditional Access", Microsoft said legacy email authentication protocols are the preferred entry points for threat actors attacking organizations using Microsoft 365, citing the following findings: more than 99% of password spray attacks use legacy authentication protocols, and more than 97% of credential stuffing attacks use legacy authentication.
Password spray attacks refer to cyberattacks that attempt to log in to a large number of online accounts using a few commonly used passwords. Credential stuffing attacks, meanwhile, refer to cyberattacks that use stolen usernames and passwords to access online accounts. Attackers automate both password spray and credential stuffing attacks using bots or automated scripts.
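To show what these patterns look like in sign-in telemetry, here is an added Python example (not code from Microsoft or this blog) that runs over constructed records resembling a trimmed Azure AD sign-in export; the field names and the invalid-password error code are assumptions drawn from the Microsoft Graph signIn resource and should be checked against your own data. It counts sign-ins that arrived over legacy client protocols and flags source addresses whose failures touch many distinct accounts within a short window, which is the password-spray signature rather than the many-attempts-per-account signature of credential stuffing.

```python
"""Triage sign-in records for legacy-protocol use and password-spray sources.

Added example for this page; not code from Microsoft. The sample records
are constructed to resemble a trimmed Azure AD sign-in export. Field names
(createdDateTime, userPrincipalName, ipAddress, clientAppUsed,
status.errorCode) and the error code 50126 (invalid username or password)
are taken from the Microsoft Graph signIn resource but should be treated
as assumptions and verified against a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that correspond to basic (legacy) authentication, which
# cannot carry an MFA challenge; "Browser" and modern desktop clients can.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126  # assumption: AADSTS50126, bad username or password

# Constructed sample: one source IP trying a password against 12 accounts over
# IMAP within a minute, a normal browser sign-in, and one ordinary typo failure.
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2020-08-01T02:00:{i:02d}Z", "userPrincipalName": f"user{i}@corp.example",
     "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": INVALID_PASSWORD}}
    for i in range(12)
] + [
    {"createdDateTime": "2020-08-01T09:15:00Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "203.0.113.5", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-08-01T09:16:00Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "203.0.113.5", "clientAppUsed": "Browser", "status": {"errorCode": INVALID_PASSWORD}},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_signins(records):
    """Records that authenticated over a legacy client app, successful or not.
    Each one is a sign-in that MFA could not have protected."""
    return [r for r in records if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def password_spray_sources(records, min_users=10, window=timedelta(hours=1)):
    """Map source IP -> largest number of distinct accounts that failed with a bad
    password from that IP inside any `window`. Spraying means few tries per account
    but many accounts, so we count distinct users per source, not tries per user."""
    failures = defaultdict(list)
    for r in records:
        if r.get("status", {}).get("errorCode") == INVALID_PASSWORD:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this IP's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def summarize(records):
    """Figures in the spirit of Microsoft's statistic: the share of failed logins
    that arrived over legacy protocols, and which sources look like sprayers."""
    failed = [r for r in records if r.get("status", {}).get("errorCode") == INVALID_PASSWORD]
    legacy_failed = [r for r in failed if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]
    share = len(legacy_failed) / len(failed) if failed else 0.0
    return {"legacy_failure_share": round(share, 3), "spray_sources": password_spray_sources(records)}


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
```

Alice's single mistyped password is not flagged because only one account is involved; the IMAP source is, because twelve accounts failed from it inside the window.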
Business Email Compromise (BEC)
Security researchers at FireEye Mandiant reported that one of the entry points used by Business Email Compromise (BEC) actors is bypassing Microsoft 365 MFA by exploiting legacy authentication protocols. In a BEC attack, an attacker compromises the official email of an executive, typically a CEO, and uses this compromised email to convince an employee in charge of releasing funds to send money to a bank account controlled by the attacker.
Based on the 2019 Internet Crime Report of the Federal Bureau of Investigation (FBI), in 2019, victims lost over $1.7 billion through BEC scams. In April of this year, the FBI warned that threat actors are using the uncertainty surrounding the COVID-19 pandemic to further their efforts. “Recently, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19,” the FBI said.
According to security researchers at FireEye Mandiant, the usual route taken by BEC actors to accomplish their objective is compromising the target’s email via an MFA bypass that leverages legacy authentication protocols. After this initial compromise, the researchers said, BEC attackers establish a foothold in the target’s system by sending phishing lures to internal and external contacts from Outlook’s global address list, and by changing mailbox rules to forward certain or all emails to an external address controlled by the attackers.
With access to the target’s email, the report said, attackers conduct internal reconnaissance by searching the target's mailbox for emails of interest, and searching other Microsoft 365 applications such as SharePoint and OneDrive for content of interest. Attackers complete their BEC mission, the report said, by sending a request to the HR department to update the target’s direct deposit information, followed by a wire transfer request for a purported unpaid invoice.
Most Commonly Abused Legacy Email Protocol
In the blog post “Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide” published in March 2019, security researchers at Proofpoint said they analyzed over 100,000 unauthorized logins across millions of cloud user accounts, including Microsoft 365 and G Suite cloud accounts, and found that IMAP was the most commonly abused legacy email protocol. According to security researchers at Proofpoint, IMAP is a legacy authentication protocol that may be used to bypass multifactor authentication (MFA) under the following specific circumstances:
Preventive and Mitigating Measures Against MFA Bypass via Legacy Authentication Protocols
Microsoft’s recommendation for preventing MFA bypass via legacy authentication protocols is to block those protocols from accessing your organization’s Microsoft 365 resources with a Conditional Access policy.
“For MFA to be effective, you also need to block legacy authentication,” wrote Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post “New tools to block legacy authentication in your organization”. “This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them preferred entry points for adversaries attacking your organization.”
Aside from disabling legacy authentication protocols, other mitigating measures against MFA bypass via legacy authentication protocols include:
Twitter recently shed light on the cyberattack that compromised the accounts of a number of its high-profile users.
In the blog post “An update on our security incident”, Twitter said that the cyber incident that happened on July 15, 2020 targeted a small number of employees through a “phone spear phishing attack”. Twitter didn’t give details about how the attackers carried out the phone spear phishing attack.
Twitter, however, described the aftermath of the phone spear phishing attack. The company said that while not all of the Twitter employees that were targeted by the phone spear phishing attack had permissions to use Twitter’s account management tools, the “attackers” used the credentials gathered from the phone spear phishing attack to access the company’s internal systems and gain information about its processes.
Knowledge of the company’s internal systems and processes, Twitter said, enabled the attackers to target additional employees who did have access to the platform’s account support tools. Armed with credentials from employees that had access to the platform’s account support tools, Twitter said, the attackers targeted 130 Twitter accounts. Out of the 130 Twitter accounts, the company said, the attackers tweeted from 45 accounts, accessed the Direct Message (DM) inbox of 36 accounts, and downloaded the Twitter data of 7 accounts.
The phone spear phishing attack on Twitter compromised multiple high-profile verified accounts of personalities, including that of Bill Gates, Elon Musk and Jeff Bezos. Verified accounts of tech giants such as Apple and Uber as well as verified accounts of cryptocurrency exchanges such as Binance and Coinbase were also compromised.
Compromised verified accounts were made part of a cryptocurrency scam in which readers were called on to send bitcoin to a particular address with the promise that twice the amount of bitcoin would be returned. As of August 3, 2020, a total of 399 transferees sent bitcoin to the address mentioned in the compromised Twitter accounts. The total amount sent reached nearly 12.87 bitcoin (equivalent to USD 144,213).
As of July 30, 2020 (date of a case filed by the U.S. Department of Justice against one of the alleged perpetrators of the Twitter hack), not one of those that sent bitcoin to the above-mentioned address got their bitcoin doubled nor their bitcoin returned. Last July 31st, the U.S. Department of Justice announced that 3 cases had been filed against 3 individuals for their alleged roles in the Twitter hack.
Details of the alleged phone spear phishing attack are still not available despite the cases filed as the alleged mastermind of the Twitter hack is a minor. In the U.S., cases against minors aren’t available to the public.
Phone spear phishing isn’t something new. Phishing, in general, refers to a cyberattack that tricks victims into giving information to criminals. Spear phishing, meanwhile, refers to a phishing campaign that targets specific individuals or specific organizations.
Traditionally, spear phishing attacks are conducted via email. With the adoption of Voice over Internet Protocol (VoIP) – a technology that allows users to make voice calls over the internet instead of a regular (or analog) phone line – phone phishing, also known as vishing, has proliferated.
It’s rare to hear about phone phishing because such attacks are reported under the category of phishing, which includes traditional email phishing. In a typical email phishing attack, an attacker sends a target an email that masquerades as coming from a legitimate source.
This malicious email contains a malicious link or attachment. Clicking on this malicious link or attachment could lead to the compromise of the user’s computer or stealing of sensitive data.
In the early 2000s, the Federal Bureau of Investigation (FBI) cited two examples of vishing. In one version of a vishing scam, a target receives a typical email, similar to the traditional email phishing scam. But instead of directing the target to a malicious link, the target is given a phone number (a VoIP account) to call and is asked to provide certain information over that phone number.
The phone number is usually that of a fake customer service. The target that calls the customer service is then directed to a series of voice-prompted menus that ask for passwords and other sensitive information.
According to the FBI, another version of vishing directly contacts the target by phone (VoIP account as well) instead of an initial email. The call can come from a recorded message directing the target to take action to protect his or her account. In this case, the attacker already has some personal information about the target. This gives the target a false sense of security.
Vishing via VoIP, the FBI said, has some advantages over traditional phishing tricks due to the following reasons:
Preventive and Mitigating Measures Against Vishing
Always treat a phone call asking for sensitive information with a healthy dose of skepticism. Verify whether the call is legitimate by hanging up the phone and calling the customer service using the number provided by the organization.
Threat Focus: WastedLocker Ransomware
Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.
Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.
Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."
flyGarmin, Garmin's service that offers navigational software to pilots, said in a separate statement that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular weather, data from the on-board Central Maintenance Computer (CMC) and position reports, were down; and that in the Garmin Pilot apps, flight plan filing (unless connected to FltPlan), account syncing and database concierge were down.
Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle a limited number of calls, but email and chat support are still unavailable.
While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees indicate that Garmin fell victim to WastedLocker ransomware.
A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.
WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".
One of the known methods used by the group behind the WastedLocker ransomware is fake software updates that show up on users' screens when visiting certain legitimate websites. The group inserts malicious code into vulnerable websites, prompting unsuspecting users to click on the fake software update notices that appear on sites they trust.
Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.
Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.
Mimikatz, meanwhile, is another open-source tool that extracts passwords, hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.
After exploring the weak spots and gathering access credentials, the attackers drop the WastedLocker ransomware into the victim's network or server. With WastedLocker ransomware, it isn't possible to recover a backup copy on the affected computer, as this malicious software deletes shadow copies – the default backups made by Windows operating systems.
Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.
According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".
Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.
The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.
In December 2019, the U.S. Treasury Department sanctioned Evil Corp by prohibiting U.S. persons from dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could mean that U.S. individuals or organizations are prohibited from engaging with Evil Corp, including via ransom payment.
The U.S. Treasury Department’s sanction came after leaders and members of Evil Corp were charged with developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.
Twitter Attributes Latest Hack to Its Systems to Social Engineering
Last July 15th, verified Twitter accounts, including those of Amazon CEO Jeff Bezos and former U.S. President Barack Obama, tweeted similar content, saying that they'd decided to give back to their community by returning twice the Bitcoin amount (limited to US $50 million) for every Bitcoin sent to a particular Bitcoin address.
The tweets were later removed – a confirmation that the tweets were part of a scam and that the involved verified Twitter accounts were, in fact, hacked. A total of 393 transactions sent varying amounts of Bitcoin to the indicated Bitcoin address. Whoever orchestrated the campaign earned 12.8 Bitcoins, valued at US $117,473 as of July 18, 2020.
How Twitter Was Hacked
In a blog post dated July 18, 2020, Twitter attributed the hacking of the 130 verified Twitter accounts to social engineering. "At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme," Twitter said.
The company, however, didn't elaborate on how the social engineering was carried out by the attackers. Twitter defined social engineering as the "intentional manipulation of people into performing certain actions and divulging confidential information."
According to Twitter, the intentional manipulation of a small number of Twitter employees enabled the attackers to access the company's internal systems using the credentials of the targeted Twitter employees, and "getting through" the company's two-factor authentication (2FA) protection.
Twitter said the attackers were able to view personal information including phone numbers and email addresses – information that was accessible to some of the targeted employees. Of the 130 hacked verified accounts, Twitter added, the attackers were able to log in to 45, send tweets and initiate a password reset.
In accounts taken over by the attackers, the company said that the attackers may have been able to view additional information. The company also added that the attackers attempted to sell some of the hacked accounts.
The July 15th cyber incident at Twitter isn't the first hacking incident that the company experienced. Nearly a year ago, the Twitter account of its CEO Jack Dorsey was hacked.
After taking over Dorsey's Twitter account @jack, attackers fired off nearly two dozen tweets and retweets. "The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter said in a statement. "This allowed an unauthorized person to compose and send tweets via text message from the phone number."
The above-mentioned statement from Twitter on how its CEO's account was hacked describes a typical SIM swap attack – a type of cyberattack in which a mobile phone company employee switches a victim’s phone number to a new phone number that's under the attacker’s control.
This type of attack is carried out in two ways. One method is calling a customer help line of the mobile phone company and pretending to be the intended victim. The other method is paying off phone company employees to do the phone number switch. There have been reports that attackers paid off phone company employees to do the phone number switching for as little as US $100.
SIM swap plays a big role in attacks that try to bypass text message-based 2-factor authentication, an authentication method in which, on top of the usual username and password, a user can only log in to an account by providing a one-time code sent to the phone number the user provided. In a SIM swap attack, by moving the target's phone number to a phone controlled by the attacker, the one-time code is delivered to the attacker instead.
In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned its partner organizations about SIM swapping. According to the FBI, between 2018 and 2019, the most common tactic used by attackers in circumventing the 2-factor authentication was through SIM swapping.
In 2019, a report came out that Twitter left its internal systems exposed to outsiders by failing to apply the latest security update of a particular software product. This time, however, bug bounty hunters found the vulnerability and responsibly disclosed it to Twitter.
In a blog post dated September 2, 2019, security researchers at DEVCORE reported that they were able to perform on Twitter's internal systems remote code execution – the ability to access someone else's computing device and make changes to it regardless of where this computing device is geographically located. The researchers said they initially gained access to Twitter's internal system by exploiting an unpatched Pulse Secure VPN used by the company.
The security researchers at DEVCORE are the same researchers that discovered the remote code execution vulnerability in Pulse Secure VPN products and reported this vulnerability to the software vendor Pulse Secure. The same researchers also discovered and reported the security vulnerabilities in the VPN products of OpenVPN and Fortinet.
"During our research, we found a new attack vector to take over all the clients [computers or software that accesses a service made available by a server]," security researchers at DEVCORE said. "It’s the 'logon script' feature. It appears in almost EVERY SSL VPNs, such as OpenVPN, Fortinet, Pulse Secure… and more. It can execute corresponding scripts to mount the network filesystem or change the routing table once the VPN connection established. Due to this 'hacker-friendly' feature, once we got the admin privilege, we can leverage this feature to infect all the VPN clients!"
The researchers also reported that they bypassed the 2-factor authentication as Twitter enabled the Pulse Secure VPN's roaming session feature, which allows a session from multiple IP locations. "Due to this 'convenient' [roaming session] feature, we can just download the session database and forge our cookies to log into their system!"
Prior to going public, the security researchers at DEVCORE reported to Twitter their findings via the company's bug bounty program.
Social engineering is a significant risk for most organizations and individuals alike. This is why we’ve created a blog post with 52 cybersecurity tips for businesses and individuals to help mitigate key risks.
Steve E. Driz, I.S.P., ITCP