Checkm8: 5 Things You Should Know About The New iOS Boot ROM Exploit

Last week, the iOS jailbreaking community was set abuzz after security researcher axi0mX dropped what’s been described as a ‘game changing’ new exploit affecting Apple’s mobile platform. Dubbed ‘checkm8’, the Boot ROM exploit has widely been proclaimed as the most important single exploit ever released for iPhone, iPad, Apple TV and Apple Watch devices. But what does that actually mean for the security of the millions of affected iOS devices out there, in use in both personal and enterprise environments? In this post, we look behind the headlines and the inevitable FUD to break it all down and answer the essential questions.

image of checkm8 5 things you should know

1. Are iOS Devices Now Insecure Because of checkm8?

No, let’s be clear about this. For almost all realistic scenarios involving devices in use, checkm8 hasn’t “changed the game” in terms of risk management. That’s not to say the Boot ROM exploit isn’t hugely important – it is, as we’ll explain below – but the ways in which attackers can actually use it are few and limited.

First, there is no remote attack here. checkm8 has to be triggered over USB with the device in DFU mode, so an attacker cannot use it against a device that isn’t physically in their hands. Anyone hoping to use this exploit without possession of the target device is out of luck.

Second, checkm8 does not let a threat actor bypass Touch ID, Face ID or passcode protections. In other words, it does not compromise the Secure Enclave, which holds the keys that encrypt user data. That means your personal data remains safe from attackers who don’t have your unlock credentials (so the strength of your passcode still matters), notwithstanding the possibility of other zero days.

Third, there’s no persistence mechanism here, either. The exploit lives only in memory: if an attacker gained possession of your device and used the Boot ROM exploit to compromise it, rebooting the device would bring it back to a clean state, because the unmodified Boot ROM runs again and the signature checks refuse to load any unsigned code the attacker left behind. The exploit has to be re-run over USB on every boot, which is why jailbreaks built on it are ‘tethered’.

image of axi0mX tweet

2. What Should I Do To Stay Safe from checkm8?

With that said, checkm8 does mean security-conscious users should consider the possibility of a potential hack or malware infection if the device has been out of their presence or physical control.

If you’ve left your iPhone unattended and powered on in your hotel room, for example, or on a desk in a shared office space, or had it temporarily confiscated by border guards, you should reboot your iOS device when it comes back into your possession. For good measure, do a forced restart rather than trusting the on-screen power-off, so that malware can’t simulate a fake reboot.

All that’s probably advice that you should already have been heeding anyway, as there’s been speculation of privately-held hacks and iOS zero days swirling around at least since the infamous San Bernardino, FBI vs Apple story back in 2016. Checkm8 means we now have a publicly-known and available exploit that could have been used in that kind of situation.

The following graphic taken from Apple’s WWDC 2016 presentation shows the flow of the secure boot chain from power on, from left to right, on an uncompromised device.

image of ios secure boot chain

According to the iOS Security Guide:

“Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust…This secure boot chain helps ensure that the lowest levels of software aren’t tampered with.”

What makes checkm8 so devastating is that it exploits a flaw in the very first link of this chain, the Boot ROM, which nothing earlier can verify. Once an attacker runs code there, every check made by the later stages is performed by code the attacker already controls, so those checks no longer mean anything.
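To make that chain-of-trust point concrete, here is a small Python model of the boot chain. It is added for this article and is not Apple’s code or anything from checkm8 itself: the stage images, the root key and the ‘patched’ verifier are all constructed, and an HMAC stands in for Apple’s RSA signatures so it runs on the standard library alone. It shows three things: a tampered later image is refused by the genuine stage before it; an attacker who executes before the first check can hand the chain anything; and because the Boot ROM itself cannot be modified, the next power-on without the exploit refuses the same tampered image again.

```python
"""Toy model of the iOS secure boot chain: Boot ROM -> LLB -> iBoot -> kernel.
Added illustration for this article, not Apple's code. The root key, the
image bytes and the 'patched' verifier are all constructed, and an HMAC
stands in for Apple's RSA signatures so it runs on the standard library."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed stand-in for the Apple root key fused into the Boot ROM.
# The attacker never learns it; what checkm8 gives them is execution
# *before* the code that uses it.
ROOT_KEY = b"constructed-root-key"


def apple_sign(code: bytes) -> bytes:
    """Stand-in for Apple's signing service: only Apple can produce these."""
    return hmac.new(ROOT_KEY, code, hashlib.sha256).digest()


@dataclass(frozen=True)
class Image:
    name: str
    code: bytes
    signature: bytes


def genuine_verify(img: Image) -> bool:
    """The check each genuine stage makes on the next image before running it."""
    return hmac.compare_digest(apple_sign(img.code), img.signature)


def attacker_verify(img: Image) -> bool:
    """What that check becomes once the attacker already executes in the Boot
    ROM: the comparison is patched out of each stage as it is loaded, so any
    image 'verifies'."""
    return True


def build_chain() -> List[Image]:
    """The images Apple ships, each carrying a valid signature. The Boot ROM
    itself is not an image in this list: it is the fixed code that performs
    the first check."""
    return [
        Image("LLB", b"llb-genuine", apple_sign(b"llb-genuine")),
        Image("iBoot", b"iboot-genuine", apple_sign(b"iboot-genuine")),
        Image("kernel", b"xnu-genuine", apple_sign(b"xnu-genuine")),
    ]


def tamper(chain: List[Image], name: str, new_code: bytes) -> List[Image]:
    """Swap one image's code. The attacker has no signing key, so the old
    signature is kept and no longer matches."""
    return [Image(i.name, new_code, i.signature) if i.name == name else i
            for i in chain]


def power_on(chain: List[Image], rom_exploited: bool = False) -> Tuple[List[str], bool]:
    """Walk the chain from the Boot ROM. Returns (stages that ran, booted?).

    rom_exploited=False: the immutable ROM checks LLB, genuine LLB checks
    iBoot, genuine iBoot checks the kernel.
    rom_exploited=True: the attacker runs first (checkm8 over USB in DFU
    mode), so every later check is performed by code the attacker patched.
    The flag is not remembered across calls: the ROM cannot be modified, so
    each power-on starts from the genuine check unless the exploit is re-run."""
    verify: Callable[[Image], bool] = attacker_verify if rom_exploited else genuine_verify
    ran: List[str] = []
    for img in chain:
        if not verify(img):
            return ran, False  # genuine stage refuses to hand over control
        ran.append(img.name)
    return ran, True


if __name__ == "__main__":
    patched = tamper(build_chain(), "kernel", b"xnu-patched-by-attacker")
    print("genuine chain, genuine ROM :", power_on(build_chain()))
    print("patched kernel, genuine ROM:", power_on(patched))
    print("patched kernel, checkm8    :", power_on(patched, rom_exploited=True))
    print("same device after reboot   :", power_on(patched))
```

The last call is the ‘no persistence’ point from section 1: the tampered kernel booted only while the exploit was running, and the next cold boot is checked by the same unmodified Boot ROM, which refuses it.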

image of checkm8 boot rom exploit

3. Which iOS Devices Are Affected by checkm8?

While not every iOS device is affected by checkm8, the vast majority in use are. If you own, or purchase, an iPhone XR, XS, XS Max or any of the iPhone 11 series, all of which use the A12 Bionic or later chip, the Boot ROM exploit will not work on it. That’s because the use-after-free vulnerability axi0mX found, in the Boot ROM’s USB (DFU) code, is present only in devices using A11 chips or earlier, which includes iPhone 4S to iPhone X models, as well as any iPad, Apple TV or Apple Watch device using an A11 or earlier chip.

Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

4. How Does checkm8 Change the Game for iOS Security?

As we’ve already explained, for end users concerned about the practical security of their devices on a day-to-day basis, there isn’t really anything new to worry about here. However, this exploit really is a game changer for researchers and, to a certain extent, for Apple itself and for some developers. That’s because with checkm8, anyone will be able to jailbreak an affected iOS device and inspect what’s going on ‘under the hood’ with any software running on it.

For example, unscrupulous developers are now on notice that it’s only a matter of time before security researchers start to uncover any underhand behaviour or functionality in their apps that Apple’s code review might have missed. My prediction is that in the coming months we will see quite a few startling revelations of devious behaviour by so-called ‘reputable’ apps as more and more researchers begin jailbreaking devices and reverse engineering apps to examine how particular applications behave at runtime.

image of checkm8 features

The second, massive ‘game changing’ aspect of checkm8 is the one that most people have been talking about this weekend: it means we will not have to depend on Apple’s generosity in handing out special ‘research’ phones to a select few researchers in order to explore iOS itself for more bugs and security flaws. The iOS Security Research Device program was slated to commence in 2020, but it now appears to be effectively redundant. It remains to be seen if there’s any point now in Apple following through with it.

As a result of checkm8, there will be a huge increase in the number of people actively investigating iOS security. Assuming Apple doesn’t now change its mind about offering an expanded bug bounty program, that means we should see a real acceleration in the discovery of crucial bugs in the iOS operating system itself.

That, again, is a great thing for iOS security. As the old saying goes, security by obscurity is no security at all, and checkm8 really brings the inner workings of iOS out into the light for inspection by anyone, not just a handful of chosen researchers.

5. Will Apple Release a Security Patch to Fix checkm8?

No, that’s not going to happen, for the simple reason that a software update cannot fix flaws in the Boot ROM: it is read-only code etched into the silicon at the factory, which is exactly why it can serve as the root of the boot chain. The flaw can only be fixed in new silicon, which is what the A12 and later chips represent. Devices already sold could only be “patched” by a recall, and given the cost to Apple of doing that versus the benefit, that’s extremely unlikely to happen.

This means that affected devices are vulnerable “forever”. Of course, there’s a shelf-life for how long these devices will be upgradable to the latest version of iOS, perhaps as much as 5 years from manufacture in some cases. That gives researchers a great opportunity to explore thoroughly how iOS works from now into the mid-term future. Beyond that, although these devices will still be vulnerable, once they can no longer run the latest version of iOS we will be back in the ‘dark ages’ of not knowing what running code is doing on our iOS devices.

Conclusion

The main takeaway from the checkm8 Boot ROM exploit released last week by axi0mX is that while it doesn’t change much for users in terms of how they should manage risk in practical terms, it does change pretty much everything for researchers in terms of giving them unprecedented, privileged access to the inner workings of iOS and, indeed, third-party code running on their devices.

While there have been some voices in the media suggesting that this kind of exploit should not be made public, it’s hard to see how the net effect won’t be a huge positive for users, researchers and Apple itself. The more people hunting bugs on iOS the better for everyone, and the checkm8 exploit is arguably only doing what Apple itself had this year promised to do by providing ‘research’ phones and an expanded bug bounty program; namely, opening up iOS bug hunting to a larger – a very much larger – community of researchers.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Confluent adds free tier to Kafka real-time streaming data cloud service

When Confluent launched a cloud service in 2017, it was trying to reduce some of the complexity related to running a Kafka streaming data application. Today, it introduced a free tier to that cloud service. The company hopes to expand its market beyond large technology company customers, and the free tier should make it easier for smaller companies to get started.

The new tier provides up to $50 of service a month for up to three months. Company CEO Jay Kreps says that while $50 might not sound like much, it’s actually hundreds of gigabytes of throughput and makes it easy to get started with the tool.

“We felt like we can make this technology really accessible. We can make it as easy as we can. We want to make it something where you can just get going in seconds, and not have to pay anything to start building an application that uses real-time streams of data,” Kreps said.

Kafka has been available as an open-source product since 2011, so it’s been free to download, install and build applications, but still required a ton of compute and engineering resources to pull off. The cloud service was designed to simplify that, and the free tier lets developers get comfortable building a small application without making a large financial investment.

Once they get used to working with Kafka on the free version, users can then buy in whatever increments make sense for them, and only pay for what they use. It can be pennies’ worth of Kafka or hundreds of dollars, depending on a customer’s individual requirements. “After free, you can buy 11 cents’ worth of Kafka or you can buy it $10 worth, all the way up to these massive users like Lyft that use Confluent Cloud at huge scale as part of their ridesharing service,” he said.

While a free SaaS trial might feel like a common kind of marketing approach, Kreps says for a service like Kafka, it’s actually much more difficult to pull off. “With something like a distributed system where you get a whole chunk of infrastructure, it’s actually technically an extraordinarily difficult thing to provide zero to elastic scale up capabilities. And a huge amount of engineering goes into making that possible,” Kreps explained.

Kafka processes massive streams of data in real time. It was originally developed inside LinkedIn and open-sourced in 2011. Confluent launched as a commercial entity on top of the open-source project in 2014. In January the company raised $125 million on a $2.5 billion valuation. It has raised more than $205 million in total, according to Crunchbase data.

Microsoft’s Windows Virtual Desktop service is now generally available

Microsoft today announced that Windows Virtual Desktop (WVD), its Azure-based system for virtualizing the Windows and Office user experience it announced last September, is now generally available. Using WVD, enterprises can give their employees access to virtualized applications and remote desktops, including the ability to provide multi-session Windows 10 experiences, something that sets Microsoft’s offering apart from those of other vendors that offer virtualized Windows desktops and applications.

In addition to making the service generally available, Microsoft is also rolling it out globally, whereas the preview was U.S.-only and the original plan was to slowly roll it out globally. Scott Manchester, the principal engineering lead for WVD, also told me that more than 20,000 companies signed up for the preview. He also noted that Microsoft Teams is getting enhanced support in WVD with a significantly improved video conferencing experience.

Shortly after announcing the preview of WVD, Microsoft acquired a company called FSLogix, which specialized in provisioning the same kind of virtualized Windows environments that Microsoft offers through WVD. As Microsoft’s corporate VP for Microsoft 365 told me ahead of today’s announcement, the company took a lot of the know-how from FSLogix to ensure that the user experience on WVD is as smooth as possible.

Brad Anderson, CVP of Microsoft 365, noted that just as enterprises are getting more comfortable with moving some of their infrastructure to the cloud (and have others worry about managing it), there is now also growing demand from organizations that want this same experience for their desktop experiences. “They look at the cloud as a way of saying, ‘listen, let the experts manage the infrastructure. They can optimize it; they can fine-tune it; they can make sure that it’s all done right.’ And then I’ll just have a first-party service — in this case Microsoft — that I can leverage to simplify my life and enable me to spin up and down capacity on demand,” Anderson said. He also noted, though, that making sure that these services are always available is maybe even more critical than for other workloads that have moved to the cloud. If your desktop stops working, you can’t get much done, after all.

Anderson also stressed that if a customer wants a multi-session Windows 10 environment in the cloud, WVD is the only way to go because that is the only way to get a license to do so. “We’ve built the operating system, we built the public cloud, so that combination is going to be unique and this gives us the ability to make sure that that Windows 10 experience is the absolute best on top of that public cloud,” he noted.

He also stressed that the FSLogix acquisition enabled his team to work with the Office team to optimize the user experience there. Thanks to this, when you spin up a new virtualized version of Outlook, for example, it’ll just take a second or two to load instead of almost a minute.

A number of companies are also still looking to upgrade their old Windows 7 deployments. Microsoft will stop providing free security patches for them very soon, but on WVD, these users will still be able to get access to virtualized Windows 7 desktops with free extended security updates until January 2023. Anderson does not believe that this will be a major driver for WVD adoption, but he does see “pockets of customers who are working on their transition.”

Enterprises can access Windows 10 Enterprise and Windows 7 Enterprise on WVD at no additional licensing cost (though, of course, the Azure resources they consume will cost them) if they have an eligible Windows 10 Enterprise or Microsoft 365 license.

 

AWS IQ matches AWS customers with certified service providers

AWS has a lot going on, and it’s not always easy for customers to deal with the breadth of its service offerings on its own. Today, the company announced a new service called AWS IQ that is designed to connect customers with certified service providers.

“Today I would like to tell you about AWS IQ, a new service that will help you to engage with AWS Certified third party experts for project work,” AWS’s Jeff Barr wrote in a blog post introducing the new feature. This could involve training, support, managed services, professional services or consulting. All of the companies available to help have received associate, specialty or professional certification from AWS, according to the post.

You start by selecting the type of service you are looking for such as training or professional services, then the tool walks you through the process of defining your needs including providing a title, description and what you are willing to pay for these services. The service then connects the requestor with a set of providers that match the requirements. From there, the requestor can review expert profiles and compare the ratings and offerings in a kind of online marketplace.

AWS IQ start screen

You start by selecting the type of service you want to engage.

Swami Sivasubramanian, vice president at AWS says they wanted to offer a way for customers and service providers to get together. “We built AWS IQ to serve as a bridge between our customers and experts, enabling them to get to work on new projects faster and easier, and removing many of the hassles and roadblocks that both groups usually encounter when dealing with project-based work,” he said in a statement.

The company sees this as a particularly valuable tool for small and medium sized vendors, who might lack the expertise to find help with AWS services. The end result is that everyone should win. Customers get direct access to this community of experts, and the experts can more easily connect with potential customers to build their AWS consulting practice.

Why is Dropbox reinventing itself?

According to Dropbox CEO Drew Houston, 80% of the product’s users rely on it, at least partially, for work.

It makes sense, then, that the company is refocusing to try and cement its spot in the workplace; to shed its image as “just” a file storage company (in a time when just about every big company has its own cloud storage offering) and evolve into something more immutably core to daily operations.

Earlier this week, Dropbox announced that the “new Dropbox” would be rolling out to all users. It takes the simple, shared folders that Dropbox is known for and turns them into what the company calls “Spaces” — little mini collaboration hubs for your team, complete with comment streams, AI for highlighting files you might need mid-meeting, and integrations into things like Slack, Trello and G Suite. With an overhauled interface that brings much of Dropbox’s functionality out of the OS and into its own dedicated app, it’s by far the biggest user-facing change the product has seen since launching 12 years ago.

Shortly after the announcement, I sat down with Dropbox VP of Product Adam Nash and CTO Quentin Clark. We chatted about why the company is changing things up, why they’re building this on top of the existing Dropbox product, and the things they know they just can’t change.

You can find these interviews below, edited for brevity and clarity.

Greg Kumparak: Can you explain the new focus a bit?

Adam Nash: Sure! I think you know this already, but I run products and growth, so I’m gonna have a bit of a product bias to this whole thing. But Dropbox… one of its differentiating characteristics is really that when we built this utility, this “magic folder”, it kind of went everywhere.

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.

The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”

German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.

The former military bunker in Germany that housed CyberBunker 2.0 and, according to authorities, plenty of very bad web sites.

The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.

We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.

We also know the German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com), and cb3rob[.]org.

A “seizure” placeholder page left behind by German law enforcement agents after they seized cb3rob.org, an affiliate of the CyberBunker bulletproof hosting facility owned by convicted Dutch cybercriminal Sven Kamphuis.

According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.

Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as “CyberBunker” and ran out of a five-story military bunker in The Netherlands.

That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 1,800 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.

Guido Blaauw, in front of the original CyberBunker facility in the Netherlands, which he bought from Mr. Xennt in 2011. Image: Blaauw.

Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.

Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blaauw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers were] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”

Firefighters investigating the source of a 2002 fire at the CyberBunker’s first military bunker in The Netherlands discovered a drug lab amid the Web servers. Image: Blaauw.

Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.

“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”

The former Facebook profile picture of Sven Olaf Kamphuis, shown here standing in front of Cyberbunker 1.0 in The Netherlands.

About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

Some of the 200 servers seized from CyberBunker 2.0, a “bulletproof” web hosting facility buried inside a German military bunker. Image: swr.de.

The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.

A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Cyberbunkers 1.0 and 2.0 owner and operator Mr. Xennt, top left, has been compared to a “Bond villain.” Image: The Sunday World, July 26, 2015.

Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.

Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:

Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):

The former CyberBunker in the Netherlands, since redesigned as a security operations center by its current owner. Image: Blaauw.

I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted also is building networks of money laundering businesses that become very tempting to use or lease out for other nefarious purposes, including human trafficking and drug trafficking.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

There was good news this week for everyone concerned about the widening cybersecurity skills shortage. Thanks to an expansion in the US Department of Labor’s industry-recognized apprenticeship programs (IRAPs) and an extra $183.8 million in funding, 23 higher ed institutions and groups along with their private-sector partners will receive support to provide 85,000 apprenticeships across several fields, including information technology. On the back of that, Florida International University has announced Cyber-CAP, a program that will train 800 cybersecurity apprentices over a period of four years.

image of florida International University

This week also saw the release of a new public tool that should be of interest to threat researchers concerned with Russian APT groups. The sheer number and diversity of Russian-backed hacking groups with shared tooling has always presented an additional obstacle to attribution. Now, a new web-based interactive map can be used by anyone wishing to learn more about the connections between various groups, tools and campaigns. The map currently tracks 2,000 malware samples and some 22,000 connections between them.

image of russian apt map

The Bad

A sophisticated and targeted campaign using one-click mobile exploits was revealed this week by researchers in collaboration with the Tibetan Computer Emergency Readiness Team (TibCERT). The campaign involved sending malicious WhatsApp messages to members of Tibetan groups using both Android and iOS devices. Although the exploits involved publicly-known vulnerabilities rather than exploiting any new zero days, the researchers were able to link the threat actor to an earlier campaign that targeted the Uyghur ethnic minority. That points the finger at a likely Chinese-backed APT group. Activists in Hong Kong take note.

malicious whats app messages

The Ugly

Phishing remains the number one vector of compromise, so it’s unfortunate to see yet more open redirects become available for attackers to exploit. In a thread entitled Here’s a phishing URL to give you nightmares…, Reddit user wanderingbilby explained how he stumbled over an adobe.com domain being used to redirect the unwary to a compromised WordPress site hosted on Microsoft’s windows.net. The trick is easy to pull off: append whatever (legitimate!) URL you like after the trailing p1= in the link below and Adobe will kindly redirect visitors to it for you.

https://t-info.mail.adobe.com/r/?id=hc43f43t4a,afd67070,affc7349&p1=

It’s hardly a new vector: as other Reddit commentators were quick to point out, spammers have been seen exploiting open redirects via LinkedIn, Google and many other domains for some time. What it does highlight is that simply training your users to examine the primary domain in a link is neither a reliable nor sufficient method of protection.
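That last point is the one worth operationalising: a link filter that only looks at the outer domain waves the adobe.com link through. The Python below is an added example for this article, not a tool from the Reddit thread; it parses a link’s query string and reports any parameter whose value is itself an off-site URL, which is the shape every open-redirect lure shares. The sample links are constructed: the first follows the adobe.com pattern quoted above with a reserved .example name standing in for the real phishing host, and the rest exercise the cases a practitioner trips over (scheme-relative targets, relative paths that are fine, same-site targets that are fine, double-encoded targets).

```python
"""Flag links whose query string carries a second, off-site URL: the open
redirect pattern described above. Added example for this article, not a
tool from the Reddit thread. The sample links are constructed (the adobe.com
one follows the quoted pattern with a harmless .example target)."""
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


def same_site(host: str, outer: str) -> bool:
    """Treat the outer host, its subdomains and its parent domains as one site.
    Simplification: no public-suffix handling, so co.uk-style domains would
    need a proper suffix list in production."""
    return host == outer or host.endswith("." + outer) or outer.endswith("." + host)


def redirect_targets(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, host) for every query value that is itself an
    absolute http(s) URL pointing off-site. Values are decoded once more after
    parse_qsl so a double-encoded target (https%253A...) is still seen."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    hits: List[Tuple[str, str]] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value).strip()
        if candidate.startswith("//"):          # scheme-relative form
            candidate = "https:" + candidate
        inner = urlsplit(candidate)
        if inner.scheme in ("http", "https") and inner.hostname:
            host = inner.hostname.lower()
            if not same_site(host, outer):
                hits.append((name, host))
    return hits


def looks_like_open_redirect(url: str) -> bool:
    """True when at least one query parameter carries an off-site URL."""
    return bool(redirect_targets(url))


# Constructed samples. The first mirrors the adobe.com link quoted above,
# with a reserved .example name in place of a real phishing host.
SAMPLES = [
    "https://t-info.mail.adobe.com/r/?id=hc43f43t4a,afd67070,affc7349&p1=https://phish.example/login",
    "https://login.example.com/?return=//attacker.example/x",
    "https://www.example.com/account?next=%2Fsettings",
    "https://shop.example.com/go?u=https%3A%2F%2Fcdn.shop.example.com%2Fimg",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(looks_like_open_redirect(u), redirect_targets(u), u)
```

Run against a mail gateway’s extracted links, the function is a cheap first-pass signal; the outer domain is still trusted, which is precisely why the user-training advice of “check the domain” is not enough on its own.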



Google will soon open a cloud region in Poland

Google today announced its plans to open a new cloud region in Warsaw, Poland to better serve its customers in Central and Eastern Europe.

This move is part of Google’s overall investment in expanding the physical footprint of its data centers. Only a few days ago, after all, the company announced that, in the next two years, it would spend $3.3 billion on its data center presence in Europe alone.

Google Cloud currently operates 20 different regions with 61 availability zones. Warsaw, like most of Google’s regions, will feature three availability zones and launch with all the standard core Google Cloud services, including Compute Engine, App Engine, Google Kubernetes Engine, Cloud Bigtable, Cloud Spanner and BigQuery.

To launch the new region in Poland, Google is partnering with Domestic Cloud Provider (a.k.a. Chmury Krajowej, which itself is a joint venture of the Polish Development Fund and PKO Bank Polski). Domestic Cloud Provider (DCP) will become a Google Cloud reseller in the country and build managed services on top of Google’s infrastructure.

“Poland is in a period of rapid growth, is accelerating its digital transformation, and has become an international software engineering hub,” writes Google Cloud CEO Thomas Kurian. “The strategic partnership with DCP and the new Google Cloud region in Warsaw align with our commitment to boost Poland’s digital economy and will make it easier for Polish companies to build highly available, meaningful applications for their customers.”

MyPayrollHR CEO Arrested, Admits to $70M Fraud

Earlier this month, employees at more than 1,000 companies saw one or two paychecks’ worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed that the diversion was the last desperate gasp of a financial shell game that earned him $70 million over several years.

Michael T. Mann, the 49-year-old CEO of Clifton Park, NY-based MyPayrollHR, was arrested this week and charged with bank fraud. In court filings, FBI investigators said Mann admitted under questioning that in early September — on the eve of a big payroll day — he diverted to his own bank account some $35 million in funds sent by his clients to cover their employee payroll deposits and tax withholdings.

After that stunt, two different banks that work with Mann’s various companies froze those corporate accounts to keep the funds from being moved or withdrawn. That action set off a chain of events that led another financial institution that helps MyPayrollHR process payments to briefly pull almost $26 million out of checking accounts belonging to employees at more than 1,000 companies that use MyPayrollHR.

At the same time, MyPayrollHR sent a message (see screenshot above) to clients saying it was shutting down and that customers should find alternative methods for paying employees and for processing payroll going forward.

In the criminal complaint against Mann (PDF), a New York FBI agent said the CEO admitted that starting in 2010 or 2011 he began borrowing large sums of money from banks and financing companies under false pretenses.

“While stating that MyPayroll was legitimate, he admitted to creating other companies that had no purpose other than to be used in the fraud; fraudulently representing to banks and financing companies that his fake businesses had certain receivables that they did not have; and obtaining loans and lines of credit by borrowing against these non-existent receivables.”

“Mann estimated that he fraudulently obtained about $70 million that he has not paid back. He claimed that he committed the fraud in response to business and financial pressures, and that he used almost all of the fraudulently obtained funds to sustain certain businesses, and purchase and start new ones. He also admitted to kiting checks between Bank of America and Pioneer [Savings Bank], as part of the fraudulent scheme.”

Check-kiting is the illegal act of writing a check from a bank account without sufficient funds and depositing it into another bank account, explains MagnifyMoney.com. “Then, you withdraw the money from that second account before the original check has been cleared.”

Kiting also is known as taking advantage of the “float,” which is the amount of time between when an individual submits a check as payment and when the individual’s bank is instructed to move the funds from the account.

Magnify Money explains more:

“Say, for example, that you write yourself a check for $500 from checking account A, and deposit that check into checking account B — but the balance in checking account A is only $75. Then, you promptly withdraw the $500 from checking account B. This is check-kiting, a form of check fraud that uses non-existent funds in a checking account or other type of bank account. Some check-kiting schemes use multiple accounts at a single bank, and more complicated schemes involve multiple financial institutions.”

“In a more complex scenario, a person could open checking accounts at bank A and bank B, at first depositing $500 into bank A and nothing in bank B. Then, they could write a check for $10,000 with account A and deposit it into account B. Bank B immediately credits the account, and in the time it might take for bank B to clear the check (generally about three business days), the scammer writes a $10,000 check with bank B, which gets deposited into bank A to cover the first check. This could keep going, with someone writing checks between banks where there’s no actual funds, yet the bank believes the money is real and continues to credit the accounts.”

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of America and Pioneer from Aug. 1, 2019 to Aug. 30, 2019.

For more than a decade, MyPayrollHR worked with California-based Cachet Financial Services to process payroll deposits for MyPayrollHR client employees. Every other week, MyPayrollHR’s customers would deposit their payroll funds into a holding account run by Cachet, which would then disburse the payments into MyPayrollHR client employee bank accounts.

But when Mann diverted $26 million in client payroll deposits from Cachet to his account at Pioneer Bank, Cachet’s emptied holding account was debited for the payroll payments. Cachet quickly reversed those deposits, causing one or two pay periods worth of salary to be deducted from bank accounts for employees of companies that used MyPayrollHR.

That action caused so much uproar from affected companies and their employees that Cachet ultimately decided to cancel all of those reversals and absorb that $26 million hit, which it is now trying to recover through the courts.

According to prosecutors in New York, Pioneer was Mann’s largest creditor.

“Mann stated that the payroll issue was precipitated by his decision to route MyPayroll’s clients’ payroll payments to an account at Pioneer instead of directly to Cachet,” wrote FBI Special Agent Matthew J. Wabby. “He did this in order to temporarily reduce the amount of money he owed to Pioneer. When Pioneer froze Mann’s accounts, it also (inadvertently) stopped movement of MyPayroll’s clients’ payroll payments to Cachet.”

Approximately $9 million of the $35 million diverted by Mann was supposed to go to accounts at the National Payment Corporation (NatPay) — the Florida-based firm which handles tax withholdings for MyPayrollHR clients. NatPay said its insurance should help cover the losses it incurred when MyPayrollHR’s banks froze the company’s accounts.

Court records indicate Mann hasn’t yet entered a plea, but that he was ordered to be released today under a $200,000 bond secured by a family home and two vehicles. His passport also was seized.

Info Stealers | How Malware Hacks Private User Data

The Zero2Hero malware course continues with Daniel Bunce exploring information stealers that target users’ browser data, passwords and other sensitive credentials.

feature image info stealers with text

One of the most common types of malware found today is the info-stealer. As the name suggests, its sole purpose is to steal as much personal information as possible, from basic system information up to locally stored usernames and passwords. Info-stealers are typically not very sophisticated and are usually sold on hacking-related sites such as HackForums for anywhere from $10 to a few hundred dollars. Most of them follow a very similar methodology when stealing user information, with only a few major differences such as the encryption algorithms and the networking side of things. In this post, we take a look at three popular info-stealers, KPot, Vidar, and Raccoon Stealer, and compare what the three have in common and how much data each attempts to steal.

KPot Info-Stealer

According to the NJCCIC, KPot Stealer is a stealer

“that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.”

This was later altered to also target users of the Jaxx cryptocurrency wallet.

Upon startup, KPot resolves the API functions it needs using API hashing; however, rather than a common hashing algorithm such as CRC-32, it uses MurmurHash to hash the names of the imports it resolves.

image of kpot 1
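To make the hashing concrete, here is an added example (editor’s code, not code from the article or from KPot) of how an analyst resolves API hashes: implement the hash, hash every candidate export name, and look up the values pulled from the binary. MurmurHash has several variants; which one KPot uses, with what seed, and whether it hashes the name as written or lowercased are assumptions here (the code uses MurmurHash3 x86_32, seed 0, names as written), so adjust those once you have confirmed them from the sample. The candidate list is a small constructed stand-in for the export tables you would dump from kernel32, advapi32, crypt32 and so on.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm) over raw bytes."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks, little-endian
        k = struct.unpack_from("<I", data, 4 * i)[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]                     # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                                # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed candidate list standing in for the export tables an analyst would
# dump from the relevant DLLs (the real list runs to thousands of names).
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "CryptUnprotectData", "GetUserDefaultLangID", "InternetOpenA", "HttpSendRequestA",
]


def build_hash_table(names, seed: int = 0) -> dict:
    """Map murmur3_32(name) -> name: the lookup table used to resolve hashes in a sample."""
    return {murmur3_32(n.encode("ascii"), seed): n for n in names}


def resolve_api_hashes(hashes, names=CANDIDATE_EXPORTS, seed: int = 0) -> dict:
    """Resolve each 32-bit hash found in the binary to an export name, or None if unknown."""
    table = build_hash_table(names, seed)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed "hashes found in the sample": two real names plus one unknown value.
    found = [murmur3_32(b"CryptUnprotectData"), murmur3_32(b"LoadLibraryA"), 0xDEADBEEF]
    for h, name in resolve_api_hashes(found).items():
        print(f"{h:08x} -> {name}")
```

If nothing resolves, the usual culprits are a non-zero seed (look for a constant loaded next to the hash loop), a different MurmurHash variant (the 64-bit or x64 versions have different constants), or the name being lowercased or hashed with its terminating NUL before hashing; try each before assuming a custom algorithm.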

KPot also contains many encrypted strings, which are stored in the sample as arrays of descriptors. A single function handles decryption, and its first argument selects which string to decrypt. The algorithm is a simple XOR loop using a key stored in the descriptor; each descriptor holds the XOR key, the size of the string, and a pointer to the encrypted data.

image of kpot info stealer 2

image of kpot info stealer 3

Another interesting feature of KPot is the checking of the default user language ID. The value of this is compared to languages from countries that are part of the Commonwealth of Independent States (CIS), and if a match is discovered, the process will exit. This is quite common in a lot of samples, as threat actors who are based there can avoid legal issues as long as they don’t infect anyone in those countries.

image of kpot info stealer 4

Looking at the communications side of things, KPot communicates over HTTP to a hardcoded C2 panel. In this sample, the C2 server is:

http[:]//bendes[.]co[.]uk/lmpUNlwDfoybeulu/gate[.]php

Upon first contact, the sample simply tries to perform a GET request on the C2 server until it gets a response. The response is Base64 Encoded and XOR’d with a key that is stored in the binary in one of the encrypted arrays. In this sample, the key is:

4p81GSwBwRrAhCYK

image of kpot info stealer 5

Once the response has been decrypted, KPot parses it for the commands it has been given, such as which files to steal, which passwords to retrieve, and what system information to collect. The system information it gathers comprises system GUIDs, RAM details, screen size and CPU, and is sent back along with whatever data the commands asked for. As this is not meant to be a full analysis of KPot, I will skip most of the communications phase; however, I highly recommend taking a look at it if you are interested in learning malware analysis but don’t want anything highly complicated.

KPot’s password stealing is almost identical to that of Vidar and Raccoon, and because the C2 server for this sample had gone down at the time of writing, the sample was very unlikely (without emulating the C2) to get past the initial connection stage. The main comparison of password-stealing capabilities will therefore be between Vidar and Raccoon.

Vidar Stealer

The Vidar Stealer is another popular stealer; the threat actors behind GandCrab used it to steal user information, profile a system, and finally drop and execute the GandCrab ransomware, increasing the profit from each infection. Vidar is actually a fork of the Arkei stealer, and according to another security researcher, Fumik0, there are very few differences in how the two operate. Interestingly, of the three samples discussed here, only Vidar was packed, using a simple self-injection packer.

As soon as we open Vidar in IDA we can see the locale checks. This sample performs far fewer of them than KPot, which could narrow down where the threat actors are based, although the inference may equally be wrong.

image of vidar info stealer 1

As we saw with the previous info-stealer, Vidar also uses encrypted strings, although here they are easier to locate because of the sheer size of the decryption function. The strings hold the file paths and names of every browser, wallet and other piece of software Vidar can steal from. These range from mainstream browsers such as Opera, Chrome and Firefox all the way to Tor Browser and a large number of uncommon ones; for almost any browser you can think of, there is a very high chance Vidar steals something from it, whether cookies, usernames and passwords, or card details.

image of Vidar info stealer img2

image of Vidar info stealer img3

image of Vidar info stealer img4

image of Vidar info stealer 5

It also targets software such as Telegram and a large number of cryptocurrency wallets, making it no surprise that it was the tool of choice for those behind the infamous GandCrab. This is probably one of the major differences between info-stealers: the amount of information each is capable of stealing. Vidar covers all bases, whereas smaller tools such as Raccoon Stealer focus on more popular software like Chrome and Opera.

image of Vidar info stealer 6

Not only does Vidar steal a vast quantity of data from installed software, it also gathers as much system information as possible and stores it in a file named information.txt inside a directory it creates under ProgramData. This includes running processes and system hardware, but Vidar also attempts to record the victim’s IP address, country, city, geo-coordinates and ISP. It then steals as much credential material as it can, including Telegram passwords and browser data, storing the results in files such as outlook.txt and passwords.txt. Everything is zipped and sent to the C2 server.

image of Vidar info stealer 7

image of Vidar info Stealer 8

Rather than cover password extraction of every single browser, I will cover how passwords and usernames are extracted from one of the most popular browsers: Chrome.

When Chrome (and most other browsers) offer to save your login details, the credentials are written to an SQLite database on disk. The database itself is not encrypted; only the stored password is, using the Windows Data Protection API (DPAPI). When you revisit the site, Chrome opens the database, finds the matching row and decrypts the password. The problem is that any malware running as the same user can do exactly the same. Chrome protects and recovers the password with two Windows API calls, CryptProtectData and CryptUnprotectData, and DPAPI ties the key to the user’s logon session rather than to the browser. All the malware has to do is read the database (either by dropping an SQLITE3 DLL onto the system or by using one already present) and call CryptUnprotectData on each saved password.

image of Vidar info stealer 9

Python Example of Chrome Password Stealer (here)

Some browsers try to frustrate this extraction by using their own encryption: Firefox, for example, requires two of its own DLLs to be loaded in order to decrypt the stored data. This only slows threat actors down briefly, as they simply import those libraries dynamically at runtime and decrypt the passwords, or, in the case of the next stealer, Raccoon Stealer, download the required libraries.

Raccoon Stealer

Raccoon Stealer is the newest of the three stealers. According to Malpedia, it collects

“passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies”. 

As you can probably imagine, it is very similar to the previous two info-stealers we covered, so let’s take a quick peek into the internals.

What sets Raccoon Stealer apart from the other two is that it downloads a ZIP file and a DLL from the C2 server to perform its stealing routines. As mentioned above, extracting login data from Chrome and many other browsers requires SQLITE3.DLL; rather than bundling it inside the payload, Raccoon Stealer simply downloads it from the C2 server. The second download, the ZIP, contains 50+ libraries required to extract login and user data from the various browsers and other software.

image of Racoon info stealer 1

The communications protocol is also fairly simple and only uses Base64 to encode the data it sends. Examining one of the files tagged Raccoon Stealer on AnyRun, we can see that the first contact with the C2 simply passes a Base64-encoded string; the decoded version is below.

bot_id=90059C37-1320-41A4-B58D-2B75A9850D2F_admin&config_id=270ed6774bfe19220ed8e893bc7a752ef50727e6&data=null

The response from the C2 is in JSON format and cleartext, and can be seen below:

{
    "url": "http://34.90.238.61/file_handler/file.php?hash=1f0af54680ea00537f3377b60eb459472d62373b&js=8b72c2da30a231cbd0744352e39e6d3a2c9d9cf9&callback=http://34.90.238.61/gate",
    "attachment_url": "http://34.90.238.61/gate/sqlite3.dll",
    "libraries": "http://34.90.238.61/gate/libs.zip",
    "ip": "185.192.69.140",
    "config": {
        "masks": null,
        "loader_urls": null
    },
    "is_screen_enabled": 0,
    "is_history_enabled": 0
}
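The exchange above, as an added example (editor’s code, not the article’s or Raccoon’s): decode the check-in body, split the bot_id into the machine GUID and username it is built from, and pull every URL out of the JSON reply, including the callback URL that is nested inside the query string of the url field. The request and response are the ones quoted above; the Base64 wrapping of the request is reconstructed from the article’s description, and the GUID_username split is the editor’s reading of the bot_id shape.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Check-in body and C2 reply quoted in the article (a Raccoon Stealer sample on AnyRun).
CHECKIN_PLAINTEXT = (b"bot_id=90059C37-1320-41A4-B58D-2B75A9850D2F_admin"
                     b"&config_id=270ed6774bfe19220ed8e893bc7a752ef50727e6&data=null")
CHECKIN_BODY = base64.b64encode(CHECKIN_PLAINTEXT)   # what actually crosses the wire
C2_RESPONSE = """{
    "url": "http://34.90.238.61/file_handler/file.php?hash=1f0af54680ea00537f3377b60eb459472d62373b&js=8b72c2da30a231cbd0744352e39e6d3a2c9d9cf9&callback=http://34.90.238.61/gate",
    "attachment_url": "http://34.90.238.61/gate/sqlite3.dll",
    "libraries": "http://34.90.238.61/gate/libs.zip",
    "ip": "185.192.69.140",
    "config": {
        "masks": null,
        "loader_urls": null
    },
    "is_screen_enabled": 0,
    "is_history_enabled": 0
}"""


def decode_checkin(body: bytes) -> dict:
    """Base64-decode the check-in and split it into its form fields (each single-valued)."""
    fields = parse_qs(base64.b64decode(body).decode("ascii"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def split_bot_id(bot_id: str):
    """bot_id looks like <machine GUID>_<username>; return the two parts separately."""
    guid, _, user = bot_id.rpartition("_")
    return guid, user


def extract_iocs(response: str) -> dict:
    """Collect every URL and host in the C2 reply, plus the flags that drive behaviour."""
    doc = json.loads(response)
    urls = set()
    for key in ("url", "attachment_url", "libraries"):
        if doc.get(key):
            urls.add(doc[key])
            # the 'url' field carries a callback URL inside its own query string
            for cb in parse_qs(urlsplit(doc[key]).query).get("callback", []):
                urls.add(cb)
    hosts = {urlsplit(u).hostname for u in urls}
    return {
        "urls": sorted(urls),
        "hosts": sorted(hosts),
        "victim_ip": doc.get("ip"),
        "screenshot": bool(doc.get("is_screen_enabled")),
        "history": bool(doc.get("is_history_enabled")),
    }


if __name__ == "__main__":
    checkin = decode_checkin(CHECKIN_BODY)
    print("bot:", split_bot_id(checkin["bot_id"]), "config:", checkin["config_id"])
    print(json.dumps(extract_iocs(C2_RESPONSE), indent=2))
```

The hosts list is what goes into a block rule; the config_id and the two flags tell you which build and which optional modules (screenshot, browser history) the operator had enabled for that victim.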

Here we can clearly see that Raccoon Stealer receives the URLs of SQLITE3.DLL and the required libraries ZIP, as well as its configuration, in the C2 response. Pulling a DLL and a ZIP full of libraries onto the host makes it “noisy” and increases the chance that anti-virus will detect it. Looking at the strings of the Raccoon Stealer payload is enough to determine its capabilities as a password stealer.

image of Racoon info stealer 2

Wrapping Up

So, while there are similarities in how each sample performs its data-stealing tasks, there is a clear difference in sophistication between them. Raccoon Stealer and KPot try to steal credentials from the most commonly used software, whereas Vidar tries to steal as much data as possible, including location data. This explains why the threat actors behind GandCrab thought it the best tool for the job: it let them profit from stolen credentials and profile the system before deploying GandCrab to suitable hosts. KPot, in contrast, has a modular interface that lets the operators choose what to steal, which is somewhat strange given there is no reason not to take every credential on the machine. Finally, Raccoon Stealer is the least sophisticated of the three, seemingly just a basic information stealer with limited functionality; however, it still gets the job done.

The one thing all three have in common, however, is their strings, and this shared trait is the best way to identify an information stealer: if the strings contain references to browsers, API calls such as CryptUnprotectData, and libraries such as SQLITE3, there is a very high chance you are analyzing an info-stealer.
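That strings-based rule of thumb, and the earlier remark that Raccoon’s strings alone give away its capabilities, can be turned into a first-pass triage script. The following is an added example (editor’s code, not from the article) that extracts ASCII and UTF-16LE strings from a blob, buckets them against indicator lists built from the observations above, and returns a verdict. The indicator lists and the two sample blobs are constructed for the demo, not taken from real samples, and the verdict thresholds are a judgement call: a stealer that resolves CryptUnprotectData by hash (as KPot does) will not show that name in its strings, so treat a “suspicious” result as a reason to look harder, not as a clean bill.

```python
import re
from typing import Dict, List

# Indicator strings grouped by what they imply; constructed from the article's
# observations, not a vendor signature.
INDICATORS: Dict[str, List[str]] = {
    "dpapi":        ["CryptUnprotectData", "CryptProtectData"],
    "sqlite":       ["sqlite3.dll", "sqlite3_open", "sqlite3_prepare_v2", "sqlite3_step"],
    "browser_data": ["Login Data", "Cookies", "Web Data", "logins.json", "key4.db",
                     "\\Google\\Chrome\\", "\\Mozilla\\Firefox\\", "\\Opera Software\\"],
    "wallets":      ["wallet.dat", "Exodus", "Electrum", "Jaxx"],
    "messaging":    ["Telegram", "tdata"],
}


def extract_strings(blob: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs and UTF-16LE runs, the same output `strings -a` / `strings -el` give."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([s.decode("ascii") for s in ascii_runs] +
            [s.decode("utf-16le") for s in wide_runs])


def triage(blob: bytes) -> Dict[str, object]:
    """Bucket the strings by indicator category and apply the article's rule of thumb."""
    found = extract_strings(blob)
    hits = {cat: sorted({ind for ind in inds for s in found if ind.lower() in s.lower()})
            for cat, inds in INDICATORS.items()}
    categories = [c for c, h in hits.items() if h]
    if {"dpapi", "sqlite", "browser_data"} <= set(categories):
        verdict = "likely info-stealer"          # browser paths + DPAPI + SQLite together
    elif len(categories) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no stealer indicators"
    return {"hits": hits, "categories": categories, "verdict": verdict}


# Constructed stand-ins for a stealer's .rdata section and for a benign binary.
STEALER_LIKE = (
    b"\x00\x00CryptUnprotectData\x00sqlite3.dll\x00sqlite3_open\x00\x00"
    + "\\Google\\Chrome\\User Data\\Default\\Login Data".encode("utf-16le")
    + b"\x00\x00wallet.dat\x00Telegram\x00tdata\x00" + b"\x90" * 16
)
BENIGN_LIKE = b"\x00GetStdHandle\x00WriteFile\x00Hello, world!\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("stealer-like", STEALER_LIKE), ("benign-like", BENIGN_LIKE)):
        result = triage(blob)
        print(name, "->", result["verdict"], result["categories"])
```

Run it over an unpacked sample (for Vidar that means after the self-injection stage has been dumped, since the packed file shows none of this) and the category breakdown also tells you roughly where on the KPot/Raccoon-to-Vidar spectrum the sample sits.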

