Wazawaka Goes Waka Waka

In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.

Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.

The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.

At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka.

The story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

On Aug. 26, 2020, a new user named Biba99 registered on the English language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program.

On January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com, and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.

A variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations.

According to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums, an unusual approach.

This matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January:

“Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”

Around Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data.

Flashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they are still in operation.

On May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes worth of MPD data.

On May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).

On May 17, Babuk posted about an upcoming new ransomware leaks site that will serve as a “huge platform for independent leaks,” — i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim shaming platforms.

On May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he’s willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posts his unique user ID for Tox, a peer-to-peer instant messaging service.

On July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” [links added]

“Babuk noted that this new platform will not have rules or ‘bosses,’” Flashpoint observed in a report on the group. “This reaction distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”

The RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.

In a post on RAMP Aug. 18, 2021, in which Orange is attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums.

On Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years.

In November 2021, Groove’s blog disappeared, and Boriselcin posted a long article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.

On Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release to Twitter on Jan. 25, 2022.

Asked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion.

“We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.

As usual, I put together a rough mind map on how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.

A mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.
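The mind map links personas by the hard identifiers they reuse: the same email address on Verified and RAMP, and the same Tox ID on RaidForums and RAMP. The following is an added example, not code from KrebsOnSecurity or any of the firms quoted, showing how that kind of pivot is done mechanically: every persona and every identifier becomes a node, each observation becomes an edge, and connected components are the candidate clusters. Links are transitive, so Babuk and Biba99 end up in one cluster even though they never share an identifier directly. The forum names, handles and email address come from the article; the Tox ID value is a labelled placeholder (the article does not print it), and the XSS control user is constructed. Behavioral links such as Boriselcin acting as Babuk’s spokesperson are not captured by this method.

```python
"""Cluster forum personas that reuse the same identifiers (added example).

Observations are (forum, handle, identifier_type, identifier_value).
Forum names, handles and the e-mail address are from the article; the
Tox ID is a placeholder and the XSS control persona is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Observation = Tuple[str, str, str, str]

OBSERVATIONS: List[Observation] = [
    ("Verified",   "Babuk",  "email",  "teresacox19963@gmail.com"),
    ("RAMP",       "Orange", "email",  "teresacox19963@gmail.com"),
    ("RaidForums", "Biba99", "tox_id", "TOX-ID-PLACEHOLDER"),   # value not printed in the article
    ("RAMP",       "Orange", "tox_id", "TOX-ID-PLACEHOLDER"),
    # Constructed control persona that shares nothing with the others.
    ("XSS",        "control_user", "email", "control@example.invalid"),
]


class DisjointSet:
    """Union-find over string node keys with path compression."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def persona_key(forum: str, handle: str) -> str:
    return f"{forum}:{handle}"


def identifier_key(id_type: str, value: str) -> str:
    return f"{id_type}={value}"


def link_personas(observations: List[Observation]) -> List[Set[str]]:
    """Return persona clusters, largest first; personas in one cluster are
    connected through a chain of shared identifiers."""
    ds = DisjointSet()
    for forum, handle, id_type, value in observations:
        ds.union(persona_key(forum, handle), identifier_key(id_type, value))
    groups: Dict[str, Set[str]] = defaultdict(set)
    for forum, handle, _, _ in observations:
        key = persona_key(forum, handle)
        groups[ds.find(key)].add(key)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def shared_identifiers(observations: List[Observation], a: str, b: str) -> Set[str]:
    """Identifiers two personas (as persona keys) have directly in common."""
    ids: Dict[str, Set[str]] = defaultdict(set)
    for forum, handle, id_type, value in observations:
        ids[persona_key(forum, handle)].add(identifier_key(id_type, value))
    return ids[a] & ids[b]


if __name__ == "__main__":
    for cluster in link_personas(OBSERVATIONS):
        print(sorted(cluster))
    print(shared_identifiers(OBSERVATIONS, "RAMP:Orange", "RaidForums:Biba99"))
```

Because clusters are transitive, a single shared identifier is enough to pull a persona into a group, which is why analysts treat the output as a set of leads to corroborate rather than a finished attribution.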

As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.

The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good

This week’s good news sees the end of the road for four notorious darknet trading markets from the unlikely but welcome work of Russian law enforcement agencies. Darknet markets Ferum Shop, Sky-Fraud, Trump’s Dumps and UAS (Ultimate Anonymity Services) specialized in credit card fraud and credential theft.

According to a report, the takedowns were the handiwork of Russia’s Ministry of Internal Affairs’ Department “K”. Aside from shuttering the sites, Russian authorities also announced the arrest of six individuals on charges of “illegal circulation of means of payment”. Article 187 of Russia’s Criminal Code states that offences relating to illegal card trading are punishable by imprisonment of up to seven years.

These carding sites, some of which have been in business since 2013, are estimated to have collectively made over $263 million. UAS specialized in trading credentials for RDP (Remote Desktop Protocol) accounts, a common entry point for ransomware attackers.

It’s been a tough year so far for darknet markets, with CanadaHQ kicked into touch last week, and potentially more seizures to come promised by Russian authorities, who left the message “Кто из вас следующий” embedded in the HTML of the seized sites.

Seizure banner displayed on the closed carding sites, reading “CLOSED.”

The message translates as “Which of you is next?”.

The Bad

It may have been a bad week for carding markets, but the news hasn’t been great for those still operating Magento 1 e-commerce stores, either. Over 500 stores running the platform were breached with payment skimmer malware, according to a report released on Tuesday.

The hackers used known vulnerabilities to gain access to the stores. In one case, they abused a flaw in the Quickview plugin to run an SQL injection and PHP Object Injection attack to gain control of the target store.

Researchers say the attackers found a clever trick to execute the malicious code after adding it to the store’s database: browsing the Magento sign up page. Having compromised a store, the attackers left multiple backdoors on the system—as many as 19 separate backdoors—to ensure reentry if the attack were discovered.

According to researchers, the following files were either added or edited to contain malicious code:

/api.php
/api_1.php
/install.php
/sc_api.php
/phpinfo.php
/adminer.php
/app/code/core/Mage/Page/Block/Html.php
/errors/api.php
/media/api.php
/media/catalog/category/test.jpeg
/media/catalog/category/panch.jpg
/js/api.php
/js/cartcheckout.php
/skin/api.php
/skin/adminhtml/default/default/images/loader.php
/skin/adminhtml/default/default/controller.php
/skin/frontend/default/default/upldr.php
/skin/frontend/base/default/conf.php
/var/importexport/customer.csv

Once a store is compromised, shoppers are presented with a fake payment popup. Payments that are intended for the store are instead sent to the attacker at

hxxps://naturalfreshmall[.]com/payment/Payment.php
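A store owner who wants to check a Magento 1 docroot against this report needs three things: the list of files the researchers saw added or edited, the skimmer’s collection host, and a check for the pattern the two image files illustrate (PHP code hiding behind a .jpeg/.jpg name). The following is an added example, not code from the researchers or the Magento project. The path list and host come from the report above; the generic “PHP open tag inside an image file” check is my generalization of the two listed image paths, and the sample tree the demo scans is constructed. A listed path being present is only a lead, since several of them (install.php, api.php, Html.php) exist in a clean install and were edited rather than added, so the finding tells you to diff that file against a known-good copy.

```python
"""Scan a Magento 1 docroot for the indicators named in the report (added example).

REPORTED_PATHS and the exfiltration host are taken from the report; the
image-file check generalizes the two .jpg/.jpeg entries in that list.
"""
import os
from typing import Dict, List, Tuple

# Files the report says were added or edited to contain malicious code.
REPORTED_PATHS = {
    "/api.php", "/api_1.php", "/install.php", "/sc_api.php", "/phpinfo.php",
    "/adminer.php", "/app/code/core/Mage/Page/Block/Html.php", "/errors/api.php",
    "/media/api.php", "/media/catalog/category/test.jpeg",
    "/media/catalog/category/panch.jpg", "/js/api.php", "/js/cartcheckout.php",
    "/skin/api.php", "/skin/adminhtml/default/default/images/loader.php",
    "/skin/adminhtml/default/default/controller.php",
    "/skin/frontend/default/default/upldr.php",
    "/skin/frontend/base/default/conf.php", "/var/importexport/customer.csv",
}

# Payment-collection host from the report; match both the live and the defanged form.
EXFIL_HOST_MARKERS = (b"naturalfreshmall.com", b"naturalfreshmall[.]com")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

REASON_LISTED = "path listed in the Magento 1 breach report; diff against a known-good copy"
REASON_EXFIL = "references the skimmer's payment-collection host"
REASON_PHP_IN_IMAGE = "PHP open tag inside a file with an image extension"

Finding = Tuple[str, str]


def scan_tree(files: Dict[str, bytes]) -> List[Finding]:
    """Scan an in-memory map of docroot-relative path -> content."""
    findings: List[Finding] = []
    for rel_path, content in files.items():
        norm = "/" + rel_path.lstrip("/")
        if norm in REPORTED_PATHS:
            findings.append((norm, REASON_LISTED))
        if any(marker in content for marker in EXFIL_HOST_MARKERS):
            findings.append((norm, REASON_EXFIL))
        if norm.lower().endswith(IMAGE_EXTENSIONS) and b"<?php" in content:
            findings.append((norm, REASON_PHP_IN_IMAGE))
    return sorted(findings)


def scan_docroot(root: str) -> List[Finding]:
    """Read every file under a real docroot and run scan_tree over it."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    files[rel] = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return scan_tree(files)


def demo_tree() -> Dict[str, bytes]:
    """Constructed sample docroot, not data from a real compromised store."""
    return {
        "index.php": b"<?php require 'app/Mage.php'; Mage::run(); ?>",
        "js/api.php": b"<?php /* constructed: unexpected file at a listed path */ ?>",
        "media/catalog/category/test.jpeg": b"<?php /* constructed: code where an image should be */ ?>",
        "skin/frontend/default/default/checkout.js":
            b"/* constructed */ var collect = 'hxxps://naturalfreshmall[.]com/payment/Payment.php';",
    }


if __name__ == "__main__":
    for path, reason in scan_tree(demo_tree()):
        print(f"{path}: {reason}")
```

Run it against a real store with `scan_docroot("/var/www/magento")`; the demo tree yields four findings (the .jpeg file is reported twice, once for its path and once for its content), and the untouched index.php is not reported.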

While the Magento 1 platform reached end-of-life over 18 months ago, thousands of merchants continue to use it, and the latest breach comes after over 2000 Magento 1 stores were hacked back in September 2020. All e-commerce traders still using Magento 1 are urged to upgrade to Magento 2 without delay.

The Ugly

It’s well-known that there are APTs that attack organizations, governments and on occasion individuals in order to conduct espionage or even steal money, but APTs that conspire to plant false evidence and imprison civil rights activists is behavior that is only recently starting to come to light. This week, SentinelLabs’ researchers disclosed how activists in India had been targeted repeatedly over ten years by an APT with the aim of planting false evidence on their devices.

Researchers say that the ModifiedElephant APT engages in long-term surveillance to plant incriminating files on its targets, who are then conveniently arrested. The group operates primarily through phishing with malicious attachments and unsophisticated, off-the-shelf malware that targets Windows and Android devices.

This isn’t the first time the SentinelLabs researchers have identified an APT acting with the primary intent of planting false evidence on its targets. In September 2021, they also reported on a Turkish-nexus state actor they dubbed ‘EGoManiac’, finding that the actor was responsible for a cluster of two campaigns that targeted Turkish journalists.

One thing both cases seem to share in common is a connection to private sector offensive actors. EGoManiac appeared to have connections with the now defunct Hacking Team, while some of ModifiedElephant’s targets were also infected with the now infamous NSO Group’s Pegasus mobile spyware.

While this kind of activity doesn’t appear to be new – some of the cases go back to 2010 – it’s an aspect of APT activity that has rarely been brought to light before, so all credit to the researchers for bringing it to public attention. To paraphrase our Russian law enforcement friends mentioned above, which of you APTs is next?

Ingenuity Bouncer – Quality Baby Bouncers!

The Bouncer is a great item to have with you and your baby. It keeps them safe and secure while allowing for some bouncy movement at the same time. It is like a big swing that you can set up anywhere with you. The bouncy chair also helps train your baby’s legs and feet for standing – which they will one day need to stand on their own two feet!

The company that stands behind the Ingenuity brand, Kids2 Inc, is built on family. Their goal is to make fun products for your child while also being safe! On top of their innovative solutions, they are also very conscious of what parents look for in baby products. Kids2 Inc wants to make sure that their products are easy to use while still cost-efficient! We all know how expensive children can be, so this is an excellent point of consideration.

The Ingenuity Bouncers are great bouncy chairs for your baby. They come in several different styles, all with their unique features and each one with the Ingenuity standard of quality that parents know and love. Let’s take a look at some of the best Ingenuity Bouncers available today:

Ingenuity SmartBounce

With this bouncer, you can take care of a baby hands-free! The Ingenuity SmartBounce will gently rock and swaddle your baby in 2-speed automatic soothing motions that mimic mom’s natural movements, making your little one feel at peace.

The 3-point safety harness on the bouncing seat ensures your baby stays safe and secure while you can relax. Let’s not forget that the baby needs some fun, too: that’s why this Ingenuity automatic bouncer comes with 11 melodies and soothing nature sounds, as well as toys on a pivot bar.

In addition to being a very safe bouncer with a 3-point harness, the Ingenuity SmartBounce works on batteries. This is great because you can easily carry spare batteries in your bag when out and about. No more worrying about the bouncer running the electricity bill up. This bouncer rocks, bounces, swaddles, and entertains your baby – it even has an automatic turn-off mode to save battery life.

The seat pad on this baby bouncer is machine washable, making it simple to keep clean. Last but not least: it is fantastic to look at, and the colors are fabulous! Perfect for newborns and babies up to 6 months.

How to assemble Ingenuity automatic bouncer

This bouncer seat is straightforward to put together, but if you run into any trouble, we are happy to offer guidance.

The bouncer seat comes in a box with all the parts and a manual to help you assemble it. It is a great idea to look at the manual before using the Ingenuity automatic bouncer to take care of any safety concerns.

Inspect your Ingenuity baby bouncer carefully when you get it home from the store and before first-time use to ensure that no parts are missing and that there is no visible damage.

Ingenuity Cradling Bouncer

When there’s a baby in the picture, it is challenging to keep up with your everyday chores! Keep your baby happy and within view with a bouncer explicitly designed for daily activities.

Ingenuity Cradling Bouncer is a safe spot for your baby: it provides a secure environment, and the 3-point harness keeps your baby safe. The soft fabric seat is comfortable and gentle on your baby’s delicate skin. It also has a head support area to help keep them supported when they fall asleep.

This baby bouncer also comes with two built-in comfort vibration settings that allow you to soothe your baby easily. Some parents also love that this bouncer has a vibration feature because it makes their life easier, which means happier babies and more time for everyday chores.

There is a removable toy bar with toys that your baby can play with, and there are 8 soothing melodies you both will love. You can easily switch between movement and vibration modes with the push of a button.

The Ingenuity Cradling Bouncer is also super easy to clean, making it perfect for busy parents on the go! The bouncer seat cover is machine washable. This baby bouncer also takes up minimal space, allowing you to use it anywhere in the house.

You will need 3 “C” batteries that are not included in the box to use this baby bouncer. However, it is worth mentioning that the Ingenuity Cradling Bouncer uses minimum energy so that the batteries will go a long way.

Ingenuity cradling bouncer manual and assembly

The user manual comes with detailed diagrams and instructions to guide you through the assembly process.

The Ingenuity cradling bouncer requires minimal assembly. The frame comes with the fabric seat already installed. You just need to attach the toys and batteries, and you’re ready to go. The whole process should take about 5-7 minutes.

If you need to wash the fabric seat, it is easily removed and machine washed. The frame may require a quick wipe down to keep it looking good as new.

Ingenuity Bouncity Bounce

A perfect substitute for parents’ arms: the Ingenuity Bouncity Bounce is a great option for parents looking to give their baby a bouncing seat that is lightweight and easy to move around.

When you need a cozy place for your baby to relax and play, the Ingenuity Bouncity Bounce seat is a great solution. Your baby will feel extra safe and secure in this bouncing seat, thanks to its 3-point harness system.

The plush, removable headrest helps keep newborns comfortable. You can easily remove, wash and replace the seat pad for easy cleaning. As the child grows and begins to kick those legs, the baby can create their own steady bounce. This will help strengthen their leg muscles while having fun at the same time!

Moreover, the Ingenuity Bouncity seat has a vibration mode with adjustable intensity levels. It also comes equipped with both music and plush toys to keep your child entertained and happy during playtime.

The Ingenuity Bouncity Bounce seat requires just 1 “C” battery to operate. This provides about 100 hours of power, which means you won’t need to replace the batteries often.

Ingenuity Bouncity Bounce Manual and Assembly

The user’s manual has comprehensive illustrations to assist you with the installation. All in all, it should take about 5-7 minutes to install this seat.

The Ingenuity bouncy seat requires minimal assembly before use. It is an easy task, even for those not technically inclined or DIY savvy.

The plush seat pad is easily removable and machine washable. The bouncer does not require any special maintenance either, so you don’t have to worry about waking up in the middle of the night for a routine clean-up.

Ingenuity InLighten Baby Bouncer

The Ingenuity InLighten Baby Bouncer has some cool features that come in handy for new parents. It has two vibration settings that can be turned on or off by the push of a button. It also has a removable headrest that can simply be machine washed when necessary.

The comfortable, cradling bouncing chair is covered in soft velours to hug your infant. The Ingenuity InLighten bouncer seat can accommodate your child from infancy to 20 pounds.

Your baby will enjoy kicking and playing in this baby bouncer, as it is full of surprises: the dazzling lights that dance over the canopy toy bar, the spinning mobile with removable plush toys, and the melodies that keep your baby entertained.

The Ingenuity InLighten bouncer also includes a set of tranquil melodies, nature sounds, and white noise to allow your child to relax and sleep. Soothing vibrations add to the calming atmosphere.

Ingenuity InLighten Baby Bouncer Manual and Assembly

The Ingenuity InLighten bouncer is easy to install and only takes a couple of minutes with simple instructions illustrated in the user’s manual.

Assembly time usually takes no more than 5 minutes. The bouncer is not bulky or heavy, so you can carry it with you to different rooms of the house for convenience.

The Ingenuity InLighten Baby Bouncer requires 3 “D” batteries to operate. They are not included in the package, so be ready to spend some extra bucks to buy them.

Which Ingenuity Baby Bouncer to choose?

All Ingenuity baby bouncers come with their benefits. Depending on your baby’s needs, convenience and preferences, you can pick the best model that will suit their lifestyle. If we were to choose ComfyBummy’s favorites, we would go with:

  • Ingenuity SmartBounce
  • InLighten Baby Bouncer

The Ingenuity SmartBounce is an automatic baby bouncer that emulates the natural motions of parents when comforting their children. With this model, you will bounce your child without any difficulties. Your baby will be cradled and comfortable.

The Ingenuity InLighten Baby Bouncer is also worth purchasing if you want a bouncer with many features. It is very engaging and entertaining for your infant, so it can significantly contribute to your kid’s development.

These amazing devices have many benefits that first-time moms may not even be aware of, but for those with an experienced hand, they are the only way to go. They provide a safe place for your baby to play or sleep, soothe them with a gentle rocking motion, and help to develop their motor skills. These great features combine to make the best baby bouncers money can buy!

The post Ingenuity Bouncer – Quality Baby Bouncers! appeared first on Comfy Bummy.

Russian Govt. Continues Carding Shop Crackdown

Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown — the second closure of major card fraud shops by Russian authorities in as many weeks — comes closely behind Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next.

Dept. K’s message for Trump’s Dumps users.

On Feb. 7 and 8, the domains for the carding shops Trump’s Dumps, Ferum Shop, Sky-Fraud and UAS were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses on computer crimes. The websites for the carding stores were retrofitted with a message from Dept. K asking, “Which one of you is next?”

According to cyber intelligence analysts at Flashpoint, that same message was included in the website for UniCC, another major and venerated carding shop that was seized by Dept. K in January.

Around the same time Trump’s Dumps and the other three shops began displaying the Dept. K message, the Russian state-owned news outlet TASS moved a story naming six Russian men who were being charged with “the illegal circulation of means of payment.”

TASS reports the six detained include Denis Pachevsky, general director of Saratovfilm Film Company LLC; Alexander Kovalev, an individual entrepreneur; Artem Bystrykh, an employee of Transtekhkom LLC; Artem Zaitsev, an employee of Get-net LLC; and two unemployed workers, Vladislav Gilev and Yaroslav Solovyov.

None of the stories about the arrests tie the men to the four carding sites. But Flashpoint found that all of the domains seized by Dept. K were registered and hosted through Zaitsev’s company — Get-net LLC.

“All four sites frequently advertised one another, which is generally atypical for two card marketplaces competing in the same space,” Flashpoint analysts wrote.

Stas Alforov is director of research for Gemini Advisory, a New York firm that monitors underground cybercrime markets. Alforov said it is most unusual for the Russians to go after carding sites that aren’t selling data stolen from Russian citizens.

“It’s not in their business to be taking down Russian card shops,” Alforov said. “Unless those shops were somehow selling data on Russian cardholders, which they weren’t.”

A carding shop that sold stolen credit cards and invoked 45’s likeness and name was among those taken down this week by Russian authorities.

Debuting in 2011, Ferum Shop is one of the oldest observed dark web marketplaces selling “card not present” data (customer payment records stolen from hacked online merchants), according to Gemini.

“Every year for the last 5 years, the marketplace has been a top 5 source of card not present records in terms of records posted for sale,” Gemini found. “In this time period, roughly 66% of Ferum Shop’s records have been from United States financial institutions. The remaining 34% have come from over 200 countries.”

In contrast, Trump’s Dumps focuses on selling card data stolen from hacked point-of-sale devices, and it benefited greatly from the January 2021 retirement of Joker’s Stash, which for years dwarfed most other carding shops by volume. Gemini found Trump’s Dumps gained roughly 40 percent market share after Joker’s closure, and that more than 87 percent of the payment card records it sells are from U.S. financial institutions.

“In the past 5 years, Ferum Shop and Trump’s Dumps have cumulatively added over 64 million compromised payment cards,” Alforov wrote. “Based on average demand for CP and CNP records and the median price of $10, the total revenue from these sales is estimated to be over $430 million. Due to the 20 to 30% commission that shops generally receive, the administrators of Ferum Shop and Trump’s Dumps likely generated between $86 and $129 million in profits from these card sales.”

The arrests of the six men come less than two weeks after Russian law enforcement officials detained four suspected carders — including Andrey Sergeevich Novak, the reputed owner of the extremely popular and long-running UniCC carding shop.

In 2018, the U.S. Justice Department charged Novak and three dozen other defendants thought to be key members of “Infraud,” a huge cybercrime community online that prosecutors say cost merchants and consumers more than half a billion dollars.

The UniCC shop sold stolen credit card data as well as Social Security numbers and other consumer information that can be used for identity theft. It was seized by Dept. K in January 2020.

Flashpoint said the recent arrests represent the first major actions against Russia-based cybercriminals since March 2020, when the FSB detained more than thirty members of an illicit carding operation, charging twenty-five of them with “illegal circulation of means of payment.”

Dumps, or card data stolen from compromised point-of-sale devices, have been declining in popularity among fraudsters for years as more financial institutions have issued more secure chip-based cards. In contrast, card-not-present data stolen from online stores continues to be in high demand, because it helps facilitate fraud at online retailers. Gemini says the supply of card-not-present data rose by 50 percent in 2021 versus 2020, fed largely by the success of Magecart e-skimmers that target vulnerabilities in e-commerce sites.

Alforov says while the carding shop closures are curiously timed, he doubts the supply of stolen card data is going to somehow shrink as a result. Rather, he said, some of the lower-tier card shops that were previously just resellers working with Trump’s Dumps and others are now suddenly ramping up inventory with their own new suppliers — very likely thanks to the same crooks who were selling cards to the six men arrested this week in Russia.

“What we’re seeing now is a lot of those reseller shops are coming to the market and saying, ‘We don’t have that order data we were getting from Ferum Shop but now have our own vendors,’” Alforov said. “Some of the lesser tier shops are starting to move up the food chain.”

KPMG Leverages SentinelOne to Tackle Cyber Risk

When it comes to modern cyber attacks, the best offense is a good defense. Every day, more businesses around the globe learn that breach response plans alone aren’t enough to constitute an adequate—let alone comprehensive—cybersecurity capability. To stay protected against increasingly sophisticated and frequent cyber attacks, organizations must build their programs to be resilient today, and prepared for whatever may come tomorrow.

Helping clients securely navigate this digital world is what’s driving the Cyber Security Services practice at KPMG. For over 30 years, KPMG LLP (KPMG) has been a global leader in helping organizations mitigate risk and grasp opportunities. The KPMG Cyber Security Services team has been involved in many of the most high-profile breaches across 16 countries worldwide.

Ed Goings, U.S. & Global Lead of Cyber Response Services, and David Nides, Cyber Security Services Principal, pride themselves on delivering “high quality, highly effective digital forensics and incident response to KPMG clients globally.” Simultaneously, Ed & David’s teams work with clients on building cyber strategy: proactive measures for long-term resilience, such as building and testing cyber incident response plans, performing purple team exercises, creating ransomware resiliency programs, and improving incident preparedness. “Whether they’re new or existing, clients come to KPMG as their trusted advisor for cyber challenges and issues,” emphasizes David.

To follow through on this objective, KPMG must be empowered by technology that delivers visibility, ease of deployment, ease of use, and quality of service they need across a comprehensive Cyber Security Services portfolio. SentinelOne, an industry leader in detection and response technology, has emerged as a piece of this puzzle.

Identifying, Understanding, and Closing Security Gaps with Compromise Assessment

If ransomware has taught us anything, it’s that the cost of cybersecurity only grows by waiting until the moment of impact. Conducting a compromise assessment across the full enterprise estate can help us understand our current risk posture and identify if any active threats are present in the environment. While these assessments can be particularly insightful for incoming CISOs wanting an accurate baseline of their inherited environment or for organizations with new and changing risk following a merger or acquisition, there’s never a bad time to do due diligence.

At KPMG, data-rich compromise assessments start with deploying SentinelOne’s Sentinel Agent across the complete enterprise environment. This rollout is markedly faster than what’s possible with most compromise assessments, thanks to the agent’s Singularity Ranger capability. What might otherwise take days, if not weeks, now takes just a handful of hours.

Ranger, SentinelOne’s network discovery and attack surface control solution, “enables us to provide the client a means of self-deploying SentinelOne within the environment through self-propagation of the agent. Ranger covers not only known assets, but also unknown assets,” says David.

“Especially in larger IT estates, there tends to be a bit of shadow IT, which often stems problems and poses a significant risk. These types of environments or the systems within them are usually an afterthought or candidly not even known. With Ranger Pro, as long as those assets are deployed to the network, they’re covered in an automated fashion.”
David Nides, Cyber Security Services Principal, KPMG

Proactive Monitoring and Threat Hunting to Uncover Hidden Threats

Following deployment, the team performs a short period of active monitoring and proactive threat hunting as part of the compromise assessment. A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers. Attackers often want to blend in with ordinary users to acquire user credentials from phishing campaigns, so understanding a user’s typical behavior is a useful benchmark for investigating anomalous file access or login events.

SentinelOne’s EDR and XDR telemetry and intuitive hunting workflows help uncover even the most covert attacker activity. Because raw telemetry, including benign events, can be retained for extended periods, KPMG can use historical data to map advanced threat campaigns across time. The same retention supports post-breach monitoring for an extended period after the incident, to confirm that containment and eradication of the threat actor have held.

Investigating and Analyzing Threats at Enterprise Scale

While proactive security practices will take you a long way in staying protected against threats, incidents are almost as certain as death and taxes. For KPMG, lending authority and expertise to clients in response to an imminent security event is its bread and butter. Whether a client wants to dive deeper into a potential email compromise that led to money transfer out of the organization or contain and identify the root cause of a proliferating ransomware attack, Ed & David’s team relies on solid, scalable EDR technology to drive their breach response operations from one end of the incident response lifecycle to the other.

“We leverage SentinelOne as one of our EDR platforms. In many responses, our clients may already have an EDR in their environment, but if they’re calling us, it’s normally because they do not have a mature solution or an effective solution that has the desired coverage. SentinelOne is one of our go to solutions to deploy.”
Ed Goings, U.S. & Global Lead of Cyber Response Services, KPMG

Since the name of the game is rapid response and recovery, KPMG particularly values toolsets and workflows that will accelerate their incident response process.

Having the Right Data for Streamlined Investigations

With SentinelOne’s data platform following the acquisition of Scalyr, David and the team have been able to integrate KPMG’s proprietary Digital Responder (KDR) tool for triaging forensic endpoint data at scale with SentinelOne’s data ingestion, correlation, and analysis capabilities. “More times than not, we get pulled into an incident after it’s already occurred,” David explains. “SentinelOne’s data platform provides the ability to go back in time en masse and deploy tools and scripts to do true enterprise forensics.”

When KPMG Digital Responder forensic data is sent to the data platform for investigation and analysis, it can all be done within the same SentinelOne ecosystem, without sending data back and forth to KPMG for processing. This availability has significantly streamlined investigations for KPMG, turning what used to take days into mere minutes. The result is getting more clients—no matter how expansive their environment—from deployment and investigation to containment and eradication faster.

Monitoring for Threats and Maintaining Risk Posture

Since cyber risk mitigation isn’t just a point-in-time exercise, it’s crucial to have a program in place for around-the-clock security monitoring, especially if your operations span the globe. In both pre-and-post-breach scenarios, KPMG helps clients build and manage their security operations, as well as the intelligence and response workflows underlying them, using EDR technology they trust for immediate breach response.

If you would like to learn more about Ranger, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.

Microsoft Patch Tuesday, February 2022 Edition

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s SharePoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw CVE-2022-21989 — in the Windows Kernel — was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.

One important item to note this week is that Microsoft announced it will start blocking Internet macros by default in Office. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.

As Andrew Cunningham writes for Ars Technica, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.

“Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,” Cunningham wrote. “The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.”

January’s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February’s comparatively light burden should give system administrators some breathing room, it shouldn’t be viewed as an excuse to skip updates.

“But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,” Breen said.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

10 Assumptions About macOS Security That Put Your Business At Risk

Macs are great, aren’t they? I have many. Aside from the two provided by my employer, I have five working Macs of my own, ranging from 2009 to 2021. I also run macOS on a number of virtual machines for research purposes. In fact, give me a few minutes and I could spin you up an instance of any version of macOS from 10.5.8 Leopard (circa 2008!) right through to the latest beta of macOS 12 Monterey. Yep, I’m an Apple nerd, a Mac geek, a macOS enthusiast, and I’ve spent over a decade now learning how Macs and macOS work. I’m also a Mac security researcher and having a catalogue of older versions of macOS is part of my arsenal of tools when it comes to understanding how to keep Macs and Mac users safe.

Most of my work nowadays revolves around identifying, tracking, and understanding Mac malware in the enterprise, and in the course of my work I inevitably come across more than my fair share of infected Macs. The users of these Macs are more often than not surprised to learn that their Mac got a dose of some nasty adware or malware.

Few ever know how the malware got on their device. Most thought that they didn’t need to take any special security precautions when using a Mac. Some said that not having to run AV products was precisely the reason why they chose a Mac and ditched their previous Windows machine. All had no idea how to remove the infection, or verify that the Mac was indeed healthy after they had tried. Often, IT teams trained and tasked with ironing out problems with Windows devices are equally uncertain.

In this post, I will share with you what I have told those users and many others about macOS security. I will debunk some widely held myths about how to use and administrate Macs safely, and I will explain how you can ensure those in your organization are not the next unfortunate Mac users to begin dangerously searching the internet for a solution to a problem they barely knew they had.

1. I Don’t Need to Update My System

Many people believe that older versions of macOS are just as safe to run as the latest versions. At the time of writing, macOS Monterey, Big Sur and Catalina are still receiving security updates; anything older no longer is, so every vulnerability found since its last update remains unpatched on those machines.

But a bigger concern is devices that get the shiny upgrades but don’t keep up with the mundane updates. From a security perspective, point updates (e.g., from Monterey 12.1 to 12.2 and so on) are far more important than OS upgrades, as long as you are no more than two major releases behind the current OS (N-2). If you’re still running Catalina or Big Sur, the only safe versions of those OSs are the most recent ones: 10.15.7 with the January 26 Security Update, and 11.6.3, respectively. At the time of writing, Monterey is on 12.2.

The reason point updates are far more critical is that unlike major OS upgrades, which are timed for marketing reasons and are generally built to add new (and sometimes buggy!) features, point updates are typically focused on fixing bugs and security vulnerabilities, including vulnerabilities known to be actively exploited in the wild. For example, in the recent 12.2 update, Apple patched CVE-2022-22587, of which they said they were “aware of a report that this issue may have been actively exploited”. That update also addressed twelve other CVEs including:

  • CVE-2022-22586 – AMD Kernel: A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22584 – ColorSync: Processing a maliciously crafted file may lead to arbitrary code execution
  • CVE-2022-22591 – Intel Graphics Driver: A malicious application may be able to execute arbitrary code with kernel privileges

Recently, I walked into an Apple Reseller store and noted with some surprise that, next to the Mac that was running the point-of-sale software, other staff were using what appeared to be a vintage 2012 MacBook Pro. How did I know? Because the last year Apple made a MacBook with an internal CD drive was 2012, and I could see the tell-tale slot on the side of the machine as I waited to make my purchase.

It’s a testament to the longevity of Apple hardware that in 2022 a business can still use a 2012 machine for productive tasks, but it’s also a potential problem. The mid-2012 MBP was released with OS X 10.8 Mountain Lion! The latest version of macOS that a mid-2012 MacBook Pro could run is Big Sur. I sure hope they updated to that 11.6.3 release the other week!

Apple doesn’t release point updates on a schedule like Microsoft’s “Patch Tuesday”. They release them when there’s something urgent that needs fixing, and typically that’s a security vulnerability. The bedrock of all computer security is to stay up to date with software updates. Make sure your users are updating!
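That policy is easy to encode for a fleet. The following script is an added example (it is not code from the original post or from SentinelOne): it reads the installed version with `sw_vers -productVersion` and reports whether the Mac is on the current point release, behind on one, or on a major release outside the N-2 window. The minimum releases in `MINIMUMS` are the ones named above, frozen at the time of writing as an assumption; update them as Apple ships new releases.

```python
"""Report whether a Mac meets a point-update policy (added example).

Assumptions: the minimum releases below are the ones the post names
(10.15.7, 11.6.3, 12.2) with Monterey as the current major; edit MINIMUMS
as Apple ships new releases.
"""
import subprocess

# Minimum acceptable release per supported major (the N-2 window).
# 10.x releases are keyed by "10.<minor>" because Apple versioned
# Catalina and earlier as 10.x rather than bumping the first number.
MINIMUMS = {
    "10.15": (10, 15, 7),  # Catalina (its Jan 26 security update keeps this number)
    "11": (11, 6, 3),      # Big Sur
    "12": (12, 2, 0),      # Monterey, current at the time of writing
}


def parse_version(text):
    """'12.2' -> (12, 2, 0); '10.15.7' -> (10, 15, 7)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def major_key(version):
    """Key into MINIMUMS for a parsed version tuple."""
    if version[0] == 10:
        return f"10.{version[1]}"
    return str(version[0])


def assess(product_version):
    """'current', 'behind-point-update' or 'outside-supported-window'."""
    version = parse_version(product_version)
    floor = MINIMUMS.get(major_key(version))
    if floor is None:
        return "outside-supported-window"
    return "current" if version >= floor else "behind-point-update"


def installed_version():
    """Version string of the running system, from sw_vers (macOS only)."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    print(f"{version}: {assess(version)}")
```

Two caveats. Catalina’s January 26 Security Update does not change `sw_vers -productVersion` (it stays 10.15.7), so a Catalina fleet also needs `sw_vers -buildVersion` compared against the build Apple lists for that update. And any release newer than the table (13.x once it ships) reports outside-supported-window until `MINIMUMS` is extended, which is the safe direction to fail in.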

2. Mac Malware is Rare

The amount of malware that is targeted at Windows machines is truly staggering. It’s no wonder that every year a not-insignificant number of computer buyers turn to Macs for relief from the constant security headaches associated with Windows. While the amount of malware targeted at Macs is a small percentage of that, a small percentage of a large number can still be a large number. Relative to Windows, Mac malware is far less common, but it’s a long way from ‘rare’.

Last year, we saw 10 new targeted macOS malware families emerge, along with the continued expansion of adware delivery platforms like Shlayer, Bundlore, Surfbuyer, Pirrit, WizardUpdate and Adload.

In 2021, Craig Federighi – Apple’s VP of Software Engineering – said that he’d “had a couple of family members who have gotten some malware on their Macs”. In comments that surprised many Mac users but absolutely no security researchers, Federighi further noted that “Each week, Apple identifies a couple of pieces of malware on its own or with help of third parties” and that Apple was fighting “an endless game of whack-a-mole” and facing a “significantly larger malware problem” now than in the past.

Listen to Craig. Funnily enough, he knows what he’s talking about! Take the threat of macOS malware seriously.

3. Adware Isn’t Dangerous

To those that hold this view, my first reaction is: define ‘Dangerous’.

Adware is code running on your machine, often without your knowledge or consent. It fingerprints your device, collects PII about you and exfiltrates it to unknown 3rd parties, installs persistence agents, makes itself difficult to remove, and – as the name suggests – serves up unwanted adverts while you’re browsing by hijacking your searches.

Adware like Adload and Shlayer typically contact obscure URLs and download unwanted software in the background without informing the user.

Some adware is akin to spyware, and some adware developers take such extreme measures to avoid detection by security software or analysis by security professionals that they could legitimately go into business teaching malware authors a few new tricks. So, what’s your definition of ‘dangerous’?

Any 3rd party code that runs on your machines without the user’s and/or the company’s express and explicit permissions should be considered a danger to the business. From that perspective, adware is just a kind of malware and should be treated as so.

4. Apple Is All The Security You Need

Apple has worked hard to establish the reputation of “the safe Mac”, but the gap between the marketing message and the reality is increasingly clear to see. It’s not that Apple doesn’t take security seriously – it really does, and we are always pleased to support Apple’s product security team by sharing intelligence when we can. The problem is that Apple’s security technologies on macOS are easily defeated, and it’s worth exploring for a moment why that is the case.

Unlike iOS and Apple mobile devices, macOS and the Mac provide – and we hope always will provide – an environment where device owners are able to customize and use their computers in all sorts of novel, interesting and creative ways. The use case for a powerful computing platform is utterly different from that of a mobile device, and for that reason there is only so much Apple can do with security without falling into the trap that Microsoft has fallen into of becoming an after-sales vendor to shore up the security of its own OS.

With the Mac, Apple treads lightly. Gatekeeper, code signing and notarization provide barriers to entry, but they do not keep out professional adware and malware authors. On-device protection like XProtect and MRT.app also helps clean up some of the main known malware and adware variants, but there are many it does not catch. XProtect is an old-fashioned file-scanning technology that needs to be updated (something Apple does silently in the background, roughly once a month) after new malware has already struck some hapless victims.

Crucially, it’s simple for malware authors to inspect XProtect on their own machines and see how the signatures are catching their work. MRT.app is a little more obtuse to inspect, but regardless of how well Apple tries to obfuscate their signatures, there’s always a simple test available to a malware author: test your malware on your Mac and if it’s removed or blocked, adjust it till it isn’t.

Malware authors always have direct access to the very software that Apple is using to block or remove malware. In part, notarization was supposed to help Apple get around this, but threat actors soon discovered that the automated malware service could be beaten, and the game of ‘whack-a-mole’, as Mr Federighi rightly described it, goes on.

If you want to help your Macs stay secure, get some additional security!

5. I’d Know If My Mac Was Infected

One of the most overlooked weaknesses of the Mac is the paucity of end user tools it provides both for security and administration purposes. The once useful Console.app is now a no-go zone for anyone other than the most masochistic of Mac diehards; the Terminal provides some useful but obscure command line tools for examining things like running processes, listing open files and ports and gathering certain kinds of system and user data.

But – and it’s a big but – none of these provide users or admins with any actual way to look at, track or identify malicious changes. None of the native tools allow a user to see what process was responsible for changing which file(s), executing which binaries, or changing what system data.

Deep-dive IR and digital forensics investigations can, sometimes, recreate certain historical chains of events, but these require expertise, time and money.

In short, the question that no Mac user can really answer without adding some 3rd party software is: how would I know if my Mac was infected by some backdoor such as SysJoker or spyware like DazzleSpy or XcodeSpy?

For businesses, the only sensible choice is a security solution that offers deep visibility as well as advanced protection and detection.
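The native tools will not tell you which process changed what, but one thing an admin can still check without third-party software is what the system has been told to run persistently. The script below is an added example, not code from the original post or from SentinelOne: it parses the launchd property lists in the LaunchAgents and LaunchDaemons directories (the usual home of the “persistence agents” adware installs) with Python’s standard `plistlib`, and flags entries that run from a temporary or shared directory, hide in a dot-directory, run through a shell or script interpreter, or fail `codesign --verify`. The directory and interpreter lists and the two sample plists are assumptions constructed for illustration.

```python
"""Triage launchd persistence entries on a Mac (added example).

Flags LaunchAgents/LaunchDaemons whose program runs from a temporary or
shared directory, hides in a dot-directory, runs via an interpreter, or
fails codesign. SUSPICIOUS_DIRS, INTERPRETERS and the sample plists are
assumptions constructed for illustration, not data from any real system.
"""
import glob
import os
import plistlib
import shutil
import subprocess

PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/private/var/folders/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby"}


def program_path(plist):
    """Executable launchd will start: Program, else ProgramArguments[0]."""
    prog = plist.get("Program")
    if not prog:
        args = plist.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog


def signature_ok(path):
    """True/False from codesign; None when codesign or the file is unavailable."""
    if shutil.which("codesign") is None or not os.path.isfile(path):
        return None
    result = subprocess.run(["codesign", "--verify", "--strict", path],
                            capture_output=True)
    return result.returncode == 0


def triage(plist_bytes, label="<inline>"):
    """Return a list of findings for one plist (empty means nothing stood out)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself odd
        return [f"{label}: unparseable plist ({exc})"]
    prog = program_path(plist)
    if prog is None:
        return [f"{label}: no Program or ProgramArguments"]
    findings = []
    if prog.startswith(SUSPICIOUS_DIRS):
        findings.append(f"{label}: runs from a temporary/shared directory: {prog}")
    if any(part.startswith(".") for part in prog.split("/") if part):
        findings.append(f"{label}: executable hidden in a dot-directory: {prog}")
    if os.path.basename(prog) in INTERPRETERS:
        args = " ".join(plist.get("ProgramArguments", [])[1:])
        findings.append(f"{label}: interpreter-driven entry: {prog} {args}")
    if signature_ok(prog) is False:
        findings.append(f"{label}: codesign verification failed: {prog}")
    return findings


def scan(dirs=PERSISTENCE_DIRS):
    """Triage every plist in this machine's persistence directories."""
    findings = []
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
            with open(path, "rb") as fh:
                findings.extend(triage(fh.read(), label=path))
    return findings


# Constructed samples (not real plists from any vendor or malware family).
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.update/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for line in scan():
        print(line)
```

This is a triage aid, not a detector: legitimate software uses LaunchAgents too, and a signed binary can still be malicious, so treat each finding as a lead. Run it as the user whose home directory you want covered; the system-wide entries under /Library need no special privileges to read.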

6. My Data Is Safe On My Mac

Data privacy has become increasingly important, and increasingly targeted, in recent years as almost all of us have moved some or all of our most sensitive data onto our devices.

In line with this trend, Apple has made a number of changes to macOS to try to protect PII and other data on our Macs, but the results have been less than stellar. In the first instance, all Apple’s user privacy protections are bypassed by any app that requests, and is granted by the user, Full Disk Access (FDA). Apple’s default assumption is that users won’t grant that permission without understanding the risks, but that assumption is fatally flawed. Many common apps request this permission to function properly, and users are more interested in having the apps work than in making detailed inquiries of developers about how that permission will be used or could be abused.

One app that has Full Disk Access regardless of the user’s preference is Apple’s own Finder. This allows a sneaky backdoor via automation that only requires a consent click (rather than a password authorization) to get past the user.

Further, in many enterprise settings, administrators will require the Terminal to have Full Disk Access. Unfortunately, there’s no granularity here, so when one user grants FDA to the Terminal, it’s now available to all users (and all processes).

As we’ve noted before, this isn’t an accident or a bug, it’s by design, but bugs in the same framework (aka TCC) responsible for user data privacy protection have become so common they are almost uninteresting!

Be sure that you understand just what is and isn’t protected by the operating system, and under what conditions.
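For the Full Disk Access grant specifically, the operating system does keep a record you can audit: the TCC database. The script below is an added example, not code from the original post or from SentinelOne. It lists every client granted FDA and handles both generations of the table layout. The database path, the `access` table columns (`service`, `client`, `client_type`, and `auth_value` on macOS 11 and later or `allowed` on macOS 10.15 and earlier), the meaning of their values and the service name `kTCCServiceSystemPolicyAllFiles` are written from memory of the schema and should be treated as assumptions to verify against your own machine; `demo_db()` builds a constructed stand-in so the logic can be exercised anywhere.

```python
"""List clients granted Full Disk Access in the system TCC database (added example).

Assumptions: TCC.db is at TCC_DB; its `access` table has columns service,
client, client_type and either auth_value (macOS 11+, 2 = allowed) or
allowed (macOS 10.15 and earlier, 1 = allowed); FDA is the service
kTCCServiceSystemPolicyAllFiles; client_type 1 is an absolute path and 0
a bundle identifier. demo_db() is a constructed stand-in, not real data.
"""
import sqlite3
from urllib.parse import quote

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"


def fda_clients(conn):
    """Return sorted (client, 'bundle'|'path') pairs that hold FDA."""
    columns = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in columns:      # macOS 11+ schema (assumption: 2 == allowed)
        granted = "auth_value = 2"
    elif "allowed" in columns:       # macOS 10.15 and earlier (assumption: 1 == allowed)
        granted = "allowed = 1"
    else:
        raise RuntimeError("access table has neither auth_value nor allowed")
    rows = conn.execute(
        f"SELECT client, client_type FROM access WHERE service = ? AND {granted}",
        (FDA_SERVICE,),
    )
    return sorted((client, "path" if ctype == 1 else "bundle") for client, ctype in rows)


def open_system_db(path=TCC_DB):
    """Open the real database read-only.

    The calling process itself needs Full Disk Access to read this file,
    which is exactly the broad grant the post describes: a Terminal with
    FDA hands that access to everything launched from it.
    """
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)


def demo_db(legacy=False):
    """Constructed in-memory stand-in for TCC.db (not data from any real Mac)."""
    col, yes, no = ("allowed", 1, 0) if legacy else ("auth_value", 2, 0)
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, "
                 f"client_type INTEGER, {col} INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (FDA_SERVICE, "com.apple.Terminal", 0, yes),
        (FDA_SERVICE, "/usr/local/bin/backup-agent", 1, yes),
        (FDA_SERVICE, "com.example.declined", 0, no),
        ("kTCCServiceAccessibility", "com.example.other", 0, yes),
    ])
    return conn


if __name__ == "__main__":
    try:
        rows = fda_clients(open_system_db())
    except sqlite3.OperationalError as exc:
        print(f"cannot read {TCC_DB}: {exc} (does this process have Full Disk Access?)")
    else:
        for client, kind in rows:
            print(f"{kind:6} {client}")
```

Note the irony the post is pointing at: reading the system TCC.db itself requires Full Disk Access, so the usual way to run this is from a Terminal that has FDA, and at that moment every other process launched from that Terminal has the same access. There is also a per-user TCC.db under ~/Library/Application Support/com.apple.TCC/ holding the prompts that user answered; FDA is recorded in the system database.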

7. Criminals Aren’t Interested in Mac Users

It’s a common myth in computer security that most malware authors aren’t interested in Mac users because “the market is too small” to be worth their time. After all, it is supposed, it takes a considerable investment in resources to develop, distribute and manage malware infections, and for that effort criminals want a good ROI. Consequently, it’s assumed, they don’t bother targeting Macs and stick to the easier pickings of Windows users.

There’s plenty of fallacy to unpack here. First, the market is too small? This thinking is about 15 years out of date, predating the iPhone’s 2007 launch to be accurate. Macs may have once been the niche buy of certain kinds of ‘creatives’ and a few vociferous enthusiasts, but their market share has steadily increased over the last decade or so.

At first, this was off the back of iOS/macOS (or OS X as it was then) ecosystem integration, but it’s long been the case that Macs have become popular in their own right for their longevity, stability and – relative to Windows – security. Developers of all stripes love them, executives love them, and this last quarter Apple reported that Mac sales alone accounted for more than $10 billion of revenue. That’s a pretty healthy-sized market to attack for any malware author, just ask the developers of XLoader, XCSSET and OSAMiner.

Second, Mac malware isn’t particularly difficult to create. If you can create any kind of Mac app, making it do something malicious is a fairly trivial tweak (an unfortunate fact that makes macOS malware difficult to catch for certain kinds of security solutions that rely on identifying malware by file characteristics rather than behavior). Add to that the fact that macOS malware is increasingly cross-platform – malware authors are targeting multiple platforms with the same source code written in languages like Java, Go and Kotlin – and the “heavy investment for no return” argument doesn’t really hold any water.

Sure, the most common and profitable threats found on Macs are adware, but they didn’t get that way by being stopped by nothing more than ‘a savvy user’.

8. Nation-States Don’t Target Mac Users

Well, if the criminals looking to make a quick buck are on board, what about the APTs? As noted above, developers and execs love to buy Macs – they’re powerful and chic – and they have a reputation for being secure (although we note it’s Chromebooks that now enjoy the “these don’t get viruses” meme).

APTs have always been busy targeting Macs just as they have any other devices used by “persons of interest”. This past year, we saw not only targeted attacks against political activists but also what was very likely an espionage attack against a US business.

We also learned last month that, while most Mac malware requires some level of social engineering, there are in-the-wild exploits that can infect a Mac user who simply visits the wrong website. Both macOS.Macma and OSX.DazzleSpy were delivered by leveraging exploits to drop and execute code with privileges in a watering-hole attack. And as noted above, CVE-2022-22587 patched a few weeks ago was an actively exploited zero-day that allowed malicious attackers to execute arbitrary code with kernel privileges. At this time, we have no idea who the targets were.

Want to stop targeted malware? Invest in an EDR that offers agents built natively to run on Mac architectures, both Intel and arm64 (aka Apple silicon).

9. Apps Downloaded from the App Store are Safe

The Mac App Store, and its counterpart the iOS App Store, occupy a special place in Apple’s ecosystem. Such apps run in sandbox environments on the user’s device, are vetted by Apple, and distributed by identified developers. The vast majority are, indeed, safe, there’s no questioning that. But there are, nevertheless, questions about a small minority.

App Store apps are mostly safe, but the origin of the download doesn’t guarantee that you’re not getting malware. Developers of legitimate App Store apps have noticed scam apps on the App Store blatantly copying legitimate apps and being boosted with fake ratings and reviews, themselves purchased in bulk from other criminals. It’s been estimated that such apps could be scamming users out of $2 million a year or more.

If Apple’s built-in defenses are not going to recognize and block scams and malware, users without other defenses are left pretty much exposed.

10. The Best Security Apps Are in the App Store

If you’re thinking you want some extra security solution for your Macs, the one place not to look is the App Store. This has nothing to do with our previous point about the dubiousness of some App Store apps, but rather the nature of what kind of apps are allowed in the App Store.

As we already said, App Store apps must be sandboxed – that’s one of Apple’s conditions of entry – but a good security app by definition can’t operate in a sandbox environment. A sandbox is like a container that isolates an app from other apps and other data on a device. It’s one of a number of techniques that can be utilized to help make certain kinds of apps safer.

However, there’s no such thing as an effective sandboxed security app. So-called “security apps” found in the App Store have no visibility into other processes and no capability to block or remove malware (itself almost always unsandboxed) on your device. They are, by and large, at best useless, and at worst fraudulent.

If you want effective security, you need a solution that can actually protect your device against threats and offer visibility into malicious actions; in other words, you need something that runs outside of a sandbox.

You won’t find anything like that in the App Store.

Conclusion

Macs are great. Let’s not forget that! But we can admire our Macs as great work machines without falling into the naive belief that they are some kind of impregnable fortress that doesn’t need any help to stay secure against a growing crowd of threat actors.

Computer security is a moving target, and certainly in the enterprise that requires a dedicated security solution provider who is at the forefront of keeping up with the latest threats. Help your Macs – and your Mac users – to help themselves by being aware of the reality of the macOS security threatscape and being proactive in your security posture.

If you would like to see how SentinelOne can help protect your macOS devices, contact us or request a free demo.

IRS To Ditch Biometric Requirement for Online Access

The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.

Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs.gov will be through ID.me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.

The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.

It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID.me).

ID.me says it has approximately 64 million users, with 145,000 new users signing up each day. Still, the bulk of those users are people who have been forced to sign up with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit payments, and pandemic assistance funds.

In the face of COVID, dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to screen for ID thieves applying for benefits in someone else’s name.

But ID.me has been problematic for many legitimate applicants who saw benefits denied or delayed because they couldn’t complete ID.me’s verification process. Critics charged the IRS’s plan would unfairly disadvantage people with disabilities or limited access to technology or the Internet, and that facial recognition systems tend to be less accurate for people with darker skin.

Many readers were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that began in 2010 as a way to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID.me gets breached?

The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering another identity verification option that wouldn’t use facial recognition. At the same time, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements.

In a statement published today, the IRS said it was transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.

“The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The statement further stressed that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”

It remains unclear what other service or method the IRS will use going forward to validate the identities of new account signups. Wyden and others have urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.

“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Login.gov is run by the U.S. General Services Administration, which told The Post that it was “committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services until a rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”

The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good

This week brings another welcome victory for law enforcement. This time around we focus on darknet market site CanadaHQ (Canadian Headquarters) and individuals connected to the site. CanadianHQ was notorious for trading in spamming services, phishing kits, stolen credentials and access to compromised computers before it was taken offline.

The CRTC (Canadian Radio-television and Telecommunications Commission) provided an update this past week stating that four suspects involved with the site, including the creator of the market, had been handed penalties for violating Canada’s Anti-Spam Legislation (CASL) totaling $300,000.

The CRTC indicated that these individuals were responsible for sending “emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials, and other sensitive information”. The individuals charged in violation of the CASL are:

  • Chris Tyrone Dracos (aka “Poseidon”)
  • Marc Anthony Younes (aka “CASHOUT00” and “Masteratm”)
  • Souial Amarak (aka “Wealtyman” and “Supreme”)
  • Moustapha Sabir (aka “La3sa”)

It is alleged that Dracos was the creator and primary administrator of the market. As such, he received the harshest penalty with a fine of $150,000. The three remaining individuals were given fines of $50,000 each. Chief Compliance Officer of the CRTC, Steven Harron, indicated that this was one of the more “challenging and complex” cases they had worked on under the Canada Anti-Spam Legislation.

However, there are signs of a broader scope to these actions, as the CRTC also indicates it has “identified a number of other vendors…actions will be taken against them in the near future”. It sounds like we can look forward to more of these efforts and resulting market closures in the future.

The Bad

The FBI on Tuesday released a new PSA (public service announcement) around the ongoing tactics used by scammers and cybercriminals. PSA I-020122-PSA focuses on the exploitation of security weaknesses on job recruitment websites. Scammers use these to post fraudulent job postings with the intention of extracting personal information or money from would-be applicants. According to the FBI, victims are duped out of almost $3000 on average each time.

While the tactic is hardly new, it continues to pay rich dividends for cybercriminals precisely because many employment-oriented networking sites fail to use strong security verification measures. Scammers have exploited such weaknesses to post fake job offerings on legitimate company pages alongside genuine job postings. Users of such sites are left to determine the real from the fake for themselves, with predictably unfortunate outcomes.

Similarly, scammers reproduce genuine job postings on other sites, changing the contact details to capture interested job seekers. They go so far as to spoof the identity of legitimate company employees, conduct fraudulent interviews, and even make fake job offers to victims in their quest to gather as much PII as possible. The PII is then later sold or used in additional scams.

The PSA provides several further examples of these tactics in use over the past three years, and it goes on to outline how the scams also impact the reputation of businesses that are repeatedly scammed. The PSA contains a set of recommendations for both companies and job seekers to assist in curtailing the impact or damage caused via this tactic and to avoid falling victim to such scams. We encourage all to read and review the PSA for further guidance.

The Ugly

This week saw one of the UK’s largest food and snack companies, Leicester-based KP Snacks (aka Kenyon Produce), provide further details around last Friday’s ransomware attack. On Wednesday, the company informed partners that as a result of the attack, it was unable to “safely process orders or dispatch goods”.

According to reports, the Conti ransomware group, which is developed and maintained by the same team that brings us Trickbot, was behind the attack. The operators are said to have breached KP Foods’ internal network and gained access to sensitive files such as employee details, credit card statements, birth certificates and financial documents, exfiltrating the data before encrypting it.

The Conti leaks site listed KP Snacks with the usual countdown timer for payment, which is due to “expire” around February 6th. It is not known at this time whether the company is negotiating with the attackers, but per their official statement they have initiated their “cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist” them in their investigation. The company has also said that “it is unknown when this will be resolved”.

Once again, such attacks only highlight the need for companies to deploy security solutions that can truly prevent ransomware attacks, while also ensuring all staff are given good cybersecurity awareness training on a regular basis. The ransom amount is only part of the cost of failure here, and often not even the most significant part at that.

How Phishers Are Slinking Their Links Into LinkedIn

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly LinkedIn’s parent firm Microsoft).

At issue is a “redirect” feature available to businesses that choose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns, while promoting off-site resources. These links or “Slinks” all have a standard format: “https://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions.

The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks. Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.

Here’s one example from Jan. 31 that uses LinkedIn.com links to redirect anyone who clicks to a site that spoofs Adobe, and then prompts users to log in to their Microsoft email account to view a shared document.

A recent phishing site that abused LinkedIn’s marketing redirect. Image: Urlscan.io.

Urlscan also found this phishing scam from Jan. 12 that uses Slinks to spoof the U.S. Internal Revenue Service. Here’s a Feb. 3 example that leads to a phish targeting Amazon customers. This Nov. 26 sample from Urlscan shows a LinkedIn link redirecting to a Paypal phishing page.

Let me be clear that the activity described in this post is not new. Way back in 2016, security firm Fortinet blogged about LinkedIn’s redirect being used to promote phishing sites and online pharmacies. More recently in late 2021, Jeremy Fuchs of Avanan wrote that the use of a LinkedIn URL may mean that any profession — the market for LinkedIn — could click.

“Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective,” Fuchs wrote. “The idea is to create a link that contains a clean page, redirecting to a phishing page.”

In a statement provided to KrebsOnSecurity, LinkedIn said it has “industry standard technologies in place for URL sharing and chained redirects that help us identify and prevent the spread of malware, phishing and spam.” LinkedIn also said it uses third-party services — such as Google Safe Browsing, Spamhaus, Microsoft, and others — to identify known-bad URLs.

KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question. In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site.

Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.
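The point of the preceding paragraphs is that a Slink is a trusted-domain link whose real destination is invisible until the redirect is followed, so reputation-based filters wave it through. The check below is an added example written for this page, not code from KrebsOnSecurity or LinkedIn: it scans a message body for URLs that match the documented Slink format (host under linkedin.com, path /slink, a code query parameter) so a mail gateway or SOC triage script can route those links for deeper inspection (for instance, resolving the redirect chain in a sandbox) rather than trusting the domain alone. The sample message and the slink codes in it are constructed for the demonstration; the only real value is the first Slink quoted on the page.

```python
"""Flag LinkedIn "Slink" marketing redirects for deeper inspection.

Added example (not from KrebsOnSecurity or LinkedIn). A Slink has the
documented shape https://www.linkedin.com/slink?code=<short code>; the
final destination is only known after following the redirect, so this
check does not judge good vs. bad, it only surfaces the links that a
domain-reputation filter would otherwise pass untouched.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hosts considered LinkedIn: the apex and any subdomain of it.
LINKEDIN_HOSTS = ("linkedin.com",)

# Crude URL extractor for message bodies; trailing punctuation is trimmed.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)]}'\""


@dataclass(frozen=True)
class SlinkHit:
    url: str   # the link exactly as it appeared in the message
    code: str  # the short code after ?code=


def is_linkedin_host(host: str) -> bool:
    """True for linkedin.com and *.linkedin.com; lookalikes such as
    linkedin.com.evil.example are rejected."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LINKEDIN_HOSTS)


def find_slink(url: str):
    """Return a SlinkHit if url is a LinkedIn slink redirect, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if not parts.hostname or not is_linkedin_host(parts.hostname):
        return None
    # Path match is case-insensitive and tolerates a trailing slash.
    if parts.path.rstrip("/").lower() != "/slink":
        return None
    codes = parse_qs(parts.query).get("code")
    if not codes or not codes[0]:
        return None
    return SlinkHit(url=url, code=codes[0])


def extract_urls(text: str):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(text)]


def scan_message(body: str):
    """Return every Slink found in a message body, in order of appearance."""
    hits = []
    for url in extract_urls(body):
        hit = find_slink(url)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample lure in the style described above; the codes are
# made up and the example.com link is ordinary, non-redirecting content.
SAMPLE_MESSAGE = (
    "A document has been shared with you.\n"
    "Review it here: https://www.linkedin.com/slink?code=x7Qk2a.\n"
    "Mobile link: https://LinkedIn.com/Slink/?code=p9Lm4z\n"
    "Not a slink: https://www.linkedin.com/in/someone\n"
    "Lookalike host: https://linkedin.com.evil.example/slink?code=bad\n"
    "Unsubscribe: https://example.com/unsubscribe\n"
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(f"slink code={hit.code!r} url={hit.url}")
```

Running the script prints the two genuine Slinks from the sample and ignores both the profile URL and the lookalike host. In a gateway the natural next step is to resolve each flagged link's redirect chain in isolation and apply the URL-reputation checks to the final destination rather than to linkedin.com.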

LinkedIn’s parent company — Microsoft Corp — is by all accounts the most-phished brand on the Internet today. A report last year from Check Point found roughly 45 percent of all brand phishing attempts globally target Microsoft. Check Point said LinkedIn was the sixth most phished brand last year.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.