Senators Urge FTC to Probe ID.me Over Selfie Data

Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for “deceptive statements” the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

In a letter to FTC Chair Lina Khan, the Senators charge that ID.me’s CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and many states that use the ID proofing technology to screen applicants for unemployment insurance.

The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: One-to-one, and one-to-many. In the one-to-one approach, a live video selfie is compared to the image on a driver’s license, for example. One-to-many facial recognition involves comparing a face against a database of other faces to find any potential matches.

Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.):

“While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant’s identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”

“This risk is especially acute for people of color: NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries. This means Black and Asian Americans could be disproportionately likely to be denied benefits due to a false match in a one-to-many facial recognition system.”

The lawmakers say that throughout the latter half of 2021, ID.me published statements and blog posts stating it did not use one-to-many facial recognition and that the approach was “problematic” and “tied to surveillance operations.” But several days after a Jan. 16, 2022 post here about the IRS’s new facial ID requirement went viral and prompted a public backlash, Hall acknowledged in a LinkedIn posting that ID.me does use one-to-many facial recognition.

“Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth,” the letter alleges. “According to media reports, the company’s decision to correct its prior misleading statements came after mounting internal pressure from its employees.”

Cyberscoop’s Tonya Riley published excerpts from internal ID.me employee Slack messages wherein some expressed dread and unease with the company’s equivocation on its use of one-to-many facial recognition.

In February, the IRS announced it would no longer require facial scans or other biometric data from taxpayers seeking to create an account at the agency’s website. The agency also pledged that any biometric data shared with ID.me would be permanently deleted.

But the IRS still requires new account applicants to sign up with either ID.me or Login.gov, a single sign-on solution already used to access 200 websites run by 28 federal agencies. It also still offers the option of providing a live selfie for verification purposes, although the IRS says this data will be deleted automatically.

Asked to respond to concerns raised in the letter from Senate lawmakers, ID.me instead touted its successes in stopping fraud.

“Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud,” the statement reads. “Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud ‘an economic attack on the United States.’ ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”

As Cyberscoop reported on Apr. 14, the House Oversight and Reform Committee last month began an investigation into ID.me’s practices, with committee chairwoman Carolyn Maloney (D-N.Y.) saying the committee’s questions to the company would help shape policy on how the government wields facial recognition technology.

A copy of the letter the senators sent to the FTC is here (PDF).

Denonia Malware Targets AWS Lambda Environments

The increased adoption of cloud computing across industries has a significant impact on how businesses manage operations and deliver a strong return on investment. Organizations leverage serverless functions for various use cases, such as developing cloud-native applications, processing event-based tasks, and moving workloads to the cloud.

AWS Lambda is a serverless service from Amazon Web Services that fits into the event-driven paradigm. AWS Lambda offers a powerful toolkit for building secure and scalable applications. But cybercriminals have found a way to exploit and run malware on AWS Lambda since its functions allow code to run for virtually any application or backend service from any web or mobile app.

How Did Denonia Malware Exploit Complex Cloud Infrastructure?

According to the Cado Labs research report, Denonia malware is the first of its kind designed specifically to target the AWS Lambda environment. The malware takes its name from the domain ‘gw.denonia.xyz’ that it communicates with.

The analysts suspect that cybercriminals compromised AWS access and secret keys and then manually deployed the malware into the compromised AWS Lambda environments.

The dynamic analysis discovered that the sample used DNS over HTTPS (DoH) instead of traditional DNS. DoH encrypts DNS queries and sends the requests out as regular HTTPS traffic to DoH resolvers.

The malware sends requests using the “doh-go” library to the following URLs:

hxxps://cloudflare-dns[.]com/dns-query?name=gw[.]denonia[.]xyz&type=A
hxxps://dns[.]google[.]com/resolve?name=gw[.]denonia[.]xyz&type=A

The malware resolves the attacker-controlled domain gw.denonia[.]xyz to the IP address 116.203.4[.]0 and writes it into a config file at /tmp/.xmrig.json; /tmp is the only writable folder in a Lambda environment. It then launches XMRig, a Monero cryptocurrency miner, from memory, and the miner connects to the IP address obtained from the DNS query on port 3333, a Monero mining pool.
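As an added example (not code from the Cado Labs report or the original post): a Python scan over constructed egress-proxy log lines that recognises DoH GET queries to the resolver endpoints named above, recovers the queried hostname, and flags watchlisted domains. It goes slightly beyond the sample by also decoding the RFC 8484 `dns=` wire-format form, not only the JSON-style `name=` form Denonia used; the log layout, the sample lines, and the watchlist are assumptions.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Public DoH endpoints. The first two (host, path) pairs are the ones the Denonia
# sample queried; the rest are assumed extras for the RFC 8484 wire format.
DOH_ENDPOINTS = {
    ("cloudflare-dns.com", "/dns-query"),
    ("dns.google.com", "/resolve"),
    ("dns.google", "/resolve"),
    ("dns.google", "/dns-query"),
}

# Constructed watchlist: the C2 domain named in the report.
WATCHLIST = {"gw.denonia.xyz"}

QTYPE_NAMES = {1: "A", 28: "AAAA", 16: "TXT"}
URL_RE = re.compile(r"https?://\S+")


def qname_from_wire(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS wire message (RFC 1035)."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels).lower(), QTYPE_NAMES.get(qtype, str(qtype))


def parse_doh_request(url: str):
    """Return {'name', 'type', 'format'} if url is a DoH GET query, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or (parts.hostname, parts.path) not in DOH_ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    if "name" in qs:  # JSON-style API, the form Denonia used
        return {"name": qs["name"][0].rstrip(".").lower(),
                "type": qs.get("type", ["A"])[0].upper(), "format": "json"}
    if "dns" in qs:  # RFC 8484 wire format: unpadded base64url DNS message
        raw = qs["dns"][0]
        try:
            msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        except ValueError:
            return None
        parsed = qname_from_wire(msg)
        if parsed:
            return {"name": parsed[0], "type": parsed[1], "format": "wire"}
    return None


def doh_wire_url(name: str, qtype: int = 1) -> str:
    """Build an RFC 8484 GET URL for name; used here only to construct sample data."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, 1 question
    question = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + question + struct.pack("!HH", qtype, 1)
    return "https://dns.google/dns-query?dns=" + base64.urlsafe_b64encode(msg).decode().rstrip("=")


def scan_log(lines):
    """Return one (source, name, qtype, format, on_watchlist) tuple per DoH request found."""
    findings = []
    for line in lines:
        fields = line.split()
        src = fields[1] if len(fields) > 1 else "?"
        m = URL_RE.search(line)
        q = parse_doh_request(m.group(0)) if m else None
        if q is None:
            continue
        name = q["name"]
        flagged = any(name == w or name.endswith("." + w) for w in WATCHLIST)
        findings.append((src, name, q["type"], q["format"], flagged))
    return findings


# Constructed log lines in an assumed "<timestamp> <source> <method> <url> <status>" layout.
LOG_LINES = [
    "2022-04-06T10:01:02Z lambda-fn-a GET https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A 200",
    "2022-04-06T10:01:03Z lambda-fn-a GET https://dns.google.com/resolve?name=gw.denonia.xyz&type=A 200",
    "2022-04-06T10:01:09Z lambda-fn-b GET https://sqs.us-east-1.amazonaws.com/123456789012/queue 200",
    "2022-04-06T10:02:00Z lambda-fn-c GET " + doh_wire_url("updates.example.com") + " 200",
]

if __name__ == "__main__":
    for src, name, qtype, fmt, flagged in scan_log(LOG_LINES):
        print(f"{src}: DoH {fmt} query for {name} ({qtype}){' WATCHLIST' if flagged else ''}")
```

Any DoH query from a function that has no business resolving names is itself worth alerting on, since the traffic never reaches the VPC resolver where ordinary DNS logging would catch it.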

How Does SentinelOne’s Identity Threat Detection Help?

Achieving early detection of insider and external threats with the ability to detect stolen credential attacks can significantly reduce the risk of a successful attack. SentinelOne offers the following solutions to detect anomalous behavior that may indicate attacker presence within the AWS environment.

Cloud Deception

The SentinelOne Hologram solution deploys decoys such as EC2 instances, S3 buckets, Lambda functions, and DynamoDB databases across various cloud accounts. Cybercriminals attempt to discover cloud resources and services in order to gain access and exploit them. The solution can detect cloud discovery techniques and alerts when an attacker tries to access AWS Lambda functions.

Identity Threat Detection

Cybercriminals use various methods to steal or reuse cloud credentials to access serverless functions from compromised endpoints. The Singularity™ Identity solution helps create and distribute deceptive cloud objects (such as secret keys, credentials, or URLs) as lures on both endpoints and servers. The solution detects their lateral movement attempts and misdirects them from the serverless infrastructure into the engagement environment.

It is not the first time that cybercriminals have exploited AWS services. In the past, attackers gained access to an organization’s misconfigured S3 buckets and performed malicious activities. SentinelOne provides visibility to identity entitlement across multi-cloud environments, arming organizations with knowledge of their attack surface and helping mitigate risks associated with users, roles, and entitlements across cloud environments.

Best Practices and Recommendations

Security and compliance are shared responsibilities between AWS and the customer. The shared responsibility model can help relieve an organization’s operational burden. However, following best practices and recommendations can help protect customers from potential compromises.

  • Follow the standard security advice of granting the least privilege or granting only the permissions required to perform a task.
  • Configure AWS Identity and Access Management (IAM) role temporary credentials to access only the resources you need to do your job (granting least privilege).
  • Implement identity threat solutions and continuously monitor cloud service usage for anomalous behavior that may indicate an attacker’s presence within the cloud environment.
  • Review threat events, identify the host used for login, and isolate it from the network.

Conclusion

Safeguarding against identity threats requires a multi-layered security strategy. Organizations can reduce the risk to their cloud resources by deploying SentinelOne identity and deception solutions and creating cloud baits such as deceptive logins and access keys on the endpoints.


The Good, The Bad and the Ugly in Cybersecurity – Week 20

The Good

This week, the United States and the European Union confirmed Russian involvement in a series of destructive cyber attacks in February 2022 against Ukrainian organizations and infrastructure.

These attacks targeted commercial satellite communication networks run by Viasat, a US-based communication firm. The actors responsible deployed the AcidRain wiper malware to destroy thousands of satellite modems, and disrupted the operation of over 5,800 wind turbines.

In a statement, US Secretary of State Antony Blinken condemned Russia’s cyber attacks against Ukraine, outlining the “website defacements, distributed denial-of-service (DDoS) attacks, and cyber attacks to delete data from computers belonging to government and private entities” in the months leading up to Russia’s invasion.

Blinken then offered more detail into the United States assessment of the AcidRain campaign, which he said “disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens.”

The State Department’s assessment, alongside Viasat’s investigation results, reflects SentinelOne’s analysis of the AcidRain wiper. During this attack, a destructive MIPS ELF binary wiped out filesystems, flash memories, and SD/MMC cards on vulnerable modems.

In response, the United States government is rolling out new measures to help Ukraine with detection, response and recovery. The government is also supporting Ukraine’s communication capabilities by supplying satellite phones and data terminals to support Ukraine’s government and infrastructure.

The Bad

The US Cybersecurity and Infrastructure Security Agency’s (CISA) latest update to its Known Exploited Vulnerabilities Catalog recommends that users of F5 Networks’ BIG-IP iControl REST service patch their systems to address a critical vulnerability.

The bug (tracked as CVE-2022-1388 with a CVSS score of 9.8) allows threat actors to bypass authentication and access vulnerable devices to execute remote code, make configuration changes, move laterally within a compromised network or exfiltrate data.

On May 4, 2022, F5 released initial patches for the vulnerability alongside an advisory disclosing technical details surrounding the flaw to users. While the company has also released indicators of compromise (IOCs) in the past week, its updated advisory still warns that skilled attackers can mask their presence in a system when they gain access.

Despite F5’s attempts to mitigate the fallout, security experts have observed attackers exploiting the critical flaw in the wild this week. Unfortunately, the SANS Internet Storm Center has also discovered attackers leveraging the bug to wipe servers and make them unusable.

Researchers have also expressed concern about the risk that more attackers will attempt to exploit the vulnerability because it requires little technical skill.

Due to the growing risk surrounding this critical vulnerability, CISA and other federal agencies recommend that all impacted users patch their systems as soon as possible.

The Ugly

Over the past few weeks, security researchers have been actively investigating four backdoors discovered within open source code. Analysis showed the actor behind the backdoors was targeting four German companies and using a new form of supply chain attack called “dependency confusion”.

As the name suggests, dependency confusion relies on tricking targets into downloading dependent, third-party code from the wrong location.

But in a surprising turn of events, the “threat actor” behind these particular backdoors came forward to reveal themselves. Code White, a penetration testing firm, announced that they were “trying to mimic realistic threat actors for dedicated clients as part of [their] Security Intelligence Service,” and that the “malicious actor” in question was an intern for the firm. Code White’s CEO confirmed that the affected companies had requested penetration testing exercises and that the firm had assembled the code dependencies to simulate real threats.

The public nature of the attacks meant others aside from Code White’s clients were unwittingly pulled into the exercise and arguably wasted valuable research time [1, 2] analysing what appeared to be real threats delivering malware via an open source public repository.

On the other hand, perhaps this unusual incident may help raise awareness of dependency confusion attacks among other organizations, too. Security experts have noted that although the Code White dependency confusion exercises don’t count as a sign that these types of attacks are on the rise, it’s possible that attackers will begin leveraging this attack vector in the future.

Threat Landscape | The Most Dangerous Cloud Attack Methods In The Wild Today

The cybersecurity threat landscape is vast, and we are often faced with the challenge of keeping in touch with novel attack techniques and new attack surfaces. As enterprises continue to transition to storing data and offering services through the cloud, we will continue to see an increase in threat activity relevant to all forms of cloud technology. In this post, I want to share a summary of the most dangerous cloud attack methods observed in the wild today, and offer some insight into how we at SentinelLabs perceive them. The examples included in this post are based on both active opportunistic and targeted attackers we observe.

1. Vulnerable Services

One of the most commonly observed attacks in cloud networks is compromise through vulnerable services. Consequently, the criticality of running updated systems cannot be overstated. What makes this particularly important for cloud services is the post-compromise actions often available to the attacker, such as lateral movement to major business systems and resources hosted in a cloud network, and the challenge victims face in responding effectively and in a timely manner.

One well known example of this type of attack was the immediate exploitation of the Apache Log4J vulnerability. Apache had a single vulnerability with massive impact across the world when it was discovered, yet there are so many other common services ripe for such attacks too. Victim organizations that relied on vulnerability scanners to identify and defend against the likes of Log4j were exposed to increased risk across their networks as the vulnerability was exploited a week before it was disclosed.

Log4j, like many other n-day vulnerabilities, was quickly abused by attackers. In this case, both opportunistic and targeted attackers made use of the vulnerability to achieve their objectives. The majority of observed attacks were opportunistic; however, in some rare cases, well-resourced APTs also exploited the vulnerability, including those attributed to China and Iran.

The severity of attacks that occurred on the back of a vulnerability like this shows just how vital it is for enterprises to be able to detect malicious activity before a service is known to be vulnerable.

2. Cloud Misconfigurations

Configuration oversight causes the vast majority of cloud storage data leaks. Organizations mistakenly leaving customer data publicly accessible, or easily accessible to attackers, has led to a climb in data leaks over the years. Again, this is not unique to the cloud, but it is increasingly common due to the ease and hidden complexity of cloud storage configurations.

Additionally, configuration oversight is not limited to causing data leaks. In many cases, we have observed cloud hosts become infected with malware, or give up further network access, because an attacker was able to alter the system. For example, an opportunistic threat actor known as TeamTNT has been observed accessing unsecured Docker daemons to install and execute their own malicious images, infecting victims with a botnet and cryptocurrency miners. This is a simple but highly effective technique against organizations with misconfigured cloud services.

The range of applications common to cloud networks that can be abused when misconfigured is too large to dive into here. However, the takeaway is that a configuration oversight not only allows for commodity abuse but an extremely simple intrusion vector for a more capable threat actor. There is a reason we continue to observe the most dangerous APTs scanning the internet for such open doors: It is worth the effort.

3. Supply Chain Attacks

Supply chain attacks hold a special place in the heart of attackers. While supply chain intrusions have been heavily reported on with the likes of SolarWinds, which was attributed to a Russian APT, there are others which are isolated to cloud networks and services.

One increasingly common supply chain attack method is the compromise of Docker Hub images. The previously mentioned TeamTNT has compromised, and continues to compromise, Docker Hub images, leading to the infection of anyone installing and updating those trusted images. In their case, primary objectives include more generic botnet functionality and the use of miners. Docker admins should exercise the same caution when taking in new images as when installing outside software into the network. Proper endpoint telemetry from hosts running such images is an ideal way to ensure nothing malicious activates after a delay in these types of deployments.

In terms of the software supply chain, we are often faced with an ever-growing set of opportunities for the attacker. As we observed in the 2021 compromise of the Codecov bash uploader, software can be compromised in simple yet effective ways. In the Codecov compromise, a tool commonly used in the software development lifecycle was modified through an update to include a single line of code which went undiscovered for months. The code enabled the attacker to collect environment secrets. At this time we cannot speak to the true intent of these attackers; however, it’s hard to disregard the simplicity and success of the intrusion. Such attacks will continue to become more common, particularly through open source software used globally.

4. Cloud Management Platform Access

Examples like those above can teach us an important lesson: So much of the cloud threat landscape centers around the desire to access the cloud management platform, especially privileged cloud accounts. It’s so critical to defend against cloud threats because they offer the attacker an opportunity to break the barrier of accessing information or control over a powerful, normally-trusted service.

An attacker with privileged access to the management platform of a cloud service, be it AWS, GCP or Azure, can weave their way into many difficult-to-identify places. Thanks to the use of open source tools like Purple Panda, an attacker with their hands on stolen credentials can automate cloud privilege escalation and identify opportunities for lateral movement.

The ways that attackers seek such access are, again, quite varied. For example, we know opportunistic attackers scan online code and image repositories (GitHub, Docker Hub) for mistakenly leaked keys. This has allowed them to kick off supply chain attacks and general bulk data theft. Additionally, highly capable and well-resourced targeted attackers like APT29 also place a deliberate effort into seeking such access for state-sponsored missions. Overall, this is a highly desirable level of access any attacker would enjoy, so it should be of the utmost importance for defenders to track.

Conclusion

Cloud-focused attacks are a rapidly growing area of interest to opportunistic and targeted attackers alike. While the techniques used in such attacks are vast and varied, they typically rely heavily on the fact that cloud networks are large, complex, and onerous to manage. This makes agent and container security solutions critical for the defense of any organization across all cloud platforms. Keep up with SentinelLabs as we share our latest findings with the wider community of defenders and stay tuned as we share information on new cloud threats.


DEA Investigating Breach of Law Enforcement Data Portal

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The EPIC System Portal (ESP) enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “KT,” the current administrator of the Doxbin — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

ANALYSIS

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not the only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

There are 3,330 results. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

Microsoft Patch Tuesday, May 2022 Edition

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “Local Security Authority” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.

Greg Wiseman, product manager for Rapid7, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”

“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.

Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.

Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the Windows Network File System (NFS). Trend Micro’s Zero Day Initiative notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.

“NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s Dustin Childs wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”

Once again, this month’s Patch Tuesday is sponsored by Windows Print Spooler, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.

“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said Satnam Narang, staff research engineer at Tenable. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”

Other Windows components that received patches this month include .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office, Windows Hyper-V, Windows Authentication Methods, BitLocker, Remote Desktop Client, and Windows Point-to-Point Tunneling Protocol.

Also today, Adobe issued five security bulletins to address at least 18 flaws in Adobe ColdFusion, Framemaker, InCopy, InDesign, and Adobe Character Animator. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.

For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win

By Dinesh Devadoss and Phil Stokes

Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments.

oRAT Distribution

The oRAT malware is distributed via a Disk Image masquerading as a collection of Bitget Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution identifier com.adobe.pkg.Bitget.

The disk image and installer package are notable for two reasons: neither has a valid developer signature, and the latter doesn’t actually install any files and only contains a preinstall script.

The preinstall script is a succinct bash shell script whose purpose is to deliver a payload to the /tmp directory, give the payload executable permissions, and then launch it.

Precisely what kind of lure the threat actors use to convince targets to download and launch the dropper is unknown at this time, but given that the target would need to override default security warnings from Gatekeeper, it is likely either that the users are sourcing the malware from an environment where this is typical (e.g., a 3rd-party software distribution site that regularly delivers unsigned software) or users have been pre-groomed to bypass Gatekeeper during a social engineering engagement of some kind.

In either case, the fact that there’s no deliverable from the user’s perspective is a risky gamble on the part of the threat actors. After running the installer and finding that it did not provide whatever they were expecting, users are likely to become suspicious. This might suggest the campaign was broadly targeted and that the threat actors were playing a numbers game, happy to sweep up opportunistic infections as they occurred.

The oRAT Payload

Things get more interesting when we examine the darwinx64 payload dropped in the /tmp folder. The binary doesn’t define any Symbols, and outputting the list of Sections tells us that the file has been packed with UPX.

Packed files like this are opaque to static analysis, but fortunately standard UPX is very easy to unpack thanks to the UPX utility itself. Dumping the strings tells us that it was packed with UPX 3.96, the most recently released version available.

The packed binary is around 3MB in size, but after unpacking we are presented with a massive ~10MB file. Such large file sizes are typical of cross-platform malware, particularly when binaries are compiled in Go, since they contain the entire run-time for the language along with a number of supporting libraries.

Fortunately, from a reverse engineering perspective, we can easily ignore most of the standard code that is common to all Go bins and focus on what is unique to the sample at hand. For IDA Pro users, see here; for r2 users, we can start by printing out a list of the functions flagged with sym._main.

In Go binaries, the program code entrypoint is at main.main, and we can work our way through there to see what other functions, packages and modules are called. Below, we see that the main.main function calls out to another custom package, orat_utils.

The orat_utils package contains several interesting functions and gives us an entry into understanding how the RAT works.

Of particular interest is the LoadConfig function. This is used to parse a blob of data appended to the binary which turns out to be an encrypted malware configuration. The encrypted data at the end of the unpacked binary occupies 166 bytes and consists of the data, an AES key, and two bytes representing the entire blob size.

Once decrypted, the blob turns out to contain configuration data for the malware C2.

After the malware decodes the config, it calls into sym._orat_cmd_agent.app and begins a number of loops through sys._orat_protocal.Dial. Depending on the config, it will call one of orat_protocol.DialTCP, orat_protocol.DialSTCP or orat_protocol.DialSUDP to establish a connection. The TCP protocols leverage smux while the SUDP protocol leverages QUIC. The malware loops with a sleep cycle of 5 seconds as it waits for a response.

The sym._orat_cmd_agent.app contains the primary RAT functionality of the malware and defines the following functions.

orat/cmd/agent/app.(*App).DownloadFile
orat/cmd/agent/app.(*App).Info
orat/cmd/agent/app.(*App).Join
orat/cmd/agent/app.(*App).KillSelf
orat/cmd/agent/app.(*App).NewNetConn
orat/cmd/agent/app.(*App).NewProxyConn
orat/cmd/agent/app.(*App).NewShellConn
orat/cmd/agent/app.(*App).Ping
orat/cmd/agent/app.(*App).PortScan
orat/cmd/agent/app.(*App).registerRouters
orat/cmd/agent/app.(*App).run
orat/cmd/agent/app.(*App).Screenshot
orat/cmd/agent/app.(*App).Serve
orat/cmd/agent/app.(*App).Unzip
orat/cmd/agent/app.(*App).UploadFile
orat/cmd/agent/app.(*App).Zip

Detecting oRAT in the Enterprise

The SentinelOne agent detects the oRAT payload as malicious when it is written to disk, protecting SentinelOne customers from this threat.

The SentinelOne agent also detects the malware on execution.

For those not protected by the SentinelOne platform, security teams are advised to hunt for artifacts as listed in the Indicators of Compromise section at the end of this post.
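As an added example (not SentinelOne's code or its detection logic), the Go program below implements the hunting checks this post describes: the UPX stub strings that revealed the packer and its version, the oRAT Go package paths from the function list above, and the preinstall pattern of staging a payload in /tmp, marking it executable and launching it. The script and the byte blobs are constructed stand-ins, not the real artefacts.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Finding is one triage observation plus the evidence that produced it.
type Finding struct {
	Rule     string
	Evidence string
}

// The stock UPX stub embeds a copyright banner naming its version, which is
// how the post recovered "UPX 3.96" from a strings dump.
var upxVersionRe = regexp.MustCompile(`\$Id: UPX (\d+\.\d+)`)

// Go package paths the post lists for the unpacked payload; a stripped Go
// binary still keeps these in its string and pclntab tables.
var oratPackages = []string{"orat/cmd/agent/app", "orat_utils", "orat_protocol"}

// TriageBinary checks a file image for a UPX packer stub and, once the file
// has been unpacked, for the oRAT package paths.
func TriageBinary(data []byte) []Finding {
	var out []Finding
	if bytes.Contains(data, []byte("UPX!")) {
		ev := "UPX! magic present"
		if m := upxVersionRe.FindSubmatch(data); m != nil {
			ev += ", stub banner reports UPX " + string(m[1])
		}
		out = append(out, Finding{"upx-packed", ev})
	}
	for _, p := range oratPackages {
		if bytes.Contains(data, []byte(p)) {
			out = append(out, Finding{"orat-go-symbol", p})
		}
	}
	return out
}

// Patterns for the three actions the post attributes to the preinstall
// script: write a payload under /tmp, mark it executable, run it.
var scriptRules = []struct {
	rule string
	re   *regexp.Regexp
}{
	{"drops-to-tmp", regexp.MustCompile(`(?:>|-o)\s*(/tmp/\S+)`)},
	{"chmod-exec-tmp", regexp.MustCompile(`(?m)^\s*chmod\s+\S+\s+(/tmp/\S+)`)},
	{"launches-from-tmp", regexp.MustCompile(`(?m)^\s*(?:nohup\s+|open\s+)?(/tmp/\S+)`)},
}

// TriageInstallScript flags a pkg pre/postinstall script that stages a
// payload in /tmp and launches it: an installer that installs nothing.
func TriageInstallScript(script string) []Finding {
	var out []Finding
	for _, r := range scriptRules {
		if m := r.re.FindStringSubmatch(script); m != nil {
			out = append(out, Finding{r.rule, m[1]})
		}
	}
	return out
}

// Constructed stand-ins (not the real oRAT artefacts): a script in the shape
// the post describes, and two byte blobs carrying only the marker strings.
const sampleScript = `#!/bin/bash
base64 -d "$(dirname "$0")/blob.b64" > /tmp/darwinx64
chmod +x /tmp/darwinx64
/tmp/darwinx64 &
`

var (
	samplePacked   = []byte("...UPX!...$Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $")
	sampleUnpacked = []byte("...main.main...orat/cmd/agent/app.(*App).Ping...orat_utils.LoadConfig...orat_protocol.DialSTCP...")
)

func main() {
	for _, f := range TriageInstallScript(sampleScript) {
		fmt.Printf("preinstall  %-18s %s\n", f.Rule, f.Evidence)
	}
	for _, f := range append(TriageBinary(samplePacked), TriageBinary(sampleUnpacked)...) {
		fmt.Printf("binary      %-18s %s\n", f.Rule, f.Evidence)
	}
}
```

Run it against the Scripts directory of a suspect .pkg and against the dropped file before and after unpacking; a hit on the package paths alone is enough to tie a sample to this family.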

Conclusion

The oRAT malware targets macOS users using a combination of custom-written code and public Golang repos. The developers are clearly familiar with using sophisticated features of Go for networking and communications, but due to the simplistic way the malware dropper was packaged, unsigned and with no observable install to distract the victim, it would seem they are less experienced with the challenges of infecting Mac users. Unfortunately, other threat actors have provided plenty of examples from which this new player can learn, and security teams should expect to see any future campaigns from this actor using more sophisticated droppers.

Indicators of Compromise

Filename SHA1
bitget-0.0.7 (1).dmg 3f08dfafbf04a062e6231344f18a60d95e8bd010
Bitget Apps.pkg 9779aac8867c4c5ff5ce7b40180d939572a4ff55
preinstall 911895ed27ee290bea47bca3e208f1b302e98648
darwinx64 (packed) 26ccf50a6c120cd7ad6b0d810aca509948c8cd78
darwinx64 (unpacked) 9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6
Paths
/tmp/darwinx64

Your Phone May Soon Replace Many of Your Passwords

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

Image: Blog.google

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.

Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
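To make the “public key cryptography” behind a passkey concrete, here is an added Go sketch (not code from the FIDO Alliance, Apple, Google or Microsoft) of a simplified WebAuthn-style login: the phone signs a site challenge bound to the browser-reported origin and to the site’s relying-party ID, and the site rejects a response minted for any other origin or site. The names Passkey, Assertion and Verify, the simplified authenticator-data layout, and the example domains are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData: the browser, not the site, fills in origin; that defeats phishing.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the phone hands back after the user unlocks it.
type Assertion struct {
	AuthData   []byte // sha256(rpID) || flags || counter (simplified layout)
	ClientJSON []byte
	Signature  []byte // ASN.1 ECDSA over AuthData || sha256(ClientJSON)
}

// Passkey stands in for the phone's credential: a P-256 key pair scoped to one relying-party ID.
type Passkey struct {
	RPID string
	key  *ecdsa.PrivateKey // never leaves the device; only Public() is shared
}

func NewPasskey(rpID string) (*Passkey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, key: key}, nil
}
func (p *Passkey) Public() *ecdsa.PublicKey { return &p.key.PublicKey }

func signedMessage(authData, clientJSON []byte) []byte {
	ch := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return h[:]
}

// Sign models the "unlock your phone" step for one login challenge.
func (p *Passkey) Sign(origin, challenge string) (*Assertion, error) {
	cj, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail
	rpHash := sha256.Sum256([]byte(p.RPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // user-present flag, counter 0
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, signedMessage(authData, cj))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cj, sig}, nil
}

// Verify is the site's side. A response signed for a look-alike origin, for
// another site's rpID, or against an old challenge fails even with a valid key.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a *Assertion) error {
	var cd clientData
	if json.Unmarshal(a.ClientJSON, &cd) != nil || cd.Challenge != challenge {
		return errors.New("malformed client data or stale challenge (replay?)")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpID hash mismatch: credential belongs to another site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pk, _ := NewPasskey("example.com")
	good, _ := pk.Sign("https://example.com", "nonce-1")
	bad, _ := pk.Sign("https://example.com.evil.test", "nonce-1") // look-alike site
	fmt.Println("legit login:", Verify(pk.Public(), "example.com", "https://example.com", "nonce-1", good))
	fmt.Println("phished:    ", Verify(pk.Public(), "example.com", "https://example.com", "nonce-1", bad))
}
```

A real browser would refuse to use the example.com passkey on the look-alike origin at all; the server-side check shown here is the backstop that makes the stolen response worthless even if it is obtained.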

As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.

Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.

Steve Bellovin, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”

“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.

Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm SpyCloud found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.

The Good, the Bad and the Ugly in Cybersecurity – Week 19

The Good

On May 3, 2022, the United States Securities and Exchange Commission (SEC) announced that it is adding twenty roles to its specially focused Crypto Assets and Cyber Unit.

The SEC formed its Cyber Unit in 2017, and recently renamed the division to reflect a new focus on investigating securities law violations as they relate to crypto asset offerings and exchanges, crypto-lending and staking products, and digital assets, along with up-and-coming platform offerings like non-fungible tokens (NFTs), decentralized finance (DeFi) platforms and stablecoins.

According to a statement by SEC chair Gary Gensler, “As more investors access the crypto markets, it is increasingly important to dedicate more resources to protecting them.”

The statement also noted that the Crypto Assets and Cyber Unit has already brought dozens of cases against SEC registrants and public companies that sought to take advantage of investors in crypto markets and failed to maintain adequate security measures.

Gensler added, “By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify…issues with respect to cybersecurity.”

In other news, CyberWire announced that it will be releasing CISA Flash cybersecurity alerts in audio form. The alerts are available in downloadable or podcast form on the CyberWire website. Many thanks to CyberWire for providing this free public service. It is a great example of community members working for the greater good of the security community.

The Bad

Sixt, a large player in the car rental and ride-hailing industry with approximately 2,000 locations in over 100 countries, disclosed that it was heavily impacted by a ransomware attack this week.

Reports indicate that an attack occurred on April 29, 2022. As a result, Sixt was forced to restrict access to all but the most critical IT systems.

Since then, the company has been working to remedy the disruption that Sixt employees and customers are facing. While the company claims they kept all outages to a minimum, Sixt cautioned that their customer care centers and branches could see temporary disruptions as remediation continues.

Reports indicate that Sixt was responding to phone inquiries with a recorded message stating that services were unavailable due to technical issues, and prompted callers to send their questions via email. In the interim, the company has also had to resort to processing bookings and transactions through pen and paper.

At the time of publication, there is little public information with regards to attribution or the source of the attack.

In other bad news this week, security experts noticed the emergence of Mindware, a new ransomware variant. Samples were observed as early as April 4th. The group responsible launches multi-pronged attacks, encrypting, extorting and publicly posting victims’ data.

The Ugly

According to a recent report from the Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) still looms large as a major presence in the threat landscape.

The IC3’s newest data indicates that BEC accounts for the highest total victim losses across multiple categories of cyber crime. The report also states that BEC campaigns increased 65% between mid 2019 and the end of 2021, with yearly losses reaching approximately 26 billion USD.

Source: IC3

The IC3 also detailed how BEC threat actors have evolved to get around existing preventative measures. To provide one example, the IC3 discussed a case where fraudsters leveraged virtual meeting platforms to hack emails, spoof business leaders’ credentials, and initiate fraudulent wire transfers. The transferred funds were immediately directed to cryptocurrency wallets and quickly dispersed, complicating recovery efforts.

There are a number of startling and unsettling results in this report. For example, the IC3 found that healthcare, public health, financial services, government facilities and critical manufacturing are the top targeted infrastructure verticals victimized by ransomware.

The IC3’s report goes on to indicate that Hong Kong and Thailand appear to be the top “final destinations” for fraudulently acquired funds. The report also provides updates on how attackers are using RATs more aggressively, as well as the ongoing use of COVID-19 as a social engineering lure.

The updated 2021 Internet Crime Report is currently available from the IC3 website. We encourage all to review the report and take any necessary action.

XDR Meets Identity Threat Detection and Response (ITDR)

Endpoint security is a significant concern for today’s organizations and has only grown more complex with the institutionalization of hybrid working. Cybercriminals also engage in modern attack tactics that include reusing stolen credentials, exploiting zero-day vulnerabilities, employing ransomware, and exploiting trusted insiders. Unfortunately, it only takes one mistake, poorly-secured device, or weak password to give attackers the opening they need to get inside the network. And once they’re in, they can move laterally with little resistance, seeking privileges and valuable data to encrypt or exfiltrate.

Identifying these threats early is critical. However, identity-based threat detection requires a different approach not found in traditional defenses. Most security teams use Endpoint Detection and Response (EDR) platforms as a primary incident response tool, alongside Endpoint Protection Platforms (EPPs) and other valuable tools. These solutions are a good starting point, but stopping today’s threats requires a more unified approach. Extended Detection and Response (XDR) solutions can improve the reliability and efficiency of security operations with enhanced detection and response capabilities. XDR solutions are a natural evolution of EDR, consolidating multiple security products into a single security incident detection and response platform capable of identifying suspicious activity in near-real-time.

Why XDR for Threat Detection and Incident Response?

Gartner refers to XDR solutions as “a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” This description effectively gets to the heart of the benefit that XDR offers. Today’s cybersecurity teams often employ many different tools, but XDR provides the ability to unify multiple telemetry streams and present options for numerous forms of detection and response.

It might sound similar to Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions, and while the comparison is in some ways accurate, XDR differs in speed and effectiveness. For example, organizations often use SIEM tools primarily for log storage and compliance, collecting information for later analysis but not offering real-time detection capabilities, which limits the value of such implementations. XDR solutions focus mainly on threat detection and incident response use cases, allowing them to add significant value to security deployments from the moment of installation.

Whether the attacker is human or automated, XDR solutions provide early and accurate threat detection and can quarantine a compromised endpoint instantly. Whereas reviewing logs or SIEM data might only reveal an attacker’s presence after leaving the endpoint, XDR solutions can lock them down in real-time.

How ITDR and Deception Fit With XDR

Identity Threat Detection and Response (ITDR) and cyber deception-based detections can enhance XDR platforms, which can correlate additional attack data and activate incident response actions.

ITDR solutions add layers of defense by efficiently detecting and responding to identity-based attacks. They protect against credential theft or privilege escalation on the endpoints and derail Active Directory identity compromises.

Deception technology provides a comprehensive detection fabric that blankets the network with deceptive credentials, shares, bait, and other decoys likely to draw an attacker’s attention early in the attack life cycle. Deception has proven to be a highly efficient way to trick attackers into revealing themselves. Traditional deception technology can also pair with concealment technology, which hides and denies access to production network assets, stopping attackers from leveraging credential stores, Active Directory objects, and data.

In addition to a high-fidelity detection alert, deception can also safely engage the attacker by steering them into a decoy and then sharing TTPs and IoCs with an XDR platform.

The Future of XDR

Attackers have learned how to evade security controls over the years. Compromising an endpoint and using stored credentials, querying Active Directory, moving laterally, and escalating privileges are hallmarks of today’s attackers. The extra intelligence that modern XDR solutions provide can make a significant difference in helping defenders identify and respond to suspicious or attack-related activity quickly, before adversaries can significantly infiltrate the network. However, as Peter Firstbrook from Gartner has stated, “XDR is not complete without ITDR.” Augmenting XDR with identity security and cyber deception can further enhance the effectiveness of this critical modern cybersecurity tool, improving the efficiency and capabilities of an already indispensable resource. As time goes on and attackers continue to grow more sophisticated, XDR, ITDR, and the adversary intelligence that deception technology provides will go a long way in preventing attackers from completing their mission successfully.

In May of 2022, we became the first XDR provider to natively include identity security for endpoints, identity infrastructure (Active Directory), and cloud environments with our acquisition of Attivo Networks.

Attivo’s Identity Suite
Ready to experience Attivo Networks, the market’s leading identity security suite?