The Good, the Bad and the Ugly in Cybersecurity – Week 14

The Good | Developer Uncovers Backdoor Planted in XZ Utils

Over the Easter weekend, software developer Andres Freund uncovered a backdoor hidden within XZ Utils, an open-source data compressor ubiquitous in nearly all Linux-based systems. Currently, the supply chain flaw is tracked as CVE-2024-3094 (CVSS score: 10.0) and is being described as what could have been a highly sophisticated outbreak rivaling even that of the SolarWinds supply chain attack of 2020.

The backdoor was likely a multi-year-long effort, intentionally planted by an XZ Utils project maintainer named Jia Tan (aka Jia Cheong Tan or JiaT75). Tan allegedly worked his way up to this role over the span of two years to establish legitimacy in his role before introducing a series of changes to the software in 2023.

The changes were eventually included in the data compressor’s February 2024 release, affecting XZ Utils versions 5.6.0 and 5.6.1. The backdoor made it to some Linux releases including Debian Unstable, Fedora Linux 40, Kali Linux, and Fedora Rawhide, which have all since been rolled back.

The backdoor targets sshd, the executable file responsible for remote SSH connections. With a specific encryption key, a threat actor could have embedded any code within an SSH login certificate, enabling them to upload and execute it on affected devices. Although no actual code uploads have been observed, the potential risks would have included theft of encryption keys or malware deployment.

Freund’s stroke of luck diverted the potential of a very serious supply chain attack, but the event is a sharp reminder to prioritize security in OSS maintenance. Since the discovery of the XZ Utils compromise, other open source software maintainers have commented on the problem of bullying in OSS projects and raised concerns that the XZ story may not be an isolated incident.

Regular audits, thorough code reviews, and prompt patching are essential to addressing threats effectively.

The Bad | Missouri County Declares State of Emergency After Ransomware Attack

Home to over 717,000 residents, one of the largest counties in Missouri was hit this week with a confirmed ransomware attack, disrupting several critical services. In the wake of the attack, Jackson County offices responsible for tax payment, marriage licensing, and inmate management systems have all shut down until further notice while investigations continue.

So far, law enforcement agencies, including the FBI and the Department of Homeland Security, have been notified, and external IT security experts are assisting in the ongoing incident response. The County Executive has also issued a state of emergency to expedite IT measures and service restoration.

County officials have also assured residents that the compromised systems did not store financial data – specifically, information handled by the Payit payment service provider, which is independently managed outside the county’s network. The county collaborates with Payit to provide secure resident engagement and payment services for property taxes, marriage licenses, and more.

The shutdowns happened on the same day as a special election held by the county to decide on a proposed sales tax aimed at financing a new stadium for the Kansas City MLB and NFL teams. Officials have emphasized that both the Jackson County Board of Elections and the Kansas City Board of Elections remain unaffected by the cyberattack, with no indication of data compromise and both boards continuing their normal operations.

The attack on the Missouri county is now the 18th of ransomware incidents on state and local governments since the start of 2024. Researchers note that government entities will continue to be targeted by transnational threat groups – a reality triggered by aging IT infrastructures of underfunded agencies as well as a widening gap in skilled cybersecurity professionals working in government.

The Ugly | DinodasRAT Backdoor Targets Linux Servers Across Eastern Hemisphere

New findings emerged this week of a Linux variant for DinodasRAT (aka XDealer), a multi-platform backdoor attributed to a number of China-linked APTs. Reporting on the latest series of attacks, security researchers note the new variant to be targeting entities in China, Taiwan, Turkey, and Uzbekistan.

The Linux version primarily targets Red Hat and Ubuntu systems. It establishes persistence using SystemV or SystemD startup scripts and communicates with remote servers for commands over TCP or UDP. Capabilities include file operations, process enumeration, shell command execution, and evasion techniques against detection tools.

An initial Linux variant (V10) was first spotted in early October 2023, with evidence tracing back to a previous version (V7) from July 2021.

DinodasRAT aims to gain and maintain control over infected machines with the main goals of data exfiltration and espionage. The backdoor creates a distinct identification code for every compromised device by combining the infection date, hardware details, and backdoor version. This code is then saved in a concealed configuration file, aiding in the monitoring and control of compromised systems. To operate covertly and avoid discovery, DinodasRAT alters file access timestamps, reducing its traceability and complicating efforts for security experts to identify and counter the threat.

The remote access trojan has cropped up in various threat campaigns over the past half year. In October 2023, attackers used DinodasRAT to spy on the Guyanese government. Just earlier this month, the trojan was seen again in the hands of Chinese APT group, Earth Krahang, to compromise both Linux and Windows systems of governments worldwide.

This string of attacks illustrate the maturing of China’s cyber espionage ecosystem, meaning sectors will need to continuously factor in geopolitical risks and focus their cyber strategy on building resilience.

Fake Lawsuit Threat Exposes Privnote Phishing Sites

A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers.

The real Privnote, at privnote.com.

Launched in 2008, privnote.com employs technology that encrypts each message so that even Privnote itself cannot read its contents. And it doesn’t send or receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read.

Privnote’s ease-of-use and popularity among cryptocurrency enthusiasts has made it a perennial target of phishers, who erect Privnote clones that function more or less as advertised but also quietly inject their own cryptocurrency payment addresses when a note is created that contains crypto wallets.

Last month, a new user on GitHub named fory66399 lodged a complaint on the “issues” page for MetaMask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. Fory66399 insisted that their website — privnote[.]co — was being wrongly flagged by MetaMask’s “eth-phishing-detect” list as malicious.

“We filed a lawsuit with a lawyer for dishonestly adding a site to the block list, damaging reputation, as well as ignoring the moderation department and ignoring answers!” fory66399 threatened. “Provide evidence or I will demand compensation!”

MetaMask’s lead product manager Taylor Monahan replied by posting several screenshots of privnote[.]co showing the site did indeed swap out any cryptocurrency addresses.

After being told where they could send a copy of their lawsuit, Fory66399 appeared to become flustered, and proceeded to mention a number of other interesting domain names:

You sent me screenshots from some other site! It’s red!!!!
The tornote.io website has a different color altogether
The privatenote,io website also has a different color! What’s wrong?????

A search at DomainTools.com for privatenote[.]io shows it has been registered to two names over as many years, including Andrey Sokol from Moscow and Alexandr Ermakov from Kiev. There is no indication these are the real names of the phishers, but the names are useful in pointing to other sites targeting Privnote since 2020.

DomainTools says other domains registered to Alexandr Ermakov include pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io.

A screenshot of the phishing domain privatemessage dot net.

The registration records for pirvnota[.]com at one point were updated from Andrey Sokol to “BPW” as the registrant organization, and “Tambov district” in the registrant state/province field. Searching DomainTools for domains that include both of these terms reveals pirwnote[.]com.

Other Privnote phishing domains that also phoned home to the same Internet address as pirwnote[.]com include privnode[.]com, privnate[.]com, and prevnóte[.]com. Pirwnote[.]com is currently selling security cameras made by the Chinese manufacturer Hikvision, via an Internet address based in Hong Kong.

It appears someone has gone to great lengths to make tornote[.]io seem like a legitimate website. For example, this account at Medium has authored more than a dozen blog posts in the past year singing the praises of Tornote as a secure, self-destructing messaging service. However, testing shows tornote[.]io will also replace any cryptocurrency addresses in messages with their own payment address.

These malicious note sites attract visitors by gaming search engine results to make the phishing domains appear prominently in search results for “privnote.” A search in Google for “privnote” currently returns tornote[.]io as the fifth result. Like other phishing sites tied to this network, Tornote will use the same cryptocurrency addresses for roughly 5 days, and then rotate in new payment addresses.

Tornote changed the cryptocurrency address entered into a test note to this address controlled by the phishers.

Throughout 2023, Tornote was hosted with the Russian provider DDoS-Guard, at the Internet address 186.2.163[.]216. A review of the passive DNS records tied to this address shows that apart from subdomains dedicated to tornote[.]io, the main other domain at this address was hkleaks[.]ml.

In August 2019, a slew of websites and social media channels dubbed “HKLEAKS” began doxing the identities and personal information of pro-democracy activists in Hong Kong. According to a report (PDF) from Citizen Lab, hkleaks[.]ml was the second domain that appeared as the perpetrators began to expand the list of those doxed.

HKleaks, as indexed by The Wayback Machine.

DomainTools shows there are more than 1,000 other domains whose registration records include the organization name “BPW” and “Tambov District” as the location. Virtually all of those domains were registered through one of two registrars — Hong Kong-based Nicenic and Singapore-based WebCC — and almost all appear to be phishing or pill-spam related.

Among those is rustraitor[.]info, a website erected after Russia invaded Ukraine in early 2022 that doxed Russians perceived to have helped the Ukrainian cause.

An archive.org copy of Rustraitor.

In keeping with the overall theme, these phishing domains appear focused on stealing usernames and passwords to some of the cybercrime underground’s busiest shops, including Brian’s Club. What do all the phished sites have in common? They all accept payment via virtual currencies.

It appears MetaMask’s Monahan made the correct decision in forcing these phishers to tip their hand: Among the websites at that DDoS-Guard address are multiple MetaMask phishing domains, including metarrnask[.]com, meternask[.]com, and rnetamask[.]com.

How profitable are these private note phishing sites? Reviewing the four malicious cryptocurrency payment addresses that the attackers swapped into notes passed through privnote[.]co (as pictured in Monahan’s screenshot above) shows that between March 15 and March 19, 2024, those address raked in and transferred out nearly $18,000 in cryptocurrencies. And that’s just one of their phishing websites.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “The Manipulaters,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

In May 2015, KrebsOnSecurity published a brief writeup about the brazen Manipulaters team, noting that they openly operated hundreds of web sites selling tools designed to trick people into giving up usernames and passwords, or deploying malicious software on their PCs.

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed as long as possible. Image: DomainTools.

The core brand of The Manipulaters has long been a shared cybercriminal identity named “Saim Raza,” who for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc. The term “FUD” in those names stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

A September 2021 story here checked in on The Manipulaters, and found that Saim Raza and company were prospering under their FudCo brands, which they secretly managed from a front company called We Code Solutions.

That piece worked backwards from all of the known Saim Raza email addresses to identify Facebook profiles for multiple We Code Solutions employees, many of whom could be seen celebrating company anniversaries gathered around a giant cake with the words “FudCo” painted in icing.

Since that story ran, KrebsOnSecurity has heard from this Saim Raza identity on two occasions. The first was in the weeks following the Sept. 2021 piece, when one of Saim Raza’s known email addresses — bluebtcus@gmail.com — pleaded to have the story taken down.

“Hello, we already leave that fud etc before year,” the Saim Raza identity wrote. “Why you post us? Why you destroy our lifes? We never harm anyone. Please remove it.”

Not wishing to be manipulated by a phishing gang, KrebsOnSecurity ignored those entreaties. But on Jan. 14, 2024, KrebsOnSecurity heard from the same bluebtcus@gmail.com address, apropos of nothing.

“Please remove this article,” Sam Raza wrote, linking to the 2021 profile. “Please already my police register case on me. I already leave everything.”

Asked to elaborate on the police investigation, Saim Raza said they were freshly released from jail.

“I was there many days,” the reply explained. “Now back after bail. Now I want to start my new work.”

Exactly what that “new work” might entail, Saim Raza wouldn’t say. But a new report from researchers at DomainTools.com finds that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.

DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

“Curiously, the large subset of identified Manipulaters customers appear to be compromised by the same stealer malware,” DomainTools wrote. “All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.”

A number of questions, indeed. The core Manipulaters product these days is a spam delivery service called HeartSender, whose homepage openly advertises phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me, to name a few.

A screenshot of the homepage of HeartSender 4 displays an IP address tied to fudtoolshop@gmail.com. Image: DomainTools.

HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.

However, DomainTools also found the hosted version of HeartSender service leaks an extraordinary amount of user information that probably is not intended to be publicly accessible. Apparently, the HeartSender web interface has several webpages that are accessible to unauthenticated users, exposing customer credentials along with support requests to HeartSender developers.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk for abuse, this domain will not be published.”

This is hardly the first time The Manipulaters have shot themselves in the foot. In 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that focuses on connecting cybercriminals to their real-life identities.

Currently, The Manipulaters seem focused on building out and supporting HeartSender, which specializes in spam and email-to-SMS spamming services.

“The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS,” DomainTools wrote. “Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit.”

Reached via email, the Saim Raza identity declined to respond to questions about the DomainTools findings.

“First [of] all we never work on virus or compromised computer etc,” Raza replied. “If you want to write like that fake go ahead. Second I leave country already. If someone bind anything with exe file and spread on internet its not my fault.”

Asked why they left Pakistan, Saim Raza said the authorities there just wanted to shake them down.

“After your article our police put FIR on my [identity],” Saim Raza explained. “FIR” in this case stands for “First Information Report,” which is the initial complaint in the criminal justice system of Pakistan.

“They only get money from me nothing else,” Saim Raza continued. “Now some officers ask for money again again. Brother, there is no good law in Pakistan just they need money.”

Saim Raza has a history of being slippery with the truth, so who knows whether The Manipulaters and/or its leaders have in fact fled Pakistan (it may be more of an extended vacation abroad). With any luck, these guys will soon venture into a more Western-friendly, “good law” nation and receive a warm welcome by the local authorities.

PinnacleOne ExecBrief | Geopolitical and Cyber Risk in the Portfolio

Last week, PinnacleOne examined the geopolitical dynamics and risks facing firms that do business or have key dependencies in China and highlighted principles to frame a China-for-China strategy given firm-specific threat models.

This week, we focus on the intersection of geopolitical and cyber risks facing western firms investing in strategic technologies and the dangers of oversharing.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Geopolitical and Cyber Risk in the Portfolio

In today’s rapidly evolving global landscape, the intersection of geopolitical and cyber risks poses significant challenges for private equity, multinational conglomerates, and venture capital firms. As these firms invest in companies operating in strategic technology domains, it is crucial to understand how the changing risk landscape affects their business interests. This week’s ExecBrief sheds light on the increasing threats faced by portcos, particularly those working on critical and emerging technologies and provides guidance on managing these risks effectively.

The Evolving Threat Landscape

Geopolitical dynamics driving strategic technology competition and the proliferation of offensive tools has created an increasingly hostile environment for high-growth firms. These companies are targeted for their valuable intellectual property (IP) in strategic technologies, their role in the digital supply chain, and their market position. In particular:

  1. The loss of critical IP or talent at an early stage can be devastating for a company, leaving it unable to compete or see its Total Addressable Market cut substantially by a fast-following (foreign) competitor (that may also receive covert state support).
  2. The impact of a cyber event can immediately threaten net asset values booked on the balance sheet. As seen in the case of the SolarWinds attack, a cyber incident can result in a significant drop in company value and create costly litigation expenses.
  3. The increasing scrutiny on board members’ roles and responsibilities in cybersecurity oversight, exemplified by the SEC’s additional rules for public companies, further emphasizes the importance of proactive cyber risk management and governance.

Geopolitical-Cyber Risk Factors

Companies working on critical and emerging technologies will find themselves in the geopolitical bullseye for targeting. No firm is too small to warrant the attention of nation-state actors if their IP, products, military/critical infrastructure customers, or talent are deemed strategically important. This heightened risk requires investment firms to be vigilant in assessing and managing the geopolitical-cyber risks faced by their portcos and strategic business units.

Furthermore, the evolving regulatory landscape–driven by national security, AI risk, and data privacy concerns–introduces additional challenges for multinationals and investment firms. Increasingly stringent policy regulations, export controls, and investment screening policies can impact:

  1. Portco operations
  2. Investment firm growth strategies
  3. IT infrastructures, and
  4. Portco security postures

The Danger of Oversharing

At the frontier of strategic technology investment, there is often an incentive for portcos and their funders to “hype” their capabilities and broadcast technical details and staffing information through media channels. While this may serve to attract investors and customers, success can also inadvertently draw the attention of malicious actors.

This is especially true for those firms conspicuously advertising themselves as aligned with and supporting national defense or intelligence interests. Traditionally, such firms in the Defense Industrial Base follow very strict operational security and eschew publicity for key innovations, except where used for strategic communications or political signaling.

Publicly sharing sensitive information about a company’s technical capabilities, key personnel, and ongoing projects can provide valuable intelligence to potential attackers. This information can be used to:

  1. Target specific individuals,
  2. Identify potential vulnerabilities in a company’s systems and facilities, and
  3. Justify to the attacker’s bureaucracy the prioritization of resources to target the firm.

Investment firms must be aware of these risks and work with their portcos to develop prudent operational security practices. This may involve:

  1. Establishing guidelines for public communications,
  2. Training employees on the risks of oversharing, and
  3. Implementing strict controls on the dissemination of sensitive information.

Managing Geopolitical-Cyber Risks

To effectively manage geopolitical-cyber risks, investment firms must adopt a comprehensive approach that integrates geopolitical-cyber risk intelligence, business strategy, and technology security considerations. This approach should be tailored to the specific composition of the firm’s portfolio and business units.

  1. Developing strategic threat models is a crucial first step in prioritizing risks to portco value chains. By considering the threat landscape, third-party/supply chain exposure, and shared customer exposure, firms can identify the most pressing risks and allocate resources accordingly.
  2. Capability assessments ensure that business objectives align with the security program and existing technical controls, given the identified threat model. This alignment is essential for maintaining the integrity and resilience of portcos in the face of evolving threats.
  3. Mitigating risks and strengthening resilience requires a combination of tactical control improvements and strategic security posture changes. Investment firms should provide business justification for these changes to ensure buy-in from portco leadership.

Finally, establishing cyber risk management programs is essential for long-term success. By integrating continuous geopolitical-cyber risk management into risk governance frameworks, diligence activities, training & exercises, security vendor selection, and strategic investment decision-making, firms can proactively address risks and maintain the value of their investments.

Navigating Towards Safety

The intersection of geopolitical and cyber risks presents significant challenges for private equity, multinational conglomerates, and venture capital firms operating at the technology frontier. As the threat landscape continues to evolve, it is imperative that firms adopt a proactive and comprehensive approach to managing these risks.

By understanding the unique risks faced by portcos operating in strategic technology domains, including the dangers of oversharing sensitive information, firms can take steps to mitigate threats, strengthen resilience, and protect the value of their investments.

Through the integration of geopolitical-cyber risk intelligence, business strategy, and technology security considerations, firms can navigate the complex risk landscape and position themselves for long-term success.