Alleged Member of Neo-Nazi Swatting Group Charged

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2018, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by him and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat incident in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwaffen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Investigators say on one of Kelley’s phones they found a photo of him and others in tactical gear holding automatic weapons next to pictures of Atomwaffen recruitment material and the neo-Nazi publication Siege.

As I reported last summer, several Deadnet members maintained a site on the Dark Web called the “Doxbin,” which listed the names, addresses, phone numbers and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family. After those indexed on the Doxbin were successfully swatted, a blue gun icon would be added next to the person’s name.

One of the core members of the group on Deadnet — an individual who used the nickname “Chanz,” among others — stated that he was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason (whose various books call on followers to start a violent race war in the United States).

Deadnet chat logs obtained by KrebsOnSecurity show that another key swatting suspect on Deadnet who used the handle “Zheme” told other IRC members in March 2019 that one of his friends had recently been raided by federal investigators for allegedly having connections to the person responsible for the mass shooting in October 2018 at the Tree of Life Jewish synagogue in Pittsburgh.

At one point last year, Zheme also reminded denizens of Deadnet about a court hearing in the murder trial of Sam Woodward, an alleged Atomwaffen member who’s been charged with killing a 19-year-old gay Jewish college student.

As reported by this author last year, Deadnet members targeted dozens of journalists whose writings they considered threatening to their worldviews. Indeed, one of the targets successfully swatted by Deadnet members was Pulitzer prize winning columnist Leonard G. Pitts Jr., whose personal information as listed on the Doxbin was annotated with a blue gun icon and the label “anti-white race/politics writer.”

In another Deadnet chat log seen by this author, Chanz admits to calling in a bomb threat at the UCLA campus following a speech by Milo Yiannopoulos. Chanz bragged that he did it to frame feminists at the school for acts of terrorism.

On a personal note, I sincerely hope this arrest is just the first of many to come for those involved in swatting attacks related to Deadnet and the Doxbin. KrebsOnSecurity has obtained information indicating that several members of my family also have been targeted for harassment and swatting by this group.

Finally, it’s important to note that while many people may assume that murders and mass shootings targeting people because of their race, gender, sexual preference or religion are carried out by so-called “lone wolf” assailants, the swatting videos created and shared by Deadnet members are essentially propaganda that hate groups can use to recruit new members to their cause.

The Washington Post reports that Kelley had his first appearance in federal court in Alexandria, Va. on Friday.

“His public defender did not comment on the allegations but said his client has ‘very limited funds,’” The Post’s courts reporter Rachel Weiner wrote.

The charge against Kelley of conspiracy to make threats carries up to five years in prison. The affidavit in Kelley’s arrest is available here (PDF).

Sisense nabs $100M at a $1B+ valuation for accessible big data business analytics

Sisense, an enterprise startup that has built a business analytics business out of the premise of making big data as accessible as possible to users — whether it be through graphics on mobile or desktop apps, or spoken through Alexa — is announcing a big round of funding today and a large jump in valuation to underscore its traction. The company has picked up $100 million in a growth round of funding that catapults Sisense’s valuation to over $1 billion, funding that it plans to use to continue building out its tech, as well as for sales, marketing and development efforts.

For context, this is a huge jump: The company was valued at only around $325 million in 2016 when it raised a Series E, according to PitchBook. (It did not disclose valuation in 2018, when it raised a venture round of $80 million.) It now has some 2,000 customers, including Tinder, Philips, Nasdaq and the Salvation Army.

This latest round is being led by the high-profile enterprise investor Insight Venture Partners, with Access Industries, Bessemer Venture Partners, Battery Ventures, DFJ Growth and others also participating. The Access investment was made via Claltech in Israel, and it seems that this led to some details of this getting leaked out as rumors in recent days. Insight is in the news today for another big deal: Wearing its private equity hat, the firm acquired Veeam for $5 billion. (And that speaks to a particular kind of trajectory for enterprise companies that the firm backs: Veeam had already been a part of Insight’s venture portfolio.)

Mature enterprise startups that have proven their business cases are going to be an ongoing theme in this year’s fundraising stories, and Sisense is part of that theme, with annual recurring revenues of over $100 million speaking to its stability and current strength. The company has also made some key acquisitions to boost its business, such as the acquisition of Periscope Data last year (coincidentally, also for $100 million, I understand).

Its rise also speaks to a different kind of trend in the market: In the wider world of business intelligence, there is an increasing demand for more digestible data in order to better tap advances in data analytics to use it across organizations. This was also one of the big reasons why Salesforce gobbled up Tableau last year for a slightly higher price: $15.7 billion.

Sisense, which brings in sleek end-user products along with a strong theme of harnessing the latest developments in areas like machine learning and AI to crunch the data and order it in the first place, represents a smaller and more fleet-of-foot alternative for its customers. “We found a way to make accessing data extremely simple, mashing it together in a logical way and embedding it in every logical place,” explained CEO Amir Orad to us in 2018.

“We have enjoyed watching the Sisense momentum in the past 12 months, the traction from its customers as well as from industry leading analysts for the company’s cloud native platform and new AI capabilities. That coupled with seeing more traction and success with leading companies in our portfolio and outside, led us to want to continue and grow our relationship with the company and lead this funding round,” said Jeff Horing, managing director at Insight Venture Partners, in a statement.

To note, Access Industries is an interesting backer which might also potentially shape up to be strategic, given its ownership of Warner Music Group, Alibaba, Facebook, Square, Spotify, Deezer, Snap and Zalando.

“Given our investments in market leading companies across diverse industries, we realize the value in analytics and machine learning and we could not be more excited about Sisense’s trajectory and traction in the market,” added Claltech’s Daniel Shinar in a statement.

Insight Partners acquires data management company Veeam for $5B

Last year Insight Partners invested $500 million in cloud data management company Veeam. It apparently liked the company so much that today it announced it has acquired the Swiss startup for $5 billion.

Veeam helps customers with cloud data backup and disaster recovery. The company, which has been based in Baar, Switzerland, says that it had $1 billion in revenue last year. It boasts 365,000 customers worldwide, including 81% of the Fortune 500.

Ray Wang, founder and principal analyst at Constellation Research, says that data management is an increasingly important tool for companies working with data on prem and in the cloud. “This is a smart move, as the data management space is rapidly consolidating. There’s a lot of investment in managing hybrid clouds, and data management is key to enterprise adoption,” Wang told TechCrunch.

The deal is coming with some major changes. Veeam’s EVP of Operations, William H. Largent, will be promoted to CEO. Danny Allan, who was VP of product strategy, will be promoted to CTO. In addition, the company will be moving its headquarters to the U.S. Veeam currently has around 1,200 employees in the U.S., but expects to expand that in the coming year.

New CEO Allan says in spite of their apparent success in the market, and the high purchase price, he believes under Insight’s ownership, the company can go further than it could have on its own. “While Veeam’s preeminence in the data management space, currently supporting 81% of the Fortune 500, is undeniable, this commitment from Insight Partners and deeper access to its unmatched business strategy [from its scale-up] division, Insight Onsite, will bring Veeam’s solutions to more businesses across the globe.”

Insight Onsite is Insight Partners’ strategy arm that is designed to help its portfolio companies be more successful. It provides a range of services in key business areas, like sales, marketing and product development.

Veeam has backup and recovery tools for both Amazon Web Services and Microsoft Azure, along with partnerships with a variety of large enterprise vendors, including Cisco, IBM, Dell EMC and HPE.

The company, which was founded in 2006, had a valuation of more than $1 billion prior to today’s acquisition, according to Crunchbase data. The deal is expected to close in the first quarter this year.

How some founders are raising capital outside of the VC world

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

Today, we’re exploring fundraising from outside the venture world.

Founders looking to raise capital to power their growing companies have more options than ever. Traditional bank loans are an option, of course. As is venture capital. But between the two exists a growing world of firms and funds looking to put capital to work in young companies that have growing revenues and predictable economics.

Firms like Clearbanc are rising to meet demand for capital with more risk appetite than a traditional bank looking for collateral, but less than an early-stage venture firm. Clearbanc offers growth-focused capital to ecommerce and consumer SaaS companies for a flat fee, repaid out of future revenues. Such revenue-based financing is becoming increasingly popular; you could say the category has roots in the sort of venture debt that groups like Silicon Valley Bank have lent for decades, but there’s more of it than ever and in different flavors.

While revenue-based financing, speaking generally, is attractive to SaaS and ecommerce companies, other types of startups can benefit from alt-capital sources as well. And, some firms that disburse money to growing companies without an explicit equity stake are finding a way to connect capital to them.

Today, let’s take a quick peek at three firms that have found interesting takes on providing alternative startup financing: Earnest Capital with its innovative SEAL agreement, RevUp Capital, which offers services along with non-equity capital, and Capital, which both invests and loans using its own proprietary rubric.

After all, selling equity in your company to fund sales and marketing costs might not be the most efficient way to finance growth; if you know you are going to get $3 out from $1 in spend, why sell forever shares to do so?

Your options

Before we dig in, there are many players in what we might call the alt-VC space. Lighter Capital came up again and again in emails from founders. Indie.vc has its own model that is pretty neat as well. In honor of starting somewhere, however, we’re kicking off with Earnest, RevUp and Capital. We’ll dive into more players in time. (As always, email me if you have something to share.)

Lawmakers Prod FCC to Act on SIM Swapping

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: plundering the victim’s financial accounts; hijacking their identities on social media platforms; viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also requires the FCC to respond as to whether there is anything in federal regulations that prevents mobile carriers from sharing with banks information about the most recent SIM swap date of a customer as a way to flag potentially suspicious login attempts — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”

The FCC did not immediately respond to requests for comment.

SIM SWAP (CRIM)INNOVATIONS

Legitimate SIM swaps are a common request for all carriers, and they usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

But unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down and wrest control over a great deal of their online identities and finances. What’s more, the security options available to wireless customers concerned about SIM swapping — such as personal identification number (PIN) codes — are largely ineffective against crooked or clueless mobile phone store employees.

A successful SIM swap may allow tormentors to access a victim’s email inbox even after the target has changed his or her password. For example, some email services allow customers to reset their passwords just by providing a piece of information that would likely only be known to the legitimate account holder, such as the month and year the account was created, or the name of a custom folder or label in the account previously created by the user.

One technique used by SIM swappers to regain access to hacked inboxes is to jot down this information once a SIM swap affords them the ability to reset the account’s password. Alternatively, SIM swappers have been known to create their own folders or labels in the hacked account to facilitate backdoor access later on.

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against 22-year-old alleged serial SIM swapper Nicholas Truglia, who stands accused of using the technique to siphon $24 million worth of cryptocurrencies from blockchain investor Michael Terpin.

But experts say the few arrests that have been made in conjunction with SIM swapping attacks have pushed many involved in this crime to enlist help from co-conspirators who are minors and thus largely outside the reach of federal prosecutors.

For his part, Terpin sent an open letter to FCC commissioners in October 2019, urging them to mandate that wireless carriers provide a way for customers to truly lock down their accounts against SIM swapping, even if that means requiring an in-person visit to a store or conversation with the carrier’s fraud department.

In an interview with KrebsOnSecurity, Terpin said the FCC has so far abdicated its responsibility over the carriers on this matter.

“It took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars,” Terpin said. “Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

Want to read more about SIM swapping? Check out Busting SIM Swappers and SIM Swap Myths, or view the entire catalog of stories on the topic here.

What is the True Cost of a Ransomware Attack? | 6 Factors to Consider

The end-of-year summary season is gone, and among all the scary and shocking statistics, there is one number that looms above all others. It is estimated that ransomware cost the United States more than $7.5 billion last year. And indeed, we’ve heard of countless ransomware incidents and seen an explosion of build-your-own ransomware RaaS projects making it easier for unsophisticated criminals to get in on the act. And yet, when you add up the numbers and calculate the average payout, those dollar amounts don’t paint the entire picture of the financial burden suffered by organizations hit by these kinds of criminal attacks. In this post, we’ll look at the six true costs of a ransomware attack.


1. Direct Cost: The Ransom Payment

Of course, the up-front ransomware payment is the headline figure, but it’s only one – and not necessarily the largest – factor in the overall cost that ransomware imposes on its victims.

That said, in Q3 of 2019, we saw the average ransom payment increase by 13% to $41,198, compared to $36,295 in Q2 of 2019.

Ryuk ransomware is largely responsible for the massive increase in ransomware payments. The malware operators demand an average of $288,000 for the release of systems, compared to the $10,000 average price demanded by other criminal gangs.

2. Indirect Cost: Enforced Downtime

Indirect costs are the costs of business interruption associated with a ransomware attack. Business interruption costs are often five to ten times higher than direct costs.

Calculating the actual cost of downtime can be challenging as it has different effects on different businesses and organizations. For SMBs, the average cost of downtime in 2019 comes out at $141,000, a more than 200 percent increase over last year’s average downtime cost of $46,800. This is more than 20 times higher than the average ransom request from SMBs, which is $5,900.

In the public sector, 42% of organizations have suffered a ransomware incident in the last 12 months, with 73% of those experiencing two or more days of downtime as a result. For enterprise, the average downtime in Q3 2019 was 12.1 days, according to a Ponemon Institute study, and the overall cost estimated at $740,357. This leads to the additional cost of operational shutdown, which can have a truly staggering impact on the bottom line, as aluminum manufacturer Norsk discovered when it suffered from a ransomware attack that caused cumulative damage of $55 million. Attacks on municipalities can be costly as well. A recent attack on New Orleans is estimated to have cost the city $1 million, and an earlier attack on Baltimore is estimated to total $18 million in damage.

3. Indirect Cost: Reputation Loss

Unlike the stealthy cyber attacks of the past, ransomware attacks are both highly destructive and visible, leaving victims with no choice but to make it known to the public that they have been breached.

That public admission can often result in outcry and disapproval from customers, investors and other stakeholders. While the data can be restored, it’s not always so easy to restore public trust, particularly if disclosure is not handled in a timely and transparent manner. This can have adverse effects on retaining existing clients, generating future business and even negatively affect the company’s stock prices.

4. Indirect Cost: Liability

Ransomware attacks can lead to very unhappy clients, and these clients in turn could resort to legal means for some compensation. That’s what happened to DCH Health Systems after a ransomware attack on Alabama Hospitals in December 2019. Subsequently, patients filed a class action lawsuit against the company, alleging privacy violations, negligence and medical care disruption.

While it’s always possible that companies can fall foul of libel suits for such issues without ransomware being involved, the fact that ransomware was involved made the incident public and the case for compensation easier. In addition, cyber criminals have started to expose stolen data, which could lead to potential embarrassments for the victimized organization and further lawsuits from clients whose data is leaked.

5. Indirect Cost: Collateral Damage

As with any type of cyber infection, victims should expect the full gamut of damage, even if it’s not directly related to the attack. In one such incident, as reported by Brian Krebs, a company initially infected with Ryuk ransomware had its entire credentials stolen and then reused for all sorts of malicious activities, in part with the help of another notorious malware family, Emotet.

While this may not be typical behaviour of many ransomware-related hackers, who usually go directly for the quick payout, it does show the potential for further collateral damage from such incidents.

6. Indirect Cost: Data Loss

And unfortunately, after all the damage caused by the attack itself, paying the ransom does not guarantee the safe retrieval of the victim’s encrypted data. Recently, it was discovered that the data recovery mechanism used by Ryuk is faulty, causing an incomplete recovery of some types of files and leading to data loss even if the victim had paid the ransom demand.

In other cases, hackers have been known to simply walk away and never bother to provide the decryption keys, leaving the hapless victim out of pocket and their data lost forever.

Is This The End?

Ransomware attacks can be deadly for businesses, which might never recover from the financial burden caused by the direct and indirect damage inflicted. In one such case, a US fundraising firm has been forced to close its doors after more than 60 years in business following a crippling ransomware attack in October. The company had paid the ransom, but nonetheless it was unable to get back on its feet and had to close shop in late December, making it a very unhappy Christmas for all its employees.

Summary

When trying to assess the potential risk emanating from ransomware attacks, businesses should factor in all these aspects: the payout, downtime, damage to reputation, data loss and more. Once all these have been taken into consideration, it is advisable to seek a trusted endpoint solution to provide maximum security against ransomware and complement it with proper backup systems and business continuity procedures. It’s also advised to purchase suitable cyber insurance to reduce the risk even further.


Tricky Phish Angles for Persistence, Not Passwords

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page — login.microsoftonline.com. Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page:

This phishing link asks users to log in at Microsoft’s real Office 365 portal (login.microsoftonline.com).

Only by copying and pasting the link or by scrolling far to the right in the URL bar can we detect that something isn’t quite right:

Notice this section of the URL (obscured off-page and visible only by scrolling to the right quite a bit) attempts to grant a malicious app hosted at officesuited.com full access to read the victim’s email and files stored at Microsoft’s Office 365 service.

As we can see from the URL in the image directly above, the link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com. From there, the user will be presented with a prompt that says an app is requesting permissions to read your email, contacts, OneNote notebooks, access your files, read/write to your mailbox settings, sign you in, read your profile, and maintain access to that data.

Image: PhishLabs

According to PhishLabs, the app that generates this request was created using information apparently stolen from a legitimate organization. The domain hosting the malicious app pictured above — officemtr[.]com — is different from the one I saw in late December, but it was hosted at the same Internet address as officesuited[.]com and likely signed using the same legitimate company’s credentials.

PhishLabs says the attackers are exploiting a feature of Outlook known as “add-ins,” which are applications built by third-party developers that can be installed either from a file or URL from the Office store.

“By default, any user can apply add-ins to their outlook application,” wrote PhishLabs’ Michael Tyler. “Additionally, Microsoft allows Office 365 add-ins and apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process.”

In an interview with KrebsOnSecurity, Tyler said he views this attack method more like malware than traditional phishing, which tries to trick someone into giving their password to the scammers.

“The difference here is instead of handing off credentials to someone, they are allowing an outside application to start interacting with their Office 365 environment directly,” he said.

Many readers at this point may be thinking that they would hesitate before approving such powerful permissions as those requested by this malicious application. But Tyler said this assumes the user somehow understands that there is a malicious third-party involved in the transaction.

“We can look at the reason phishing is still around, and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make,” he said. “Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate, and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

The scary part about this attack is that once a user grants the malicious app permissions to read their files and emails, the attackers can maintain access to the account even after the user changes his password. What’s more, Tyler said the malicious app they tested was not visible as an add-in at the individual user level; only system administrators responsible for managing user accounts could see that the app had been approved.

Furthermore, even if an organization requires multi-factor authentication at sign-in, recall that this phish’s login process takes place on Microsoft’s own Web site. That means having two-factor enabled for an account would do nothing to prevent a malicious app that has already been approved by the user from accessing their emails or files.

Once given permission to access the user’s email and files, the app will retain that access until one of two things happens: Microsoft discovers and disables the malicious app, or an administrator on the victim user’s domain removes the program from the user’s account.

Expecting swift action from Microsoft might not be ideal: From my testing, Microsoft appears to have disabled the malicious app being served from officesuited[.]com sometime around Dec. 19 — roughly one week after it went live.

In a statement provided to KrebsOnSecurity, Microsoft Senior Director Jeff Jones said the company continues to monitor for potential new variations of this malicious activity and will take action to disable applications as they are identified.

“The technique described relies on a sophisticated phishing campaign that invites users to permit a malicious Azure Active Directory Application,” Jones said. “We’ve notified impacted customers and worked with them to help remediate their environments.”

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here. Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

PhishLabs’ Tyler said he disagrees with Microsoft here, and encourages Office 365 administrators to block users from installing apps altogether — or at the very least restrict them to apps from the official Microsoft store.

Apart from that, he said, it’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.

“If an organization were to fall prey to this, your traditional methods of eradicating things involve activating two-factor authentication, clearing the user’s sessions, and so on, but that won’t do anything here,” he said. “It’s important that response teams know about this tactic so they can look for problems. If you can’t or don’t want to do that, at least make sure you have security logging turned on so it’s generating an alert when people are introducing new software into your infrastructure.”

macOS Security Updates Part 1 | Discovering Changes to XProtect & Friends

Researching threats on macOS involves not only keeping up with what threat actors are doing but also with what Apple are doing in terms of updating their built-in tools like XProtect, Gatekeeper, and MRT.app. Apple is renowned (or perhaps notorious…) for its tendency toward security opacity and obfuscation, and it has long had an aversion to publicly sharing its threat intel with the wider security community. Given both Apple’s vast resources and its privileged position in vetting developers and signed software, the company has a unique ability to see threats addressing its platform that other security researchers do not. For this reason, it is important that researchers tap into Apple’s security updates to see what new threats they may have found, and to check that their own solutions already have such threats covered in the event that Apple’s own tools fail to protect the end user.

In this new series of posts, I want to share some examples of how you can go about staying informed of what Apple update and when they do it. Although there are some commercial tools and scripts that either do or have tried to address these questions, it’s a simple enough matter to “roll your own” check and notification scripts, which we will look at in this post. Later, we’ll look at how to run diffs on the plists, SQL databases and binaries involved to see what changes have been made. These should serve well enough to help you build your own tools to check on and analyse new Apple security updates.

image of macos security updates part 1

Discovering macOS Security Updates: the Hard Way

Unlike on some other platforms, Apple’s security updates are invisible to users. They occur transparently in the background without notification or user interaction, unless the user happens to have disabled these updates in System Preferences (not recommended, by the way), in which case they don’t happen at all.

image of system preferences advanced

In that case, or if you just want to manually check what’s going on, you can run a software update check from the Terminal. Although the softwareupdate tool isn’t specifically limited to security updates, there are some useful commands available here that allow you to drill down on those in particular. The man page is informative, but there are also some hidden commands, such as background-critical, that it doesn’t mention. If you’re interested, try running strings on the binary and perusing what you find. For example:

$ strings -a $(which softwareupdate) | grep -A10 -B10 critical

You can also check the history of earlier security updates that the machine has received in a couple of ways, too. From the command line, you could explore system_profiler:

$ system_profiler SPInstallHistoryDataType | grep -i -A2 -B2 xprotect

image of system profiler

Alternatively, if you prefer the GUI, hold down the Option key, choose System Information… from the Apple menu and scroll down to “Installations”. Incidentally, I regard it as a bug (one reported many years ago) that these two methods don’t show equivalent timestamps for the same installation, even after accounting for the two methods’ use of different timezones and locales.

image of system information

Automating Security Update Checks

While those mechanisms are all well and good for their intended purpose, they won’t help us keep informed of changes as they happen, unless we have little else to do than constantly check for updates, and they won’t offer us the fine-grained detail we need to see what has actually changed in the latest update, either. Fortunately, we can do better. We can build a script that will pull Apple’s software update catalog and parse it for the specific kinds of updates that we’re interested in, namely, XProtect, MRT and Gatekeeper.

At this point, some readers might be thinking: why not just monitor the local version of these files for changes? Indeed, several years ago I built and distributed a free tool that did just that, but there’s a problem with that approach. Apple do not roll out these updates evenly. Geographically, users in different regions can see these updates sometimes days apart, and there’s plenty of anecdotal evidence in various user forums of some machines not receiving updates when others do, even on the same network. For those reasons, simply waiting for the updates to arrive on your local machine isn’t a particularly reliable or punctual way to find out what new threats Apple’s security updates are addressing.

Returning to our script, then, once we’ve built and tested it, there are a couple of other tasks we’ll need to take care of. The first is setting up a schedule to run the script at a chosen interval. The second is to implement some form of notification to alert us that an update has been posted. Beyond that, we will also want some “quick wins” for parsing the differences found in each update. That’ll be the subject of further posts. For now, let’s take a look at how to build a script to look for changes, run it on a schedule and get notifications of updates.

Finding Apple’s Software Update Catalog

To build our script, the first thing we need is the URL of Apple’s software update catalog. To find that, let’s see what the softwareupdate utility can tell us.

Running strings on the utility and grepping it for https turns out not to be very helpful.

image of software update

Since we know the utility has to reach out to a download server at some point, perhaps it’s called with code from a shared library. Let’s check to see what shared libraries the utility calls with otool and the L switch.

image of otool

That private framework looks promising. Let’s try grepping that for network calls.

image of private framework

Bingo! As you can see, there’s more than one, and the URL does change from time to time, so it’s worth knowing how to find this catalog address. The latest one available on this system (a 10.14 macOS install) is the final sucatalog entry shown above. However, if we run the same technique on a 10.15 machine, we get:

https://swscan.apple.com/content/catalogs/others/index-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Fortunately, I don’t need to be running a 10.15 machine to download and parse that 10.15 catalog file, so we’ll use this URL so that we can see changes made for 10.15 as well. To see what the catalog looks like, change to a convenient working directory in Terminal and issue a CURL command to download it; it’s simply an ASCII text file of around 6MB.

$ curl -sL https://swscan.apple.com/content/catalogs/others/index-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog -o sucatalog_latest

Yes, that’s a pretty large text file, containing some 90,000+ lines!

$ cat sucatalog_latest | wc -l
-> 90151

That’s because the catalog contains entries for a wide variety of software updates going as far back as 2008 and, as the name implies, covering versions as far back as Snow Leopard! Let’s find the date of the last posted update:

$ grep -A1 PostDate sucatalog_latest | tail -n 1
-> 2019-12-18T19:16:33Z

Creating a Script To Check for Apple Security Updates

Great. Now from here on in, better scripters than I will have their own ideas on how best to parse this, and no doubt some will prefer to use Python, or Perl, or whatever their favorite scripting language is. When it comes to this kind of thing, I’m a “quick and dirty” scripter focused on getting the result rather than the niceties or aesthetics of efficient coding. In short, I don’t promise this is the best way of parsing the catalog, so feel free to adapt or improve the ideas here for your own use case.

To make a quick and easy tool that can notify us of changes to the catalog, we’ll do a diff on the latest version and a locally saved one. If you’ve already pulled down the catalog from above, make sure you rename it to sucatalog to be consistent with the script that follows and save it in ~/Documents/Security_Updates/. Inside that folder, create another folder called Changes.

The script will begin by changing the current working directory to the Security_Updates folder. It’ll then pull down the most recent copy of the catalog and diff it against the previous one that you saved earlier. If there are any changes, our script will first write these out to a temporary file called diff.txt.

image of bash script start

As a quick check, we ensure the diffs, if any, contain a new PostDate (we don’t care if there’s been some other change that wasn’t a new item posted to the catalog). Then, we’ll use some regexes to search for the kind of changes we’re interested in. If we find any, we’ll pull out the URLs and save them to a separate file.

image of bash script middle

After the conditional has been evaluated, we’ll clean up any of our temp files and replace the local saved copy of the sucatalog with the one we just downloaded, ready for the next time.

image of bash script end
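The same download, diff, filter and record steps as a Python script, added here as an example rather than the post’s own bash script. It assumes the folder layout described above (~/Documents/Security_Updates holding the saved sucatalog copy and a Changes/ subfolder) and assumes Apple’s package file names contain XProtect, MRTConfigData or GatekeeperConfigData; the catalog excerpts at the bottom are constructed so the parsing can be exercised offline.

```python
"""Poll Apple's software update catalog and report new XProtect, MRT and
Gatekeeper packages by diffing it against the previously saved copy.

Added example in Python, not the post's own bash script. It assumes the folder
layout the post describes (~/Documents/Security_Updates with a saved copy named
"sucatalog" and a Changes/ subfolder) and that Apple's package file names
contain XProtect, MRTConfigData or GatekeeperConfigData (an assumption).
"""
import difflib
import re
import subprocess
import urllib.request
from pathlib import Path

CATALOG_URL = ("https://swscan.apple.com/content/catalogs/others/"
               "index-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-"
               "lion-snowleopard-leopard.merged-1.sucatalog")
WORK_DIR = Path.home() / "Documents" / "Security_Updates"
SAVED_CATALOG = WORK_DIR / "sucatalog"
CHANGES_FILE = WORK_DIR / "Changes" / "Latest_Changes.txt"

INTERESTING_PKG = re.compile(r"XProtect|MRTConfigData|GatekeeperConfigData", re.I)
PKG_URL_RE = re.compile(r"<string>(https?://[^<]+\.pkg)</string>")
DATE_RE = re.compile(r"<date>([^<]+)</date>")


def added_lines(old_text, new_text):
    """Return the lines present in new_text but not in old_text (the '+' side of a diff)."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def find_security_updates(old_text, new_text):
    """Return (new_post_dates, interesting_pkg_urls) for the changes between two catalogs.

    As in the post's script, a change only counts when the diff introduces a new
    PostDate, i.e. a new item was posted; incidental edits to existing entries
    (a re-hosted URL, say) are ignored.
    """
    added = added_lines(old_text, new_text)
    if not any("PostDate" in line for line in added):
        return [], []
    dates = [d for line in added for d in DATE_RE.findall(line)]
    urls = [u for line in added for u in PKG_URL_RE.findall(line)
            if INTERESTING_PKG.search(u)]
    return dates, urls


def notify(message):
    """Fire a macOS notification banner via osascript (the post's simplest option)."""
    subprocess.run(["osascript", "-e",
                    f'display notification "{message}" with title "Apple Security Update"'],
                   check=False)


def main():
    """Download, diff, record any changes, then keep the new copy for next time."""
    CHANGES_FILE.parent.mkdir(parents=True, exist_ok=True)
    with urllib.request.urlopen(CATALOG_URL, timeout=60) as resp:
        latest = resp.read().decode("utf-8", errors="replace")
    previous = SAVED_CATALOG.read_text(errors="replace") if SAVED_CATALOG.exists() else ""
    dates, urls = find_security_updates(previous, latest)
    if urls:
        # Writing this file is what a Folder Action on Changes/ would pick up.
        CHANGES_FILE.write_text("\n".join(dates + urls) + "\n")
        notify(f"{len(urls)} new XProtect/MRT/Gatekeeper package(s) posted")
    SAVED_CATALOG.write_text(latest)


# Constructed catalog excerpts for offline testing; not real catalog content.
SAMPLE_OLD = """<dict>
<key>PostDate</key>
<date>2019-12-18T19:16:33Z</date>
<key>Packages</key>
<array>
<dict><key>URL</key><string>https://swdist.apple.com/content/downloads/00/11/example/MRTConfigData_10_15.pkg</string></dict>
</array>
</dict>
"""
SAMPLE_NEW = SAMPLE_OLD + """<dict>
<key>PostDate</key>
<date>2020-01-07T18:02:10Z</date>
<key>Packages</key>
<array>
<dict><key>URL</key><string>https://swdist.apple.com/content/downloads/22/33/example/XProtectPlistConfigData_10_15.pkg</string></dict>
<dict><key>URL</key><string>https://swdist.apple.com/content/downloads/22/33/example/SafariUpdate.pkg</string></dict>
</array>
</dict>
"""

if __name__ == "__main__":
    main()
```

Schedule it with the same cron one-liner as the bash version (pointing at this file instead), or keep the Folder Action on Changes/ as the notification channel and drop the notify() call.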

Setting Up a Schedule

Setting up a schedule to run the script can be as easy or as hard as you like. The ‘proper’ way is probably to run it as a user Launch Agent. These aren’t that hard to create, but it’s easy to make tiny errors in the XML that can be difficult to debug. You can make your life easier if there are some existing agents in your ~/Library/LaunchAgents folder. If so, make a copy of any one of them, rename it, and then replace the label and appropriate keys with your own values. Delete any keys you don’t need.

A more efficient method, at least to my mind, is to run a cronjob. These are trivially easy to create with a one-liner. Assuming you call the script suCatalogScript.sh and insert your own username as appropriate, the following command will install a cronjob that calls the script 5 minutes past every hour while you’re logged in:

$ echo '05 */1 * * * /Users//Documents/Security_Updates/suCatalogScript.sh' | crontab -

Note: if you have existing cron jobs, don’t use this method, as it’ll overwrite them! Instead, use the -e switch to edit your crontab. See the crontab man page for more details.

Setting Up Notifications

The final thing we need to set up is a notification system. We have a couple of choices. We could simply add some osascript to the suCatalogScript.sh that will fire off a notification banner. This is certainly the easiest solution.

image of osascript display notification

Alternatively, you could plump for a dialog alert, replacing the osascript above with that shown below, making sure to escape all those quote marks and the exclamation mark, if you use it.

image of osascript display dialog

The advantage of a dialog alert over a display notification is you can use an arbitrarily long message, perhaps reminding yourself where to look to view the changes, and dialog alerts are not so easy to miss as notifications can be.

Personally, I prefer to keep the script and the notification mechanisms separate, which was the reason for saving the Latest_Changes.txt file to a separate Changes folder. With that folder dedicated to only holding this file, we can set up a Folder Action that will alert us whenever that folder is modified. Not so long ago, Folder Actions were a bit flaky, but they’ve become much more reliable in recent versions of macOS. Folder Actions are also pretty simple to set up and manage. You can learn about them and how to set them up here.

Conclusion

In this post, we’ve “rolled our own” notification system to tell us when Apple have made changes to Gatekeeper, MRT and XProtect. But simply being notified of the changes is only half (or less than half!) of the task. The major work involves finding out what has changed. Deobfuscating and running diffs on XProtect’s property list files, Gatekeeper’s SQL databases and MRT.app’s macho binary involves a variety of different techniques, given the different file structures and formats involved, and that’s exactly what we’ll start getting into in the next post!

If you enjoyed this post on Apple’s macOS Security Updates and would like to be notified of when the next one is up, please subscribe to the blog’s weekly newsletter (form to the left) or follow us on social media (links below the line). I hope to see you next time!



Despite JEDI loss, AWS retains dominant market position

AWS took a hard blow last year when it lost the $10 billion, decade-long JEDI cloud contract to rival Microsoft. Yet even without that mega deal for building out the nation’s Joint Enterprise Defense Infrastructure, the company remains fully in control of the cloud infrastructure market — and it intends to fight that decision.

In fact, AWS still owns almost twice as much cloud infrastructure market share as Microsoft, its closest rival. While the two will battle over the next decade for big contracts like JEDI, for now, AWS doesn’t have much to worry about.

There was a lot more to AWS’s year than simply losing JEDI. Per usual, the news came out with a flurry of announcements and enhancements to its vast product set. Among the more interesting moves was a shift to the edge, the fact the company is getting more serious about the chip business and a big dose of machine learning product announcements.

The fact is that AWS has such market momentum now, it’s a legitimate question to ask if anyone, even Microsoft, can catch up. The market is continuing to expand though, and the next battle is for that remaining market share. AWS CEO Andy Jassy spent more time than in the past trashing Microsoft at 2019’s re:Invent customer conference in December, imploring customers to move to the cloud faster and showing that his company is preparing for a battle with its rivals in the years ahead.

Numbers, please

AWS closed 2019 on a $36 billion run rate, growing from $7.43 billion in its first report in January to $9 billion in earnings for its most recent earnings report in October. Believe it or not, according to CNBC, that number failed to meet analysts’ expectations of $9.1 billion, but still accounted for 13% of Amazon’s revenue in the quarter.

Regardless, AWS is a juggernaut, which is fairly amazing when you consider that it started as a side project for Amazon.com in 2006. In fact, if AWS were a stand-alone company, it would be a substantial business. While growth slowed a bit last year, that’s inevitable when you get as large as AWS, says John Dinsdale, VP, chief analyst and general manager at Synergy Research, a firm that follows all aspects of the cloud market.

“This is just math and the law of large numbers. On average over the last four quarters, it has incremented its revenues by well over $500 million per quarter. So it has grown its quarterly revenues by well over $2 billion in a twelve-month period,” he said.

Dinsdale added, “To put that into context, this growth in quarterly revenue is bigger than Google’s total revenues in cloud infrastructure services. In a very large market that is growing at over 35% per year, AWS market share is holding steady.”

Dinsdale says the cloud infrastructure market didn’t quite break $100 billion last year, but even without full Q4 results, his firm’s models project a total of around $95 billion, up 37% over 2018. AWS has more than a third of that. Microsoft is way back at around 17% with Google in third with around 8 or 9%.

While this is from Q1, it illustrates the relative positions of companies in the cloud market. Chart: Synergy Research

JEDI disappointment

It would be hard to do any year-end review of AWS without discussing JEDI. From the moment the Department of Defense announced its decade-long, $10 billion cloud RFP, it has been one big controversy after another.

The Hidden Cost of Ransomware: Wholesale Password Theft

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

EERIE EMAILS

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VCPI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

“We were bitten with releasing evidence before hence we have stopped this even in our ransoms,” the anonymous person wrote. “If you want proof we have hacked T-Systems as well. You may confirm this with them. We havent [sic] seen any Media articles on this and as such you should be the first to report it, we are sure they are just keeping it under wraps.” Security news site Bleeping Computer reported on the T-Systems Ryuk ransomware attack on Dec. 3.

In our Dec. 4 interview, VCPI’s acting chief information security officer — Mark Schafer, CISO at Wisconsin-based SVA Consulting — confirmed that the company received a nearly identical message that same morning, and that the wording seemed “very similar” to the original extortion demand the company received.

However, Schafer assured me that VCPI had indeed rebuilt its email network following the intrusion and strictly used a third-party service to discuss remediation efforts and other sensitive topics.

‘LIKE A COMPANY BATTLING A COUNTRY’

Christianson said several factors stopped the painful Ryuk ransomware attack from morphing into a company-ending event. For starters, she said, an employee spotted suspicious activity on their network in the early morning hours of Saturday, Nov. 16. She said that employee then immediately alerted higher-ups within VCPI, who ordered a complete and immediate shutdown of the entire network.

“The bottom line is at 2 a.m. on a Saturday, it was still a human being who saw a bunch of lights and had enough presence of mind to say someone else might want to take a look at this,” she said. “The other guy he called said he didn’t like it either and called the [chief information officer] at 2:30 a.m., who picked up his cell phone and said shut it off from the Internet.”

Schafer said another mitigating factor was that VCPI had contracted with a third-party roughly six months prior to the attack to establish off-site data backups that were not directly connected to the company’s infrastructure.

“The authentication for that was entirely separate, so the lateral movement [of the intruders] didn’t allow them to touch that,” Schafer said.

Schafer said the move to third-party data backups coincided with a comprehensive internal review that identified multiple areas where VCPI could harden its security, but that the attack hit before the company could complete work on some of those action items.

“We did a risk assessment which was pretty much spot-on, we just needed more time to work on it before we got hit,” he said. “We were doing the right things, just not fast enough. If we’d had more time to prepare, it would have gone better. I feel like we were a company battling a country. It’s not a fair fight, and once you’re targeted it’s pretty tough to defend.”

WHOLESALE PASSWORD THEFT

Just after receiving a tip from a reader about the ongoing Ryuk infestation at VCPI, KrebsOnSecurity contacted Milwaukee-based Hold Security to see if its owner Alex Holden had any more information about the attack. Holden and his team had previously intercepted online traffic between and among multiple ransomware gangs and their victims, and I was curious to know if that held true in the VCPI attack as well.

Sure enough, Holden quickly sent over several logs of data suggesting the attackers had breached VCPI’s network on multiple occasions over the previous 14 months.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said at the time. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”

Holden said it appears the intruders laid the groundwork for the VCPI attack using Emotet, a powerful malware tool typically disseminated via spam.

“Emotet continues to be among the most costly and destructive malware,” reads a July 2018 alert on the malware from the U.S. Department of Homeland Security. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat.”

According to Holden, after using Emotet to prime VCPI’s servers and endpoints for the ransomware attack, the intruders deployed a module of Emotet called Trickbot, which is a banking trojan often used to download other malware and harvest passwords from infected systems.

Indeed, Holden shared records of communications from VCPI’s tormentors suggesting they’d unleashed Trickbot to steal passwords from infected VCPI endpoints that the company used to log in at more than 300 Web sites and services, including:

-Identity and password management platforms Auth0 and LastPass
-Multiple personal and business banking portals
-Microsoft Office365 accounts
-Direct deposit and Medicaid billing portals
-Cloud-based health insurance management portals
-Numerous online payment processing services
-Cloud-based payroll management services
-Prescription management services
-Commercial phone, Internet and power services
-Medical supply services
-State and local government competitive bidding portals
-Online content distribution networks
-Shipping and postage accounts
-Amazon, Facebook, LinkedIn, Microsoft and Twitter accounts

Toward the end of my follow-up interview with Schafer and VCPI’s Christianson, I shared Holden’s list of sites for which the attackers had apparently stolen internal company credentials. At that point, Christianson abruptly ended the interview and got off the line, saying she had personal matters to attend to. Schafer thanked me for sharing the list, noting that it looked like VCPI probably now had a “few more notifications to do.”

Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.

Out of an abundance of caution, this process should be done from a pristine (preferably non-Windows-based) system that does not reside within the network compromised by the attackers. In addition, full use should be made of the strongest method available for securing these passwords with multi-factor authentication.