Cybersecurity Week in Review: 05/17/21
Posted by: GuidePoint Security
This week, we review news about problems with Android apps, including zero-days and apps exposing user data. We also look at some updated ransomware, including one that targets disk partitions and another with worming features, as well as new warnings about Conti. Finally, we review some interesting malware, including a malware campaign that pretends to be ransomware and malware impersonating a major US bank.
- Android Anxiety: Leaks, Vulnerabilities, and Zero-days
- The Ransomware Battle Continues: New Updates, Variants, and Warnings
- RATs in the Sewers: Two Notable RAT Campaigns Disclosed Last Week
- Final Words
Android Anxiety: Leaks, Vulnerabilities, and Zero-days
What You Need to Know
Android figured prominently in the news last week, starting with the disclosure that several popular apps were exposing data on more than 100 million people. Google also disclosed that four Android bugs are being exploited in the wild. Rounding out the Android news was the discovery of dozens of bugs in stalkerware applications.
Summary
Warnings about the importance of application security appear to be going unheeded among Android developers. Last week, security researchers reported that 23 popular Android apps, some with as many as 10 million downloads, were leaking the personal information of at least 100 million users. The root cause was improperly configured third-party cloud services. Exposed data included email addresses, chat messages, location data, passwords, and photos. In 13 of the apps, the researchers found real-time databases with no authentication at all, so that passwords could be retrieved simply by sending a request to the database. Two of the apps also exposed their cloud service keys.
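The "real-time databases lacking authentication" described above are, in practice, usually Firebase Realtime Database instances whose security rules permit unauthenticated reads and writes; Firebase is an assumption here, since the page does not name the service. The following is an added example, not code from the researchers or from any of the apps: it lints a rules document and flags paths that are world-readable, world-writable, or readable by any signed-in account (including a throwaway signup), and shows a hardened per-user rule set beside the weak one. Both rule documents are constructed samples.

```python
import json

# Constructed sample: rules that make the whole database readable and writable
# by anyone who knows its URL. Rules inherit downward, so this exposes every path.
WEAK_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: per-user layout where each account can reach only its own
# subtree; unauthenticated and cross-user requests are denied.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def _classify(expr):
    """Map one .read/.write expression to a severity label, or None if acceptable."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "PUBLIC"             # no authentication required at all
    if isinstance(expr, str) and expr.strip() == "auth != null":
        return "ANY_AUTHENTICATED"  # any account can read/write, not just the owner
    return None


def lint_rules(rules_json):
    """Walk a Firebase Realtime Database rules document and return findings.

    Each finding is (path, permission, severity). Because permissions are
    inherited by child paths, a permissive rule at the root is reported once at
    "/" but exposes everything beneath it."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                severity = _classify(value)
                if severity:
                    findings.append((path or "/", key, severity))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_world_readable(rules_json):
    """True if any path can be read with no authentication at all."""
    return any(perm == ".read" and sev == "PUBLIC"
               for _, perm, sev in lint_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:9s} world-readable={is_world_readable(rules)} findings={lint_rules(rules)}")
```

A world-readable database answers an unauthenticated GET on its REST endpoint (the `/.json` path) with the stored data, which is the "simply sending a request" in the research; a correctly locked database answers with a permission-denied error instead.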
Google also disclosed last week that four Android bugs patched in the May security bulletin are being exploited in the wild. Android zero-days confirmed as exploited in the wild are rare (only one was reported in 2020), and these four are serious. All four (CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664) sit in GPU drivers, the first two in Qualcomm's Adreno driver and the other two in Arm's Mali driver, and successful exploitation can give an attacker control of the device.
Stalkerware, meaning apps installed on a mobile device so that someone else (a spouse or parent, for example) can monitor the device owner's activity, has grown increasingly popular over the last few years. Proponents argue the apps are valuable for protecting children or monitoring employees. The security of these apps is questionable, however: researchers announced last week that they had found more than 150 significant security and privacy issues across 58 popular Android stalkerware apps. In some cases, the vendor retained the monitored person's data on its servers even after the person who installed the app had requested its deletion. Other problems included:
- Vulnerabilities that could enable device takeover
- Data interception
- The uploading of fabricated evidence
- Remote code execution (RCE) on the monitored device
As of this writing, only six of the vendors had fixed the issues identified in their applications.
Next Steps
Businesses should consider managed detection and response services and effective endpoint security, with particular attention to mobile devices. Supporting services may include email security, cloud security, and data security. Application security is equally critical: businesses that develop their own applications should consider application security as a service and mobile application security support.
Regarding stalkerware, researchers warn that the limited benefits of these applications do not outweigh the risks of using them. Ethics aside, given how common security flaws are in these apps and the likelihood that their developers have ulterior motives for capturing and retaining personal information, security professionals advise against their use on both personal and business devices.
The Ransomware Battle Continues: New Updates, Variants, and Warnings
What You Need to Know
Researchers announced last week the discovery of a new DarkSide ransomware variant. The FBI is warning organizations against ransomware attacks by the Conti gang. And the MountLocker ransomware is now sporting worming capabilities.
Summary
DarkSide ransomware just can't seem to stay out of the news: researchers disclosed a new variant last week. The variant inspects disk partition information before encrypting files. The sample is unrelated to the now notorious Colonial Pipeline attack, and although the DarkSide ransomware-as-a-service operation has reportedly shut its doors, researchers note that this variant was previously unknown. According to the researchers, the variant locates the domain controller and then queries Active Directory over LDAP using an anonymous bind, which on a default Active Directory forest returns nothing beyond RootDSE unless anonymous operations have been explicitly enabled. The researchers also note that the code is extremely efficient, suggesting a sophisticated gang with significant resources.
MountLocker, a relatively new ransomware operation that began in July 2020, now uses Windows Active Directory APIs to worm its way through networks. When run with the /NETWORK command-line argument, the sample uses the Active Directory Service Interfaces (ADSI) API to enumerate the computer objects in the compromised Windows domain, then connects to each machine with stolen domain credentials and encrypts it.
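Both of the techniques above start with an LDAP query against the domain: the DarkSide variant tries it with an anonymous bind, MountLocker with stolen credentials. The following added example, written for this review and not taken from either piece of research, is the audit a defender would run against a domain controller: it decodes the forest-wide dSHeuristics attribute (whose 7th character, set to "2", is what permits anonymous LDAP operations beyond RootDSE), attempts an anonymous bind and a search for computer objects, and reports whether an unauthenticated client could build the same target list the ransomware would. The hostname is a placeholder; the network part requires the third-party ldap3 package and reach to a DC, while the decoder and summary helpers run offline.

```python
"""Audit whether a domain controller serves anonymous LDAP queries."""


def anonymous_ldap_enabled(ds_heuristics):
    """Decode the fLDAPBlockAnonOps switch of the dSHeuristics attribute.

    dSHeuristics is a string of single-character switches. The 7th character
    governs anonymous LDAP operations; only the value '2' lets anonymous clients
    read beyond RootDSE. A missing or short attribute means the default: blocked."""
    if not ds_heuristics or len(ds_heuristics) < 7:
        return False
    return ds_heuristics[6] == "2"


def summarize(bind_ok, search_description, computers, ds_heuristics):
    """Turn raw results into the finding a report would carry.

    AD answers a blocked anonymous search with 'operationsError'; a success (or
    'sizeLimitExceeded', which still returns entries) means enumeration works."""
    search_ok = search_description in ("success", "sizeLimitExceeded")
    allowed = search_ok or anonymous_ldap_enabled(ds_heuristics)
    return {
        "anonymous_bind": bind_ok,
        "anonymous_search": search_ok,
        "computers_enumerated": len(computers),
        "dsHeuristics": ds_heuristics,
        "anon_ops_flag_set": anonymous_ldap_enabled(ds_heuristics),
        "finding": ("anonymous LDAP enumeration allowed" if allowed
                    else "anonymous LDAP blocked beyond RootDSE (default)"),
    }


def _entries(conn):
    """Search result entries from the last operation (references are skipped)."""
    return [r for r in conn.response if r.get("type") == "searchResEntry"]


def _single(value):
    """ldap3 returns a str when the schema is loaded, else a list; normalise."""
    if isinstance(value, list):
        return value[0] if value else None
    return value or None


def check_dc(host):
    """Bind anonymously to HOST and run the two checks (needs ldap3 and a DC)."""
    from ldap3 import Server, Connection, ANONYMOUS, ALL, BASE  # pip install ldap3

    server = Server(host, get_info=ALL)
    # RootDSE is readable anonymously by design; ldap3 reads it during bind and
    # exposes the naming contexts through server.info.
    conn = Connection(server, authentication=ANONYMOUS, auto_bind=True)
    base_dn = server.info.other["defaultNamingContext"][0]
    config_dn = server.info.other["configurationNamingContext"][0]

    # Anything beyond RootDSE is blocked on a default forest. A success here
    # means an unauthenticated client can map every computer in the domain.
    conn.search(base_dn, "(objectClass=computer)", attributes=["dNSHostName"])
    description = conn.result["description"]
    computers = [_single(r["attributes"].get("dNSHostName")) for r in _entries(conn)]

    # The switch itself lives on the Directory Service object in the config NC.
    ds_dn = f"CN=Directory Service,CN=Windows NT,CN=Services,{config_dn}"
    ds_heuristics = None
    if conn.search(ds_dn, "(objectClass=*)", search_scope=BASE, attributes=["dSHeuristics"]):
        rows = _entries(conn)
        if rows:
            ds_heuristics = _single(rows[0]["attributes"].get("dSHeuristics"))
    return summarize(conn.bound, description, computers, ds_heuristics)


if __name__ == "__main__":
    import sys
    # Placeholder hostname; point it at a DC you are authorised to test.
    print(check_dc(sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"))
```

If the finding is "allowed", the fix is to clear the 7th character of dSHeuristics back to "0"; if it is "blocked", the same computer enumeration still succeeds for any authenticated domain account, which is why MountLocker's stolen credentials are enough for it.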
In an alert published Thursday, 20 May 2021, the FBI warned that Conti ransomware attacks are targeting healthcare and first responder networks. According to the alert, at least 16 Conti attacks have targeted law enforcement, emergency medical services, and 911 dispatch centers. Ransomware attacks on healthcare have delayed and interrupted critical patient care and pose a substantial risk to human health and safety. Ransom demands have been as high as $25 million, and Conti members have resorted to phoning victims over Voice over IP (VoIP) to pressure them into paying. The gang is also known for double extortion: it threatens to release stolen sensitive data and withholds the decryption key until the ransom is paid.
Next Steps
As ransomware attacks continue to increase, cybersecurity professionals are urging businesses to patch bugs and vulnerabilities immediately, as well as engaging a vulnerability management service. Endpoint security is also a key tool in the fight against ransomware. If organizations believe they have been victims of a ransomware attack, they are urged to work with a professional ransomware investigation and response team.
RATs in the Sewers: Two Notable RAT Campaigns Disclosed Last Week
What You Need to Know
In malware news, criminals are switching things up by delivering RAT malware that pretends to be ransomware. And in a Private Industry Notification, the FBI warns of a spear-phishing campaign that impersonates financial institutions and tries to get recipients to download a RAT disguised as a Windows application.
Summary
Microsoft is warning customers about a new campaign distributing STRRAT, a Java-based remote access trojan. Discovered in a massive spam campaign using attachments posing as PDF documents, STRRAT mimics ransomware by renaming files with an added extension, a technique common in ransomware attacks, without actually encrypting them. As a RAT, the malware can steal browser credentials, give the operator remote access, and log keystrokes. Researchers believe the fake ransomware behavior is meant to distract the victim while data and credentials are stolen in the background.
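Because STRRAT only renames files, a responder can tell a bluff from real encryption in seconds by checking whether the "ransomed" files still carry their original headers. The following added triage script, written for this review rather than taken from Microsoft's report, does that: it looks for a known file signature first (compressed formats such as Office documents and images have high entropy but keep a recognisable header), then falls back to Shannon entropy for files with no known header. The sample files are constructed; the ".crimson" extension is the one STRRAT 1.5 used, which Microsoft reported but this page does not mention, and it is a parameter here.

```python
import math
import random
from collections import Counter

# Header signatures of common document types. A file that was merely renamed
# keeps its header; a genuinely encrypted one does not.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",
    b"{\\rtf": "rtf",
}


def shannon_entropy(data):
    """Entropy in bits per byte. Ciphertext sits near 8.0; plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data):
    """Return the file type implied by the header, or None if unrecognised."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def classify(data):
    """Verdict for one file body:
    renamed_only     - recognisable header survives, so the content was not encrypted
    not_encrypted    - no known header, but entropy is far too low for ciphertext
    likely_encrypted - no header and a near-random byte distribution
    unknown          - anything in between (for example an unfamiliar compressed format)"""
    head = data[:4096]
    if identify(head) is not None:
        return "renamed_only"
    entropy = shannon_entropy(head)
    if entropy < 6.0:
        return "not_encrypted"
    if entropy > 7.5:
        return "likely_encrypted"
    return "unknown"


def triage(files, ext=".crimson"):
    """files: mapping of filename -> bytes. Only files carrying the appended
    extension are examined. Returns filename -> verdict."""
    return {name: classify(body) for name, body in files.items() if name.endswith(ext)}


def fake_ransomware_suspected(verdicts):
    """True when any 'ransomed' file is still readable, i.e. the encryption is a bluff."""
    return any(v in ("renamed_only", "not_encrypted") for v in verdicts.values())


# Constructed sample files, not real victim data. The last one is random bytes
# standing in for a file that really was encrypted.
_rng = random.Random(7)
SAMPLES = {
    "report.pdf.crimson": b"%PDF-1.4\n" + b"1 0 obj << /Type /Page >> endobj\n" * 40,
    "notes.txt.crimson": b"Quarterly notes: nothing unusual to report.\n" * 60,
    "ledger.xlsx.crimson": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "README.md": b"# untouched\n",
}

if __name__ == "__main__":
    verdicts = triage(SAMPLES)
    for name, verdict in verdicts.items():
        print(f"{name:24s} {verdict}")
    print("fake ransomware suspected:", fake_ransomware_suspected(verdicts))
```

A "renamed_only" or "not_encrypted" verdict on a supposedly encrypted file means the incident is a data-theft case with a ransomware disguise, and the response should pivot to credential reset and hunting for the RAT's persistence rather than to recovery of the files.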
In more RAT malware news, the FBI released a Private Industry Notification last week describing a RAT campaign delivered via spear-phishing and impersonating several financial institutions, including Truist Bank and FNB America. According to the FBI, the threat actors tailored the campaign “to spoof the financial institution through registered domains, email subjects, and an application, all appearing to be related to the institution.” The phishing email contained two PDF attachments imitating official documents and a link to download an application, supposedly needed to access and complete a loan approval process. The malware was deployed after the recipient clicked the malicious link, which connected to a domain called secureportal(.)online. The RAT is capable of privilege escalation, registry manipulation, keylogging, file downloads and dropping additional payloads, and listening for incoming connections, among other things.
Next Steps
Businesses are advised to remind employees not to click links in unsolicited emails. To protect from phishing attacks, businesses should use some form of email security, as well as other security technologies.
Final Words
The recent cybersecurity executive order from the Biden administration has tremendous potential to improve the overall security posture of the United States. While the EO will primarily affect the federal government, it is the first major national strategy announcement on cybersecurity in a while, and there is hope that a national focus on cybersecurity will help private industry take threats and mitigations more seriously.
The executive order, along with other industry actions such as the new Ransomware Task Force, is a great step in the right direction. But the billion-dollar question remains: Does industry understand the scope and scale of the threat and are they ready to do something about it?
Preparing for the next threat or attack is crucial—and that is where the idea of business or cyber-resilience comes in. Employing key security strategies and tools such as zero trust and cloud security, as well as engaging in key processes such as disaster recovery evaluation and planning, risk assessment, security architecture evaluation and business continuity planning, can help block or mitigate the effects of an attack should one occur.
The route to improved security isn’t about one tool, technology, or task force. It’s a team effort involving internal and external security professionals, employees, and researchers all working together to better understand and combat cybercrime.