Cybersecurity Week in Review: 11/30
Posted by: GuidePoint Security
In this week’s cybersecurity news roundup, we highlight stories about the increased activity from the notorious malware-as-a-service (MaaS) known as “TrickBot”, including a large ransomware attack that originated with the botnet. We also describe recently released details on iOS exploits.
$12.6M Ransomware Attack Hits IoT Chipmaker
A ransom of an estimated $12.6 million (750 bitcoins) is what the Conti cybercriminal gang is demanding after a ransomware attack on a major industrial automation and Internet of Things (IoT) chipmaker. If paid, the criminals claim they will provide full decryption of 3 GB of data and remove the stolen data from the criminals’ server.
As proof their decryption system worked, the Conti gang offered to decrypt two files prior to making a ransomware payment. In addition, the criminal gang also claimed that if the ransom were paid immediately, they would remove any backdoors they had deployed on the IoT company’s network and provide security “tips” on how to secure the network against future attacks.
While there is no information on exactly how the Conti ransomware got onto the IoT chipmaker’s systems, the criminal gang’s modus operandi appears to be targeting corporate networks to gain access to domain admin credentials, which they then use to distribute ransomware payloads.
Reports suggest that the stolen data constituted confidential, but low-value corporate documents. While the IoT chipmaker has confirmed the attack, there was no information on whether the company has paid the ransom. In a statement, the IoT chipmaker indicated they have since put into place new detection, protection, and response solutions to mitigate the risk of future attacks.
Notably, the Conti ransomware shares some of the same code with the Ryuk ransomware. Security researchers first identified the Conti ransomware in December 2019, with attacks increasing in June 2020. After Ryuk activity dwindled in July 2020, researchers noted the Conti ransomware being distributed through reverse shells that were opened by the TrickBot trojan.
You can read more information on this story here.
TrickBot up to its old tricks again
A good thing can only last so long.
There is increasing evidence that the large-scale botnet known as ‘TrickBot’—which a U.S. Cyber Command/Microsoft coalition partially disabled this fall—is coming back to life.
TrickBot hit the news with a bang back in October when Microsoft announced a partial disabling of the IP addresses associated with the botnet’s command and control servers. (You can read GuidePoint Security’s analysis of the takedown here.) However, the disruption of the botnet’s activities didn’t last long, as activity appears to have ramped up again.
In early November security researchers identified a new version of the TrickBot malware (its 100th). The most recent version of the malware has several new features, including the ability to hide its activity, which researchers believe was a direct attempt by the cybercriminals to prevent future disruptions. TrickBot’s new obfuscation feature takes advantage of the Microsoft Windows command prompt (cmd.exe) and a scripting language that is available on virtually every computer running the Windows operating system.
In addition, the criminal creators behind TrickBot have expanded the botnet’s toolset to focus on system vulnerabilities by deploying “bootkits”. This functionality (dubbed “TrickBoot”) uses established tools to look for specific vulnerabilities in target systems and then injects malicious code into the device’s UEFI/BIOS firmware. Researchers have called TrickBoot, with its UEFI-level implants, one of the stealthiest and most formidable forms of bootkit, since it not only enables specific targeting of victims but also allows the malicious code to persist even after re-imaging, and gives the operators the ability to brick the device. Researchers also believe that leaving a hidden UEFI bootkit in place for later use gives criminals more leverage during ransom negotiations.
Although originally designed as a banking trojan in 2016, TrickBot has evolved into a multi-purpose malware-as-a-service (MaaS) tool with payloads that steal credentials and information and distribute ransomware like Conti and Ryuk. Researchers believe that TrickBot malware has been installed on over one million computers worldwide.
Researchers still assess TrickBot as “weakened”; however, most believe that botnet activity may soon be back to pre-takedown levels.
You can read more about TrickBot’s comeback, with its enhanced malicious features here and here.
Details on several iPhone iOS bugs emerge
While many Apple product users believe the iOS system to be fairly safe from hacker and malware penetration, several researchers released exploit details last week, which suggest that a little creativity can make the iOS system as vulnerable to attack as other operating systems.
Exploit CVE-2020-3843
The first exploit (tracked as CVE-2020-3843 and patched by Apple earlier this year in the iOS 13.3.1, macOS Catalina 10.15.3, and watchOS 5.3.7 releases) could have enabled complete takeover of any iOS device over wifi, giving the attacker the ability to access all information on the phone and monitor its activity in real time.
According to a white hat hacker, the bug originates with a relatively minor buffer overflow programming error in a wifi driver associated with Apple Wireless Direct Link (AWDL), a mesh networking protocol used to facilitate communication between Apple devices.
Using only an iPhone 11 Pro along with a Raspberry Pi and two different wifi adapters, the white hat described how an attacker would have the ability to remotely read and write arbitrary kernel memory, then use this access to bypass sandbox protections and inject shellcode payloads. The process looks like this:
- The attacker targets the AirDrop BTLE framework.
- He enables the AWDL interface by brute-forcing a random contact’s hash value.
- He exploits the AWDL buffer overflow to gain access.
- Finally, he runs an implant as root to take control of the device.
Following these steps, the attacker now has full control over anything contained in the iOS device, including emails and iCloud data.
While the white hat had no evidence that the vulnerability had been exploited in the wild, he did note that Apple took notice and fixed the bug.
Bugs in Apple’s AWDL protocol aren’t new. Other patched AWDL vulnerabilities have enabled attackers to track users and intercept file transfers between devices using man-in-the-middle (MitM) attacks.
Exploit CVE-2020-27950
In another iOS exploit disclosure, details emerged on CVE-2020-27950, one of three actively exploited flaws patched by Apple in November. This bug appeared to be the result of a memory corruption problem in the FontParser library, which enabled remote code execution and a subsequent memory leak granting a malicious application kernel privileges to run arbitrary code. Researchers discovered the details of the exploit by comparing the two kernel binaries associated with iOS 12.4.8 and 12.4.9. They then traced the roots of the memory leak, discovering that the hack altered the kernel’s processing of Mach messages.
Remember to update
The details on both of these patched exploits remind us that iOS devices are not impervious to attacks, and device users need to be sure to install Apple software updates regularly.
More on the Apple iOS vulnerabilities can be found here.
Final Words
I was struck this week by the sheer creativity of individuals and groups working in the world of cyber vulnerabilities and exploits. Regardless of whether the hackers are university-led security researchers or full-blown cybercriminals, two consistent traits emerge—those of ingenuity and tenacity.
In the case of TrickBot, the criminal gang behind the botnet’s operation clearly went into overdrive mode after the October U.S. Cyber Command/Microsoft takedown. Based on reports, they’ve enhanced the obfuscation of some of TrickBot’s malicious code and buried additional code deep within the operating systems of targeted devices so the code can be triggered at a future time. The message here: TrickBot isn’t going down without a fight and the criminal operation behind the botnet is completely dedicated to ensuring their MaaS cashflow doesn’t dry up.
Security researchers and white hat hackers demonstrated that same level of ingenuity and tenacity with the details that emerged around the Apple exploit disclosures.
The moral of the story? If someone wants to access your system, they WILL figure out a way to do it.
Better than anything, this week’s stories remind us that security is action, and you get out what you put into it.