Cybersecurity Week in Review: 9/21
Posted by: GuidePoint Security
Welcome back to another week in review. It’s absolutely mind-boggling that we are about to close out September of 2020. The stories keep rushing in, and it seems that we are busier than ever in security. Let’s dive in and look at some of the more newsworthy situations that showed up over the last seven days.
A Wolf in Sheep’s Clothing
With most of us changing the way we work and shifting to our home offices, one technology has reigned supreme: the Virtual Private Network (VPN). Most of us need it to access files on our corporate networks or to communicate privately over the internet. With demand for these tools increasing, it makes perfect sense that threat actors would find ways to trick users into downloading and installing malicious files by bundling them with VPN installers.
Recently, a report was released about a new backdoor trojan being bundled into a VPN installer. The backdoor, named Backdoor.MSIL.BLADABINDI.THA, is either placed on a user’s system by other malware or by the user downloading it from a malicious site. The application will place three files on the user’s system: the legitimate VPN installer, a malicious file (lscm.exe) with the backdoor inside, and the script to run the malicious file (win.vbs).
When the install process kicks off, users see an installation window appear on their screen, probably to make everything seem legitimate. While this is going on, the executable downloads the payload and redirects the user to a webpage. It then downloads an encrypted file called Dracula.jpg. Once that is complete, the backdoor is in place. This allows the threat actor to perform actions on the user’s machine, such as updating files, taking screenshots, and executing additional commands. The malware also gathers information about the user’s device, such as the operating system, username, machine name, and any antivirus software installed.
Researchers were able to capture and decrypt much of the information and have provided useful and actionable Indicators of Compromise (IOCs) for the malware.
You can read the full report here.
Another Dark Market Bites the Dust!
Being in cybersecurity, it is not always easy to find good news every day, so when I can get a chance to share some, I do.
Recently, an alliance of law enforcement agencies worldwide arrested 179 different vendors involved in selling illicit goods on the Dark Web in Europe and the United States. The operation, known as DisrupTor, followed up on last year’s takedown of the Wall Street Market, then the second-largest dark web marketplace. Using information from that bust, the agencies involved shared data and materials to identify the people behind the dark web accounts. Of the 179 arrests, 121 were in the United States, 42 in Germany, 8 in the Netherlands, 4 in the United Kingdom, 3 in Austria, and one in Sweden. The operation also seized over $6.5 million in cash and virtual currencies, along with a slew of drugs and weapons.
The head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris, had this to say on the operation:
“Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”
Read the full story here.
Failed Auction Leads to Free Malware Release
We have all, in some way, shape, or form, been involved in an auction. eBay brought digital auctions to the forefront of the bidding marketplace when it came online in 1995. Since then, many others have popped up and become popular with online shoppers. But, just as with almost everything in the world, where there is good, there is also bad.
Recently, in one of these “bad” auctions, a pretty nasty banking trojan named Cerberus was put up for bid, according to a ZDNet article. This trojan is not new by any means, as it was identified in July 2019. This RAT, or Remote Access Trojan, operates by secretly surveilling your Android phone. It can intercept communications, tamper with the device, and steal banking credentials along with other data. Further to that, Cerberus can read your text messages, which could contain two-factor authentication (2FA) codes and one-time passcodes (OTP).
Avast security researchers discovered that the trojan was wrapped up and disguised as a legitimate currency converter in the Google Play Store. The theory is that, to pass Google’s code checking process, the app initially contained none of the malicious code. Once there was a large download base for the app, the actors pushed an update package containing the trojan.
After the app was discovered on Google Play, Cerberus was put up for auction because the development team was splitting up. According to the advertisement promoting the auction, the starting price was set at $50,000 for the source code, client lists, servers, and the administrator panel code. The auctioneer claimed that Cerberus generated $10,000 in revenue a month to add to his sales pitch.
This is where things get a little interesting, and quite troublesome for many people. Nobody wanted to pony up for the information. This led the author to release the code for free on a popular Russian underground platform, which in turn led to a spike in mobile app infections, mainly across Europe and Russia. The real worry is not necessarily that we may see further rises in Cerberus infections, but the unknown variants people will make with the source code floating free on the internet.
Read the ZDNet article here.
Final Words
As with every week, there was a ton going on in the world of security, and these stories are the ones that stood out to me. The more we stay informed about our surroundings, the better off we will be when it comes to protecting our systems, organizations, and data.
When we traverse the world wide web searching for tools and applications to help us in our daily lives, we need to be aware that not everything is as it seems. Sometimes we may encounter a wolf in sheep’s clothing. We can’t always see inside applications when we download the installer, but we can scan them for viruses or look for reviews of the program. As the old adage goes, never judge a book by its cover. This couldn’t be more true in technology.
Being in this industry can feel overwhelming at times. So many new and damaging threats continuously bombard us. Sometimes it can feel like we never get a win. So when we do, celebrate it. Whether that is taking down a criminal underground on the dark web, successfully executing a lockout campaign against a threat actor, or finally finishing that security training, always remember to stay informed, stay safe, and be prepared.
As always, friends, security is an action. We get out what we put into it.