August 6, 2018

Routers turned into zombie cryptojackers – is yours one of them?

By Paul Ducklin

We’ll start this story right at the end:

  • Users and sysadmins. Patch early, patch often.
  • Vendors and programmers. Don’t store plaintext passwords.

In this particular case, the vulnerable devices under attack are Mikrotik routers that haven’t been patched since April 2018.

Security researcher Simon Kenin at Trustwave pieced the story together, following reports that there seemed to be a surge of web-based cryptojacking in Brazil.

Kenin quickly realized that Brazil was something of a red herring in the story, because the attack was happening wherever the crooks could find unpatched Mikrotik routers.

Brazil just happened to be where the story broke – it is, after all, the fifth most populous country in the world, so there are a lot of Brazilian home and small business networks for crooks to find and attack.

Here’s how this cryptojacking attack seems to have gone down.

Back in April 2018, Mikrotik patched a remote access vulnerability in its products.

As far as we can tell, Mikrotik discovered the security flaw itself, describing it in basic terms as a vulnerability that “allowed a special tool to connect to the [administration] port, and request the system user database file.”

As it turned out, there was a bit more to it than that – the bug allowed any file to be read off the router, effectively giving crooks who knew the trick the opportunity to leech any data they wanted.

The user database file just happened to be the crown jewels, because Mikrotik had stored both usernames and passwords in plaintext.

Read more at https://nakedsecurity.sophos.com/2018/08/03/routers-turned-into-zombie-cryptojackers-is-yours-one-of-them/

Alleged “high-ranking” members of the Fin7 cybercrime group arrested

By Lisa Vaas

The DOJ announced on Wednesday that three alleged, “high-ranking” members of the notorious Fin7 cybercrime organization have been arrested.

According to three federal indictments, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are allegedly members of a prolific, professional, highly adaptable hacking group widely known as Fin7, though it’s also referred to as the Carbanak Group and the Navigator Group, among many other names.

The DOJ says that since 2015, Fin7 has engaged in “a highly sophisticated malware campaign” targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries, hacking into thousands of computer systems and stealing millions of customer credit and debit card numbers in order to sell them.

Security groups have been tracking the actors for longer than that, however: the thinking is that Fin7 evolved from malware campaigns between 2013 and 2015 that used the banking Trojans Carberp and Anunak to attack financial institutions.

Fin7 doesn’t just work in the US, but the DOJ says that just its US sprees alone have included raids on the networks of companies in 47 states and the District of Columbia, with the theft of more than 15 million credit card records from 6,500 Point-of-Sale (PoS) terminals at more than 3,600 separate business locations.

The organization has also ransacked computer networks in the UK, Australia and France. Publicly disclosed hacks attributable to Fin7 include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.

Read more at https://nakedsecurity.sophos.com/2018/08/03/alleged-high-ranking-members-of-the-fin7-cybercrime-group-arrested/

How safe is your DNA data?

By Danny Bradbury

As concerns mount over DNA privacy, a group of DNA collection and genealogy websites has released a set of best practice guidelines for handling sensitive genetic and family data. Will it give consumers much more protection though? Probably not.

23andMe, Ancestry, Helix, MyHeritage, and Habit worked with the Future of Privacy Forum to release the guidelines, which explain how to handle information about a family’s genetic makeup. Sites like 23andMe offer genetic tests to consumers who send in a simple saliva swab. They can then use this to tell you about your ancestry and to let you know about genetic health risks.

The guidelines apply to any data about an individual’s inherited genetic characteristics. This includes three types: Data that comes directly from sequencing a person’s DNA, data that a company can create by analyzing that raw data (such as particular gene information or data about physical characteristics) and finally data that a person reports about their own health conditions.

The document broadly replicates many of the rules laid down by the EU’s General Data Protection Regulation (GDPR), which any company holding data on EU residents is already beholden to. It also draws on other guidance, including the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act and the Americans with Disabilities Act.

It includes statements on accountability (companies should release reports on what they’re doing with people’s data) and privacy by design (implementing technical controls to support the other rules) among others. It also says:

Genetic Data, by definition linked to an identifiable person, should not be disclosed or made accessible to third parties, in particular, employers, insurance companies, educational institutions, or government agencies, except as required by law or with the separate express consent of the person concerned.

This document still leaves some privacy concerns. Let’s start with the timing of its release.

Read more at https://nakedsecurity.sophos.com/2018/08/03/how-safe-is-your-dna-data/

Amnesty International spearphished with government spyware

By Lisa Vaas

Amnesty International has been spearphished by a WhatsApp message bearing links to what the organization believes to be malicious, powerful spyware: specifically, Pegasus, which has been called History’s Most Sophisticated Tracker Program.

On Wednesday, the human rights-focused NGO said in a post that a staffer received the link to the malware in June. It was baited with a message written in Arabic that implored the group to cover a protest for “your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington.”

My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this [link]

Cover the protest now it will start in less than an hour

We need your support please

Pegasus is a tool sold by NSO Group, an Israeli company that sells off-the-shelf spyware. It enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus at one point even worked on non-jailbroken iOS devices. In 2016, Citizen Lab and Lookout discovered that the spyware was exploiting three critical iOS zero-day vulnerabilities to slip past Apple’s device security and install itself. Apple quickly fixed the vulnerabilities when alerted to them, according to Lookout.

This isn’t the first time that a group or individual who isn’t supposed to be a target of Pegasus has alleged they have been. NSO Group’s response to incidents like this has been consistent on each occasion: the company points to the fact that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.

Read more at https://nakedsecurity.sophos.com/2018/08/03/amnesty-international-spearphished-with-government-spyware/

Reddit’s serious “security incident” – what you need to know

By John E Dunn

Reddit has suffered a “serious” data breach but seems unwilling or unable to put a figure on its size.

There are two parts to this story – who is affected and the weakness the company says led to the breach itself.

Dealing with users first, there are two groups in the firing line, arguably the most important being the unknown number of Reddit users who received an email digest between 3 and 17 June this year. If you’re one of those, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below.

The second group at risk is anyone who registered with the site between 2005 (when it launched) and May 2007.

In this case, data accessed includes account username and password, the email address used at that time, and any content posted including private as well as public messages.

Passwords were salted and hashed, which sounds vaguely reassuring until you realise it covers a continuum of possibilities from very safe to not very safe at all.

If the salting and hashing was done in thousands of iterations by an algorithm like bcrypt then you can feel reassured. If it simply means the site used a hashing algorithm like SHA-1, the kind of password security that was already out of date but not uncommon at that time, then you can’t.

Sadly, we don’t know which it is.

If it’s the latter then the risk here would be for the probably small group of users who haven’t changed their password since then or did change it but used it on other sites without updating it there too.
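To make the “continuum” above concrete, here is an added example (not from the article) that stores the same constructed password two ways, as a single salted SHA-1 digest and as an iterated, salted PBKDF2-HMAC-SHA256 digest, then measures how many more guesses per second an offline attacker gets against the SHA-1 store. PBKDF2 stands in for bcrypt because bcrypt is not in Python’s standard library; the password, salt and iteration count are constructed values, not anything from the Reddit breach.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration (not real credentials).
PASSWORD = b"hunter2"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
PBKDF2_ITERATIONS = 50_000  # assumed work factor; bcrypt uses a cost parameter instead


def sha1_salted(password: bytes, salt: bytes) -> str:
    """One salted SHA-1 pass per guess: the salt stops precomputed tables,
    but each candidate password still costs the attacker a single digest."""
    return hashlib.sha1(salt + password).hexdigest()


def pbkdf2_salted(password: bytes, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated, salted PBKDF2-HMAC-SHA256: every guess costs `iterations`
    HMAC computations, which is the property that makes bcrypt-style
    storage 'very safe' and single-pass hashing 'not very safe at all'."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def verify(stored: str, candidate: bytes, salt: bytes, func) -> bool:
    """Check a login attempt against a stored digest in constant time."""
    return hmac.compare_digest(stored, func(candidate, salt))


def guesses_per_second(func, n: int) -> float:
    """Rough offline-guessing rate for one storage scheme on this machine,
    timed over n constructed candidate passwords."""
    start = time.perf_counter()
    for i in range(n):
        func(b"guess%d" % i, SALT)
    return n / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times slower each guess is against the PBKDF2 store than
    against the salted-SHA-1 store (typically thousands of times)."""
    return guesses_per_second(sha1_salted, 2000) / guesses_per_second(pbkdf2_salted, 5)


if __name__ == "__main__":
    stored_weak = sha1_salted(PASSWORD, SALT)
    stored_strong = pbkdf2_salted(PASSWORD, SALT)
    print("salted SHA-1 :", stored_weak)
    print("PBKDF2-SHA256:", stored_strong)
    print("login check  :", verify(stored_strong, PASSWORD, SALT, pbkdf2_salted))
    print("PBKDF2 is %.0fx slower per guess than salted SHA-1" % slowdown_factor())
```

The ratio printed at the end is why the article cannot say how reassuring “salted and hashed” is without knowing which scheme Reddit used in 2007.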

Read more at https://nakedsecurity.sophos.com/2018/08/02/reddits-serious-security-incident-what-you-need-to-know/

How to defend yourself against SamSam ransomware

By Mark Stockley

On Tuesday 31 July 2018 Sophos released the largest and most comprehensive research paper ever compiled on SamSam, a sophisticated and highly destructive piece of ransomware noted for its ability to put entire organisations under siege.

SamSam is different from most other ransomware – it’s used sparingly, in a relatively small number of targeted attacks by a skilled team or individual. They break into and survey a victim’s network before deploying and running the ransomware, just like a sysadmin deploying legitimate software.

Those unusual tactics create advantages for both attacker and defender.

The good news is that the SamSam attackers aren’t looking for a challenge. They want easy targets, which means that getting a few of the basics right gives you a very good chance of keeping them out.

The bad news is that if they do get a foothold in your organization they can dig in quickly. They don’t deploy the SamSam malware until they’re able to act as a Domain Admin, which gives them high ground from which to attack.

SamSam hackers have been seen changing their tactics during attacks and they will spend hours, and perhaps days, getting it right. If one approach doesn’t work they’ll try another and another, and if security software stops the malware from running, they’ll look for ways to disable it.

Read more at https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation