Microsoft Identifies new Sysrv-K Botnet Variant

Given the recent tanking of bitcoin value in the open market, you might think that the criminal exploitation of private computers for coin mining might start to slow, but I guess the cyber bad guys in the world need to compensate for their value losses and mine new coins.

This article from the great team over at InfoSecurity is a great overview. Enjoy and beware!

Samsung Confirms Data Breach Affecting Galaxy Product Line

This is especially concerning given other recent issues identified with the Galaxy phone line up. Please take note and watch for updates from the team at Samsung.

The team at Hacker News provide a great overview of the breach:

Space: The New Warfare Frontier – The conflict in Ukraine and its effect on all things space related

All large, modern military operations are heavily reliant on satellites to provide a variety of logistics and planning information related to battlefield operations. That information includes GPS coordination and navigation, topographic imaging, drone command & control, and many other surveillance functions. Threats to Russia’s satellite infrastructure by those in opposition to the invasion and ongoing conflict in Ukraine have prompted Russian officials to respond and to respond harshly.

The following article from the great team at InfoSecurity details the Russian response / denial to hacking attempts against their satellite infrastructure:

Simply put, military conflicts are not what they used to be. So far during the conflict in Ukraine, we have seen the Russian space authority make a less-than-veiled threat against the safety of the International Space Station. We have also seen the delay and/or cancellation of satellite launches from Russian space facilities for agencies, governments, and organizations that oppose Russian activity in Ukraine. There are many factors to take into consideration, both short term and long term, when considering orbital resources and the effect this ongoing conflict can and will have on national and international assets in space.

Russia is still a primary partner in the ISS program and still provides the primary transportation and recovery services for the space station. Those services will most likely be on hold for the foreseeable future. The Russian space agency also provides satellite launch services for many nations and private agencies around the world. Those services have become a bargaining chip for international negotiations moving forward.

It will be very interesting to watch these situations develop over the weeks and months to come. We are seeing the Cold War rekindle and acts of fiction from recent TV shows and movies begin to come to life as scenarios play out on the “final frontier”.

The Ever Evolving Nature of Warfare: The Conflict in Ukraine and Cyberattacks

As strange as this may sound, military attacks are no longer simply about soldiers and tanks and planes and bombs. Needless to say, there is nothing simple about war, but thanks to state sponsored hacking and the connected nature of critical infrastructure, cyber warfare has become a new front for every new military conflict. The conflict brewing in Ukraine is no different.

Threat levels have been raised by numerous national and international cybersecurity organizations, and malicious cyber activity is already being monitored related to this current conflict. Please remember that the types of attacks associated with these nation state conflicts are not perfectly crafted and restricted to only military targets. They can overflow into civilian networks that can quickly spread around the world in a matter of hours. NotPetya is a wonderful example of targeted cyber warfare run amuck.

Take the time to prepare your environments and make sure all your controls are in place and up to date. The Internet is staged to see quite a bit of malicious cyber activity in the days and weeks to come.

Does the Vendor Matter? – Smartphone and Mobile Security in a Threat Filled World

Recently I was asked to discuss the cybersecurity risks associated with smartphones and the possibility that those devices could be compromised and information stolen. As part of the conversation, an all too familiar story was told about an older gentleman who had been prompted through a fear-based social engineering phone call to go to the bank and withdraw a significant amount of money to avoid some fictitious financial penalty. What was a little more unique in this situation was the fact that the older gentleman had also been prompted to download an app on his smartphone that had in turn given the attacker control of that device. Fortunately, an alert bank employee noticed something strange during the transaction as the older gentleman continued to receive directions from the attacker via his phone. The bank employee intervened and, after some effort, was able to power off the gentleman’s phone and get to the bottom of the scam.

Sadly, this is not a terribly unique situation. Creative and malicious vishing (voice phishing) attacks take place every day, targeting young and old alike. What is a little more concerning is the evolution of malicious applications and the use of these applications to take remote control of a device during a social engineering attack, thus giving the attacker near complete control over the situation and ramping up the fear factor for the victim.

In the situation with the older gentleman at the bank, his problems did not end once the attack was discovered and his phone was powered off. At that point, his smartphone, a low cost, prepaid Android device, was compromised and unsafe to use. The bank employee rightly recommended he factory reset the device or replace it, but neither option was honestly viable for the victim. He lacked the technical skill to properly reset the device and he could not afford to simply throw it away and buy another one. Because it was a big box store purchased prepaid device, he could not walk into a wireless carrier store and ask for help. He was stuck.

In talking through this situation, several questions came to mind. First and foremost, what can we (the IT security and cybersecurity community) do to help? That question prompted others – are certain mobile devices safer than others in terms of their ability to prevent these types of social engineering and malicious device takeover attacks, is this issue age related or more widespread, and what tips and tricks can we provide to help mitigate these types of cyberattacks? I want to take a moment and work through some of these questions and see if I can provide some answers that will help keep people safer when dealing with these types of attacks.

Are certain mobile devices safer than others?

This is a very loaded question and feeds into the ever present and ongoing debate of Google Android versus Apple iOS. Let me begin by stating that I am not here to advocate for one manufacturer over another – both device families have some great security features and both device families have the potential for compromise by a cyber bad guy. I do want to talk about some features and specific design methodologies provided by each manufacturer that can impact a victim, both positively and negatively, in the scenario we are discussing – vishing and remote device takeover. Let’s look at some relevant statistics to better frame this conversation:

  • Apple iOS is the more prevalent mobile phone operating system in the U.S. at 53% to Google Android’s 46%. (Statista 2022)
  • That said, the Android OS accounts for more than 50% of all malicious infections of devices in the U.S. followed by Microsoft Windows at 23% and Apple iOS at less than 1%. (Nokia Threat Intelligence Report 2021)

So, if Apple leads in terms of market share for smartphones, why is Google Android so far ahead in terms of operating system malicious infections? There are several reasons. First, Google Android, as an operating system, runs on many different platforms beyond smartphones. The Android OS can be found on a variety of IoT devices including smart TVs, tablets, home automation systems, appliances, and many other Internet-enabled platforms. As such, the attack surface for Android OS is simply larger than Apple iOS. Second, the Google Android OS is a much more open and customizable platform in terms of the sources and types of applications that can be loaded to an Android device. Application downloads for the Android OS are not necessarily restricted to the Google Play Store and, as such, cannot be as closely vetted and verified when compared to the relatively closed application ecosystem of Apple’s iOS. Third, Google does not own and control all of the hardware platforms on which Android OS is loaded. Dozens of smartphone manufacturers use Android OS for their devices, and, therefore, those manufacturers can to an extent control the applications that ship on those devices. Once again, this is very different for Apple iOS as Apple manufactures all smartphones and tablets and devices that run their operating systems. Apple has built a closed, proprietary ecosystem for its “iDevices” and controls all applications that can be listed and downloaded from its App Store. This approach has made it significantly more difficult, though not completely impossible, to load malicious software on an Apple device and facilitate remote control. Given all of this information and each manufacturer’s approach to application installation control, it is a fair statement to say that Apple’s smartphones are a safer platform in this specific situation.

Please do not take this specific conclusion and extrapolate that Android devices are less safe overall when compared to Apple devices. Both operating systems have their specific strengths and weaknesses. Google Android OS, for example, provides one of the most flexible and secure identity management platforms available, providing numerous secure ways to validate the identity of the device user and ensure physical compromise is extremely difficult for the bad guys. Android’s flexibility and portability have also created opportunities for lower cost smartphones and tablets that have brought internet access to people and places it otherwise may not have reached. That said, everyone needs to understand the potential security challenges with these devices in certain situations and take proper precautions.

Is the growth of malicious device infection and the prevalence of social engineering attacks age related?

I am sure many people will read the details of the incident at the start of this article and focus on the word “older” that was used to describe the victim and draw the conclusion that this type of scheme is designed to prey on novice internet users. Those people would be both right and wrong. This type of scam is often targeted at older Americans, but not because of a lack of internet experience. Consider these statistics:

  • 10 years ago, less than 46% of Americans over the age of 65 used the Internet. That number is now greater than 75%. (Pew Research)
  • Over 61% of Americans over the age of 65 have a smartphone. (Pew Research)

Older Americans are quickly becoming savvy Internet consumers, but this same demographic has a specific set of fear triggers that make them particularly susceptible to this type of social engineering attack, including a fear of lost income or the failure to meet a particular commitment. Younger Americans also fall prey to these types of schemes on a regular basis. The cyber criminals simply make a few tweaks to the script based on clues gathered during the initial conversation. Younger people tend to fear a loss of services or damage to their reputation via social media or a threat to their children. At the end of the day, it is important to remember that the cyber bad guys have developed strategies to adapt their attacks based on the audience they reach and all of us are targets.

Tips and Tricks to Stay Safe

Here are a few tips that can help you avoid the pitfalls of this type of social engineering attack and keep you and your personal information safe:

  • Do your own research – When you receive a call from someone supposedly representing Microsoft or Amazon or another merchant claiming some type of issue (fraudulent transaction, late shipment, account compromise, etc.), pause, take a moment to think about the situation, and question what you are being told. DO NOT take any action based on the recommendations of the person on the other end of the phone call. Politely tell them you will research the issue and call them back on a publicly published phone number. Go to the merchant or organization’s website. Check your account. Call or chat with their publicly listed support team. At the end of the day, very few if any merchants will call you with these types of issues and they will always provide valid information via legitimate websites.

  • Think before you download – Never download applications for your smartphone or tablet via a link sent to you or from an unknown website. Use the Apple App Store or the Google Play Store for all application downloads. Read and verify the app reviews and the number of historical downloads.

  • Be willing to hang up – As mentioned earlier, do not allow yourself to feel pressured to do something that makes you uncomfortable. It is ok to hang up, look up a valid phone number for the organization in question, and call that number back once you have more information.

  • Multi-factor authentication is your friend – One of the most important things you can do to protect your identity and the applications and services you use on your smartphone and/or via the web is to set up multi-factor authentication (MFA) for all associated accounts. From Amazon to PayPal to your local bank, nearly all major websites and services support multiple MFA options for authentication. Most can leverage a token or randomly generated code from your smartphone as the second factor of authentication. This will prevent access to your accounts by the cyber bad guys even if they get access to your username and password.

  • Use unique passwords for all websites and services – It is very important to NOT reuse the same password for multiple websites, services, and applications. Most usernames are tied to a person’s email address, so if a cybercriminal gets a password for one site or application, it is not hard to use that same email address and password to access that same user’s other services and websites. In order to make the use of unique passwords for all websites and applications easier to manage, I highly recommend pairing this strategy with a reliable, encrypted and secure password manager. This tool will allow you to store and easily recall all your unique accounts in a safe and secure manner. 1Password, LastPass, and KeePass are good options to consider.

  • Secure your mobile devices with passcodes / passwords – Modern smartphones and tablets have made local device authentication very easy, so there is no good reason not to protect your devices with a passcode or password. This level of protection better secures your device in the event it is lost or stolen or if it is accessed in some way remotely and the screen is locked. This can be as simple as a 6-digit code or as complicated as a long alphanumeric passphrase. Fortunately, most current smartphones and tablets can frontend this code with facial recognition authentication like FaceID or biometric authentication like a fingerprint reader.

In talking through all of the factors and mitigation strategies associated with this particular type of social engineering attack, the most important piece of advice I can share is this – “learn to control your fear”. Bad guys prey on fear. They manufacture fearful situations. If you can remain calm, take a deep breath, ask a few relevant questions, and do a little research, you should be able to safely navigate these types of threats without any harm.

Stay Safe!

Disaster Recovery Testing is Much More Than Technical Controls

This article from the team at Dark Reading is an excellent overview of the challenges and approaches to DR testing as well as a great reminder of the value and influence of the human factor. All successful disaster recovery planning starts with people – it’s all about teamwork, collaboration, and communication during an event.

Enjoy the read!

Log4j / Log4Shell – Week 2 Update

We are well into the second week of reaction and remediation associated with the Apache Log4j vulnerability, so I wanted to pause and take a moment to recap what we know, what we should be doing now, and what we should be considering moving forward. Let us start with what we know.

The Log4j flaw, known as Log4Shell, is a remote code execution (RCE) vulnerability that can force the download of a malicious payload on vulnerable web servers and computers depending on the presence and/or configuration of certain server components. Specifically, exploitation of the vulnerability requires a single HTTP request containing malicious input from anywhere in the world, to an internet-facing server that is running a vulnerable instance of Log4j, or the same HTTP request sent to a vulnerable computer within a compromised local network. The result is a full system compromise, and the exploit requires no authentication. It is important to stress that the Log4j vulnerability is not limited to Internet-facing web servers only. If a bad actor gains access to a local network, the same HTTP requests can be sent internally to IP-enabled devices on that network to compromise vulnerable systems. This is a very serious potential attack vector, and all of us should be working diligently to ensure all our devices and those of our friends, family, and clients are safe and properly protected.

So what should we be doing now? First and foremost, we should all be scanning our computers, servers, and other IP-enabled devices to look for vulnerable versions of Log4j. At this point, there are numerous scanning tools available from security experts, RMM vendors, and other platforms from which to choose. Please remember that these scanning tools take different approaches to identifying potentially vulnerable systems and devices. Some look for the presence of Log4j associated jar files. Others look for log entries on the device indicating the presence of malicious inbound activity. And then others actually send crafted HTTP requests looking for vulnerable system responses. Given these different detection methods, make sure to understand your scan results and take the time to verify the findings before you start pulling systems, servers, and devices offline.

Once you verify the presence of a vulnerable Log4j component, the next step involves determining why the component is present on that system or device and then reaching out to the application or device vendor to find updates, patches, and/or mitigation instructions. Log4j is ubiquitous in applications, servers, and IP-enabled appliances, and application vendors and IoT vendors have embedded it and leveraged it in hundreds of different ways, so vendor support may be a necessity to ensure you properly remediate the problem.

Once you have remediated the Log4j vulnerability on all your IP-enabled systems and devices, what do you do next? It is at this point that we all need to stop, document what we have done, take stock of what worked and what did not, and then be prepared to do it all over again in the future. The Log4j vulnerability is not going away. Scanning for this particular vulnerability needs to become part of your overall vulnerability management program. You will inevitably purchase new applications, devices, and systems and you need to ensure Log4j, if used, is properly updated (version 2.16 or later at this point in the component evolution). Also, as you work with your application vendors moving forward, some may try to convince you that the risk of Log4j only applies to web-exposed servers and devices. This statement is simply not true. Push back against these statements. Push back hard.
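The jar-file approach to scanning described above, as an added example that is not part of the original article or any vendor's scanner: it walks a directory, opens JAR/WAR/EAR archives including ones nested inside others, and flags log4j-core copies below the 2.16 threshold given above. The function names and the sample archives are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names found inside genuine log4j-core 2.x jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
MIN_FIXED = (2, 16)  # "version 2.16 or later", the threshold the article states

def parse_version(text):
    """Return (major, minor) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)", text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def inspect_archive(data, label, findings, depth=0):
    """Check one archive (bytes) for log4j-core, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI_CLASS in names:
            version = None
            if POM in names:
                version = parse_version(zf.read(POM).decode("utf-8", "replace"))
            findings.append({
                "location": label,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                # Unknown or pre-2.16 copies go to a human for verification.
                "needs_review": version is None or version < MIN_FIXED,
            })
        if depth < 5:  # bound recursion into fat jars / WARs
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Scan every archive under root and return a list of findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def make_jar(entries):
    """Build a constructed archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_demo_tree(root):
    """Constructed sample data: an old copy nested in a WAR, plus an updated jar."""
    old = make_jar({POM: b"version=2.14.1\n", JNDI_CLASS: b"stub"})
    new = make_jar({POM: b"version=2.17.0\n", JNDI_CLASS: b"stub"})
    war = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "index.html": b"demo"})
    Path(root, "app.war").write_bytes(war)
    Path(root, "log4j-core-2.17.0.jar").write_bytes(new)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for finding in scan_tree(tmp):
            print(finding)
```

The nested copy inside `app.war` is the case a filename-only search misses, which is one reason different scanners report different results for the same host.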

Nothing I have said about vulnerability management in this article is new, and nothing is particularly unique to Log4j. Scan your networks regularly (at least quarterly – more frequently if possible) and review those scan reports. Remediate your findings. If a finding cannot be remediated, budget for a replacement application or device. Keep your applications, components, and operating systems up to date. Cybercriminals are not going away. They don’t take vacations, and they don’t care how many other projects you are working on that prevented you from vulnerability remediation this month or this quarter. The threats are real and we all have to keep playing great defense. Good Luck!

The following is a great webpage from U.S. CERT on Log4j and associated resources:

Cybersecurity Awareness Month – Don’t Tip Off the Phishing Test!

October is Cybersecurity Awareness Month and as such I am going to make an effort to post as many awareness and training tips and tricks as I can throughout the month. This great article from the team over at Tripwire provides some sound advice – let the phishing test run its course! Enjoy the read and share what you learn. We are all in this cybersecurity battle together!

No, It does not appear Facebook was hacked yesterday

Given the timing of the outage for many of Facebook’s platforms yesterday – in the middle of the media storm surrounding a whistleblower from within the company sharing details of the social media giant’s potentially selfish decision making processes – lots of people were questioning whether this was a malicious attack against the company’s infrastructure. Alas, it was not, at least according to the engineering team at Facebook.

According to an Infrastructure VP at Facebook, this outage stemmed from human error associated with a misconfigured BGP routing update. To be honest, this makes more sense versus a successful targeted external attack. Now, if you really wanted to go full on conspiracy theory, one could question whether the human error was intentional or unintentional, aka a distraction from the press coverage of the whistleblower. But that is not within my purview.

Enjoy this read on the outage –