Welcome to Cyber Security Today. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will join me to discuss some of the news of the past seven days. But first a quick look at the headlines:
Another dangerous Android app has been found in the Google Play store. Called 2FA Authenticator, it pretends to be an app you can use for two-factor authentication. But according to researchers at Pradeo, it installs malware. It was only in the Play store for 15 days. But during that time it was downloaded 10,000 times. If you downloaded this app, delete it fast. Security experts regularly warn people to be careful and check independent reviews and friends before downloading mobile apps. Just because it’s in the Google or Apple app stores doesn’t mean it’s safe.
Administrators with hardware and software from some of the world’s biggest IT firms including Microsoft, Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Intel, AMD and Bull Atos are being warned to watch for and install the latest security patches or mitigations. This comes after the discovery of 23 high-impact vulnerabilities in firmware from IT manufacturers that used a software development kit from a company called Insyde.
KP Snacks, a major producer of popular British munchies has been hit by the Conti ransomware group. According to Bleeping Computer, it’s affecting distribution to leading supermarkets. A source says employee records and financial documents are among the encrypted files.
Speaking of ransomware, most people think it hits only the IT side of a company, going after corporate and personal information. But a study done for a cybersecurity company called Claroty shows the operational side of industrial firms also get hit. IT staff in critical infrastructure companies were surveyed. Eighty per cent said their firms experienced a ransomware attack. Of those, 47 per cent said the attack impacted their industrial control systems.
(This transcript has been edited for space and clarity. To hear the full conversation play the podcast)
Howard: Last week’s show focused on Data Privacy Day, so I didn’t get a chance to talk about the closing of a dark web marketplace called the Canadian HeadQuarters that specialized in the buying and selling of things Canadian – like logos of Canadian banks crooks could use in phishing emails, stolen Canadian credit cards and IDs. What did you think when you heard this news?
Terry: I think it’s another win for law enforcement. But it’s far from over. Think of this as a hydra snake: You cut one head off, another one grows back. Ten years ago when we had the Silk Road (dark market) it was taken down and then members just went and flocked over to the Alphabet market. This dark web is not going away anytime soon. There’s so much demand for this that when one of these marketplaces disappeared it’s gonna be soon replaced by others.
These guys [CanadianHQ] were selling things like drugs and specializing in other materials. What was also interesting is that they also were selling access to empty bank accounts in Canadian financial institutions. That way fraudsters can use these accounts for money laundering capabilities.
One of the questions I often get asked is how do guys [running a dark web marketplace] even get caught? They’re using a Tor network, which which is supposed to be untraceable. They’re using VPNs. Sometimes its human error. For example, let’s say like you’re trying to advertise that you have your own [criminal] marketplace, you have to advertise that on places like Google and Bing on the normal web. When that happens you could be tracked easier. Another thing that could happen is law enforcement teams up with [white hat] hackers. If there’s an exploit that’s available in the browsers they’ll start attacking users [of the dark web site]. Whoever gets exploited, it’ll reveal where their possible locations are and their IP address.
We did something similar a couple of years ago with a free Linux distro. It allows you to deploy a honey pot that bites back hackers. We built a fake Cisco control panel on our site and when these folks came in and crawled our pages they found this ‘top-secret’ control panel, and when it prompted them saying, ‘You’re accessing a restricted system. We have the right to scan your computer to see if there’s any antivirus and make sure your patching is up to date. Do you consent.?’ Obviously hackers want access to this control panel. So when they click ‘yes’ it launched a Javascript to his machine, did a site survey and had their laptop show me the WiFi the in area … We triangulated him within five meters of his computer.
The bottom line. It’s going to take international collaboration with law enforcement to bring these groups down. How long do you think it’ll take before other criminal marketplaces go for the Canadian market or that a new Canadian-focused dark web marketplace will appear?
Terry: I don’t think it’s going to be very long. We’ve seen with other marketplaces in the past it’s months later. There’s always there’s so much demand [among criminals] for these types of things, including like access to networks and exploits that have proven access into a corporation.
Howard: The interesting thing is that we’ve seen in other cases when dark marketplaces are shut there have been criminal arrests, there’s been seizures of servers. Not in this case, though. And the closing was done by the [CanadianHQ] site’s administrator after Canada’s telecom regulator, the CRTC, began an investigation under the country’s anti-spam law. So this wasn’t a criminal investigation. And that speaks to how hard it is to do a criminal prosecution in some countries when the servers are in a foreign country and you can’t quite catch the administrator with his hands on the keyboard.
Terry: And that’s where the CASL (Canadian Anti-spam Legislation) law comes. If there’s enough probable cause they can launch an investigation and seize the machines that it has access to. What’s great about that is once they have access to these computers they might actually find the links to all of the other sellers and buyers. That will allow them to unmask where the other groups are. That’s why I think [the admin] closed the CanadianHQ down. Once you’ve been tagged by law enforcement or intelligence agencies, you’re going to be monitored going forward. They’re going to see how your IP address or your activities tie in with other groups.
Howard: When I heard about this closing I was reminded of how in the United States the police caught Ross Ulbricht, who was the operator of the original Silk Road dark marketplace. Police had been tracking him and they realized that he sometimes worked remotely outside of his house. He would go to a public library. So they set a trap for him. He was in a library, they knew he was online running the dark website and they managed to catch him when he wasn’t paying attention. He didn’t have time to shut his laptop and therefore erase any links that he had open. And they literally caught him red-handed. He was sentenced to a long prison term.
…
Howard: Let’s move on to another story: A security researcher found a windows vulnerability that could allow anyone to gain administrative privileges in Windows 10. What can you tell us about this bug.
Terry: Anybody can launch an application that typically doesn’t have administrative access on the machine to actually now become an administrator. So for example, they did a demonstration with Notepad. They’re able to launch Notepad as a system administrator, and then can start executing other commands with it or start opening documents that it typically wouldn’t have access to.
Howard: And I understand that there’s already exploits for this vulnerability that threat actors can take advantage of.
Terry Cutler: Yes. Because once they [hackers] have system-level access on your machine they open up back channels so they can get into the machine as much as they want. One thing they might do is create new users with administrative privileges. Or launch some backdoors that allows them in and out whenever they want. If you’re a system-level user you can pretty much do anything you want.
Howard: Well, one good thing is is that this vulnerability was patched in Microsoft’s January 11th security updates. So that means by now companies and individuals who work from home have no excuse for not having it installed.
Terry: Here’s the catch: There were a lot of reports of significant problems once people or companies installed some of the patches. So when IT administrators see these types of problems they don’t want to deal with them because their phones are gonna be lit up by all these users who can’t work. So a lot of IT administrators skipped this update. So during this time the machines remained unprotected and vulnerable.
Howard: One other angle on this story is it’s also been reported that this bug was found two years ago by an Israeli researcher, but he didn’t disclose it to Microsoft because he didn’t think Microsoft was paying enough for bug bounties.
Terry: In the end, it’s a business right? So if Microsoft usually pays 10, 20 K, maybe he felt that you know because it’s such a core function he wanted $200,000 and Microsoft wouldn’t give it to him.
Howard: That’s rather selfish.
Terry: He’s not the only one. There’s been a bunch of researchers that have been complaining about this. Their goal is to make make it easier for the bug bounty program to be accessible and pay more.
Howard: Finally, we should talk about another wave of ransomware attacks on firms and individuals that use the QNAP network-attached storage devices. Last year there was a big wave of ransomware attacks against them. Apparently last month there was another wave. One of the problems is these are storage devices that are left open to the internet and the Qlocker ransomware gang has been targeting them for some time. But the point is if you’ve got a storage device it shouldn’t be open to the internet.
Terry: You would think so. Our phones have been lighting up in the last month or so with this type of attack, and unfortunately once they got access to NAS there’s not much you can do. In fact, some folks even had their NAS re-initialized and completely wiped out. Again, it’s targeting internet-facing NAS. This is where there’s a disconnect between cybersecurity specialists and IT specialists. The IT guys didn’t know they shouldn’t do this [have a NAS open to the internet. They told their management team it’s gonna be good, it’s gonna be very convenient, you’ll be able to back up your computers from home, you can access the files from the office whenever you want — but if it’s misconfigured. you’re gonna get hit. This thing started last year. We’re seeing a lot of credential stuffing attacks where passwords being reused [by employees] help access the NAS. The bottom line is just get a vulnerability assessment on your infrastructure to see what’s visible.
Qnap also came out with a bunch of recommendations to help protect your NAS and make sure it’s configured properly. One of the things they suggest is to remove any unknown or suspicious accounts. Also, remove any unknown and suspicious applications. Disable your autorouter configuration and set up device access controls in the MyQNAP cloud app. Disable port forwarding on the router. This is important because sometimes if you have any camera systems turned on in the network that can be accessed through the QNAP device, they can be turned off.
Change the system port number. So instead of using the default ports, change that. Change the default passwords to all the accounts. This is an important one. When we do our penetration tests we look for default passwords people think oh yeah I changed the web application password to the system. So we’re safe. But they forgot to change the telnet and SSH passwords (which were also admin|admin). Make sure your QNAPs are up to date, run your snapshots regularly to back up your QNAPs. And, of course, you want to subscribe to their advisory newsletter that comes down all the time.