Category Archives: Best Practices

New Attack Exploits Microsoft Software Signing Verification

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, attackers are abusing a long-known weakness in Microsoft’s digital signature verification process that allows them to append malware to a signed file while leaving the signature intact.

According to security firm Check Point, which detected this malware, here is how it works. The problem is, however, much bigger than this one campaign. The same technique can be used to modify any already-signed Windows executable or DLL while leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote monitoring and maintenance product (like Kaseya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the attacker played a short clip of adult content and then told the victim that they needed to install a Java update, which was really malware.

Once the Atera software is on the victim’s computer, the attacker tells Atera to download and run two batch files. One changes Windows Defender’s preferences to exclude certain folders and file types from scanning, and the other installs the malware.

Next the attacker runs mshta.exe with a particular signed DLL as the parameter. The catch is that malicious script had been appended to the DLL inside its Authenticode signature block, the one part of the file that the signature’s hash does not cover. Because of that oversight in Microsoft’s verification, adding the script does not invalidate the signature, and mshta finds and runs the script anyway.

Microsoft FIXED this bug in 2013 (CVE-2013-3900), that’s right, 9 years ago, but in 2014 they backed off making the stricter check the default after discovering that it broke some customers’ signed software. Microsoft, in its perpetual effort to be customer friendly, chose to leave its customers’ security compromised rather than tell those customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way they disabled it was to make the stricter verification opt-in rather than mandatory: the update that carries the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) installs the code, but nothing is enforced until an administrator adds a registry value. As a result most systems are not enforcing it.

The fix is to install the update and then turn the check on by creating the EnableCertPaddingCheck value (set to 1) under HKLM\Software\Microsoft\Cryptography\Wintrust\Config, and under the matching Wow6432Node path on 64-bit Windows, as described in Microsoft Security Advisory 2915720 | Microsoft Docs. Understand that it might break software whose signature block carries extra, non-standard data, so test it on a few machines before rolling it out.
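As an added example (not code from Check Point, Microsoft or the original post), here is a standalone Python check for the condition this attack relies on: bytes in a PE file’s attribute certificate table that sit outside the PKCS#7 signature structure. The header offsets are from the PE/COFF specification; the “up to 7 zero bytes of padding is normal” rule is my own heuristic, not Microsoft’s exact padding check, and the sample images are constructed inside the script rather than taken from any real signed binary.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot of the attribute certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds PKCS#7 SignedData (Authenticode)

# Stand-in for a PKCS#7 blob: one DER SEQUENCE with 256 bytes of content (constructed, not a real signature).
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xAA" * 0x100


def der_total_length(buf, offset=0):
    """Size (tag + length field + content) of the DER SEQUENCE at offset.
    PKCS#7 SignedData is a single outer SEQUENCE, so this is where the signature really ends."""
    if buf[offset] != 0x30:
        raise ValueError("expected a DER SEQUENCE, got tag 0x%02x" % buf[offset])
    first = buf[offset + 1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")


def security_directory(data):
    """(file offset, size) of the attribute certificate table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt_off = e_lfanew + 4 + 20           # skip the PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                    # PE32: data directories start 96 bytes in
        dd_off = opt_off + 96
    elif magic == 0x20B:                  # PE32+: data directories start 112 bytes in
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Unlike every other directory, the security entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def check_authenticode_padding(data):
    """Report bytes inside the certificate table that lie outside the PKCS#7 structure.
    The Authenticode hash skips the whole table, so anything appended here survives
    signature verification unless Windows' opt-in stricter check is enabled.
    Heuristic (mine, not Microsoft's exact rule): up to 7 zero bytes of 8-byte
    alignment padding are normal; any other trailing bytes are reported."""
    off, size = security_directory(data)
    if off == 0 or size == 0:
        return {"signed": False, "suspicious": False, "extra_bytes": 0}
    end, suspicious, extra_total = off + size, False, 0
    while off + 8 <= end:
        dw_length, _rev, cert_type = struct.unpack_from("<IHH", data, off)
        if dw_length < 8 or off + dw_length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        body = data[off + 8:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            trailing = body[der_total_length(body):]
            extra = trailing.rstrip(b"\0")
            if extra or len(trailing) > 7:
                suspicious = True
                extra_total += len(extra)
        off += (dw_length + 7) & ~7       # entries are 8-byte aligned
    return {"signed": True, "suspicious": suspicious, "extra_bytes": extra_total}


def build_sample_pe(cert_der=None, appended=b""):
    """Construct a minimal PE32+ image (headers only, not runnable) with a certificate
    table: cert_der stands in for the PKCS#7 blob, `appended` is what an attacker
    tacks on after it. Test input only, not a real signed binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)   # x64, 240-byte optional header
    cert_off = (e_lfanew + 4 + 20 + 240 + 7) & ~7
    table = b""
    if cert_der is not None:
        body = cert_der + appended
        pad = (-(8 + len(body))) % 8
        table = struct.pack("<IHH", 8 + len(body) + pad, 0x0200,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + b"\0" * pad
    dirs = [(0, 0)] * 16
    if table:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(table))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    image = dos + b"PE\0\0" + coff + opt
    return image + b"\0" * (cert_off - len(image)) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python authenticode_padding.py some.dll
        with open(sys.argv[1], "rb") as fh:
            print(check_authenticode_padding(fh.read()))
    else:
        print("clean:   ", check_authenticode_padding(build_sample_pe(FAKE_PKCS7)))
        print("tampered:", check_authenticode_padding(
            build_sample_pe(FAKE_PKCS7, b"<script>alert(1)</script>")))
```

Run it against a real DLL with the path as the only argument. A “suspicious” result means the file carries data that Windows’ default verification does not hash; it is not a signature verifier, so a clean result still says nothing about whether the certificate chain is trusted. With EnableCertPaddingCheck turned on, Windows itself rejects such files.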

Credit: MSN and Dark Reading

Supply Chain Attacks Are Rampant

Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.

Here is the situation. Many web sites have embedded videos on them. In this case, most of the sites affected were real estate web sites and they often have virtual tour videos on the web page. In order to play a video, you need a video player. There are many video players that you can choose from, but what almost no one does is write their own video player.

Palo Alto Networks found over a hundred web sites, many or most of them (depending on which story you read) belonging to the real estate firm Sotheby’s, serving the malicious player.

What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to the site, the video player code was downloaded to the visitor’s browser and ran there. In this case, the malware was a data skimmer, which steals information that the user types into forms on the website. It could be name and address information or it could be credit card information. The information can be used for social engineering or financial crimes.

The malware is polymorphic, meaning that no two copies of it are the same, so blocking by hash or signature does not work. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.

Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a third-party host with lax security serving code that other sites link to. The attacker modifies the code at its source and waits: every site that already embeds it loads the modified copy, and new developers keep adopting it.

This is not at all limited to video players, even though there are thousands of them. Any bit of shared code that is hosted in the cloud and linked to by developers is a valid target.
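One control a site owner has against this class of attack is Subresource Integrity: pin the hash of each third-party script so that a changed copy, polymorphic or not, is refused by the browser. The Python below is an added example, not code from Palo Alto Networks or the original post. It audits a page for third-party scripts loaded without an integrity attribute and computes or checks the hash value. The page URL, host names and script bodies are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect every <script src=...> served from a host other than the page's own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).netloc.lower()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src")
        if not src:
            return                                   # inline script, not a remote dependency
        host = urlparse(src).netloc.lower()          # '' for relative URLs; handles //host/... too
        if host and host != self.page_host:
            self.scripts.append({"src": src,
                                 "integrity": a.get("integrity") or "",
                                 "crossorigin": a.get("crossorigin")})


def audit_scripts(html, page_url):
    """All third-party scripts on the page, with whatever integrity/crossorigin they carry."""
    auditor = ScriptAuditor(page_url)
    auditor.feed(html)
    return auditor.scripts


def unpinned_third_party_scripts(html, page_url):
    """Third-party script URLs the browser will run without any SRI hash check."""
    return [s["src"] for s in audit_scripts(html, page_url) if not s["integrity"]]


def sri_hash(body, algo="sha384"):
    """The value to put in integrity="..." for a known-good copy of a script."""
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(body, integrity):
    """Does a fetched script body satisfy an integrity attribute? (Any listed token may match.)"""
    for token in integrity.split():
        algo, _, _expected = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


# Constructed page (not from any real site): one same-origin script, one third-party
# player fetched from a floating "latest" URL with no pin, and one pinned to a version.
PINNED_BODY = b"window.Player = function (el) { /* constructed stand-in for a player */ };"
SAMPLE_PAGE_URL = "https://listings.example.com/tour/123"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/player/latest/player.js"></script>
<script src="https://cdn.example.net/player/3.4.1/player.js"
        integrity="%s" crossorigin="anonymous"></script>
</head><body></body></html>
""" % sri_hash(PINNED_BODY)
```

SRI only works when you load a fixed version and pin its hash; a “latest” URL like the unpinned one above cannot be pinned, and that is exactly the arrangement where a compromised upstream file flows straight into every site that links to it. Cross-origin scripts also need `crossorigin="anonymous"` and CORS headers from the host, and if the player script fetches further scripts itself, those are outside the pin and need a Content Security Policy of their own.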

This means that you need to have a robust software supply chain risk management program in place, unless you want to be like these firms, dealing with a shattered reputation.

If you need help with this, please contact us.

Credit: Threatpost and Bleeping Computer

Security News for the Week Ending December 31, 2021

W. Va. Hospital Breach Timeline – Way Too Long

The Monongalia Health System was attacked recently. Hackers had access to several email accounts, apparently belonging to contractors, from May 10 to August 15, or about three months. It took them another 60 days to investigate. They are only now telling us about the breach, more than 7 months after it started. They only figured out that they were hacked because a vendor said that they had not been paid (a standard business email compromise attack). They will, no doubt, get whacked by the feds, but this is a lesson to everyone that your vendors are your risk too. Credit: ZDNet

Java Code Repo Riddled with Hidden Log4j Bugs

Remember that you should assume that any code that you download from the net is full of bugs and security holes. If you assume that and you are lucky, that is good; if you assume the reverse and you are not lucky, well, not so good. Threatpost is reporting that there are 17,000 unpatched Log4j packages in the Maven Central ecosystem, many of them pulling Log4j in indirectly, as a dependency of a dependency, where nobody is looking. Many of those will never be patched. CAVEAT EMPTOR
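Finding the hidden copies is mostly a matter of walking the resolved dependency tree rather than reading your own pom.xml. The following Python is an added example, not from Threatpost or the original post: it parses `mvn dependency:tree` output, reports every log4j-core (and Log4j 1.x) occurrence together with the chain that pulls it in, and compares the version with the Apache fixed releases of late December 2021 (2.17.1, with 2.12.4 and 2.3.2 for the older Java branches). The tree text is constructed for the example.

```python
import re

# Fixed releases as of late December 2021 (2.17.1 / 2.12.4 / 2.3.2 closed CVE-2021-44832).
LOG4J_FIXED = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
LOG4J_FIXED_DEFAULT = (2, 17, 1)
# "[INFO] " + tree glyphs ('+- ', '|  ', '\- ', '   ') + groupId:artifactId:type[:classifier]:version[:scope]
TREE_LINE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S+:\S+)$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' contribute their digits."""
    return tuple(int(x) for x in re.findall(r"\d+", text)) or (0,)


def log4j_status(group, artifact, version):
    """None for artifacts that do not matter, else 'ok', 'vulnerable' or 'eol-1.x'."""
    if group == "log4j" and artifact == "log4j":
        return "eol-1.x"                            # 1.x is end of life and will never be patched
    if group != "org.apache.logging.log4j" or artifact != "log4j-core":
        return None                                 # log4j-api alone does not do JNDI lookups
    v = parse_version(version)
    return "ok" if v >= LOG4J_FIXED.get(v[:2], LOG4J_FIXED_DEFAULT) else "vulnerable"


def find_log4j(tree_text):
    """Walk `mvn dependency:tree` output; return each Log4j hit with the path that pulls it in.
    Lines Maven annotates as omitted (conflicts, duplicates) carry a trailing comment,
    do not match TREE_LINE and are skipped: they are not on the resolved classpath."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3                # every tree glyph is 3 characters wide
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[4] if len(parts) == 6 else parts[3]
        del stack[depth:]                           # back up to this node's parent
        stack.append("%s:%s:%s" % (group, artifact, version))
        status = log4j_status(group, artifact, version)
        if status:
            hits.append({"artifact": artifact, "version": version,
                         "status": status, "path": " -> ".join(stack)})
    return hits


# Constructed `mvn dependency:tree` output (not from a real build): log4j-core is not a
# direct dependency; it rides in under a vendor SDK.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:video-sdk:jar:3.2.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

if __name__ == "__main__":
    for hit in find_log4j(SAMPLE_TREE):
        print("%(status)-10s %(artifact)s %(version)s  via  %(path)s" % hit)
```

Feed it `mvn dependency:tree > tree.txt` from each module. It will not see Log4j that is shaded into a fat jar or copied into a lib directory by hand; for those, listing the archive and looking for `org/apache/logging/log4j/core/lookup/JndiLookup.class` is the complementary check.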

Fallout from Kronos Ransomware Attack – Some Employees Not Receiving Full Pay

Kronos, the international HR and workforce management software firm, suffered a ransomware attack several weeks ago. Some employees at appliance maker Electrolux are saying that they are still not receiving their full wages or, in some cases, not getting paid at all. In most states the law is pretty specific about paying employees on time, so if you don’t want to be on the wrong end of an investigation, create a disaster recovery plan that covers your payroll vendor being down. Credit: Cyber News

North Korean Hackers Stole $1.7 Billion as an Investment

North Korea considers cryptocurrency a long term investment. As a result, when they steal billions in crypto, instead of selling it, they save it. Maybe that is not a bad strategy. Bitcoin, for example, was worth $313 in 2015, $997 in 2017, $3,869 in 2019 and $46,847 right now. So if you stole 1 coin in 2015, your “investment” returned 150x today; that is, your $313 crime is worth $46,847. Maybe the North Koreans are onto something. Credit: Dailycoin

Oops, The Dog Ate 77 TB of Our Backups

Well, not exactly, but something ate the backups. Kyoto University in Japan lost 77 terabytes of data when a backup process went wild on its Hewlett Packard Enterprise (HPE) supercomputer. The event happened in mid-December, when 34 million files were wiped from the system and from the backups. The University determined that some of the data cannot be restored. The University has not said how this happened or what the impact of the failed backup process is. Credit: Bleeping Computer

Is Your Data Walking Out With Your Ex-Employees?

As Americans are quitting their jobs in record numbers this year, is your data going with them?

The exodus is being called the great resignation. We (the U.S.) set new monthly records for the number of workers leaving their jobs three times this year. In September, over 4 million workers quit their jobs.

If you have intellectual property, customer data and partner information, it is likely going out with those exiting employees.

A study by Tessian says that 45 percent of ex-employees ADMIT to downloading, saving or sending work data out of the network before leaving their job. That only represents those who admit to doing it.

Why are they doing this?

Possibly they feel like they own intellectual property that they created.

They may think it will help them in their new job or new start-up company.

Maybe they are disgruntled and want to do harm.

In the worst case, they may be cybercriminals-for-hire who infiltrate organizations with the intention of stealing data.

Maybe your strategy up till now was to hope that nothing important was lost or stolen. Probably not the best strategy.

Waiting until after the employee leaves to examine their computer is also not a great strategy.

Before you start looking for insider activity, figure out what you want to do and what you need to communicate to employees.

If you want to be successful, you need to start weeks before the employee leaves.

In fact, many companies have an ongoing data loss prevention program. That is probably the optimal way to handle this because the smart employee will steal whatever he or she plans to take long before he or she tells you they are quitting.

There are tools that will tell you about data in email, data sent to personal cloud servers (like Dropbox) and different tools that can detect files copied to USB drives.
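As an added example of the kind of detection logic such tools run, not code from Tessian, Help Net Security or the original post, the Python below sums outbound uploads to personal file-sharing services per user per day from proxy logs and flags days that are both large in absolute terms and far above that user’s own usual volume. The log lines, the watchlist of domains and the thresholds are all constructed assumptions for the example.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Assumed watchlist of personal file-sharing services; extend it to match your environment.
PERSONAL_CLOUD = ("dropbox.com", "dropboxapi.com", "drive.google.com", "wetransfer.com", "mega.nz")

# Constructed proxy log, not real data. Columns: timestamp,user,method,host,bytes_out
SAMPLE_LOG = """\
timestamp,user,method,host,bytes_out
2021-12-01T09:12:44,alice,POST,www.dropbox.com,4200000
2021-12-01T10:05:01,alice,POST,crm.example.com,1500000
2021-12-02T11:30:12,alice,POST,www.dropbox.com,3900000
2021-12-03T14:02:55,alice,POST,drive.google.com,5100000
2021-12-06T19:47:03,alice,POST,content.dropboxapi.com,1800000000
2021-12-06T20:31:18,alice,POST,content.dropboxapi.com,600000000
2021-12-01T09:00:00,bob,POST,www.dropbox.com,2000000
2021-12-02T09:00:00,bob,POST,www.dropbox.com,2500000
2021-12-06T09:00:00,bob,GET,www.dropbox.com,900
"""


def is_personal_cloud(host, watchlist=PERSONAL_CLOUD):
    """Suffix match so that api/content subdomains count, but look-alike domains do not."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)


def daily_cloud_uploads(log_text):
    """Bytes uploaded per (user, day) to watchlisted services; corporate hosts and downloads are ignored."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["method"] != "POST" or not is_personal_cloud(row["host"]):
            continue
        totals[(row["user"], row["timestamp"][:10])] += int(row["bytes_out"])
    return totals


def find_upload_spikes(log_text, abs_threshold=200_000_000, ratio=10.0):
    """Flag user-days that are large in absolute terms AND far above that user's own median day.
    The per-user baseline keeps a habitual light Dropbox user from paging the SOC every
    morning, while a one-off multi-gigabyte push (the pre-resignation pattern) stands out."""
    by_user = defaultdict(dict)
    for (user, day), nbytes in daily_cloud_uploads(log_text).items():
        by_user[user][day] = nbytes
    hits = []
    for user, days in by_user.items():
        for day, nbytes in sorted(days.items()):
            others = [b for d, b in days.items() if d != day]
            baseline = int(median(others)) if others else None   # None: nothing to compare against
            if nbytes >= abs_threshold and (baseline is None or nbytes >= ratio * baseline):
                hits.append({"user": user, "date": day, "bytes": nbytes, "baseline": baseline})
    return hits


if __name__ == "__main__":
    for hit in find_upload_spikes(SAMPLE_LOG):
        print("%(user)s on %(date)s uploaded %(bytes)d bytes (usual day: %(baseline)s)" % hit)
```

In the sample, alice’s 2.4 GB push on December 6 is flagged against her usual 4 MB days while bob’s routine use is not. Mail attachments and USB copies need their own data sources, but the same shape applies: a per-person baseline built over weeks, because the employee who intends to take data does it well before giving notice, and a written policy communicated to staff before you start looking.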

Assuming that you see that an employee is stealing data, what is your plan?

Some employees may not know that taking company data violates their employment agreement and, depending on the data and the jurisdiction, may be a crime.

In the worst case scenario, a lawsuit may be required.

The first thing to do is to scope out the issues and decide what you want to try and do.

For more information, see this Help Net Security article.

Why the Internet Does Not Replace Common Sense

Some people say that common sense isn’t so common anymore. Sometimes the Internet doesn’t seem to have much common sense, so those people might be right.

Hopefully most adults can distinguish between smart things to do and not so smart things to do, but not always.

Right after Apple and Google split over Google Maps and Apple tried to create its own version, the maps told people to do things that they shouldn’t, and the term “death by GPS” was coined. It is a thing and it really happened. More than once.

But kids do not have the experience, sometimes, to figure out the difference between smart and not so smart.

Enter Amazon.

According to Kristin Livdahl, a writer and the mother of a 10-year-old, her daughter asked Alexa, the digital assistant on Amazon’s Echo devices, for a challenge to do. Kristin and her daughter had been doing physical challenges to warm up and the 10-year-old asked Alexa for more.

Here is what Alexa suggested:

“The challenge is simple: plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs,” Alexa said and set the timer for 20 minutes to complete the challenge.

Besides the possibility of setting the house on fire or electrocuting herself, it seems like an okay challenge – not.

Apparently Alexa pulled it from an old challenge that was circulating on TikTok a while back.

Amazon told the BBC that they are fixing the problem. Good plan.

This just points out the fact that you should not trust everything you read or hear. Hopefully most adults already understand this, but given the number of adults that fall for a whole variety of scams, I am not so sure about that. More importantly, you need to train your kids not to either. Kids don’t have the experience you do and kids are subject to peer pressure, among other things. Just think about what might have happened to this 10-year-old if things had gone a little differently. Luckily, they did not. That doesn’t mean that next time won’t be different. Credit: Cyber News

Senator to Introduce ‘Comprehensive’ Crypto Legislation

Senator Lummis from Wyoming plans to introduce legislation in early 2022 to attempt to rein in some of the wild west of the cryptocurrency world. Stay tuned.

Rumor is that it will add investor protections, rein in stablecoins and create a self-regulatory body under the SEC and the CFTC. That might be a tall order since a lot of crypto is peer to peer. Still, if we at least have some clarity over who gets to be the regulator, that would be good.

An aide to the Senator said that the proposal would fully integrate digital assets into the US financial system. If Congress can actually pull that off, then cryptocurrency could operate under similar rules to banks.

Still, what is different here is that cryptocurrency can be fully decentralized with no middleman to regulate. Do they plan to regulate software somehow? Software that, potentially, is not even made in the US? That sounds like a tall order.

What they might have, rather than something comprehensive, as the senator is calling it, is a start on working on the problem.

Most consumers do go through crypto exchanges and at least those in the US would be relatively simple to regulate.

It could also, possibly, cut down on crypto scams. It is possible.

As an example of how hard this is, many are suggesting that even the tax reporting requirements already in the just-passed Infrastructure Investment and Jobs Act cannot be met. Imagine what happens if you take an entire industry that has never been regulated and try to regulate it. What could go wrong?

A group of Senators already wrote a letter to Secretary Yellen saying that the current (new) law already tries to classify software developers as brokers, which, it seems to me, they are not. You want software developers to send 1099s to people who download their software? Really?

Other members of the current administration are concerned as well and the Senate held hearings earlier this month on stablecoins. Senator Warren said that (in her view), the peer to peer nature of DeFi – decentralized finance – is the most dangerous part of the crypto world.

Visa just announced that it will partner with 60 cryptocurrency exchanges to allow consumers to make purchases with digital currency at more than 80 million global merchant locations. I want to see how that works out.

You might remember that cryptocurrency started out as a way to get around the banking system.

Now, like with Star Trek’s Borg, crypto looks like it could be assimilated into the banking system, basically eliminating any possible benefit that the people who originally championed it might be interested in.

It sounds like the crypto players may have gotten outplayed.

Credit: Data Breach Today