A perspective on security threats and trends, from inception to impact

Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021.


Increased gap between ransomware operators

The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands.

In 2020, such families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.

Another ransomware trend is “secondary extortion,” where alongside the data encryption the attackers steal and threaten to publish sensitive or confidential information, if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.

“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels,’” said Chester Wisniewski, principal research scientist, Sophos.

“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place.

“In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’ threat report this year are likely to continue into 2021.”

Everyday threats demand serious security attention

Everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention. Such threats can seem like low level malware noise, but they are designed to secure a foothold in a target, gather essential data and share data back to a command-and-control network that will provide further instructions.

If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware.

“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analyzed, it is clear that defenders need to take these attacks seriously, because of where they might lead.

“Any infection can lead to every infection. Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski.

“They may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”

Adversaries evading detection and security measures

All ranks of adversaries will increasingly abuse legitimate tools, well known utilities and common network destinations to evade detection and security measures and thwart analysis and attribution.

The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware.

For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.

“The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ review of the threat landscape during 2020. This technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own,” said Wisniewski.

“Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place. To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway.”
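The kind of tripwire Wisniewski describes, as an added example that is not code from the Sophos report: a small hunt over constructed process-creation log lines that flags dual-use admin tools launched outside business hours, from an Office or browser parent, or on a host where remote-admin tooling is not expected. The log field layout, the tool list, the suspicious-parent list, the admin-host list and the business-hours window are all assumptions chosen for illustration.

```python
"""Flag legitimate admin tools run at the wrong time or from the wrong place.

Added example, not Sophos code. Log lines are constructed to resemble
process-creation events; the field layout, tool lists and the "business hours"
policy are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time

# Dual-use tools commonly abused for lateral movement and payload staging.
WATCHED_TOOLS = {"psexec.exe", "wmic.exe", "certutil.exe", "bitsadmin.exe",
                 "rundll32.exe", "mshta.exe", "powershell.exe"}
# Parents from which an admin-tool launch is unexpected (document/browser lineage).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
REMOTE_ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}
ADMIN_HOSTS = {"jump01"}            # hosts where interactive admin tooling is expected
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    # Constructed format: ISO-time|host|user|parent-image|image|command-line
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), host, user,
                 parent.lower(), image.lower(), cmdline)


def reasons(ev: Event) -> list[str]:
    """Return the anomalies that make this tool launch worth a hunter's look."""
    if ev.image not in WATCHED_TOOLS:
        return []
    out: list[str] = []
    t = ev.ts.time()
    if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]) or ev.ts.weekday() >= 5:
        out.append("off-hours")                       # wrong time
    if ev.parent in SUSPICIOUS_PARENTS:
        out.append(f"parent={ev.parent}")             # wrong lineage
    if ev.image in REMOTE_ADMIN_TOOLS and ev.host not in ADMIN_HOSTS:
        out.append("remote-admin tool on non-admin host")  # wrong place
    if "-encodedcommand" in ev.cmdline.lower() or " -enc " in ev.cmdline.lower():
        out.append("encoded powershell")
    return out


def hunt(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    findings = []
    for line in lines:
        ev = parse_line(line)
        why = reasons(ev)
        if why:
            findings.append((ev.host, ev.image, why))
    return findings


# Constructed sample log: one benign admin action, one document-spawned
# PowerShell at 02:40 on a Saturday, one WMIC lateral-move attempt, one noise line.
SAMPLE_LOG = [
    "2020-11-10T10:15:00|jump01|CORP\\adm_jane|cmd.exe|psexec.exe|psexec.exe \\\\fs01 -s cmd",
    "2020-11-14T02:40:00|ws-042|CORP\\bob|winword.exe|powershell.exe|powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
    "2020-11-14T03:05:00|ws-042|CORP\\bob|powershell.exe|wmic.exe|wmic.exe /node:fs01 process call create \"cmd /c whoami\"",
    "2020-11-10T11:00:00|ws-017|CORP\\alice|explorer.exe|notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for host, image, why in hunt(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(why)}")
```

The benign PsExec run on the jump host produces nothing, which is the point: the signal is not the tool but the combination of tool, time, parent and host.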

Additional trends

  • Attacks on servers: adversaries have targeted server platforms running both Windows and Linux, and leveraged these platforms to attack organizations from within
  • The impact of the COVID-19 pandemic on IT security, such as the security challenges of working from home using personal networks protected by widely varying levels of security
  • The security challenges facing cloud environments: cloud computing has absorbed much of the enterprise demand for secure computing environments, but faces challenges different from those of a traditional enterprise network
  • Common services like RDP and VPN concentrators, which remain a focus for attacks on the network perimeter. Attackers also use RDP to move laterally within breached networks
  • Software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but that now engage in tactics increasingly indistinguishable from overt malware
  • The surprising reappearance of an old bug, VelvetSweatshop – a default password feature for earlier versions of Microsoft Excel – used to conceal macros or other malicious content in documents and evade advanced threat detection
  • The need to apply approaches from epidemiology to quantify unseen, undetected and unknown cyberthreats in order to better bridge gaps in detection, assess risk and define priorities

70% of organizations experienced a public cloud security incident in the last year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.


Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Europeans suffered the lowest percentage of security incidents in the cloud, which Sophos reads as an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations hit by an attack in the last year.

“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.

“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”

The unintentional open door: How attackers break in

Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.

Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.

Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.


Public cloud security incident: The silver lining

96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.

Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.

Fake “DNS Update” emails targeting site owners and admins

Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain.

[Screenshot: the fake “DNS update” email impersonating WordPress]

Scam emails lead to fake login pages

The scam was spotted by Sophos researchers, when the admin(s) of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation (see screenshot above).

The link took them to a “surprisingly believable” phishing page with logos and icons that matched their service provider (WordPress VIP), and instructed them to enter their WordPress account username and password to start the update.

“The scam then shows you some fake but believable progress messages to make you think that a genuine ‘site upgrade’ has kicked off, including pretending to perform some sort of digital ‘file signing’ at the end,” Sophos’s security proselytiser Paul Ducklin explained.

Finally, either intentionally or by mistake, the victim is redirected to a 404 error page.

Customized phishing pages

The malicious link in the email contained encoded banner and URL information that allowed researchers (and attackers) to customize the scam phishing page with different logos, to impersonate numerous different hosting providers.

“We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site. In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart,” Ducklin noted.

The attackers check HTTP headers for information about the target’s hosting provider and customize the scam email and the phishing site accordingly:

[Screenshot: the scam email and phishing page customized for the target’s hosting provider]
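How a kit of this shape stays provider-agnostic, as an added example that is not code from the Sophos write-up or from the phishing kit itself: the lure link carries the brand to display and the victim’s real site as encoded query parameters, and a header lookup picks the brand. The parameter names (“banner”, “next”), their base64 encoding, the path, the hostnames and the header-to-provider table are all assumptions; the only real-world detail relied on is that hosting platforms commonly advertise themselves in response headers such as Server and X-Powered-By.

```python
"""Decode a kit-style phishing link and fingerprint the target's host from HTTP headers.

Added example; neither the lure format nor the header table is taken from the
Sophos write-up. Query-parameter names, base64 encoding and provider
signatures are assumptions used for illustration.
"""
from __future__ import annotations
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed mapping of (header name, substring) -> brand the page would imitate.
# Order matters: the more specific signature comes first.
PROVIDER_SIGNATURES = [
    ("x-powered-by", "wordpress.com vip", "WordPress VIP"),
    ("x-powered-by", "wordpress", "WordPress"),
    ("x-akamai-transformed", "", "Akamai"),
    ("server", "cloudflare", "Cloudflare"),
    ("x-shopify-stage", "", "Shopify"),
]


def guess_provider(headers: dict) -> Optional[str]:
    """The reconnaissance step: which hosting brand do the response headers reveal?"""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    for name, needle, brand in PROVIDER_SIGNATURES:
        if name in h and needle in h[name]:
            return brand
    return None


def _b64u(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


def _unb64u(s: str) -> str:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def build_lure(phish_host: str, brand: str, victim_site: str) -> str:
    """What the kit does: bake the chosen banner and the victim's site into the link."""
    query = urlencode({"banner": _b64u(brand), "next": _b64u(victim_site)})
    return urlunsplit(("https", phish_host, "/dns-update/", query, ""))


def decode_lure(url: str) -> dict:
    """Defender side: recover which brand the page will imitate and the real target."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return {
        "phish_host": parts.hostname,
        "banner": _unb64u(q["banner"][0]) if "banner" in q else None,
        "next": _unb64u(q["next"][0]) if "next" in q else None,
    }


# Constructed response headers, as a kit's reconnaissance might see them.
TARGET_HEADERS = {
    "Server": "nginx",
    "X-Powered-By": "WordPress.com VIP <https://wpvip.com>",
}
BRAND = guess_provider(TARGET_HEADERS)          # "WordPress VIP"
LURE = build_lure("example.invalid", BRAND, "https://blog.example.com/wp-login.php")

if __name__ == "__main__":
    print(LURE)
    print(decode_lure(LURE))
```

Triaging a reported email with decode_lure shows at a glance which brand the page will wear and which site the victim would be bounced back to, without visiting the phishing host.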

Users who fall for the scam, enter their login credentials into the phishing site and don’t have 2-factor authentication turned on are effectively handing control of their site to the scammers.

Ducklin advises admins never to log in anywhere through links sent via email, to turn on 2FA whenever they can, and to use a password manager.

“Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site,” he noted.
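The URL binding Ducklin refers to, as an added example that is not code from Sophos or from any password manager: a toy vault that will only offer a credential when the page’s origin is HTTPS and its registrable domain matches the stored entry. The vault contents, hostnames and the short public-suffix list are constructed; a real manager uses the full public suffix list and usually stricter matching options.

```python
"""Origin-bound credential lookup: why a password manager stays quiet on a phishing page.

Added example, not code from Sophos or any password manager. Vault entries,
hostnames and the public-suffix shortlist are constructed.
"""
from __future__ import annotations
from typing import Optional
from urllib.parse import urlsplit

# Tiny stand-in for the public suffix list. "wordpress.com" is listed because each
# customer blog there is a separate site, as on the real list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "wordpress.com"}

# Constructed vault: origin -> account. Passwords deliberately not returned below.
VAULT = [
    {"origin": "https://wordpress.com", "user": "admin@example.com"},
    {"origin": "https://bank.example.org", "user": "user123"},
]


def registrable_domain(host: str) -> str:
    """eTLD+1 under the toy suffix list, e.g. www.blog.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def autofill(url: str) -> Optional[str]:
    """Return the username the manager would offer for this page, or None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None                       # never hand credentials to a plain-HTTP page
    want = registrable_domain(parts.hostname)
    for entry in VAULT:
        if registrable_domain(urlsplit(entry["origin"]).hostname) == want:
            return entry["user"]
    return None                           # unknown site: nothing to fill


if __name__ == "__main__":
    for u in ["https://wordpress.com/log-in",
              "https://wordpress.com.dns-update.example.net/wp-login.php",
              "http://wordpress.com/log-in",
              "https://www.bank.example.org/login"]:
        print(u, "->", autofill(u))
```

The lookalike host wordpress.com.dns-update.example.net resolves to the registrable domain example.net, so the vault has nothing to offer; the human reading the address bar is the only one who might be fooled.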

Paying the ransom = paying double

Paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery, a Sophos survey reveals.


In fact, the total cost of recovery almost doubles when organizations pay a ransom. The survey polled 5,000 IT decision makers in organizations in 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.

51% of organizations had experienced a significant ransomware attack in the previous 12 months, compared to 54% in 2017. Data was encrypted in 73% of attacks that successfully breached an organization.

The cost

The average cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was more than $730,000. This average cost rose to $1.4 million, almost twice as much, when organizations paid the ransom. 27% of organizations hit by ransomware admitted paying the ransom.


“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory.

“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover.

“Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair,” said Chester Wisniewski, principal research scientist, Sophos.


Recovering encrypted data

56% of the IT managers surveyed were able to recover their data from backups without paying the ransom. In a very small minority of cases (1%), paying the ransom did not lead to the recovery of data. This figure rose to 5% for public sector organizations. In fact, 13% of the public sector organizations surveyed never managed to restore their encrypted data, compared to 6% overall.

However, contrary to popular belief, the public sector was least affected by ransomware, with just 45% of the organizations surveyed in this category saying they were hit by a significant attack in the previous year.

At a global level, media, leisure and entertainment businesses in the private sector were most affected by ransomware, with 60% of respondents reporting attacks.

Attackers exploiting a zero-day in Sophos firewalls, have yours been hit?

Sophos has released an emergency hotfix for an actively exploited zero-day SQL injection vulnerability in its XG Firewalls, and has rolled it out to all units with the auto-update option enabled.


Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps.

About the vulnerability and the attack

The flaw, which has yet to be assigned a CVE identification number, was previously unknown to Sophos and turned out to be a pre-auth SQL injection vulnerability that was exploited for remote code execution.

The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.

“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units,” the company shared.

“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.”

The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System (i.e., the firmware).


The goal of the attack was to deliver malware that is able to collect information such as:

  • The firewall’s public IP address
  • Its license key
  • The email addresses of user accounts that were stored on the device as well as that of the administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection
  • Additional information about the firewall (e.g., firmware version, CPU type, etc.)
  • A list of the IP address allocation permissions for the users of the firewall

All this information was written in a file, which was compressed, encrypted, and uploaded to a remote machine controlled by the attacker(s).

Admins who have disabled the auto-update option (enabled by default) are advised to apply the hotfix manually.

The admins whose firewalls have been compromised should reset device administrator accounts, reboot the affected device(s), reset passwords for all local user accounts and for any accounts where the XG credentials might have been reused.

Sophos also advises admins to reduce attack surface by disabling HTTPS Admin Services and User Portal access on the WAN interface (if possible).

“While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials,” the company added.

Sipping from the Coronavirus Domain Firehose

Security experts are poring over thousands of new Coronavirus-themed domain names registered each day, but this often manual effort struggles to keep pace with the flood of domains invoking the virus to promote malware and phishing sites, as well as non-existent healthcare products and charities. As a result, domain name registrars are under increasing pressure to do more to combat scams and misinformation during the COVID-19 pandemic.

By most measures, the volume of new domain registrations that include the words “Coronavirus” or “Covid” has closely tracked the spread of the deadly virus. The Cyber Threat Coalition (CTC), a group of several thousand security experts volunteering their time to fight COVID-related criminal activity online, recently published data showing the rapid rise in new domains began in the last week of February, around the same time the Centers for Disease Control began publicly warning that a severe global pandemic was probably inevitable.

The total number of domains registered per day that contain a COVID-19 related term, according to DomainTools. The red line indicates the count of domains that DomainTools determined are “likely malicious.” The blue line refers to domains that are likely benign.

“Since March 20th, the number of risky domains registered per day has been decreasing, with a notable spike around March 30th,” wrote John Conwell, principal data scientist at DomainTools [an advertiser on this site]. “Interestingly, legitimate organizations creating domains in response to the COVID-19 crisis were several weeks behind the curve from threat actors trying to take advantage of this situation. This is a pattern DomainTools hasn’t seen before in other crises.”

Security vendor Sophos looked at telemetry from customer endpoints to illustrate the number of new COVID-related domains that actually received traffic of late. As the company noted, one challenge in identifying potentially malicious domains is that many of them can sit dormant for days or weeks before being used for anything.

Data from security vendor Sophos, published by the Cyber Threat Coalition, shows the number of Coronavirus or COVID-19 themed domains registered per week that received traffic.

“We can see a rapid and dramatic increase of visits to potentially malicious domains exploiting the Coronavirus pandemic week over week, beginning in late February,” wrote Sophos’ Rich Harang. “Even though still a minority of cyber threats use the pandemic as a lure, some of these new domains will eventually be used for malicious purposes.”

CTC spokesman Nick Espinosa said the first spike in visits was on February 25, when group members saw about 4,000 visits to the sites they were tracking.

“The following two weeks starting on March 9 saw rapid growth, and from March 23 onwards we’re seeing between 75,000 to 130,000 visits per weekday, and about 40,000 on the weekends,” Espinosa said. “Looking at the data collected, the pattern of visits are highest on Monday and Friday, and the lowest visit count is on the weekend. Our data shows that there were virtually no customer hits on COVID-related domains prior to February 23.”

Milwaukee-based Hold Security has been publishing daily and weekly lists of all COVID-19 related domain registrations (without any scoring assigned). Here’s a graph KrebsOnSecurity put together based on that data set, which also shows a massive spike in new domain registrations in the third week of March, trailing off considerably over the past couple of weeks.

Data: Hold Security.

Not everyone is convinced we’re measuring the right things, or that the current measurements are accurate. Neil Schwartzman, executive director of the anti-spam group CAUCE, said he believes DomainTool’s estimates on the percentage of new COVID/Coronavirus-themed domains that are malicious are too high, and that many are likely benign and registered by well-meaning people seeking to share news or their own thoughts about the outbreak.

“But there’s the rub,” he said. “Bad guys get to hide amidst the good really effectively, so each one needs to be reviewed on its own. And that’s a substantial amount of work.”

At the same time, Schwartzman said, focusing purely on domains may obscure the true size and scope of the overall threat. That’s because scammers very often will establish multiple subdomains for each domain, meaning that a single COVID-related new domain registration could eventually be tied to a number of different scammy or malicious sites.

Subdomains can not only make phishing domains appear more legitimate, but they also tend to lengthen the domain so that key parts of it get pushed off the URL bar in mobile browsers.

To that end, he said, it makes perhaps the most sense to focus on new domain registrations that have TLS certificates tied to them, since the issuance of a certificate for a domain is usually a sign that it is about to be put to use. As noted in previous stories here, roughly 75 percent of all phishing sites now have the padlock (start with “https://”), mainly because the major Web browsers display security alerts on sites that don’t.
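Schwartzman’s two points, that one registration can fan out into many subdomains and that a certificate is the better signal of imminent use, combined into one triage pass, as an added example that is not code from DomainTools, Hold Security, the CTC or CAUCE: a registration list (as Hold Security publishes) is joined with hostnames seen in certificate transparency, grouped by registered domain, and ranked. The registrations, the CT entries, the keyword and lure-term lists and the scoring weights are all constructed assumptions.

```python
"""Triage pandemic-themed registrations by joining them with names seen in
certificate transparency and grouping subdomains under their registration.

Added example; the registration list, CT entries, keyword lists and score
weights are constructed for illustration.
"""
from __future__ import annotations
import re
from collections import defaultdict
from typing import Optional

COVID_TERMS = re.compile(r"(covid|corona|ncov|pandemic|vaccine)", re.I)
# Labels that suggest impersonation of an authority or a relief programme.
LURE_TERMS = ("who", "cdc", "nhs", "irs", "stimulus", "relief")

# Constructed daily registration list, as a registrar feed would give it.
NEW_REGISTRATIONS = [
    "covid19-relief-check.com", "coronavirus-map.org", "cdc-covid-update.net",
    "covidsupplies.co.uk", "my-corona-diary.com",
]
# Constructed SAN names from CT log entries observed afterwards.
CT_ENTRIES = [
    "www.covid19-relief-check.com", "login.covid19-relief-check.com",
    "secure.covid19-relief-check.com", "irs.covid19-relief-check.com",
    "covid19-relief-check.com", "www.cdc-covid-update.net",
    "cdc-covid-update.net", "coronavirus-map.org", "mail.unrelated-shop.example",
]


def registered_domain(host: str, registrations: list[str]) -> Optional[str]:
    """Longest registration that the hostname equals or sits under."""
    best = None
    for r in registrations:
        if host == r or host.endswith("." + r):
            if best is None or len(r) > len(best):
                best = r
    return best


def lure_terms(domain: str) -> list[str]:
    labels = re.split(r"[.-]", domain.lower())
    return sorted(t for t in LURE_TERMS if t in labels)


def triage(registrations: list[str], ct_names: list[str]):
    """Return (ranked in-use registrations, dormant registrations)."""
    seen: dict[str, set[str]] = defaultdict(set)
    for name in ct_names:
        host = name.lower()
        r = registered_domain(host, registrations)
        if r is None:
            continue                                  # not on today's watch list
        subs = seen[r]                                # marks r as in use
        sub = host[: -len(r)].rstrip(".")
        if sub:
            subs.add(sub)                             # one registration, many hosts
    ranked = []
    for r, subs in seen.items():
        themed = bool(COVID_TERMS.search(r))
        lures = lure_terms(r)
        score = (2 if themed else 0) + (2 if lures else 0) + min(len(subs), 5)
        ranked.append({"domain": r, "subdomains": sorted(subs),
                       "lure_terms": lures, "score": score})
    ranked.sort(key=lambda d: (-d["score"], d["domain"]))
    dormant = sorted(r for r in registrations if r not in seen)
    return ranked, dormant


if __name__ == "__main__":
    ranked, dormant = triage(NEW_REGISTRATIONS, CT_ENTRIES)
    for d in ranked:
        print(f"{d['score']:2d} {d['domain']} subdomains={d['subdomains']} lures={d['lure_terms']}")
    print("dormant (no certificate yet):", dormant)
```

The relief-check domain rises to the top not because of its name alone but because four distinct hostnames, one of them an “irs” subdomain, already have certificates; the two registrations with no CT hits stay on the dormant list to be rechecked rather than reviewed by hand today.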

Schwartzman said more domain registrars should follow the example of Los Angeles-based Namecheap Inc., which last month pledged to stop accepting the automated registration of website names that include words or phrases tied to the COVID-19 pandemic. Since then, a handful of other registrars have said they plan to manually review all such registrations going forward.

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the registrar industry, recently sent a letter urging registrars to be more proactive, but stopped short of mandating any specific actions.

Schwartzman called ICANN’s response “weak tea.”

“It’s absolutely ludicrous that ICANN hasn’t stepped up, and they will bear significant responsibility for any deaths that may happen as a result of all this,” Schwartzman said. “This is a CYA response at best, and dictates to no one that they should do anything.”

Michael Daniel, president of the Cyber Threat Alliance — a cybersecurity industry group that’s also been working to fight COVID-19 related fraud — agreed, saying more pressure needs to be applied to the registrar community.

“It’s really hard to do anything about this unless the registrars step up and do something on their own,” Daniel said. “It’s either that or the government gets involved. That doesn’t mean some [registrars] aren’t doing what they can, but in general what the industry is doing is nowhere near as fast as the bad guys are generating these domains.”

The U.S. government may well soon get more involved. Earlier this week, Senators Cory Booker (D-N.J.), Maggie Hassan (D-N.H.) and Mazie K. Hirono (D-Hawaii) sent letters to eight domain name company leaders, demanding to know what they were doing to combat the threat of malicious domains, and urging them to do more.

“As cybercriminals and other malevolent actors seek to take advantage of the Coronavirus pandemic, it is critical that domain name registrars like yours (1) exercise diligence and ensure that only legitimate organizations can register Coronavirus-related domain names and domain names referencing online communications platforms; (2) act quickly to suspend, cancel, or terminate registrations for domains that are involved in unlawful or harmful activity; and (3) cooperate with law enforcement to help bring to justice cybercriminals profiting from the Coronavirus pandemic,” the senators wrote.

No, Corona Antivirus can’t fight COVID-19

COVID-19-themed scams are exploding both online and offline. Hijacked Twitter accounts peddling fake cures, scammy sites offering emergency supplies, misinformation campaigns, phishing emails and – can you believe it? – even a computer antivirus solution that protects against COVID-19! What will online scammers think of next?

Corona Antivirus, compromised routers and fake apps

Malwarebytes researchers have spotted a website advertising “Corona Antivirus -World’s best protection” – a digital antivirus that supposedly protects against the actual COVID-19.

[Screenshot: the “Corona Antivirus” website]

The software offered for download (update.exe) is malware that turns the victim’s computer into a DDoS-capable bot. It can also take screenshots, steal saved passwords, log keystrokes, steal Bitcoin wallets and execute scripts.

Bitdefender warns about attackers hijacking Linksys routers through brute-forcing and altering their DNS server settings so that they point users towards malicious Coronavirus-themed webpages. The pages in question are prompting victims to install the “COVID-19 Inform App”:

[Screenshot: the “COVID-19 Inform App” lure page served via hijacked router DNS]

What they will download and install is relatively new information-stealing malware called Oski, which can extract and steal credentials saved in browsers and cryptocurrency wallet passwords.

Charity and supply scams

Cybercriminals are trying to impersonate charities and the WHO to get users’ money, but Sophos researchers have also spotted scammy emails trying to sell “insider information” from a “military source” on how to survive COVID-19:

[Screenshot: scam email offering “insider information” on surviving COVID-19]

They are also warning about hijacked Twitter accounts advertising “a dodgy looking face mask/toilet paper/digital forehead thermometer online store.”

Europol has recently busted a global counterfeit medicine operation selling bogus “Corona sprays”, counterfeit surgical masks and testing kits, and unauthorised antiviral medications online.

Phishing emails offering checks

The FBI is urging users to be on the lookout for phishing emails asking them to verify their personal information in order to receive an economic stimulus check from the government.

“While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money,” the Bureau noted.

Abnormal Security researchers have spotted a similar scheme in the form of fake emails from a major financial institution.

“This attack leverages the economic uncertainty around COVID-19. As the economy has come to a standstill, the attackers realize that many will be seeking relief from their credit card bills, especially if they are one of the many workers whose hours have been reduced or who have been laid off,” the researchers noted.

“The attacker created a very convincing email and landing page that appeared to come from a major financial institution. The email they created indicated that this financial institution was offering financial relief to their current credit card customers if those customers completed a form.”

Those who fall for the scheme will have their name, address, phone number, credit card number, expiration date, and the CVV code stolen.

Tips on avoiding online and offline COVID-19 scams

United States attorneys from various US districts have shared helpful advice for avoiding COVID-19 scams, and so has the US Federal Trade Commission (FTC) and the Better Business Bureau (BBB).

Users are urged to be very skeptical of any offers they get and to check their legitimacy – whether these are products, treatments, checks, or investment opportunities.

“Ignore offers for a COVID-19 vaccine, cure, or treatment. Remember, if there is a medical breakthrough, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch,” the US DOJ notes.

Also: “Be cautious of ‘investment opportunities’ tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand.”

Needless to say, all scams and fraud attempts should be reported to the authorities.

Coronavirus-themed scams and attacks intensify

Scammers and other criminals are always quick to take advantage of crises, and this latest – centered around the spread of the deadly Covid-19 coronavirus around the world – is no exception.

With the Western world conducting a considerable chunk of its day-to-day life online, with the help of computers, mobile phones and email, it is open to a variety of coronavirus-related cyber scams and schemes.

A rising threat

Aside from those who (legally) exploit the crisis by gouging the panicking public on the price of face masks, disinfectants, and similar items that are currently in big demand, there are fraudsters who ostensibly sell masks but never send the hugely overpriced items to those who have paid for them.

According to Reuters, victims in the United Kingdom have lost more than 800,000 pounds ($1 million) to coronavirus-linked scams since last month.

And then there are the phishers and malware peddlers: since the very beginning of Covid-19’s surge in Wuhan, they’ve been tricking users with fake email notifications and fake alerts impersonating local authorities, the US Centers for Disease Control and Prevention (CDC), and the World Health Organization (WHO) to deliver malware or to steal email credentials.

New twists and warnings

As predicted, more localized variants of these malicious emails have been spotted as the virus spread to other countries: malware peddlers are delivering Trickbot to Italian-speaking victims, Sophos researchers warn.

[Screenshot: the Italian-language Trickbot lure email]

(In Italy, thieves have also been impersonating Red Cross workers via phone, targeting old people and trying to trick them into letting them inside their apartments, ostensibly to do a free test for the coronavirus).

The WHO has already warned about criminals posing as WHO representatives, delivering malware and asking for login information and donations.

The US Cybersecurity and Infrastructure Security Agency (CISA) is also counseling individuals to remain vigilant for scams related to Covid-19.

“Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19,” the agency advised.

The agency also urges users to rely on trusted sources for up-to-date, fact-based information about the virus and its spread, and to verify a charity's authenticity before donating.

CISA has also published a document detailing risk management actions for executives to consider “to help them think through physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus.”

Google fixes another Chrome zero-day exploited in the wild

For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that is being actively exploited by attackers in the wild.


About CVE-2020-6418

No details have been shared about the attacks or about the flaw itself, apart from a short description saying it is a type confusion bug in V8, the JavaScript engine used by the Chrome browser.

The vulnerability was discovered and reported to the Chromium team by Clement Lecigne of Google’s Threat Analysis Group on February 18.

The fix was in place a day later but, because the Chromium code is public, researchers from Exodus Intelligence were able to analyze it and develop proof-of-concept exploit code.

They released the exploit – which works only if Chrome’s sandbox is disabled or can be bypassed via another vulnerability – and pointed out that it’s a good thing Google has managed to reduce Chrome’s “patch gap” to two weeks.

“It took us around 3 days to exploit the vulnerability after discovering the fix. Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that 1day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they noted.

This, of course, does not mean much in this particular instance, as CVE-2020-6418 was a zero-day to begin with (i.e., an exploit existed and was used before the patch).

Security update

The Chrome release (v80.0.3987.122) that fixes CVE-2020-6418 and two other high-severity flaws has been released for Windows, Mac and Linux and will roll out over the coming days and weeks.

Those users and admins who have disabled the auto-updating feature on Chrome would do well to implement the update as soon as possible.
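For admins who have turned off auto-updates, a quick way to find out whether a given machine is still on a build older than the fix is to parse the browser's `--version` output and compare it numerically against 80.0.3987.122. The following is an added example, not Google's or Sophos' code: the binary names it tries on PATH and the sample version strings are assumptions made for the demo, and only Chrome's own fixed build is encoded, since other V8-based browsers ship fixes on their own schedules.

```python
"""Check whether a local Chrome/Chromium build predates the CVE-2020-6418 fix.

Added example, not Google's or Sophos' code. FIXED_VERSION is the build named
in the article; the candidate binary names are an assumption (Linux-style
PATH lookup) and the version strings used for testing are constructed.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (80, 0, 3987, 122)  # first Chrome build that fixes CVE-2020-6418
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str):
    """Return the first four-part version in '--version' output as an int tuple."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_update(version_output: str):
    """True if the build is older than the fix, False if it is at or past the fix,
    None if no version could be parsed (never report 'fixed' on missing data)."""
    version = parse_version(version_output)
    if version is None:
        return None
    return version < FIXED_VERSION  # tuple comparison is component-wise numeric


def installed_version(candidates=("google-chrome", "google-chrome-stable",
                                  "chromium", "chromium-browser")):
    """Find a Chrome/Chromium binary on PATH and return (name, --version output).
    Assumption: binary names as above; Windows/macOS install paths are not covered."""
    for name in candidates:
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=15, check=False).stdout
            return name, out.strip()
    return None


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        name, out = found
        label = {True: "VULNERABLE: update now", False: "fixed", None: "unknown"}
        print(f"{name}: {out!r} -> {label[needs_update(out)]}")
```

Run it on each endpoint from a fleet-management job and alert on `True` or `None`; a parse failure should be treated as "unknown", not as "fixed".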

Sophos’ Paul Ducklin also pointed out that V8 is used in other applications and runtime environments, including the Chromium-based Microsoft Edge browser. (Brave, Opera and Vivaldi are also Chromium-based browsers that use V8.)

“We’re assuming that if other V8-based applications do turn out to share this bug, they will soon be patched too – but as far as we know now, the in-the-wild exploit only applies to V8 as used in Chrome itself,” he added.

What is flowing through your enterprise network?

Since Edward Snowden’s revelations of sweeping internet surveillance by the NSA, the push to encrypt the web has been unrelenting.


Bolstered by Google’s various initiatives (e.g., ranking websites that use encryption higher in Google Search results, making Chrome mark HTTP sites as “not secure,” and tracking worldwide HTTPS usage), CloudFlare’s Universal SSL offer and the advent of Let’s Encrypt, the push has largely succeeded: nearly seven years later, various sources put the share of encrypted internet traffic at between 80% and 90% across all platforms.

That’s good news for end users who wish their interactions with various websites to be safe from eavesdropping by third parties – whether they be hackers, companies or governments.

Exploited encryption

But with the sweet comes the sour: criminals exploit users’ erroneous belief that a site with HTTPS in its URL can be considered completely safe, and use it to get them to trust phishing sites.

According to SophosLabs, nearly one-third of malware and unwanted applications enter the enterprise network through TLS-encrypted flows.

Also, nearly a quarter of malware now communicates over HTTPS connections, making it more difficult for businesses to spot active infections within their networks, especially because – a recent survey has revealed – only 3.5% of organizations are actually decrypting their network traffic to properly inspect it.

Why so few? What’s stopping them? The number one reason is concern about firewall performance, but respondents also cite privacy concerns, degraded user experience (websites not loading properly) and complexity as important factors in their decision not to do it.

Covert malicious activity

Malware that communicates via TLS-secured connections includes well-known and nasty malware families like TrickBot, IcedID and Dridex.

The use of transport-layer encryption is just one of the methods for keeping the malware’s existence on compromised systems secret, but it helps it covertly download additional modules and configuration files and send the collected data to an outside server.

“We’ve also observed that, increasingly, more malicious functions are being orchestrated from the command and control server, rather than implemented in the malware binary, and the C2s make decisions about what the malware should do next based on the exfiltrated data, which increases the volume of network traffic,” Sophos researcher Luca Nagy pointed out.

“Malware authors also want to empower their binaries with newer features and refresh them more often, which also increases the need for secure network communication, to prevent network-level protection tools from discovering an active infection inside the network every time it downloads an updated version of itself.”

Performance before protection? It doesn’t have to be

Some respondents in the previously mentioned survey were also unaware of the need to decrypt network traffic, even though it’s (or should be) common knowledge that malware often uses encrypted connections for communication.

Connections to “safe” destinations like financial websites may, perhaps, be exempted from inspection, but most other encrypted traffic coming in and going out of the corporate network should be decrypted and analyzed.
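Even where a flow is not decrypted, a firewall still sees one piece of plaintext metadata in a TLS session that the exemption decision above depends on: the Server Name Indication (SNI) in the ClientHello. The following is an added example, not Sophos code, showing how that hostname is parsed out of the handshake and turned into an inspect/bypass decision. The ClientHello bytes and the bypass list are constructed for the demo, and the "no SNI means inspect" default is this example's policy choice, not something the article prescribes.

```python
"""Read the SNI hostname from a TLS ClientHello without decrypting the session.

Added example, not Sophos code. build_client_hello() constructs a minimal
record for the demo (real browsers send far more extensions); extract_sni()
is the parser a firewall would apply to the first client packet of a flow.
"""
import struct


def _u8(n):  return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str) -> bytes:
    """Construct a TLS record carrying a ClientHello with SNI (demo input only)."""
    name = hostname.encode("idna")
    sni_entry = _u8(0) + _u16(len(name)) + name        # name_type 0 = host_name
    sni_list = _u16(len(sni_entry)) + sni_entry
    ext_sni = _u16(0x0000) + _u16(len(sni_list)) + sni_list
    # A second extension (supported_versions) so the parser has to skip one.
    ext_versions = _u16(0x002b) + _u16(3) + _u8(2) + _u16(0x0304)
    extensions = ext_versions + ext_sni
    body = (_u16(0x0303) + bytes(32)                   # client_version, random (zeros: demo)
            + _u8(0)                                   # empty session id
            + _u16(2) + _u16(0xC02F)                   # one cipher suite
            + _u8(1) + _u8(0)                          # null compression only
            + _u16(len(extensions)) + extensions)
    handshake = _u8(0x01) + _u24(len(body)) + body     # handshake type 1 = ClientHello
    return _u8(0x16) + _u16(0x0301) + _u16(len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None.
    Every offset is bounds-checked: truncated or garbage input yields None."""
    try:
        if len(record) < 5 or record[0] != 0x16:       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                     # skip client_version + random
        sid_len = p[i]; i += 1 + sid_len
        cs_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2 + cs_len
        cm_len = p[i]; i += 1 + cm_len
        if i + 2 > len(p):
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", p[i:i + 2])[0]; i += 2
        end = i + ext_total
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4]); i += 4
            data = p[i:i + elen]; i += elen
            if etype == 0x0000 and len(data) >= 2:     # server_name extension
                list_len = struct.unpack("!H", data[:2])[0]
                j = 2
                while j + 3 <= 2 + list_len:
                    ntype = data[j]
                    nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return data[j:j + nlen].decode("idna")
                    j += nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


# Destinations a policy might exempt from decryption (constructed sample list).
BYPASS_SUFFIXES = ("bank.example", "healthcare.example")


def inspection_decision(record: bytes) -> str:
    """'bypass' only for an explicit allow-listed SNI; everything else, including
    flows with no SNI at all, is 'inspect' (this default is the example's choice)."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect"
    if any(sni == s or sni.endswith("." + s) for s in BYPASS_SUFFIXES):
        return "bypass"
    return "inspect"
```

Two caveats a deployment needs: SNI is client-supplied, so a bypass list keyed on it must be paired with certificate validation on the server side of the flow, and TLS 1.3 still sends the SNI in the clear (only the later Encrypted Client Hello work hides it), so this check keeps working for current traffic.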

The problem with this is that many firewall offerings are not up to the task of inspecting a huge volume of encrypted sessions without causing applications to break or degrade network performance.

Not all, though: Sophos’ XG Firewall, with its new “Xstream” architecture, was architected from the ground up with performance in mind, allowing users to decrypt and see all traffic at a performance level that is just about wire speed.

A new firewall for your traffic decryption needs

“With Sophos XG Firewall, IT managers can immediately deploy TLS inspection without concerns over performance or breaking incompatible devices on the network, and they can turn it on for different parts of the network with flexible policy setting options,” Dan Schiappa, chief product officer at Sophos, told Help Net Security.


“We’ve created the ability to inspect all TLS traffic across all protocols and ports, eliminating enormous security blind spots. Sophos XG Firewall scans all TLS encrypted traffic – not just web traffic. This is important because criminals are constantly trying to avoid attention and use non-standard communication ports to evade detection.”

Other new features include support for TLS 1.3 (which many other solutions don’t have); FastPath policy controls that accelerate performance of SD-WAN applications and traffic, including Voice over IP, SaaS and others, to up to wire speed; and an enhanced Deep Packet Inspection (DPI) engine that dynamically risk-assesses traffic streams and matches them to the appropriate threat scanning level.

Schiappa also said that they’ve wired data science and threat intel much deeper than ever before: AI-enhanced threat intelligence from SophosLabs provides insights needed to understand and adjust defenses to protect against a constantly changing threat landscape.

Finally, user-friendliness should not be discounted: Sophos XG Firewall is simple to use and manage on a single cloud-based platform – Sophos Central – where organizations can easily layer and manage multiple firewalls as well as synchronize their security applications.

Ransomware uses vulnerable, signed driver to disable endpoint security

Ransomware-wielding attackers have devised a novel tactic for disabling security protections that might get in their way: they are using a deprecated, vulnerable but signed driver to deliver a malicious, unsigned one that allows them to kill processes and files belonging to Windows endpoint security products.


Disabling security solutions

The tactic, as described by Sophos researchers, is used by attackers to deliver the RobbinHood ransomware – infamous for hitting the City of Baltimore and many other local government and municipal targets.

The vulnerable driver they are misusing was created by Taiwan-based motherboard manufacturer Gigabyte, was found to be vulnerable in 2018 and later deprecated, but its signing certificate was never revoked (because other software was signed with it).

Sophos does not say how the attackers gained access to the targeted Windows machines, but once on them, they dropped an executable (STEEL.EXE) that bundles several additional files, which are extracted into Windows’ TEMP folder.

The STEEL.EXE application first deploys a driver installer (ROBNR.EXE), which deploys the benign, signed third-party driver (GDRV.SYS) and the criminals’ unsigned kernel driver (RBNL.SYS).

“The properly signed third party GDRV.SYS driver contains a privilege escalation vulnerability as it allows reading and writing of arbitrary memory. The malware authors abuse this vulnerability in order to (temporarily) disable driver signature enforcement in Windows – on-the-fly, in kernel memory. Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver,” the researchers explained.

“Once this driver is installed, STEEL.EXE reads the PLIST.TXT file and instructs the driver to delete any application listed in PLIST.TXT, then killing their associated processes. If the process was running as a service, the service can no longer automatically restart as the associated file has been deleted. Once the STEEL.EXE process exits, the ransomware program can perform its encryption attack without being hindered by the security applications that have been taken out decisively.”

Attack prevention advice

The benign but vulnerable Gigabyte driver was evidently not blacklisted by Microsoft when it was deprecated, and the attackers took advantage of that decision.

“There are many other vulnerable drivers (with a similar vulnerability) in addition to the Gigabyte driver that these or other attackers may choose to abuse later, such as ones from VirtualBox (CVE-2008-3431), Novell (CVE-2013-3956), CPU-Z (CVE-2017-15302), or ASUS (CVE-2018-18537),” the researchers worry.

Hopefully, Microsoft will re-consider its current policy for revoking its trust in software that has been deprecated because of security vulnerabilities.

In the meantime, users and organizations should focus on disrupting as many stages of a ransomware attack as possible by deploying a range of technologies, the researchers advised: use MFA and complex passwords, limit access rights, make regular backups (and keep them offline), lock down RDP if you don’t need it, and ensure that tamper protection for endpoint protection is enabled.

Phishers impersonate WHO, exploit coronavirus-related anxiety

Media outlets are reporting daily on the coronavirus outbreak in Wuhan and the emergency repatriation of foreign citizens who found themselves in the thick of it.

As cases of the virus infection keep popping up across the world – demonstrating just how small (i.e., well-connected) our planet is – so do fake news and videos about the situation on social media, as well as malware, phishing schemes and other scams in people’s inboxes.

The latest example of the latter are fake emails purporting to come from the World Health Organization (WHO), which is, ironically, engaged in fighting an “infodemic” of fake coronavirus-themed news online.

Emails impersonating the WHO

The email, spotted by the Sophos Security Team, uses a trick lately favored by phishers and scammers: “Click here to download safety measures to prevent the spread of the coronavirus.”


The link takes the potential victim to a compromised web page containing a frame that renders the legitimate WHO page, which currently and prominently links to information about the novel coronavirus.

Unfortunately, it also shows a simple pop-up asking the potential victim to “verify” their email by entering their email address and password. Those who fall for the trick are redirected to WHO’s legitimate page, while their email login credentials end up in the phishers’ hands.

Spotting fake emails

As Sophos’ Paul Ducklin pointed out, most English-speaking recipients will likely notice the spelling and grammatical mistakes in the email.

They might also wonder why the WHO is emailing them at all, and why it is asking them to verify their email, or notice that the landing page has no HTTPS and no obvious connection to the health organization. Those recipients are unlikely to fall for this type of trick.

Unfortunately, there are always some recipients that are too distracted, panicked or simply haven’t yet learned to be careful when it comes to unsolicited emails, and those might end up handing over their credentials.
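The signals listed above (no HTTPS, a host unrelated to the WHO, the real WHO page framed from a third-party site, a password prompt) can be checked mechanically for a suspected landing page. The following is an added example, not Sophos code: the page HTML and URL are constructed stand-ins for the one in the story, and the WHO domain used as the "legitimate organisation" is an assumption of the example.

```python
"""Heuristic check for a credential-harvesting page that frames a legitimate site.

Added example, not Sophos code. SAMPLE_URL/SAMPLE_HTML are constructed to
mirror the page described in the article; LEGIT_DOMAINS is the assumed
domain of the impersonated organisation.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = ("who.int",)   # assumption: the impersonated organisation's domain


class _PageScanner(HTMLParser):
    """Collect framed hosts and password inputs from a page."""

    def __init__(self):
        super().__init__()
        self.framed_hosts = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.framed_hosts.append((urlparse(a["src"]).hostname or "").lower())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def _belongs_to(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_landing_page(url: str, html: str, legit_domains=LEGIT_DOMAINS) -> dict:
    """Return {'verdict': 'phishing'|'ok', 'findings': [...]} for a fetched page."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    scan = _PageScanner()
    scan.feed(html)
    findings = []
    if u.scheme != "https":
        findings.append("no HTTPS")
    on_legit_host = _belongs_to(host, legit_domains)
    if not on_legit_host:
        findings.append("host unrelated to impersonated organisation")
    if not on_legit_host and any(_belongs_to(h, legit_domains) for h in scan.framed_hosts):
        findings.append("frames the legitimate site from a third-party host")
    if scan.password_fields:
        findings.append("asks for a password")
    # A password prompt on a page that is not the organisation's own is the
    # decisive signal; missing HTTPS alone is not (many phishing pages use TLS).
    verdict = "phishing" if (scan.password_fields and not on_legit_host) else "ok"
    return {"verdict": verdict, "findings": findings}


# Constructed sample: compromised third-party host, plain HTTP, framed WHO page,
# overlaid "verify your email" form. Not a real capture.
SAMPLE_URL = "http://compromised-site.example/wp-content/uploads/who/"
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.who.int/emergencies/diseases/novel-coronavirus-2019"
        width="100%" height="100%"></iframe>
<div id="popup">
  <form method="post" action="collect.php">
    Verify your email to continue:
    <input type="text" name="email">
    <input type="password" name="password">
    <input type="submit" value="Verify">
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    print(assess_landing_page(SAMPLE_URL, SAMPLE_HTML))
```

This is a triage aid for a mail-gateway or SOC playbook, not a blocklist: a page the organisation itself hosts with a login form scores "ok", and a phishing page that does not frame the real site still trips the password-on-wrong-host rule.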

Attack tools and techniques used by major ransomware families

Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.

Main modes of distribution for the major ransomware families

Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum …

The post Attack tools and techniques used by major ransomware families appeared first on Help Net Security.