Gaming company targeted by Chinese Winnti hackers

Far from pausing operations during the COVID-19 pandemic, China’s notorious Winnti hacking group has been busy launching new attacks on targets, researchers say.

According to an analysis by QuoIntelligence, as recently as February the group’s signature was detected in an attack against Gravity, the South Korean games company behind the long-running Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online.

Winnti (aka APT41, APT10, Blackfly, BARIUM and many others) is an umbrella name for related hacking groups dating back to 2009 that made their bad name attempting to compromise thousands of companies in search of intellectual property. Asian games companies have been a recurring specialty.

The main indication found by the researchers was a dropper file (the executable that commences a malware attack) rather than the payload itself (the business end of modern malware).

Nevertheless, a look at the configuration file revealed a string that identified Gravity as the intended target.

Piecing together attacks like this is like assembling a puzzle with missing pieces, crossed with a detective story. With only fragments to go on, researchers often connect malicious files they find by comparing them with other similar files detected by other security companies.

QuoIntelligence documents a second campaign targeting an unnamed German chemical company, another sector Winnti has taken a strong interest in after a string of attacks dating back to 2013.

This was a well-resourced effort that used a stolen digital certificate to sign Winnti malware drivers, although the use of the Windows x64 Driver Signature Enforcement Overrider (DSEFix) bypass, which doesn’t work on Windows 10, suggests the malware is old and most likely targeted Windows 7 machines.

It also seems to have used DNS tunneling, an old technique for sneaking data in and out of networks hidden inside unmonitored traffic to Domain Name Servers.

This hints that although the attack was dated to February this year, it might be linked to operations dating back some years.

As for the difficult issue of connecting all of this to a single group that might be made up of several sub-groups:

While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources.

However, perhaps the biggest thing that marks out the Winnti group hackers is that the individuals alleged to be involved with its activities have been named in at least two lawsuits. The first, from 2017, was launched by Microsoft, the second a year later by the US Justice Department.

It’s a name-and-shame strategy against alleged Chinese hackers that has also seen separate cases brought in relation to attacks on US aerospace companies, and earlier this year for the hacking of Equifax in 2017.


Latest Naked Security podcast

At last – a use for all those phishing emails you’ve been getting!

Hats off to the UK’s National Cyber Security Centre, or NCSC for short.

They’ve just announced a simple-to-follow set of instructions on what you can do with the apparently ever-growing number of scammy, spammy and phishy emails that coronavirus stay-home rules seem to have unleashed on us.

With an admirably broad vision, the NCSC is pitching its new campaign in two complementary articles, headlined:

We approve.

Because the last thing we want to see is that we all end up so focused on coronavirus-themed scams that we inadvertently create a loophole for those crooks who are carefully sending non-coronavirus scams in the hope of attracting less scrutiny – hiding in plain sight, as it were.

We’ve seen this problem before in the history of cybersecurity.

An early example is what many people used to call “Nigerian scams”, which was always a divisive and dangerous term to use.

Firstly, we know many Nigerians who aren’t scammers and at least some non-Nigerians who are, so it’s misleading and xenophobic to apply a criminal epithet to an entire country. (Especially a country as populous as Nigeria and with such a large diaspora.)

Secondly, and ironically, the phrase “Nigerian scammers” ended up playing into the hands of actual Nigerian scammers, who found that by openly claiming to come from one of several other countries in West Africa, they automatically became more believable, without needing to change their scams in any significant way.

In other words, the adjective “Nigerian”, when associated with the sender or the content of an email, became a proxy for “scam”, and therefore by a specious and invalid leap of logic, “non-Nigerian” came to be a proxy for “non-scam”.

A more recent example is the issue of ransomware, which tends to dominate any modern discussion of malware, to the point that some people think it’s enough to protect specifically against ransomware and to worry much less, or even hardly at all, about all the other malware threats out there.

The problem with that approach is that many, perhaps even most, ransomware attacks actually start with an infection by some other sort of malware such as a keylogger or data-stealing Trojan…

…and in many of those cases, the keylogger or data-stealer originally rode in on the back of a malware infection that arrived before that, for example malware such as the remote-control bot known as Emotet.

In other words, if you focus too narrowly on ransomware alone, then even if you block all the ransomware attacks that come your way, you may end up in very serious trouble from multiple malware infections that preceded them.

Think big!

Cybersecurity responses don’t need to be quite this targeted – because the extra cost of protecting against malware in general is negligible compared to the cost of protecting effectively against ransomware in particular.

Similarly, if you simply redefine “Nigerian scams” as “Advance fee fraud scams” – in other words, you focus on how they work instead of who may or may not be perpetrating them – you learn how to recognise fraudulent money-up-front schemes in general and protect yourself much better.

So we’re happy that the NCSC has identified that their new Suspicious Email Reporting Service (SERS) helps you deal specifically with coronavirus-themed scams.

It’s right to recognise that coronavirus scams have an importance all of their own, and to acknowledge the understandably huge community disgust they attract.

To paraphrase George Orwell, all scams are equal, but some scams are more equal than others.

But it’s also vital to remind people that phishing of all sorts is still a clear and present danger with a very broad reach, and the NCSC has done just that, too.

As the NCSC says:

Cybercriminals love phishing. Unfortunately, this is not a harmless riverbank pursuit. When criminals go phishing, you are the fish and the bait is usually contained in a scam email or text message.

The criminal’s goal is to convince you to click on the links within their scam email or text message, or to give away sensitive information (such as bank details).

So if you see something bogus and want to report it to someone, whether it’s the latest sextortion porn scam, a bogus home delivery or counterfeit face masks for sale…

…you can submit it to the easily remembered email address: report@phishing.gov.uk.

As the NCSC points out, it won’t reply to your submission – but every sample helps, because the long arm of the law says that it’s ready to act on our behalf:

If we discover activity that we believe is malicious, we may:

  • seek to block the address the email came from, so it can no longer send emails
  • work with hosting companies to remove links to malicious websites
  • raise awareness of commonly reported suspicious emails and methods used (via partners)

Whilst the NCSC is unable to inform you of the outcome of its review, we can confirm that we do act upon every message received.

Remember that if ever a bunch of phishing scammers get their day in court, submissions of actual scam emails from real recipients around the world are powerful evidence of the global impact of their crimes.


Facebook to alert us if we’ve been exposed to fake coronavirus news

Has somebody on Facebook tried to convince you that drinking bleach cures COVID-19?

If you’ve had that kind of dangerous misinformation coughed up at you on the platform and have liked, reacted or commented on it, expect to start seeing messages in your newsfeed alerting you and letting you know that Facebook has since removed the effluvium.

On Thursday, Guy Rosen, VP of Integrity, said in a post that the messages will be shown to those who’ve interacted with misinformation that Facebook went on to remove. The alerts will connect people to COVID-19 myths that have been debunked by the World Health Organization (WHO).

We want to connect people who may have interacted with harmful misinformation about the virus with the truth from authoritative sources in case they see or hear these claims again off of Facebook.

Expect to see the messages show up in coming weeks. Facebook gave this example of what the mobile version will look like:

COVID-19 misinformation alert. IMAGE: Facebook

The alerts specifically pertain to coronavirus-related misinformation that could lead to imminent physical harm. When it comes to other misinformation, Facebook CEO Mark Zuckerberg said that after Facebook’s fact-checkers rate it as false, the platform will reduce its distribution, apply warning labels with more context and hunt down duplicates.

Millions and millions of misdirections

Last month, Facebook flagged about 40 million COVID-19-related posts based on around 4,000 articles vetted by its fact-checking partners. That approach is apparently working, it said …

When people saw those warning labels, 95% of the time they did not go on to view the original content.

… which is in welcome contrast to the “Disputed” tags Facebook started applying in 2017 and which it mothballed after they made things worse.

Besides flagging what could potentially be fake news, Rosen said that Facebook also removed hundreds of thousands of pieces of misinformation that could lead people to physical harm.

Examples of misinformation we’ve removed include harmful claims like drinking bleach cures the virus and theories like physical distancing is ineffective in preventing the disease from spreading.

Just the facts, ma’am

Facebook is also working to make accurate pandemic information easier to find. To do so, it plans to launch a new section on its COVID-19 Information Center called Get the Facts. Available in the US, it will feature articles fact-checked by its partners that debunk misinformation about the coronavirus.

Facebook’s news curation team selects the articles and updates the section weekly. Soon, Get the Facts will also be added to Facebook News in the US.

Keeping people safe from crisis-related quackery is a top priority, Zuckerberg said:

Through this crisis, one of my top priorities is making sure that you see accurate and authoritative information across all of our apps. I hope all of you are staying safe, healthy and informed.

Just one battle in the Infodemic war

Facebook is far from alone in waging war against the data-driven dangers of the pandemic. Once COVID-19 got the world’s attention in March, we saw a slew of coronavirus-related scams, myths and misinformation waft out from crooks’ test tubes or from people who’ve blindly forwarded messages without vetting either the information or the source.

There’s been an onslaught of myths about how to cure the disease. There have been rumors blaming Muslims for spreading it. There have been YouTube videos claiming a connection between the virus and the new super-fast 5G wireless technology: videos that have racked up hundreds of thousands of views and which have led to attacks on cell towers.

This isn’t just a problem for Facebook, of course: all of the social networks are wrestling with it.

One tweet asking for journalists and Muslims to be lined up and shot stayed up on Twitter for almost a full day before the platform got around to deleting it and permanently suspending the account.

For its part, Facebook Messenger said last month that it was considering a ban on mass-forwarding of messages.

Two weeks ago, YouTube said it would limit the spread of the false 5G theory by suppressing content that spreads the conspiracy theory.

Pandemic scams

Besides misinformation and hoaxes, there’s been a rash of pandemic-related dangers that fall into the realm of cybercrime. We’ve seen extortion emails that threaten to give your family coronavirus, the phishing attack purporting to be a coronavirus safety advisory, a sextortion/ransomware pandemic-themed malware campaign, mobile malware and password stealing tricks to exploit people’s fear and uncertainty.

SophosLabs and its data science and threat response teams have created a “living article” where you can quickly access regularly updated information about the expanding cybercorona threat, including:

  • An industry discussion channel of the latest threat intelligence.
  • A Github repository of indicators of compromise (IoCs).
  • Updated statistics on the volume of pandemic-related cybercriminality.


Maze ransomware hits US giant Cognizant

The latest company to fall victim to a ransomware attack is Cognizant, a large US IT services company which admitted at the weekend that it had fallen victim to Maze.

The three-paragraph statement offers little detail except, perhaps, the most telling:

Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.

That one word, Maze, hints that the company is already steeling itself to report the ransomware attack as a full-blown data breach.

Maze has been blamed for extorting a succession of large organisations since last summer, and is known for stealing as well as encrypting files in an innovation used by the criminals to increase the pressure on victims to pay up: We’ve scrambled your sensitive files but will also leak them to the world if we don’t get what we want.

For US companies, a data breach is a big deal which brings with it regulatory oversight as well as hefty potential costs if any customer information is found to be part of the stolen data.

It’s also commercially awkward to admit an attack is causing problems for customers even if the company is far from the only prominent name affected by Maze in recent months.

In late March, Swiss cyber-insurance company Chubb admitted it had been hit by an unidentified attack, which some took to confirm an unverified claim by the Maze gang that it had successfully stolen data from the company weeks earlier.

The attackers even, cheekily, justified their actions in a statement that reportedly began:

We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. […] Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.

In January, Naked Security reported on a confirmed Maze attack in December which so annoyed the victim company, cable maker Southwire, that it filed a civil suit against its makers that mentioned the ransom demand of $6 million in Bitcoins.

If these and a series of others credited to Maze in recent weeks serve as a warning, what are they a warning against?

The short answer is a ragbag of tactics that read like a penetration test gone rogue.

That could include exploiting known vulnerabilities in any kind of privileged asset, from load balancers to Microsoft Remote Desktop Protocol (RDP) servers. If it can’t reach these directly, there are always standard phishing attacks and boobytrapped Word attachments to fall back on in the search for a network foothold.

None of this is exactly hard to predict. In December, the FBI even put out a private warning about Maze tactics to US organisations.

The challenge is that today’s successful compromises reflect the security weaknesses that have built up from yesteryear. Companies sometimes suspect that they have weaknesses but simply fail to find them as quickly as the attackers do.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For more advice, please check out our END OF RANSOMWARE page.


Fan vibrations can be used to transmit data from air-gapped machines

Those wacky researchers at Ben-Gurion University of the Negev are at it again. The Israeli scientists, best known for dreaming up ways to transmit software from computers that aren’t networked, have figured out a way to do it using the vibrations in computer fans.

Mordechai Guri, professor at the University’s Cyber-Security Research Center, revealed the technique on 13 April in his latest paper, AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs.

Most computers have at least one fan, which they use to cool their internal components by introducing air to them. Some higher-end components like graphics cards come with their own dedicated fans to keep their silicon from overheating. Guri realised that these fans create vibrations in any structure supporting the computer (like a table).

This attack focuses on changing the speed of the chassis fan. It generates the most vibration, points out the paper, presumably because it’s embedded right into the case that sits on the table, unlike say a GPU fan that typically sits inside the machine.

Malware running on the computer changes the speed of the fan, which makes the table vibrate at different frequencies. A device that could pick up those vibrations could interpret them as data, he deduced. He also figured out the perfect device to make this work: a smartphone.

Smartphones these days ship with accelerometers that are great at recognizing vibrations. They also offer some advantages for attackers, he points out. First, Android and iOS consider these sensors safe, so they don’t ask for user permissions to access them. Second, there’s no visual indication that a smartphone is using a sensor. Third, you can access the sensor using JavaScript in a web browser, meaning that you don’t technically have to infect the smartphone with a malicious app to pick up the vibrations.

The attacker still has to get malware onto the airgapped computer that’s going to transmit the data, but as Guri points out, this has been done before in incidents such as the Stuxnet attack. The malware must then gather the data that the attacker wants, and this would have to be coded in advance as there’s no command and control capability in an airgapped environment.

The malware then vibrates the fans at set frequencies, creating the appropriate vibration in the underlying table which can be picked up by the malicious code running on the smartphone. From there, the phone can communicate the data to the attacker over the internet.

Don’t expect great transmission speeds if you decide to try this attack at home. Guri demonstrated a communication speed of about half a bit per second in an average workplace scenario. Assuming all the stars aligned, you could still score some SSH keys in decent time, though.
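As a defender-side illustration of the fan channel described above (added here; it is not code from the paper or from the original article), this Python script scans constructed per-second host telemetry for a fan that toggles between two RPM levels at a fixed cadence while CPU temperature stays flat, the footprint a keyed transmitter leaves and ordinary thermal control does not. The log format, the thresholds and the 2-second symbol period (matching the roughly half a bit per second quoted above) are assumptions.

```python
"""Toy detector for keyed fan-speed modulation (constructed example, not from the paper).

Input: per-second host telemetry lines of the form '<t_seconds>,<fan_rpm>,<cpu_temp_c>'
(an assumed format). A thermal controller moves the fan gradually and in step with
temperature; a covert transmitter toggles it between two levels at a fixed cadence
while the temperature stays flat. The detector flags non-overlapping windows that
show the latter pattern and reports the apparent symbol period.
"""

# Constructed telemetry: 20 s of ordinary behaviour (fan drifting around 1450 RPM while
# the CPU warms slowly), then 20 s of on-off keying between 1200 and 2400 RPM every 2 s
# on a flat 61.0 C, i.e. one symbol every 2 s, roughly the half a bit per second quoted.
SAMPLE_LOG = "\n".join(
    [f"{t},{1450 + (t % 3) * 10},{58 + t * 0.1:.1f}" for t in range(20)]
    + [f"{20 + t},{1200 if (t // 2) % 2 == 0 else 2400},61.0" for t in range(20)]
)


def parse_log(text):
    """Parse the telemetry text into (t, rpm, temp) tuples, skipping blank lines."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        t, rpm, temp = line.split(",")
        rows.append((int(t), int(rpm), float(temp)))
    return rows


def transition_indices(rpms, min_step):
    """Indices of samples whose RPM differs from the previous sample by at least min_step."""
    return [i for i in range(1, len(rpms)) if abs(rpms[i] - rpms[i - 1]) >= min_step]


def find_modulation(rows, window=10, min_step=500, min_transitions=3, max_temp_drift=1.0):
    """Scan fixed windows of `window` samples and return (start_time, symbol_period_s)
    for each window with many large RPM jumps but almost no temperature movement."""
    hits = []
    for start in range(0, len(rows) - window + 1, window):
        chunk = rows[start:start + window]
        rpms = [r[1] for r in chunk]
        temps = [r[2] for r in chunk]
        jumps = transition_indices(rpms, min_step)
        temp_drift = max(temps) - min(temps)
        if len(jumps) >= min_transitions and temp_drift <= max_temp_drift:
            gaps = [b - a for a, b in zip(jumps, jumps[1:])]
            period = sum(gaps) / len(gaps) if gaps else float(window)
            hits.append((chunk[0][0], period))
    return hits


if __name__ == "__main__":
    for start, period in find_modulation(parse_log(SAMPLE_LOG)):
        print(f"suspicious fan keying from t={start}s, symbol period ~{period:.1f}s")
```

Real fan controllers also ramp during load spikes, so the temperature-drift check is what keeps a genuine thermal event from being flagged; tune the thresholds against a baseline of the host’s own telemetry.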

Researchers at Ben-Gurion University have used fans to transmit data before, but they concentrated on the noise that they made. They have also used screen brightness, keyboard LEDs, speakers, and infra-red cameras, among others. Other researchers have also created attacks that used accelerometers to listen to your calls instead of getting microphone permission.
