
Crooks hijack “Black Lives Matter” to spread zombie malware

Community-focused cybersecurity website abuse.ch is warning of a malware spreading campaign that is using “Black Lives Matter” to draw victims in.

Sneakily, the crooks have broadened the reach of their attack by keeping their emails short and objective – the crooks very deliberately haven’t taken a social or political position, but have instead invited recipients to comment anonymously on the issue:

Subject: Vote anonymous about "Black Lives Matter"
Subject: Leave a review confidentially about "Black Lives Matter"

These crooks aren’t piling on any pressure; they aren’t playing on emotions such as guilt or fear; and they aren’t even requiring you to get involved under your own name.

They’re just inviting comments – in the sample shown by abuse.ch, the file has the unassuming name of e-vote_form_3438.doc.

(We haven’t received one of these ourselves, but we’re assuming that the digits at the end of the filename will vary each time to mix things up a bit.)

Don’t open it – it’s a trap!

We opened it so you don’t have to, and we must grudgingly admit that the trick the crooks have used here is easy to fall for.

Remember that Word documents can contain what are commonly known as macros – embedded program code written in the Visual Basic for Applications programming language, or VBA for short.

The problem with macros is that the term sounds safe and innocent – the word harks back to the days of really simple keystroke recorders that you could use to automate simple tasks in word processors or spreadsheets.

But VBA today is as powerful and as dangerous as C, C++, Delphi, Perl, Python or any other programming language that’s associated with full-blown, standalone applications that you install and run locally.

VBA needs an Office application running (usually Word, Excel or PowerPoint) to make it work, but once you agree to let VBA code run from inside an Office file, it has full access to your computer just as if the VBA program were running outside Office.

In other words, VBA inside a Word file isn’t like JavaScript in your browser – there’s no sandbox or walled garden to restrict the damage it can do.

VBA programs can do any and all of these things:

  • Download arbitrary data off the internet into memory.
  • Decrypt or encrypt data using a wide range of cryptographic algorithms.
  • Create new files on your hard disk, or read in data you’ve already got stored there.
  • Modify or delete existing files on your hard disk or across the network.
  • Access memory directly and inject malicious code into Office or other programs without saving that code to disk first.
  • Monitor keystrokes, take screenshots, peek at network traffic, and much more.

That’s why Microsoft sets up Office with macros turned off by default, so that you can’t accidentally run embedded VBA malware simply by opening an infected Office file – because rogue macros can do a lot of harm.

Indeed, even though we regularly see VBA macros used inside companies as a way to automate office workflow via internal, trusted documents…

…every emailed document we’ve ever received with macros in it was harbouring malware.

What if you open this one?

The crooks behind this attack have used low-pressure tactics inside the document, too, giving you a surprisingly believable reason to let the embedded macros run.

When we opened the sample reported by abuse.ch, we saw this:

New updates are available for Office. They will be downloaded in the background and will not interrupt your work.

That sounds like the sort of advice you should heed, rather than ignore, and the crooks are even polite enough to remind you that:

If your internet connection is limited, be cautious – you can be charged for downloading of this data.

But that’s not all you need to be cautious of – the real danger comes in the innocent-sounding instructions at the end:

Please press “Enable Editing” and then “Enable Content” in the popup window.

As you can see, the yellow popup tries to discourage you from doing what the crooks say, warning you that macros are disabled for security reasons.

Nevertheless, the button to activate the malicious macros in this file is labelled [Enable Content], which we’ve always thought makes it sound more innocent than it really is, as if what you are seeing now were merely a preview.

So our advice is that when you see the words Enable Content, translate them mentally into: Clicking this will extract and run an embedded program that is almost certainly malware.

That will help to remind you just how risky and reckless it is to [Enable Content] just because a document asked you nicely.

What if you do click through?

The first thing you see if you do run the macros in this malware document is a Windows-like error message, complete with one of those eight-digit codes that looks familiar:

That error is fake (as you will see if you search for it online), and it acts as what’s called a decoy – a plausible reason to explain why the promised update didn’t work out.

In fact, it’s just one simple line of VBA code in the malicious macro – the MsgBox command pops up the bogus error message, after which the macro code goes to work unscrambling and running an embedded program, known as shellcode, that is disguised using a weird sort of alphabetic hexadecimal notation:

(In the long string of encoded binary data you see, the letters a to p are used to represent the hexadecimal digits 0 to f and the minus signs mean nothing.)
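A decoder for the encoding just described, plus a simple scan that flags string literals using it in macro source. This is an added example, not code from the article or from abuse.ch; the VBA fragment and the encoded blob are constructed for illustration and decode to harmless text.

```python
"""Decoder and detector for the "alphabetic hexadecimal" encoding described
above. Added example, not code from the article or from abuse.ch; the VBA
fragment and the encoded string below are constructed for illustration."""
import re

# Letters a..p stand for the hex digits 0..f; the minus signs are filler.
ALPHABET = "abcdefghijklmnop"
LETTER_TO_NIBBLE = {ch: i for i, ch in enumerate(ALPHABET)}


def decode_alpha_hex(encoded: str) -> bytes:
    """Drop the filler dashes and turn each pair of letters into one byte."""
    letters = encoded.replace("-", "")
    if len(letters) % 2:
        raise ValueError("encoded data has an odd number of letters")
    bad = set(letters) - set(ALPHABET)
    if bad:
        raise ValueError(f"characters outside a..p: {sorted(bad)}")
    return bytes(
        LETTER_TO_NIBBLE[letters[i]] * 16 + LETTER_TO_NIBBLE[letters[i + 1]]
        for i in range(0, len(letters), 2)
    )


def encode_alpha_hex(data: bytes, group: int = 4) -> str:
    """Inverse of decode_alpha_hex, used here only to build sample data."""
    letters = "".join(ALPHABET[b >> 4] + ALPHABET[b & 0xF] for b in data)
    return "-".join(letters[i:i + group] for i in range(0, len(letters), group))


# A VBA string literal made only of a..p and dashes is the signature of this
# encoding; real samples are far longer than the 16 letters required here.
ENCODED_LITERAL = re.compile(r'"([a-p-]{16,})"')


def find_encoded_payloads(vba_source: str, min_letters: int = 16):
    """Return (literal, decoded bytes) for every suspicious literal found."""
    found = []
    for match in ENCODED_LITERAL.finditer(vba_source):
        literal = match.group(1)
        if len(literal.replace("-", "")) < min_letters:
            continue
        try:
            found.append((literal, decode_alpha_hex(literal)))
        except ValueError:
            continue  # odd length or stray characters: not this encoding
    return found


# Constructed macro fragment in the style the article describes: a decoy
# MsgBox followed by the encoded blob. The blob decodes to "Hello, world".
SAMPLE_MACRO = '''
Sub AutoOpen()
    MsgBox "Update failed.", vbCritical
    blob = "eigf-gmgm-gpcm-cahh-gphc-gmge"
    ' ... the real macro would now unscramble and run the blob ...
End Sub
'''

if __name__ == "__main__":
    for literal, payload in find_encoded_payloads(SAMPLE_MACRO):
        print(f"{len(payload)} bytes from {literal!r}: {payload[:16]!r}")
```

Run against real macro source (for example, VBA extracted with a tool such as oletools), the decoded bytes can then be handed to a disassembler or sandbox rather than executed.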

According to abuse.ch, the malicious document is what’s known as a downloader that currently reaches out to one of two different servers (probably hacked for this very purpose) to fetch and install a well-known strain of zombie malware called Trickbot.

Trickbot started life as a banking Trojan, which is malware that, amongst other things, tries to get unauthorised access to your financial accounts.

But as the “bot” part of the name tells you, Trickbot’s underlying purpose is to act as a robot agent that can carry out a wide range of commands issued by the crooks, including a general purpose command that tells the bot to download and install some other strain of malware too, often ransomware.

So the problem with bots or zombies is that the question, “What do they do?” cannot reliably be answered in advance, because they are meant to be flexible enough for the crooks to reprogram their behaviour at will.

And the problem with document-based downloaders is that “What do they fetch?” cannot reliably be answered in advance, either, because the file that’s served up for download can be changed by the crooks at will.

What to do?

  • Don’t open attachments you didn’t ask for or expect. Getting unsolicited email is bad enough – so don’t give the spammers yet more time-of-day by opening attachments to help them out even further.
  • Never turn off security features because a document tells you to. Microsoft chose [Disable content] as the default to protect you from unscrupulous documents, especially unscrupulous documents that tell you to [Enable content].
  • Look for an anti-virus with behaviour-blocking and web filtering as well as plain file scanning. The multi-step approach used by malware like this means the crooks need to get away with less at each stage – the DOC file itself doesn’t need the full and final malware built right in. But that means you can stop the attack by blocking any of the stages, while the crooks have to succeed at all of them. You gain the upper hand if you have multiple layers of defence.

PS. Sophos Home is 100% free for Windows and Mac.

Sophos detection names for these threats are as follows: Troj/DocDl-ZGE for the document that does the downloading, and Troj/Trikbot-GB or Troj/Trikbot-GC for the downloaded Trickbot files.


Bitcoin scammers take YouTube channels for a SpaceX ride

Crypto scammers hijacked three YouTube channels to impersonate Elon Musk’s SpaceX channel, offering bogus BTC giveaways that earned them nearly USD $150,000 over the course of two days.

The scamming channels were first reported on Hacker News. Bleeping Computer followed up with a full report.

According to Bleeping Computer and the reports filed in the BitcoinAbuse database, the scammers took over legitimate YouTube accounts and changed the branding to look like that of Elon Musk’s rocket company. They were caught live-streaming footage of the founder as he spoke at conferences and during interviews.

The hijacked YouTube channels – previously known as Juice TV, Right Human, and MaximSakulevich – were renamed Space X Live or SpaceX after crooks got control of them. Then, the channels were used to push scams that asked for a small amount of Bitcoin in exchange for double their money back.

The hijacked accounts came with sizable numbers of subscribers: one had 230,000 followers, while another had 131,000. The legitimate SpaceX YouTube channel has 4.33 million subscribers.

The ruse worked. As of Tuesday, there were 80,000 people watching the live stream. Since 8 June, the scam had generated close to $150,000 in bitcoins.

Before they got yanked for violating YouTube policy, the channels running these scams were asking people to send bitcoins to two addresses. One wallet recorded 85 transactions, receiving 11.25 BTC, while a second, with 37 transactions, took in 5.51 BTC.

The bitcoin addresses were reported to the BitcoinAbuse database – a good place to check on whether an address has been reported for milking people.

Musk is a tasty target

With a following as big as the legitimate SpaceX, it’s easy to see why this isn’t the first time that Musk and his rocket company have been used to promote a crypto scam.

In October 2018, we saw it happen on Twitter. In spite of only being up for 12 hours, 17 people fell for it. The scammers made 1.623 BTC, which at the time was worth over $10,000 USD.

Cryptocurrency giveaway scams are popular among fraudsters. They typically target users of Ethereum and Bitcoin, two of the most popular cryptocurrencies. They lure in victims by offering free coins online. All the victims have to do is first send a small amount of the cryptocurrency to the address before they receive a beaucoup return. Of course, victims get no beaucoup. Instead, they get bupkus: no double-your-money-back, no return of the money originally sent.

It’s a variant of the age-old 419 scams that have plagued email users. In 419 scams, the crooks claim to be high-ranking officials needing to get money overseas. They ask victims to send them a small amount of money in exchange for millions. Predictably enough, the money never comes.

How scammers hijack accounts

If you’re a scammer looking to fleece a crowd of loyal followers to pitch one of these scams to – as in, somebody else’s loyal followers – the easiest thing to do is take over an existing account. We don’t know how the SpaceX scammers got hold of the YouTube channels they hijacked, but one (unfortunately likely!) possibility is that the channel owners reused their credentials somewhere else.

If there was a breach at one of the other places where the rightful account holders used the same username/password, then automated tools could have made it a snap for crooks to take the breached credentials and plug them in to see what other accounts they’d unlock. That’s why password reuse is a rotten idea!

Another possibility: the rightful account holders might have used flimsy passwords that were easy to guess. Don’t know how to pick a strong password? Here’s how.

Overwhelmed by your ever-swelling collection of passwords? By all means, use a password manager. They might not be perfect, but they’ve stood strong against flaws.

While you’re at it, turn on two-factor authentication (2FA) for any online accounts that support it – it’s a minor inconvenience for you, but a significant stick to poke between crooks’ spokes.


Microsoft squishes 129 bugs with Patch Tuesday updates

Whoosh. You hear that? It’s the sound of Microsoft’s security fire hose spraying out a river of CVE fixes. That’s right – Patch Tuesday was this week and the software giant released patches to fix 129 CVEs.

The lion’s share of the bugs are rated important, but there are 11 CVEs rated critical. They are remote code execution flaws, enabling attackers to execute their code on victims’ systems. These bugs require user interaction, though, meaning that the bad guys would have to persuade the victim to do something like opening a file or visiting a website. They’re very serious, but don’t quite reach the klaxon-sounding, flashing-red-light level of the wormable BlueKeep bug.

CVE-2020-1286 is a Windows shell RCE triggered by improper file path validation, while CVE-2020-1299 is an RCE bug that an attacker could exploit using a malicious .LNK file and associated binary. They’d put it in a removable drive or network share, warns Microsoft, adding that clicking on the .LNK file would run the binary’s malicious code.

CVE-2020-1281 is a vulnerability in the Windows Object Linking and Embedding (OLE) code stemming from poor input validation and it’s exploitable via a malicious website, file, or email message. CVE-2020-1248 is a memory object handling bug in the Graphics Device Interface (GDI), deliverable via a website, instant message, or document file.

These are all bugs affecting Windows 10, and many also affected the latest 2004 build. Internet Explorer had its own gaggle of critical vulnerabilities too. Versions 9 and 11 were susceptible to the RCE bug in CVE-2020-1216, which is another memory handling error affecting VBScript, as were CVE-2020-1213 and CVE-2020-1260.

Edge had a critical vulnerability too in the form of CVE-2020-1073, which is a memory handling bug in its underlying ChakraCore scripting engine. CVE-2020-1219 affects both IE and EdgeHTML, and again involves memory handling issues.

CVE-2020-1181 is a SharePoint Server bug, triggered by unsafe ASP.Net controls that it doesn’t filter properly. Attackers can upload a malicious page to the server for pwnage. Admins managing SharePoint Enterprise Server 2016, Foundation 2010 SP2 and 2013 SP1, or SharePoint Server 2019 should patch now.

CVE-2020-1300 affects most versions of Windows from version 7 through to the latest Windows 10 2004 build, and also Windows Server. It’s a bug in the OS’s handling of cabinet files.

So, those were all the critical CVEs that the company released patches for. There were also some other non-critical CVEs that it didn’t release separate security updates for, including the batch’s only bug rated with moderate severity: CVE-2020-1195. This affects the Chromium-based version of Microsoft Edge, which the company released in February. CVE-2020-1163 details how MpCmdRun.exe, which is a binary in Windows Defender, allows for arbitrary file deletion. Instead of patches, Microsoft fixed these bugs with product updates.

Compared to Microsoft’s patchnami, Adobe trickled out just 11 CVE fixes across three advisories: APSB20-30, for Flash Player, addresses a critical use after free vulnerability (CVE-2020-9633) that could lead to arbitrary code execution. APSB20-32 fixes three critical bugs in its Framemaker product for Windows: a memory corruption issue (CVE-2020-9636) and two out-of-bounds write bugs (CVE-2020-9634 and CVE-2020-9635). APSB20-31 fixes six vulnerabilities in the company’s Experience Manager product rated important. They render it vulnerable to server-side request forgery, cross-site scripting, and blind server-side request forgery attacks.


‘Bot or Not?’ – a game to train us to spot chatbots faking it as humans

Who doesn’t know their mother’s maiden name?!

A bot that’s trying to convince you it’s human but which hasn’t been programmed to answer that question or improvise very convincingly, that’s who. Or, as I said when I finished playing a new online Turing Test game called Bot or Not, NAILED IT!!

Bot or Not asking for my mother’s maiden name

Bot or Not is an online game that pits people against either bots or humans. It’s up to players to figure out which they’re engaging with in the 3-minute game, in which they’re forced to question not only whether their opponent is human but exactly how human they themselves are.

The creators of Bot or Not – a Mozilla Creative Awards project that was conceived, designed, developed and written by the New York City-based design and research studio Foreign Objects – say that these days, bots are growing increasingly sophisticated and are proliferating both online and offline. It’s getting tougher to tell who’s human, which can come in handy in customer service situations but is a bit scary when you think about scam bots preying on us on Tinder and Instagram, or corporate bots that try to steal your data.

The friendly face of pervasive surveillance

In their explanation of Bot or Not’s purpose, the game’s creators point to a recent Gartner industry report that predicted that by 2020, the average person will engage in more conversations with bots than with their spouses.

Think about it: how often do you talk to voice assistants like Siri or OK Google? Chatbots have become seamlessly integrated into our lives, presenting what Foreign Objects calls “a massive risk to privacy” and will remain so for as long as collecting personal data remains the primary business model for major tech platforms.

Big tech knows that in order to get the most data out of our daily lives, they need us to invite bots into our homes, and to enjoy ourselves while we do so.

One example: smart speakers, those always-listening devices that are constantly surveilling our homes. As we’ve reported in the past, smart speakers mistakenly eavesdrop up to 19 times a day. They record conversations when they hear their trigger words… or by something that more or less sounds like one of their trigger words. Or by a burger advertisement. Or, say, by a little girl with a hankering for cookies and a dollhouse.

Last year, smart-speaker makers found themselves embroiled in backlash over privacy after news that smart speakers from both Apple and Google were capturing voice recordings that the companies were then letting their employees and contractors listen to and analyze. Both companies suspended their contractors’ access.

What does Bot or Not have to do with all that? Foreign Objects says that while government regulation is struggling to keep up with new technologies, there’s little public awareness or legal resistance to stop companies from developing a global surveillance network on an unprecedented scale – something that’s already been done on a massive scale with the plethora of devices with smart assistants.

Governments are not only lagging behind on policy, they are also part of the problem.

This is about more than these devices listening in on our private moments. It’s about big-tech corporations willingly handing over citizens’ private data to police without consent, Foreign Objects says.

As chatbots slide seamlessly into our personal and domestic lives, it has never been more important to demand transparency from companies and policy initiative from regulators.

Smart speakers running on artificial intelligence (AI) are one thing. Chatbots, however, are taking data interception to a whole new level, say the creators of Bot or Not:

In the hands of big platforms, chatbots with realistically human-like voices are openly manipulative attempts to gather our data and influence our behaviours.

They point to advanced “duplex” chatbots released in the last few years by Microsoft and Google, so-called because they can speak and listen at the same time, mimicking the experience of human conversation. If you’re wondering how that might feel, you can look to Google’s Duplex neural network AI, introduced last year and designed to sound and respond like a human being, down to all the “umms” and “aahs.”

It was too real. Google faced a backlash over its failure to disclose that the person on the other end of the line – a supposedly human hairdresser taking a customer booking was one such – was actually a bot.

Sociologist of technology Zeynep Tufekci’s response at the time:

[The lack of disclosure is] horrifying. Silicon Valley is ethically lost, rudderless and has not learned a thing.

Deception: “It’s a feature, not a bug”

Google later added a disclosure feature to Duplex’s interactions, but Bot or Not’s creators aren’t sure that a warning label is enough. They liken these human-like voice chatbots to deepfakes in their potential to give rise to entirely new forms of deception and abuse, particularly to those who are already vulnerable to bot-based scams, such as the elderly.

These things are meant to trick us into thinking they’re human, Foreign Objects points out. Google didn’t screw up with those “umms” and “aahs.” Deception is part and parcel of the design:

There is a fundamental contradiction in human-like service bots. On one hand, legally and ethically, they need to disclose their artificiality; on the other, they are designed to deceive users into thinking, and acting, as if they were also humans. Duplex stunned audiences because its ‘um’s and ‘ah’s’ mimic the affect and agency of a fellow human being.

I found Bot or Not pretty easy to nail as a bot. I mean, come on, it didn’t know its own mother’s maiden name.

But would I have the same ease with Google Duplex? … and what does it all matter?

It matters when bots/AI/voice assistants get pulled into court to provide evidence in trials, for one. It’s happened before, Foreign Objects points out: in 2017, Amazon had to fight to keep recordings from its Echo IoT device out of court in a murder case.

Amazon claimed that Alexa’s data was in fact part of Amazon’s protected speech. … which, some have argued, might in fact bestow First Amendment protections. And this is why that matters, according to Foreign Objects:

In the US, First Amendment protections would mean that the makers of bots, like Google, Amazon and countless others, could not be held responsible for the consequences of their creations, even if those bots act maliciously in the world. All the same, … insisting that expressions made by ‘bots’ are strictly the speech of their creators comes wrapped up in its own complications, especially when humans are conversing daily with bots as friends, therapists, or even lovers.

In light of AI advancement, it’s important to be on guard as we engage with these chatbots in ever more intimate contexts such as these. We should all bear in mind that no matter how “LOL,” “IDK” and “ahhh”-ish they come off as, they are, in fact, surveillance-gathering tools. Does it matter whether they’re corporations or crooks trying to get at our data?

Either way, Foreign Objects says, this is privacy invasion in the ever-growing web of pervasive surveillance.

Babylon mobile health app mixes up patient consultation videos

Mobile health app Babylon, which states its company mission as putting “an accessible and affordable health service in the hands of every person on earth”, has admitted to a software bug that went one step further than that.

According to a BBC report, an app user in the UK ended up with other people’s health service data in his hands.

The user, named by the BBC as Rory Glover from Leeds in England, apparently used the app to check up on a prescription of his own, only to find that the “Consultation Replays” feature of the app contained a list of 50 videos for him to review.

As you can imagine, he went to check out what the videos were about – a screenshot shared by the BBC shows that they were identified only as “Replay N”, where N is a counter, so there was nothing to suggest that the data belonged to someone else.

Clicking on one of them made the nature of the unexpected videos clear: it was a recording of someone else’s video chat with a doctor made via the service.

Glover contacted someone he knew who used to work at Babylon, and that person did the right thing by alerting the company to the breach.

As far as we can tell, Babylon acted quickly to remove the rogue videos from Glover’s “Replays” gallery, as well as reporting itself to the Information Commissioner’s Office (ICO), the UK’s privacy and data protection authority.

Babylon doesn’t yet seem to have a statement about what happened on its own blog or website [2020-06-10T11:00Z], but is widely reported as saying that this “was the result of a software error rather than a malicious attack.”

That may sound like cold comfort but it does imply that we’re not looking at a situation where crooks made off with a bunch of video files that they could sell on or use for cyberextortion in the future.

The company also says that its investigations suggest that just three users in total (of whom Mr Glover was one) received links to other patients’ videos, and that the other two users never actually got round to looking at any of the videos they weren’t supposed to see.

We don’t yet know how many different patients’ videos were on the lists that were exposed, but Babylon has blamed the blunder on a “new feature” whereby someone talking to a doctor via the app can switch up to video mode during the call.

Quickly fixed

We don’t want to put too much thought into the reasons why, after talking through a patient’s symptoms, a doctor might want to switch to video mode – or what squeamish sights might end up being filmed in such a call.

Nevertheless, we’re relieved to hear that this problem seems to have been fixed quickly enough that only one video was viewed by the wrong person, so any real-world damage was very limited and swiftly contained.

We’re also relieved because the person who viewed the wrong video decided to do something positive by getting the issue reported, and because the person who reported it seems to have been able to make contact with Babylon quickly and effectively.

(We’re aware that the reporter used to work for Babylon, which probably made it easier to find the right person to talk to, but we also note that Babylon’s bug reporting pages are pretty easy to find by clicking on the Regulatory link on its home page.)

The big question, though, is how this data leakage bug got through software testing, and what Babylon will do to avoid this kind of bug getting out into the wild in future, given the ultra-personal nature of the data that was exposed.

What to do?

  • If you’re a Babylon app user, there doesn’t seem to be anything you need to do – as far as we can tell, the problem was caused by a bug on the server side, meaning that fixing it could be handled centrally without an app update.
  • If you’re a mobile app developer, don’t rely on the coding mantra from the early days of cloud development that said, “Move fast and break things.” That was never a good mantra for anyone; was never appropriate in fields like healthcare; and has long been set to one side. Security should never be an add-on component that you mix in later when you think your new software features are complete. (Without security baked in, they can never be complete.)
  • If you’re a service provider, make sure there’s a clear process that your users can follow to report software bugs or privacy problems. If you can, consider running a bug bounty system that gives an incentive for professional bug hunters to look for and report possible problems in your product in a responsible way.
