Adobe “out of band” critical patch – get your update now!

Adobe just published a foursome of very tight-lipped security notifications about new patches.

By new we mean that they’ve come out since Patch Tuesday’s updates showed up last week.

In other words, if you are in the habit of only patching monthly, this is one of those times you need to break that habit.

In common parlance, unexpected updates to products that usually stick to a consistent pattern for publishing fixes are known as out-of-band patches, and that’s what we have here.

(That’s not a very precise use of the term “out of band”, by the way – the term usually refers to a special data or control signal that is delivered via a completely separate channel to the main data stream so that the two can’t accidentally be confused – but it’s become an unexceptionable usage in the world of patch labelling.)

The affected products are: Character Animator (CVE-2020-9586), Premiere Pro (CVE-2020-9616), Audition (CVE-2020-9618), and Premiere Rush (CVE-2020-9617).

The bulletins are numbered APSB20-25 and then -27, -28 and -29, with a gap at -26.

The bulletin APSB20-26 actually came out last week, on Patch Tuesday, leaving a gap at -25 at the time, suggesting that at least the patch in bulletin APSB20-25 was prepared in time for Patch Tuesday but didn’t make the final cut, perhaps to give it time for additional testing or tweaking.

We mentioned at the start that these notifications are tight-lipped, and by that we mean that Adobe isn’t giving away much about them except that they exist, and isn’t saying whether exploits against them are known or even likely.

Fortunately, only the Character Animator bug is of the “crooks on the outside could implant malware on your computer” sort.

Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.

Buffer overflows

Buffer overflows happen when a programmer doesn’t leave enough space in memory for data that might later arrive and therefore creates the possibility for one chunk of malformed data to overwrite other data that’s used elsewhere in the program.

Often, buffer overflows that happen by mistake end up confusing the app that’s had its data mangled and cause a crash.

That’s bad enough because you typically lose unsaved work or end up with messed-up data after a crash, and a buffer overflow that can be abused to trigger crashes at will is the sort of security bug that’s aptly named Denial of Service, or DoS for short.

But with careful attention to detail, attackers can sometimes exploit buffer overflows not only to crash the offending program but also to cause it to fail in a way that lets them take over during the crash.

The data that’s fed in via the buffer overflow can sometimes sneakily be crafted to divert the flow of execution in the crashing software in a predictable but dangerous way.

If that’s possible, attackers can often trick the vulnerable software into performing various rogue actions instead of having its errant behaviour caught and gracefully shut down by the operating system.

If the cunningly-crafted data can be fed in from outside, for example embedded in an image file that’s been downloaded from the internet, then crooks can not only take control of your computer but also do so from outside your network.

In other words, they can use the vulnerability to break into your computer remotely and run some command of their choice – and that command usually ends up implanting malware on your computer without any warning messages or “are you sure” popups.

That’s the most serious sort of exploit, known as RCE, short for remote code execution – the very words you see in Adobe’s brief-as-can-be notification.

Information disclosure

The bugs in the other apps are designated with the words “[these updates resolve] an out-of-bounds read vulnerability that could lead to information disclosure.”

An out-of-bounds read is a bit like lifting up a report that you’ve been invited to take from your boss’s desk (back when we used to visit each other’s desks at work, that is) and noticing that there’s something revealed underneath you weren’t supposed to see but now can’t help staring at.

Interestingly, buffer overflows are often hard to exploit these days because most operating systems try to load programs and their data at randomly varying memory addresses – what’s known as ASLR or Address Space Layout Randomisation.

This makes it hard for attackers to crash buggy programs in an exploitable way, because they can’t predict what’s where and therefore can’t reliably control the flow of program execution in the crashing code – a hack that works on the attacker’s own computer will go haywire on anyone else’s.

This makes information disclosure bugs much more valuable than you might think – crooks often use them not to steal personal data such as passwords but to learn how memory is laid out on the target computer.

So modern attacks often use an information disclosure bug first to make ASLR useless – once the crooks figure out the memory layout, it’s no longer random or unpredictable! – and thereby make any accompanying RCE exploits work reliably.

What to do?

Make sure you’re up to date.

Adobe Creative Suite users can see what software they have installed and whether it’s been updated by clicking on the Creative Cloud icon in the menu bar (macOS) or toolbar (Windows).

If the Creative Cloud icon isn’t there, go to Applications or Program Files and launch the Creative Cloud app in the Adobe Creative Cloud folder, which will activate the icon in the relevant menu bar or toolbar.

Creative Cloud icon in Mac menu bar (exclamation point denotes updates available).

Scammers target COVID-19 CARES Act relief scheme

US states are being flooded by fraudulent unemployment applications in a scam that’s largely orchestrated by a sophisticated Nigerian cybergang and carried out on the ground by money mules, many of whom have previously been involved in romance scams.

Online fraud is, after all, a moveable feast: the crooks pack up shop and move to where the money’s flowing. These days, that means unemployment benefits that have spiked with the pandemic and fattened due to government relief efforts. Beyond regular unemployment payouts, benefits are coming with an extra $600 per week for out-of-work Americans during the pandemic, plus the one-time $1,200 payment eligible adults are receiving under the CARES Act.

Unfortunately, the benefit payouts are sitting ducks when it comes to cybercrooks, given that states’ resources to weed out fraud are lacking. States are vulnerable to getting ripped off because they lack the controls necessary to detect patterns, a federal fraud investigator anonymously admitted to infosec journalist Brian Krebs.

Multiple claims for benefits that have the same IP addresses and/or bank accounts? These should be obvious giveaways, but the scammers are getting away with it as a distracted, resource-strapped country reels with coronavirus.

Over the weekend, Krebs reported on an alert recently issued by the US Secret Service that warned about the gang behind the rampant relief-benefit swindling. It’s pulling off large-scale fraud against multiple state unemployment insurance programs, exploiting the COVID-19 pandemic with fraudulent unemployment and CARES Act claims. Total losses could potentially hit hundreds of millions of dollars, the Secret Service said in its alert.

On Tuesday, researchers at Agari Cyber Intelligence Division (ACID) – which creates technology to protect against phishing, business email compromise (BEC) and other email-inflicted scams – said they’ve recognized, and have been tracking, the crooks who are likely responsible.

In fact, ACID said, it looks like some, if not all, of the threat actors behind the scams are likely part of a known, decade-old business email compromise (BEC) cybergang that it calls Scattered Canary.

The West African gang has run a range of scams over its 10+ year history, including unemployment fraud, social security fraud, disaster relief fraud, and student aid fraud, as detailed in a report ACID published about the group in June 2019.

The group is now targeting states including Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming. ACID researchers have found evidence that the cybergang has also been involved in previous attacks targeting CARES Act payments, as well as new scams targeting Hawaii unemployment benefits.

ACID says it’s identified the methods the group uses to create accounts on government websites – namely, they’re exploiting a Gmail feature – and where the stolen funds are directed.

Google doesn’t read username dots

The crooks are taking advantage of a Gmail feature in which Google ignores periods when interpreting Gmail addresses. Google gives this example of how dots don’t matter: “if your email is johnsmith@gmail.com, you own all dotted versions of your address,” Google says, including:

  • john.smith@gmail.com
  • jo.hn.sm.ith@gmail.com
  • j.o.h.n.s.m.i.t.h@gmail.com

When Google says that John.Smith “owns” the variants, it means that Google is going to funnel all the email from all those variations to one email address: in this example, johnsmith@gmail.com.

To set the stage for its attacks, the group used this ignore-the-dots feature to set up dozens of accounts on state unemployment sites and on the Internal Revenue Service (IRS) site that’s used to process CARES Act payments for people who don’t file taxes.

The fact that the email addresses look different – because of the dots – but Google treats them all like they should go to one email address has enabled the gang to carry out crimes fast and efficiently. It’s been able to funnel all communications from a slew of email accounts to a single Gmail account, which is much easier than having to separately monitor incoming mail for each and every one of the bogus accounts the gang has set up on targeted sites.

ACID has identified 259 variations of a single email address used by the crime ring to create accounts on state and federal websites so as to carry out fraud. Here’s an example, with the email addresses expurgated, that shows benefit applications that were successfully processed using the group’s tweaked, dot-stuffed, fraudulent Gmail accounts:

Examples of benefit applications that were successfully processed using the cybergang’s tweaked, dot-stuffed, fraudulent Gmail accounts. IMAGE: ACID
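The detection angle that follows from the dot trick, as an added example that is not part of the original article or ACID’s research: collapse every contact address on a batch of applications to the mailbox Google actually delivers it to, then flag any mailbox that stands behind claims for several different people. The sample claims are constructed; the plus-tag and googlemail.com handling go beyond what the article describes but match documented Gmail behaviour.

```python
"""Cluster benefit applications whose contact e-mail addresses collapse to the
same Gmail mailbox once Google's dot-insensitivity is taken into account.
Added example; the sample claims below are constructed, not data from ACID."""
from collections import defaultdict

# Domains on which Google ignores dots in the local part.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is actually delivered to.

    For Gmail addresses the dots in the local part are ignored, so
    jo.hn.sm.ith@gmail.com and johnsmith@gmail.com are one mailbox.  Gmail
    also ignores anything after a '+' (plus-addressing); that goes beyond
    what the article describes but is documented Gmail behaviour.
    Non-Google domains are only lower-cased, since dots are significant there.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def cluster_claims(claims):
    """Group claims by the mailbox their contact address resolves to.

    `claims` is an iterable of dicts with at least 'claim_id', 'claimant'
    and 'email' keys.  Returns {canonical_mailbox: [claim dicts]}.
    """
    clusters = defaultdict(list)
    for claim in claims:
        clusters[canonical_mailbox(claim["email"])].append(claim)
    return dict(clusters)


def suspicious_clusters(claims, min_claimants: int = 2):
    """Return clusters where one mailbox backs claims for several people.

    A single person may legitimately file more than once (a correction, say),
    so the trigger is distinct claimant names behind one mailbox: the pattern
    the article describes, many bogus identities funnelled into one inbox.
    """
    flagged = {}
    for mailbox, group in cluster_claims(claims).items():
        claimants = {c["claimant"] for c in group}
        if len(claimants) >= min_claimants:
            flagged[mailbox] = sorted(claimants)
    return flagged


# Constructed sample: four dot/plus variants of one inbox plus two unrelated ones.
SAMPLE_CLAIMS = [
    {"claim_id": "C-001", "claimant": "Alice Example", "email": "john.smith@gmail.com"},
    {"claim_id": "C-002", "claimant": "Bob Example", "email": "jo.hn.sm.ith@gmail.com"},
    {"claim_id": "C-003", "claimant": "Carol Example", "email": "J.O.H.N.Smith@GoogleMail.com"},
    {"claim_id": "C-004", "claimant": "Alice Example", "email": "johnsmith+wa@gmail.com"},
    {"claim_id": "C-005", "claimant": "Dan Example", "email": "dan.example@example.org"},
    {"claim_id": "C-006", "claimant": "Dan Example", "email": "danexample@example.org"},
]

if __name__ == "__main__":
    for mailbox, names in suspicious_clusters(SAMPLE_CLAIMS).items():
        print(f"{mailbox}: {len(names)} claimants -> {', '.join(names)}")
```

The same grouping applied to bank account numbers or source IP addresses gives the other “obvious giveaways” the article mentions.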

Fraud times X number of dots

ACID researchers have seen four recent examples of the gang’s fraud. They observed one spate of fraud where the group filed at least 82 fraudulent claims for CARES payments. Between 15 and 19 April, they filed the fraudulent benefit applications using the website the IRS set up to process claims from people who aren’t required to file tax returns.

It was a snap to pull off, given that all the crooks needed was the kind of personally identifiable information (PII) that’s regularly stolen in identity theft:

The only information needed by the gang to file these claims was an individual’s name, address, date of birth, and social security number.

At least 30 of the 82 claims were accepted by the IRS and presumably paid out.

Another example: consistent with the recent US Secret Service warning – which mentioned Washington state as being a primary target – the criminal group has filed at least 174 fraudulent claims for unemployment with the state of Washington since 29 April. The claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks, according to the email sent to the cybergang. The CARES Act also includes $600 per week in pandemic-related unemployment compensation through 31 July.

The total maximum potential loss resulting from these fraudulent claims: $4.7 million.

ACID published this example email from Washington Employment Security Department (ESD) as a result of a fraudulent unemployment claim from the cybercrooks:

Example email from Washington Employment Security Department (ESD) as a result of a fraudulent cybergang unemployment claim. IMAGE: ACID

Massachusetts is also a primary target. The cybercrooks filed at least 17 fraudulent claims for unemployment with the state between 15 and 16 May. ACID said it couldn’t see the exact benefit amount for each claim, but that the maximum weekly benefit is $823 and can last 26 weeks. Adding in the $600 pandemic unemployment payment brings the maximum potential loss for the state’s claims to nearly $500,000.

The network’s next target is apparently Hawaii – a state that’s escaped its claims-fraud attention until now, from what ACID has seen. The cybergang filed its first two bogus unemployment claims on Hawaii’s Department of Labor and Industrial Relations website on 17 May, and more will likely follow.

They’re using prepaid cards to cash out

The criminals are using Green Dot prepaid cards to cash in on their fraudulent claims. Such cards have been used to divert payroll in BEC attacks, since they can be used to receive direct deposit payments. Green Dot cards are also advertised as being able to receive government benefits, such as unemployment payments, up to four days before they’re due to be paid.

The payment cards are part of a bigger trend: the FBI has warned that BEC crooks are increasingly going after payroll funds. As of August, the bureau reported seeing a spike in spoofed emails sent to companies’ human resources or payroll departments. The emails look like they’re coming from employees requesting a change to their direct deposit account – a tweak to a related scheme, in which a crook gains access to an employee’s direct deposit account and alters the routing to another account.

ACID has identified 47 Green Dot accounts that the organized crime group has used to receive fraudulent payments. All of the accounts were set up under the name of the individual on whose behalf the group filed a fraudulent claim.

Expect more to come

This is far from the first time that crooks have wrung whatever they can out of the coronavirus. We’ve seen malware pretending to be from Johns Hopkins University that used a subject header about “horrible” pandemic charts as a lure. In April, the IRS warned about a rash of coronavirus-themed tax fraud attacks.

As of March, thousands of COVID-19 scam and malware sites were being pumped out on a daily basis: people going online to put up coronavirus scam sites or to sell counterfeit surgical masks; fake self-testing kits for HIV and glucose monitoring; and/or bogus antiviral meds, chloroquine, Vitamin C or other food supplements.

This isn’t stopping anytime soon. ACID has seen a more than 3,000% increase in COVID-19-themed phishing attacks since the beginning of February. The phishing attacks are targeting the newly enlarged remote workforce. ACID says BEC actors are also evolving their tactics to adapt to stay-at-home orders.

Chrome 83 adds DNS-over-HTTPS support and privacy tweaks

After delays to Chrome version 81 in March, and the scrapping of version 82 a month later, this week sees the early arrival of Chrome 83 with a longer list of new security features than originally planned.

As browser updates go, it’s a lot to take in although some of them are more tweaks to existing features than anything radically new.

It’s hard to pick out a single big feature, although for some it will be upgraded support for DNS-over-HTTPS (DoH), a privacy technology that makes it much harder for third parties (ISPs, the Government, malevolent parties) to see which web domains someone is visiting.

See our previous coverage for more explanation of the benefits of DoH (and forthcoming support for it in Windows 10) but be aware that Google still doesn’t make using this as easy as it should be.

First, it’s not turned on by default, and might not even be visible under Settings > Privacy and security > Advanced (type chrome://flags/ into the address bar and search for Secure DNS > Enable if that’s the case).

On Chrome, unlike Firefox, users still have to set up a DNS provider that supports DoH via the OS. You can test that it’s working using Cloudflare’s security check.

Enhanced Safe Browsing

Chrome’s Settings pane now includes an enhanced browsing mode which monitors whether the pages a user is visiting, or downloads, have been marked by Google’s Safe Browsing as malicious or suspect.

It’s still optional, which raises the question of why users wouldn’t want this protection. One answer might simply be privacy: turned on, Google will be checking every URL and download against its own database.

Extensions

The user is now made more aware of Chrome extensions, which are now accessible through an icon in the toolbar. This is positive – numerous incidents underline that untended extensions represent a security risk.

Users can now monitor permissions from a simple toolbar icon rather than having to dig into menus, which few are inclined to do. Judging from the experimental ‘extensions checkup’ feature accessible via chrome://flags, Google plans to expand the capabilities of this in future versions.

Cookie control

It’s now possible to allow or block cookies for individual sites, including in incognito mode. The ‘clear browser data’ option has now been moved to the top of Settings > Privacy and security.

Safety check

This seems to work like a one-stop check on important settings, including telling users whether specific passwords have been compromised (using the Password Checkup technology added in Chrome 79). It also checks for malicious extensions, makes sure the user is running the latest versions of Chrome, and will tell you whether Safe Browsing is turned off.

This is all good, right?

It never hurts to have more security and privacy but some of the new features (blocking cookies in incognito mode, for example) are already implemented by rival browsers. Some of what’s on offer is playing catch up.

But browser makers know most users don’t delve deeply into many of these features, so the battle has become making security and privacy easier to access in the hope this means it will be more likely to be used.

Endnote: if your Chrome install says ‘your browser is managed by organization’ (type chrome://management into the address bar) then some of the features mentioned in this article might not appear immediately.

This might be because it is managed by an employer, or simply a relic of a security program that set a policy in the past. On Windows, deleting this setting requires delving into Windows regedit with respect for the adage ‘here be dragons’.

Beware of emails with “horrible charts” about Covid-19

Microsoft is warning of a coronavirus themed malware distribution campaign with a bit of a twist.

This one claims to come from the highly regarded US institution Johns Hopkins University, an organisation that has become a household name during the current coronavirus pandemic.

The jargon term “malspam” has caught on in recent years to describe this sort of attack – unwanted mass email that is malevolent by design because it actively aims to disseminate malware.

(Most of us probably regard all spam as malicious as a matter of definition – it’s illegal in many jurisdictions, after all – but it’s handy to have a word to denote spam that goes way beyond being merely unwanted and unlawful, and that will immediately try to harm you if you do what it suggests.)

Like many malspam campaigns, such as those described in the recent SophosLabs report from a gang of crooks we dubbed RATicate, this one tempts you with an attachment that looks legitimate enough at first glance.

According to Microsoft, the attachment says it’s a spreadsheet, and it really is: if you open it you will see a genuine-looking graph of coronavirus statistics for the USA.

One giveaway of scamminess here is that Johns Hopkins itself runs a world-renowned Coronavirus Resource Center, yet the data in the spreadsheet claims to be from the New York Times.

Another giveaway in the email sample chosen by Microsoft is that the subject line reads as follows:

Covid-19: [Month Day] horrible Charts

A respectable research group would simply not use terminology of that sort – charts themselves are entirely neutral.

Although the adjective “horrible” here might grab your attention, it’s a good sign that you are talking to someone whose goal is to scare you rather than to inform you in a reliable and objective way.

The twist in the tale of this malspam is that although it downloads and delivers a number of different files, just like the examples in our RATicate report, including a “zombie” component, or Remote Access Trojan (RAT), that lets crooks secretly control your computer remotely…

…it also includes a remote access program that’s neither malware in its own right, nor secretive.

Along with the pure-play malware part, says Microsoft, the booby-trapped spreadsheet also installs components from a legitimate remote support software product called NetSupport Manager.

Living off the land

Like many other remote assistance systems such as TeamViewer, Logmein and the QuickAssist software built into Windows itself, NetSupport Manager is a blessing when there’s a trusted friend on the other end helping you figure out why your printer isn’t working.

Unfortunately, remote access tools are a security crisis if your “assistant” is a technical support scammer “searching” for problems you don’t have, to trick you into spending hundreds or thousands of dollars on nothing, or a more determined cybercrook looking for an easy way to rifle through everything on your computer for juicy data to steal.

The technique of using legitimate tools in unlawful and unexpected ways – which even includes ransomware crooks using pirated copies of genuine backup and encryption tools so they don’t need to write their own file scrambling software – is known as “living off the land.”

Here, the metaphor is not so much one of an alternative lifestyle that involves living off-grid and rarely visiting towns or stores, as you might interpret that term in real life.

For cybercriminals, “living off the land” means almost exactly the opposite: it’s analogous to carefully avoiding an alternative lifestyle, staying on-grid, wearing conventional clothes, using the same shops as everyone else, and fitting in as unexceptionably as possible.

In this case, there is a bit of subterfuge in the “living off the land” part, inasmuch as the malware gives the NetSupport Manager tool a filename of dwm.exe.

This means the sneakily installed support tool doesn’t look out of place if you use Task Manager to view the list of running processes.

The filename dwm.exe usually refers to a standard Windows component found in C:\Windows\System32 that is the Desktop Window Manager – as the name suggests, it’s one of the programs responsible for what shows up, and how it looks, on your Windows desktop.
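A detection check that follows from the dwm.exe trick, as an added example that is not part of the original article or of any Sophos or Microsoft product: compare each running process that carries the name of a well-known Windows system binary against the directory the genuine copy lives in, and flag the ones running from anywhere else. The process list is constructed; on a live system it would come from the operating system’s process enumeration.

```python
"""Spot a process that borrows the name of a Windows system binary but runs
from somewhere other than that binary's home directory.
Added example; the process list below is constructed, not real telemetry."""
from pathlib import PureWindowsPath

# Where the genuine copy of each name lives.  dwm.exe is the case from the
# article; the other two are well-known Windows binaries added for breadth.
EXPECTED_HOME = {
    "dwm.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: one separator style, lower case."""
    return str(PureWindowsPath(path)).lower()


def is_expected_location(name: str, image_path: str) -> bool:
    """True if `image_path` sits in the directory the genuine `name` lives in.

    Names not in EXPECTED_HOME are treated as expected, since there is nothing
    to compare them against.
    """
    name = name.lower()
    if name not in EXPECTED_HOME:
        return True
    actual_dir = _norm(str(PureWindowsPath(image_path).parent))
    return actual_dir == _norm(EXPECTED_HOME[name])


def masquerade_findings(processes):
    """Return one finding per process that imitates a system binary's name
    while running from the wrong directory.

    `processes` is an iterable of dicts with 'pid', 'name' and 'path' (the
    full image path as reported by the OS).  Each finding records the pid,
    the name being imitated, where it actually ran from and where it should be.
    """
    findings = []
    for proc in processes:
        if is_expected_location(proc["name"], proc["path"]):
            continue
        findings.append({
            "pid": proc["pid"],
            "imitates": proc["name"].lower(),
            "actual_path": str(PureWindowsPath(proc["path"])),
            "expected_dir": EXPECTED_HOME[proc["name"].lower()],
        })
    return findings


# Constructed sample: the real Desktop Window Manager, a look-alike dropped in a
# user profile (as the article describes), a legitimate svchost reported with
# forward slashes and odd casing, and an unrelated process.
SAMPLE_PROCESSES = [
    {"pid": 912, "name": "dwm.exe", "path": r"C:\Windows\System32\dwm.exe"},
    {"pid": 4480, "name": "DWM.EXE", "path": r"C:\Users\alice\AppData\Roaming\dwm.exe"},
    {"pid": 1300, "name": "svchost.exe", "path": "c:/windows/system32/svchost.exe"},
    {"pid": 5120, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in masquerade_findings(SAMPLE_PROCESSES):
        print(f"pid {finding['pid']}: {finding['imitates']} running from "
              f"{finding['actual_path']} (expected {finding['expected_dir']})")
```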

What to do?

The good news is that this malspam campaign can’t install and activate the malware unless you help it along.

In particular, you can avoid this sort of malware and its “living off the land” companion program if you:

  • Don’t open documents or spreadsheets attached to unsolicited emails. Even if they promise news you are interested in, any information in the attachment will almost certainly be available from a more direct source, via a link of your own choosing. If you are genuinely interested to know the official Johns Hopkins coronavirus figures, find your own way to the real site. That will not only avoid malware or phishing attacks but also protect you from manipulated data and fake news.
  • Don’t enable macros in Office files on the say-so of an email. “Enable macros” sounds innocent, and crooks often tell you that you have to do it in order for Word or Excel to display the file properly. Don’t do it! “Macro” is a jargon word that really means “an embedded program that can do almost anything, including downloading malware, installing new software and stealing files”.

Note that this malware involves a booby-trapped spreadsheet, a rogue software download from a rogue website controlled by the crooks, and the installation of software that isn’t itself malware but isn’t something your IT team would probably be very happy about.

So look for an anti-virus program that can eliminate both known and unknown malware samples, that includes web filtering to block rogue downloads, and that has behavioural features that can detect suspicious activities such as the right sort of software being installed in the wrong sort of way.

If you’re a system administrator using a Sophos endpoint product, consider using our Application Control feature to prevent the unauthorised use of legitimate utilities on company-managed computers, including remote access and configuration tools.


Office 365 exposed some internal search results to other companies

As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer.

It opened our coverage of the news last February that some Google Photos data had been inadvertently made accessible to the wrong users.

Now Microsoft has suffered its own smaller version of the same phenomenon on the Office 365 platform (or Microsoft 365 as its business versions are now called).

The Register reported that an admin was told that their company’s internal search results had been made visible when queries were run by users from another company.

The glitch was temporary, and any files displayed were not accessible:

At no time were the files that were displayed accessible to the user who received the incorrect search results.

It’s not clear how many accounts were caught up in the incident but Microsoft is said to have made available the URL paths and metadata associated with the results so admins could “identify the exact search query results data which were inadvertently viewed.”

Microsoft acknowledged the problem, describing it as “resolved.”

In fact, the cloud is more like everyone’s computer. Much cloud storage relies on data from different customers sharing the same physical storage, with the logical separation between them maintained by software.

In this incident, the problem is more likely to be connected to a misconfiguration or bug in the applications keeping tabs on where everything is – the application searched for something in Azure Active Directory (AD) but misunderstood the permissions connected to what it had found.

The incident reminds us that the walls that segment the cloud into separate units are only as solid as the code they’re written in. Separation in the cloud is not infallible.

More broadly, is Microsoft 365 security as watertight as it could be? The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently drew attention to the security of Microsoft 365. But its concern was hasty deployments, resulting from the sudden need for lots of people to work from home, rather than because of any underlying weakness in the platform:

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.

Office 365’s search issue is minor but disconcerting. It’s a paradoxical aspect of any well-oiled machine that the user only notices how well-oiled it is on the odd occasion the wheels come off.

