Windows vulnerability that allows anyone to gain admin privileges

An exploit for a Windows local privilege elevation vulnerability that allows anyone to gain admin privileges in Windows 10 has been publicly disclosed by a security researcher. Threat actors who had access to a compromised device could elevate their privileges to spread laterally within the network, create new administrative users, or perform privileged commands.

What is an LPE bug?

Local privilege escalation happens when one user acquires the system rights of another user. Network intruders have different techniques for increasing privileges once they have gained access to a system. The initial intrusion could start from anywhere, say a guest account or a local user who has carelessly written a username and password on a Post-it note. Regular users typically operate at a relatively low privilege level, usually to prevent someone who obtains their credentials from gaining control of the system. Once inside, the intruder employs privilege escalation techniques to increase their level of control over the system.
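One thing a defender can do about the consequence described at the top of this post (an intruder creating new administrative users) is to watch the Security log for additions to the local Administrators group. The following Python script is an added example written for this write-up, not code from the article or from Microsoft; the events it scans are constructed dicts that mirror the EventData fields of Windows event 4732, and the list of approved operator accounts is an assumption you would replace with your own baseline.

```python
"""Added example: spotting new local-admin memberships in Windows Security events.

Windows logs event ID 4732 ("A member was added to a security-enabled local
group") whenever an account is added to a local group.  S-1-5-32-544 is the
well-known SID of BUILTIN\\Administrators and S-1-5-32-545 of BUILTIN\\Users.
The sample events below are constructed, not real telemetry.
"""
from collections import defaultdict

EVENT_MEMBER_ADDED = 4732
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed events, flattened to dicts that mirror the EventData fields of 4732.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4732, "SubjectUserName": "ITAdmin", "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetSid": "S-1-5-32-545", "TargetUserName": "Users"},
    # A regular user account adding a new account to Administrators is the
    # post-escalation pattern the article describes ("create new administrative users").
    {"EventID": 4732, "SubjectUserName": "alice", "MemberSid": "S-1-5-21-1-2-3-1106",
     "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators"},
    {"EventID": 4732, "SubjectUserName": "ITAdmin", "MemberSid": "S-1-5-21-1-2-3-500",
     "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators"},
]

# Accounts allowed to change local group membership (assumed baseline, replace with yours).
APPROVED_OPERATORS = frozenset({"ITAdmin"})


def admin_group_additions(events):
    """Return every event that adds a member to BUILTIN\\Administrators."""
    return [
        ev for ev in events
        if ev.get("EventID") == EVENT_MEMBER_ADDED
        and ev.get("TargetSid") == ADMINISTRATORS_SID
    ]


def suspicious_additions(events, approved_operators=APPROVED_OPERATORS):
    """Additions to Administrators performed by an account that is not an approved operator.

    After a successful privilege escalation the Subject is typically the
    low-privileged user (or SYSTEM) rather than a known administrator.
    """
    return [ev for ev in admin_group_additions(events)
            if ev.get("SubjectUserName") not in approved_operators]


def additions_by_subject(events):
    """Count Administrators additions per acting account, for a quick triage table."""
    counts = defaultdict(int)
    for ev in admin_group_additions(events):
        counts[ev["SubjectUserName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in suspicious_additions(SAMPLE_EVENTS):
        print(f"ALERT: {ev['SubjectUserName']} added {ev['MemberSid']} to Administrators")
```

In a real deployment the dicts would come from the XML of the Security channel (via Get-WinEvent or a log forwarder); the matching logic stays the same, and the approved-operator list is what turns a noisy audit event into an alert worth reading.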

A Windows zero-day vulnerability exploited since mid-2020

Microsoft previously said that a high-severity Windows zero-day vulnerability patched in the February 2021 Patch Tuesday had, according to its telemetry data, been exploited in the wild since at least the summer of 2020. The actively exploited zero-day bug was tracked as ‘CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability.’ As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.

It was first disclosed by RyeLv, a security researcher, who explained, “The attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. An attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.”

The bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.

Microsoft’s diminishing bug-bounty rewards

This same vulnerability was apparently discovered about two years ago by Gil Dabah, an Israeli security researcher who is also the CEO of Piiano. He tweeted that he decided not to report the bug at the time because Microsoft had reduced its bug-bounty rewards.

Also, RyeLv stated in his technical write-up for the CVE-2022-21882 vulnerability, “Improve the kernel 0day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.”

General precautions

Microsoft improving its bug bounty rewards could potentially lead to more bug reports by motivated researchers.

Many users chose to skip the January 2022 updates because of the significant number of critical bugs they introduced, including reboots, L2TP VPN problems, inaccessible ReFS volumes, and Hyper-V issues during installation. Keeping auto-updates off and researching the latest updates before installing them might be the best course of action until Microsoft’s updates are deemed reliable.

Sources:

  • https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/
  • https://cyber-reports.com/2022/01/30/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/
  • https://threatpost.com/public-exploit-windows-10-bug/178135/
  • https://www.admin-magazine.com/Articles/Understanding-Privilege-Escalation#:~:text=Local%20privilege%20escalation%20happens%20when,system%20rights%20of%20another%20user.&text=Everyday%20users%20typically%20operate%20at,gaining%20control%20of%20the%20system.
  • https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html

Malware-Infested App on Google Play Store Disguised as a 2FA App Actually Steals Your Financial Data

On the 24th of January, 2022, the French mobile-security firm Pradeo published a statement about a 2FA app that had surfaced on the Google Play Store. The app, disguised as a 2FA authentication app, was injected with malware called the “Vultur” stealer, which had the ability to steal financial data. Even though the app offered fully functional 2FA, it was discovered to be a “trojan dropper”, a tool used by hackers to “drop” malware onto users’ mobile devices.

Over 10,000 downloads in only two weeks

Sadly, this app was live on the Google Play Store for more than two weeks and evaded malware detection systems for the duration of its stay. In this time frame, the app was downloaded onto at least 10,000 devices before it was removed from the store on January 27th, 2022, after Pradeo informed Google about it. This means that the people operating this malware could potentially have had access to all these victims’ bank accounts and stolen their money long before anyone found out about their existence.

How does it work?

Once downloaded, this app installs the Vultur banking trojan by masking it as an update for the 2FA app. The Vultur remote access trojan (RAT) keylogs and screen-records the compromised device in order to read the input the user gives when entering their financial information. This method of data theft allowed the group to automate the process and scale it to a mass level. Another way this app compromises your mobile device is by asking for a flurry of permissions that were not listed in the app’s Google Play Store profile. Once the app gains all these permissions, it can do much more than steal financial data: it can access your geo-location and even disable the device’s password security measures.
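The permission flood described above is something you can check for yourself before trusting an app, by comparing what its manifest declares against what the store listing and the app’s purpose justify. The script below is an added example written for this post, not code from Pradeo, Google or the Aegis project; the manifests are constructed to resemble a dropper posing as an authenticator, and the lists of expected and high-risk permissions are assumptions for a 2FA app rather than anything the article states.

```python
"""Added example: auditing an Android manifest for permissions a 2FA app has no business requesting.

Real APKs store AndroidManifest.xml in binary XML; decode it first (apktool or
`aapt dump xmltree`) and feed the text form to these functions.  The manifests
and permission lists below are constructed assumptions, not the real app's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed baseline: what an authenticator legitimately needs (camera for QR codes).
EXPECTED_FOR_2FA = {"android.permission.CAMERA", "android.permission.INTERNET",
                    "android.permission.VIBRATE"}
# Permissions that enable the behaviours described in the post (assumed list).
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideloading a "2FA update" = dropper
    "android.permission.SYSTEM_ALERT_WINDOW",       # overlays on top of banking apps
    "android.permission.ACCESS_FINE_LOCATION",      # geo-location
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}
# An accessibility service is how screen contents and keystrokes get read.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a dropper that poses as an authenticator.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="2FA Authenticator">
    <service android:name=".Accessibility"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an authenticator that asks only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honest2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Honest 2FA"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def accessibility_services(manifest_xml):
    """Names of services that bind as accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("service")
            if el.get(PERM_ATTR) == ACCESSIBILITY_PERM]


def audit_manifest(manifest_xml, store_listed_permissions):
    """Compare the manifest against the store listing and the 2FA baseline."""
    declared = declared_permissions(manifest_xml)
    a11y = accessibility_services(manifest_xml)
    high_risk = sorted(declared & HIGH_RISK)
    return {
        "undisclosed": sorted(declared - set(store_listed_permissions)),
        "high_risk": high_risk,
        "unexpected_for_2fa": sorted(declared - EXPECTED_FOR_2FA),
        "accessibility_services": a11y,
        "verdict": "suspicious" if high_risk or a11y else "ok",
    }


if __name__ == "__main__":
    listed = ["android.permission.CAMERA", "android.permission.INTERNET"]
    print(audit_manifest(SUSPICIOUS_MANIFEST, listed))
    print(audit_manifest(BENIGN_MANIFEST, listed))
```

The "undisclosed" bucket is the direct analogue of the article’s observation that the app asked for permissions absent from its store profile; the accessibility-service check catches the keylogging and screen-reading capability even when no dangerous install-time permission is declared.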

How did this app trick everyone including Google?

This app used the open-source Aegis Authenticator code to offer real 2FA services. Because of this, people who downloaded the app kept using it, thinking it was harmless, while their valuable information was being stolen. As for Google, it is baffling that the Google Play Store could leave such an app up for so long without raising any alarms. While the Play Store is supposed to filter out malicious apps and protect its users from dangers just like this one, that filtering only works when the store is monitored heavily, which is not the case for the Google Play Store. Even though the Play Store does a good job of keeping general malware-infected apps out of its garden, an app such as this one that does a good enough job of hiding its true motives can slip through Google’s filtration process. Google should definitely do better, considering how many people use its Play Store and assume that they are safe while doing so.

So what should I do now?

Well, now that the app has been removed from the Play Store, there are some things to learn from all of this. For one, it is important for all of us to put less trust in the Google Play Store and do as much as we can to manually verify any apps we download on our mobile phones. We can do this by using different methods of authentication. For one, try to find out as much as possible about the developers and teams behind any app you are trying to download.

Finance platform Qubit Finance lost cryptocurrency worth $80 million to hackers!

On the 27th of January 2022, Qubit Finance tweeted about the biggest DeFi (Decentralized Finance) exploit of 2022, which resulted in the loss of $80 million of cryptocurrency in the form of 206,809 Binance Coin.
The first tweet from Qubit Finance stating they got hacked:
  • https://twitter.com/QubitFin/status/1486870238591594497?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1486870238591594497%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.ndtv.com%2Fbusiness%2Fcryptocurrency-worth-80-million-stolen-from-defi-platform-qubit-finance-2737888

What is Qubit Finance?

Qubit is a decentralized money market platform that takes advantage of the speed, automation, and security of the blockchain to connect lenders and borrowers efficiently and securely. It works much like a normal bank, with lenders who deposit assets to lend out to others and borrowers who borrow those assets. Qubit Finance uses smart contracts rather than third parties to provide customers with financial services such as trading, lending, and borrowing. QBridge is a cross-chain feature that allows users to collateralize their assets on other networks without having to move their assets between chains.

How did it get hacked?

According to an “incident analysis” by security firm CertiK, the attacker used a deposit option in the QBridge contract to illegally generate 77,162 qXETH, an asset representing Ether bridged over Qubit. The procedure was tampered with to make it appear as if the attackers had made a deposit when they hadn’t. According to CertiK, the hacker carried out these actions numerous times, converting all of the funds to Binance Coin in the process.

The breach explained by security firm CertiK:
  • https://twitter.com/CertiKCommunity/status/1486892063006334982?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1486892063006334982%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.ndtv.com%2Fbusiness%2Fcryptocurrency-worth-80-million-stolen-from-defi-platform-qubit-finance-2737888

“Essentially, the attacker took advantage of a logical mistake in Qubit Finance’s code that enabled them to insert fraudulent data and withdraw tokens on Binance Smart Chain while none were placed on Ethereum,” CertiK revealed. Qubit’s QBT was down 34.6 percent at the time of writing, according to CoinGecko statistics. Much of the decrease occurred after the robbery was discovered.

https://www.coingecko.com/en/coins/qubit
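To make the logic error concrete: a bridge that mints wrapped tokens from a deposit claim without confirming the deposit on the source chain can be drained exactly as CertiK describes. The Python model below is an added example for this post, not Qubit’s QBridge contract or the actual bug; the chains, accounts and the scenario reusing the 77,162 figure from the text are constructed, and the verified bridge shows the checks (deposit exists and matches, each deposit redeemed once, minted supply never exceeds locked supply) that close this class of bug.

```python
"""Added example: why a bridge must verify the source-chain deposit before minting.

Toy model of the failure class described above: minting wrapped tokens from a
claimed deposit that never happened.  It does not reproduce the real QBridge
contract or its specific bug; chains, accounts and numbers are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Deposit:
    tx_hash: str
    depositor: str
    amount: int  # integer token units


@dataclass
class SourceChain:
    """Ledger of real deposits locked in the bridge on the source chain (Ethereum-like)."""
    locked: dict = field(default_factory=dict)  # tx_hash -> Deposit

    def lock(self, dep):
        self.locked[dep.tx_hash] = dep

    @property
    def total_locked(self):
        return sum(d.amount for d in self.locked.values())


@dataclass
class DestinationBridge:
    """Mints wrapped tokens (qXETH-like) on the destination chain (BSC-like)."""
    source: SourceChain
    verify: bool = True                      # False = trust the claim as submitted
    balances: dict = field(default_factory=dict)
    consumed: set = field(default_factory=set)

    @property
    def total_minted(self):
        return sum(self.balances.values())

    def mint_from_claim(self, claim):
        """Return True if wrapped tokens were minted for the claim."""
        if self.verify:
            real = self.source.locked.get(claim.tx_hash)
            if real is None or real != claim:   # deposit must exist and match exactly
                return False
            if claim.tx_hash in self.consumed:   # each deposit is redeemable once
                return False
        self.consumed.add(claim.tx_hash)
        self.balances[claim.depositor] = self.balances.get(claim.depositor, 0) + claim.amount
        if self.verify and self.total_minted > self.source.total_locked:
            raise RuntimeError("solvency invariant violated: minted > locked")
        return True


def run_scenario(verify):
    """One honest deposit, one forged claim, one replay; returns what each did."""
    eth = SourceChain()
    eth.lock(Deposit("0xaaa", "honest", 10))
    bridge = DestinationBridge(eth, verify=verify)
    honest = bridge.mint_from_claim(Deposit("0xaaa", "honest", 10))
    forged = bridge.mint_from_claim(Deposit("0xbad", "attacker", 77_162))  # never locked
    replay = bridge.mint_from_claim(Deposit("0xaaa", "honest", 10))        # already redeemed
    return {"honest": honest, "forged": forged, "replay": replay,
            "minted": bridge.total_minted, "locked": eth.total_locked}


if __name__ == "__main__":
    print("unverified:", run_scenario(verify=False))
    print("verified:  ", run_scenario(verify=True))
```

The unverified bridge ends up with 77,182 wrapped tokens backed by 10 real ones; the verified one mints exactly what was locked. The "consumed" set is the second layer: even a genuine deposit record must not be redeemable twice.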

What does this incident say about cybersecurity?

This week, blockchain analysis firm Chainalysis released a report that said more cryptocurrency was stolen from DeFi protocols than any other type of platform last year. 

Chainalysis’s chief of research, Kim Grauer, told ZDNet: “We also know that criminals are the first to adapt to new technology to avoid discovery, and this year was no exception.” This statement explains why DeFi technologies have been the target of so many attacks.

As explained, the hacker was able to exploit a logic error made by Qubit’s team. To tackle that, I believe they should have added more layers of security, as adding a second layer multiplies the original complexity of the problem and makes it way less likely that hackers will be able to exploit it.

Lastly, I believe that this incident signifies how important cybersecurity is.

How are they solving the problem?

The Qubit Finance team publicly tweeted that they are offering the hackers a generous bounty worth $2 million, without prosecution, if the attackers return all the stolen money; as of right now, the hackers have not responded. Luckily, the money is still on-chain and is being monitored by their team and their partners. The entire incident shows us how even a small group of attackers can find exploits and get away with millions online with little to no trace left, and that is why cybersecurity is of the utmost importance.

Sources:

  • https://twitter.com/QubitFin
  • https://www.ndtv.com/business/cryptocurrency-worth-80-million-stolen-from-defi-platform-qubit-finance-2737888
  • https://www.fxstreet.com/cryptocurrencies/news/largest-defi-exploit-of-2022-wipes-out-80-million-from-qubits-ethereum-bsc-bridge-202201281226
  • https://www.zdnet.com/article/qubit-finance-crypto-platform-begs-hacker-to-return-80-million-in-stolen-funds/
  • https://docs.qbt.fi/

Fake Websites “Hiring” Former Spies to Seemingly Work for Israel

In the past four years, 16 websites appeared in Iran, Lebanon, and Syria in an attempt to lure those interested in spy or consulting work for Israel. They specifically targeted those who held sensitive security jobs in the Hezbollah group, the Assad regime, and Iran. These sites used the same website elements, such as logos, images, and phrasing, as Israeli websites [1].

https://www.thedailybeast.com/shady-network-of-fake-mossad-job-sites-target-iranian-spies?ref=scroll

History of Cyberwars between Iran and Israel

In recent history, due to an increasing number of sanctions and the political tension between Iran and Israel, a cyber war has been brewing in the region. These cyber attacks on both fronts aim to disrupt government and/or military facilities. For example, in April 2020, an Israeli water pumping station was hacked and tampered with in an attempt to poison water supplies with higher chlorine levels. Recently, the number and intensity of these attacks have been increasing, with the hacking of fuel supply systems, railway controls, and airlines. Not only have these attacks impacted the governmental systems of both countries, but the lives of ordinary citizens have been thrown into chaos as well. More recently, an Israeli LGBTQ dating app was hacked, and the intimate data of a million users, including their HIV status, was leaked by what is assumed to be Iranian actors [2].

Threatening phrases on an Israeli website after being hacked. https://www.calcalistech.com/ctech/articles/0,7340,L-3825492,00.html

An example of these ‘honey-trap’ sites

“VIP Human Solutions” was one of these 16 fake sites. It made an effort to mimic an Israeli consulting agency by incorporating a unique pitch and logos, and it even had its own YouTube and Facebook pages to advertise its services. The site itself featured an Israeli flag as well as a contact phone number with an Israeli country code. It advertised itself as a “VIP center for recruitment of the most distinguished in the military and security services of Syria and Hezbollah in Lebanon” and promised high salaries and a quick hiring process [3].

Evidence

While there is no concrete evidence of which group these sites belong to or what their purpose is, cybersecurity specialists suspect that they are part of a counterintelligence effort launched by Iran or its operatives. These sites have been so widespread that many Iranians have expressed their confusion and frustration over social media networks. Experts believe that Israel’s intelligence services would not advertise espionage work in such an indiscreet and unprofessional manner. Moreover, research has shown that many of these 16 sites are controlled under the same Google Analytics account, and attempts to reach them via their Telegram account have gone unanswered [3].

Conclusion

This series of websites is a prime example of the phishing websites to avoid. It is crucial for ordinary citizens to be trained on phishing tactics and to learn to identify them. On many occasions, phishing websites try to scam people out of their money, but in this case, they could have cost former spies or enemies of a state their lives.

https://www.ubisecure.com/security/phishing-2-0/

References:

  1. https://www.timesofisrael.com/report-iranian-honey-trap-sites-try-to-enlist-spies-to-ostensibly-work-for-israel/
  2. https://www.wired.com/story/hacking-iran-critical-infrastructure-israel/
  3. https://www.thedailybeast.com/shady-network-of-fake-mossad-job-sites-target-iranian-spies

$770 Million Lost to Social Media Scams

Source https://igscleaner.com/understanding-the-social-media-and-its-scams.html

Social media scams accounted for a quarter of the frauds in the 2021 fraud losses report in the United States. People aged 18-39 make up the majority of this group of scammed individuals, most of them on Facebook and Instagram. [2] This is the highest number of fraud cases reported to date. [1]

Trends in fraud cases and money lost over the years [2]

Shopping Scams

Source https://whatismyipaddress.com/safe-shopping

The majority of social media scams were categorized as “shopping scams”. [2] A bogus ad is put up, with other fake accounts commenting about the product, designed to make you trust the ad at first glance; then the item you buy never shows up, and there is no way to contact the seller. When you are prompted to fill out the shipping information, your credit card information is made available to them, along with personal information such as your address and phone number. Exposing your phone number can lead to phone call scams, creating a domino effect of further scams.

Investment Scams

An example of the type of messages posted for investment scams- source https://tiremeetsroad.com/2021/11/24/mazda-usa-instagram-account-hacked-promoting-forex-fraud-scheme/

Another category of these scams is investment scams. [1] Scammers take hold of one account and get the individual to record a video, promising to cash out the investment they have made at the end. When individuals try to log in through the link that will supposedly give them their money, their Instagram accounts are taken over. The scammers use phishing to figure out the passwords and then post on the victim’s behalf to their friends, and the cycle continues. In some cases, the individuals whose accounts have been taken over lose all the information they had on the account, such as pictures or messages. These pictures can be of their children and family members, intended only for friends to see, and are now in the hands of strangers. Not only does the individual lose their money, but their privacy is violated.

An example of an individual’s Instagram account being taken over because of this:

https://abc7.com/video/embed/?pid=11509271

“She’s telling me all the steps and the details and I’m thinking it’s her, but it wasn’t her, it was the scammers.” [4]

“OMG you guys! I cannot believe I just made an investment of $1,300,” [4]

Statement made by Anderson in an article where she explains what happened to her Instagram account [4]

Romance Scams

Source https://www.aarp.org/money/scams-fraud/info-2021/widow-online-romance-scam.html

Romance scams can often be a continuation of the shopping or investment scams. After the personal information is acquired, the scammer either uses the individual’s profile after gaining access to it or uses the information to create a new fake account. Scammers will also create completely random profiles and establish a relationship with you. They then ask for money by reaching out to you and giving immense detail about why or what they need.

Steps You Can Take To Stay Safe

We recently learned in class about identifying and authenticating; these skills can be put to great use in this context.

The first step would be to identify characteristics of the website. Try to assess the following aspects:

  • Do the graphics look well done? Do the pictures look photoshopped and fake, or are they real?
  • Are there spelling or grammar mistakes?
  • Look for watermarks or copyright signs, and try to identify the return policy and contact information ahead of time.

The next step would be to authenticate, especially for websites that are not well known. Try to assess the following aspects:

  • Try googling the website rather than following the direct link, to read up on other people’s experiences.
  • Use this link provided by Google to see if the website has been vetted: https://transparencyreport.google.com/safe-browsing/search
  • Try to reach out to them ahead of time to ensure they are reliable, as an attempt to have them prove their identity.

General Rules of Thumb to Use:

  • It’s safer to avoid clicking links from those you don’t know or don’t recognize.
  • Do not give money or credit card information to anyone unless you have triple-checked their identity.
  • Do not invest in anything other than accredited and vetted websites or apps.

Overall, always do research! If it looks too good to be true, it probably is too good to be true.

To end on not such a scary note and provide more reassurance, below is a link to an additional website that provides a comprehensive walk-through about identifying if a website is safe and credible.

https://www.thesslstore.com/blog/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam/

Sources

  1. https://www.itworldcanada.com/post/95000-americans-lost-770-million-to-social-media-scams
  2. https://www.aarp.org/money/scams-fraud/info-2022/social-media-scams-soared-last-year.html
  3. https://www.ftc.gov/news-events/blogs/data-spotlight/2022/01/social-media-gold-mine-scammers-2021
  4. https://abc7.com/instagram-investment-scam-online-hackers-long-beach-woman/11509192/
  5. https://www.complex.com/life/ftc-social-media-scams-cost-people-770-million-2021
  6. https://www.popsci.com/technology/ftc-social-media-scams/

Canadian Foreign Affairs Ministry HACKED!

On the 25th of January 2022, CNN reported unpleasant news for the public [2], claiming that there had been a cyberattack on the foreign affairs ministry of Canada, also known as Global Affairs Canada (GAC), causing disruption to internet-based activities.

Global Affairs Canada Logo

What is Global Affairs Canada?

In order to fully explain the magnitude of the situation, it is necessary to give a little background about the organization itself. According to Wikipedia, GAC is the department of the Government of Canada that maintains Canada’s diplomatic and consular relations, promotes Canadian international trade, and leads Canada’s international development and humanitarian assistance [3]. Considering that they handle many activities on different levels, they hold a tremendous amount of data. So now you know what’s at risk here.

About the Cyberattack

Cyberattack

A day before the incident was detected, the Canadian intelligence agency advised GAC to strengthen its defenses against possible attacks from Russia. Do you smell something fishy? Me too!! According to one source, it was later discovered that GAC had been a predicted target of a cyberattack [4]. After the attack, the government claimed that it was not able to locate the origin of the attack. It turns out the government suspects this particular cyberattack came from the Russians. Its reason behind this allegation is that there has been rising tension between the two countries over political reasons, so this attack was meant to provoke the Canadian government. Considering the increasing reinforcement of the Russian army on the Ukrainian border, this claim might be true, but the government does not have sufficient evidence to prove that Russia was behind the attack.

How did it happen?

As for how the hackers were able to bypass all security measures and grant themselves access to GAC’s network, it is suspected that they used phishing emails. However, the article “Oh Canada” [1] states, “It is unclear how the hackers obtained access to the GAC network,” showing that with all its resources and advanced technology the government still was not able to identify the hackers. This incident caught the eye of many residents of Canada, since the government holds a huge amount of data on its citizens. Many Canadian residents are now having second thoughts about their data’s security. Questions like “Since the government was not able to protect itself from such hackers, what about us? Are we safe?” continuously overwhelm their minds. It is indeed the right question, because we have put a lot of trust in the government, hoping it would go to extreme measures to keep our data secure. So, what happens when it fails?

New Measures and Takeaway

After recovering from this incident, the government informed the public that it will be enhancing its data security from now on. It claims that the use of tokenization will reduce the chances of such incidents happening again. In addition, it plans to use a new form of encryption, format-preserving encryption, which will be applied to all sensitive data in order to make it worthless even if hackers get hold of it.
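Tokenization, one of the two measures mentioned above, is easy to misunderstand, so here is a minimal working model of it. This is an added example written for this post, not Global Affairs Canada’s system; the vault class, the sample record and its field values are all constructed. It implements vault-based tokenization that keeps each value’s format; it does not implement format-preserving encryption, which needs a standardized keyed cipher such as NIST’s FF1 and is deliberately not re-created here.

```python
"""Added example: format-preserving tokenization backed by a vault.

A sensitive value is swapped for a random surrogate with the same shape
(length, digit/letter positions, separators) so downstream systems keep
working, while the real value lives only in the access-controlled vault.
This is tokenization, not format-preserving encryption: FPE (e.g. NIST FF1)
derives the surrogate from a key with a standardized cipher and is not
reimplemented here.  The sample record is constructed.
"""
import secrets
import string


class TokenVault:
    MAX_TRIES = 1000

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    @staticmethod
    def _random_like(ch):
        """Replace one character with a random one of the same class."""
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.islower():
            return secrets.choice(string.ascii_lowercase)
        return ch  # separators such as '-' or ' ' stay where they are

    def tokenize(self, value):
        """Return the token for value, creating one on first use."""
        if value in self._token_by_value:
            return self._token_by_value[value]  # same value -> same token (stable joins)
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no characters that can be replaced")
        for _ in range(self.MAX_TRIES):
            token = "".join(self._random_like(c) for c in value)
            if token != value and token not in self._value_by_token:
                break
        else:
            raise RuntimeError("could not find an unused token")
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token):
        """Return the original value, or None for an unknown token."""
        return self._value_by_token.get(token)


def redact_record(record, vault, sensitive_fields):
    """Copy a record with the named fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in sensitive_fields else v)
            for k, v in record.items()}


# Constructed sample record; the identifiers are made up.
SAMPLE_RECORD = {"name": "Jane Doe", "sin": "123-456-789",
                 "passport": "AB123456", "city": "Ottawa"}

if __name__ == "__main__":
    vault = TokenVault()
    safe = redact_record(SAMPLE_RECORD, vault, {"sin", "passport"})
    print(safe)
    print(vault.detokenize(safe["sin"]))
```

A breach of the system that holds only tokens exposes nothing useful; the security of the scheme rests entirely on who can reach the vault, which is why the vault is the part that needs the strictest access control and auditing.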

Hopefully these measures will really help boost the government’s defense mechanisms, but on an individual level everyone is responsible for their own privacy. We have just seen a government fail in its security measures; therefore, we cannot just rely on governments to provide us with the necessary security. Rather, we should take a step ourselves and find out how secure our data actually is in the real world.

What is your take on the Canadian Government? Feel free to comment below and share your thoughts.

References

  1. Suciu, P. (2022, January 28). Oh Canada – foreign affairs ministry gets hacked. ClearanceJobs. https://news.clearancejobs.com/2022/01/28/oh-canada-foreign-affairs-ministry-gets-hacked/
  2. Lyngaas, S. (2022, January 25). Hackers Target Canada’s Foreign Ministry in Cyber Attack. CNN. https://www.cnn.com/2022/01/25/politics/hackers-canada-cyber-attack/index.html
  3. Wikimedia Foundation. (2022, January 6). Global Affairs Canada. Wikipedia. https://en.wikipedia.org/wiki/Global_Affairs_Canada
  4. Global Affairs Canada suffers a cyberattack amid Russia-Ukraine tensions. teiss. (2022, January 26). https://www.teiss.co.uk/news/global-affairs-canada-suffers-a-cyberattack-amid-russia-ukraine-tensions-9482
  5. Global Affairs Canada Logo. Global Affairs Canada Logo. https://newpathway.ca/global-affairs-sidesteps-np-un-questions/
  6. Cyberattack. https://www.netsparker.com/blog/web-security/5-ways-a-cyberattack-can-hurt/

Apple Created the Perfect Tool for Stalking and Phishing Attacks

Apple AirTag Concept Art [1]

What are Apple AirTags and How Do They Work?

Apple advertises the AirTag as a smart tracking device. It is an easy way to keep track of your belongings and helps those who have misplaced or had their items stolen. These devices can be attached to your personal belongings, the most common being important assets such as keys, luggage, and valuables. AirTags communicate over Bluetooth, and their location can be actively tracked and detected by nearby Apple devices through the iOS app called Find My [2].

How Are AirTags Being Misused?

Rather than being used for their primary advertised function of locating personal goods, they are falling into the wrong hands and being exploited to stalk and track people, locate cars to steal, and conduct phishing attacks.

How are people figuring out that they are being tracked by an Apple AirTag? An individual receives a phone notification stating that an unidentified AirTag has been found moving with them and informing them that the location of the AirTag can be seen by its owner. Some people have found AirTags attached to their belongings and cars without their knowledge or consent. The only way they discovered the device was through the phone notification informing them about it, and/or a beeping alert from the AirTag if the phone notification went unnoticed [3].

Phone Notification: AirTag Found Moving With You [5]

Another misuse of Apple AirTags is that hackers can modify them to perform malicious functions other than those originally intended [4]. Hackers can put AirTags into “Lost Mode” and inject a malicious URL into the contact phone number field, then intentionally drop the AirTag somewhere for an unsuspecting individual to pick up and scan. From there, the URL could direct users to a payload that distributes malware, a phishing website, or a site asking for credentials.
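The safest response to a scanned tag is to look at the URL before opening it, and that check can be automated. The Python below is an added example written for this post, not Apple code; the allowed host found.apple.com is an assumption to be verified against Apple’s own documentation, and the sample URLs are constructed. It rejects non-HTTPS links, credentials embedded in the authority (the found.apple.com@evil.example trick), bare IP addresses, and hosts that merely contain the expected name as a prefix.

```python
"""Added example: vetting the URL an AirTag (or any NFC tag) hands to your phone.

EXPECTED_HOSTS is an assumption, not something stated in the article: confirm
the genuine Lost Mode host against Apple's documentation before relying on it.
All sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"found.apple.com"}  # assumed; verify against Apple's documentation


def classify_scanned_url(url, allowed_hosts=EXPECTED_HOSTS):
    """Return ("ok", host) for an expected Lost Mode link, else ("reject", reason)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return ("reject", f"unparseable URL: {exc}")
    if parts.scheme.lower() != "https":
        return ("reject", f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        # https://found.apple.com@evil.example/ -> the real host is evil.example
        return ("reject", "credentials in authority (host look-alike trick)")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("reject", "no host")
    try:
        ipaddress.ip_address(host)
        return ("reject", "bare IP address instead of a hostname")
    except ValueError:
        pass  # not an IP literal, continue
    if host in allowed_hosts:
        return ("ok", host)
    # found.apple.com.evil.example is NOT a subdomain of found.apple.com
    return ("reject", f"unexpected host {host}")


# Constructed samples: one genuine-looking link and several phishing patterns.
SAMPLE_URLS = [
    "https://found.apple.com/airtag?pid=EXAMPLE",
    "http://found.apple.com/airtag",
    "https://found.apple.com@evil.example/login",
    "https://found.apple.com.evil.example/airtag",
    "https://203.0.113.5/airtag",
    "tel:+15555550100",
]


def triage(urls):
    """Map each URL to its verdict so a batch of scans can be reviewed at once."""
    return {u: classify_scanned_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict[0]:6} {url}  ({verdict[1]})")
```

The same checks apply to any QR code or NFC link: scheme, exact host match, and no authority tricks, before anything is tapped.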

What Does This Mean for Cybersecurity and Privacy?

The misuse of these devices demonstrates that people’s cybersecurity and privacy can be easily compromised. These devices can be exploited to track and monitor people’s locations, which shows that the victims in these cases have had their personal privacy breached. Where they live, work, and frequent are all subject to monitoring without their permission, and this information can be used for various potentially dangerous ends.

As for hackers injecting malicious URLs into the contact number field in an attempt at phishing, this puts the victim’s personal information and saved credentials at risk, and much more if the URL leads to malware.

How Is This Issue Being Addressed by Apple?

Apple claims that privacy is built-in and that the AirTags are designed to discourage unwanted tracking [2].

  • Apple has created safeguards that would protect people from being tracked. Individuals with iPhones are notified if an unregistered AirTag is moving with them. However, rather than the notification being immediate, it comes hours later [3].
  • Another safeguard, implemented in case the phone notification goes unnoticed, is that people who have an unregistered AirTag moving with them will hear a beeping noise. The sound is 60 decibels [3], which could easily be muffled if the tag is hidden somewhere that makes it difficult, if not impossible, to hear.
  • There could be individuals who are unaware they are being tracked if they do not own an iPhone, such as Android and other non-Apple users. Apple has released an app for such users called Tracker Detect [6], which notifies users if they are being followed by AirTags, but only while the app is open. It has around 100k+ downloads [3], so only a small number of people are aware of the exploitation/misuse of AirTags. Hopefully, soon, Android and other non-Apple systems will implement a feature to protect their users.

Furthermore, are these safeguards enough to protect people? What do you think Apple can do to ensure the safety of their customers?

What Can You Do to Protect Yourself from Being Tracked and Phished?

Here are a few ways [7]:

  • Manually search yourself and check your belongings on a regular basis.
  • Invest in a Bluetooth tracker especially if you own an Android or non-Apple device.
  • Find the AirTag’s serial number: once you have located the AirTag, you can find the serial number underneath the battery. Removing the battery will make it so the owner cannot see your location. This information can be used if you end up needing to go to law enforcement.
  • Disable the AirTag: Can be disabled by removing the battery.
  • When scanning an AirTag, make sure the URL is the intended site.
  • Call for help if you think you are in immediate danger.

Serial Number on AirTag [8]

Sources:

  1. “Apple AirTag Concept.” Twitter, Apple Tomorrow, twitter.com/AppleTomorrow2.
  2. “AirTag.” Apple (CA), www.apple.com/ca/airtag/.
  3. James Clayton & Jasmin Dyer. “Apple AirTags – ‘a Perfect Tool for Stalking’.” BBC News, BBC, 20 Jan. 2022, www.bbc.com/news/technology-60004257.
  4. Then, Ewdison. “Apple AirTag Lost Mode Bug Turns Helpers into Phishing Victims.” SlashGear, 29 Sept. 2021, www.slashgear.com/apple-airtag-lost-mode-bug-turns-helpers-into-phishing-victims-28693075/.
  5. Kateliev, Preslav. “Notification: AirTag Found Moving With You.” PhoneArena, www.phonearena.com/reviews/apple-airtags-review_id5072.
  6. Bonifacic, Igor. “Apple Releases Tracker Detect to Protect Android Users from AirTags Stalkers.” Engadget, 13 Dec. 2021, www.engadget.com/apple-detect-tracker-android-release-193850566.html.
  7. Rayome, Alison DeNisco. “Apple AirTags Can Be Used to Track You. How to Protect Yourself.” CNET, CNET, 31 Dec. 2021, www.cnet.com/tech/services-and-software/apple-airtags-can-be-used-to-track-you-how-to-protect-yourself/.
  8. “How to Find the Serial Number of an AirTag – Apple Support.” Apple, support.apple.com/en-us/HT211658.

The Importance of Drone Security

As our civilization continues to advance through the age of information, drone technology becomes ever more prominent within our daily lives. Drones are rapidly growing in popularity, and their functions include but are not limited to the production of recreational art, automated labor, and even forms of weaponry [1]. Their uses can be found worldwide in commercial, industrial, and military applications [1]. In this article, you will learn how drone technology functions, as well as its risks and vulnerabilities and how to combat them.

Source: https://shop.stockphotosecrets.com/productpage-vectors.html

What are Drones?

Drones are unmanned vehicles that are remotely controlled, with varying degrees of autonomy. They come in all shapes and sizes, from as small as your palm to as large as a private jet. Although often referred to as “Unmanned Aerial Vehicles” (UAVs), drones also come in land and sea variants adapted to their environment and mission. The missions carried out by drones range from the simplest of tasks to the most dangerous, including ones that could cause bodily injury or death[2].

How are Drones Used?

Drones, most commonly the flying kind, have been in widespread use for the better part of two decades, but their history dates back to the First World War[1]. Today they accomplish a wide variety of tasks, from simple deliveries and rescue missions to military operations such as reconnaissance and airstrikes[2]. Most sophisticated modern drones also carry integrated data-link systems that let the operator and other drones communicate with one another even while a task is in progress.

Source: https://www.nextbigfuture.com/2015/08/millions-of-drones-by-2025-and-million.html

Risks and Vulnerabilities

Because drones are operated remotely, they need a link to the ground operator in order to be maneuvered, and if one operator can control a drone over that link, an attacker who can reach the same link can too. With today’s technology, hackers can access and hijack drones without even owning one[3]. Drones operating autonomously on a large scale rely on integrated GPS (or a similar satellite positioning system) to know where they are, and on radio data links to coordinate with the controller and the other drones in the fleet[2]. Civilian GPS signals are not authenticated and many consumer data links are not either, which creates an opening to attack several drones at once; the result can be anything from disrupted operations to irreparable damage or loss of life[3]. Within the cyber domain, the major threats to drones include, but are not limited to[4]:

  • GPS spoofing: transmitting counterfeit satellite signals so that the drone computes a false position, which an attacker can use to steer or take over the platform.
  • Downlink interception: capturing the data transmitted between the controller and the drone, such as video or telemetry.
  • Data exploitation: using a drone to mimic a trusted network connection such as Wi-Fi or Bluetooth in order to steal data from devices that connect to it.
Source: https://www.researchgate.net/figure/GPS-spoofing-attack-on-GPS-Enabled-Drone-36_fig4_351342826
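The plausibility checks below are an added example, not code from any of the sources cited in this article. They run over a constructed GPS track and flag the kinds of discontinuity a spoofing attack on the receiver tends to produce: an impossible implied speed, GPS time diverging from the drone’s own clock, and a sudden jump in the number of satellites in the solution. The thresholds, the track and the field layout are assumptions for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 30.0       # assumed airframe limit; tune per platform
MAX_CLOCK_SKEW_S = 0.5     # assumed tolerable disagreement between GPS time and onboard clock
SAT_JUMP = 4               # assumed suspicious jump in satellites-in-solution between fixes


@dataclass
class Fix:
    t_onboard: float   # seconds on the drone's own (monotonic) clock
    t_gps: float       # seconds as reported by the GPS receiver
    lat: float
    lon: float
    sats: int          # satellites used in the position solution


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fix(prev: Fix, cur: Fix) -> List[str]:
    """Return the reasons `cur` is implausible given `prev`; an empty list means it passed."""
    reasons = []
    dt = cur.t_onboard - prev.t_onboard
    if dt <= 0:
        return ["onboard clock did not advance between fixes"]
    speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
    if speed > MAX_SPEED_MPS:
        reasons.append(f"implied speed {speed:.0f} m/s exceeds {MAX_SPEED_MPS:.0f} m/s")
    gps_dt = cur.t_gps - prev.t_gps
    if abs(gps_dt - dt) > MAX_CLOCK_SKEW_S:
        reasons.append(f"GPS time advanced {gps_dt:.1f} s while onboard clock advanced {dt:.1f} s")
    if cur.sats - prev.sats >= SAT_JUMP:
        reasons.append(f"satellites in solution jumped from {prev.sats} to {cur.sats}")
    return reasons


def scan_track(track: List[Fix]) -> List[Tuple[float, List[str]]]:
    """Run check_fix over consecutive fixes; return (onboard time, reasons) for each flagged fix."""
    return [(cur.t_onboard, r) for prev, cur in zip(track, track[1:]) if (r := check_fix(prev, cur))]


# Constructed sample track (not real telemetry): slow northward drift at about 1 m/s,
# then a spoofed jump of roughly 550 m with a skewed GPS clock and more satellites "visible".
TRACK = [
    Fix(0.0, 1000.0, 37.42200, -122.0841, 8),
    Fix(1.0, 1001.0, 37.42201, -122.0841, 8),
    Fix(2.0, 1002.0, 37.42202, -122.0841, 8),
    Fix(3.0, 1008.0, 37.42702, -122.0841, 12),  # spoofed fix
    Fix(4.0, 1009.0, 37.42703, -122.0841, 12),
]

if __name__ == "__main__":
    for t, reasons in scan_track(TRACK):
        print(f"t={t:.0f}s flagged: " + "; ".join(reasons))
```

Only the spoofed fix at t=3 s is flagged, on all three counts. Checks like these catch a coarse takeover; an attacker who captures the receiver and then walks the position away slowly stays under every threshold, so in practice they are combined with cross-checks against the inertial sensors and, where available, a second receiver or antenna.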

Preventative Measures

Mitigating the cybersecurity risk to drones comes down to a few questions: how secure is the platform, how secure is the transmission of data, and how can hostile drone platforms be countered[4]. Securing a drone is much like securing any other computer, because a drone is just a mobile computer. Kaspersky has proposed some useful tips for both securing a drone and resisting hijacking attempts[5]:

  • Keep firmware patched, in order to fix bugs and close known exploits.
  • Use strong, unique access keys on both the controller application and the drone, so that the link is authenticated rather than open to any nearby controller; a default or vendor-wide key provides no such protection.
  • Run anti-virus software on the controlling device (laptop, phone or ground station) to block malware that could reach the drone through it.
  • Use a VPN to encrypt the connection between the operator and the drone; this only helps where the link is IP-based, such as a Wi-Fi-controlled drone, not for proprietary radio links.
  • Enable an automated return-to-home mode that brings the drone back to you if it ever loses connection.
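To make the “strong access keys” item concrete, here is an added example (not Kaspersky’s or any vendor’s code) of an authenticated command link: every command from the controller carries a sequence number and an HMAC-SHA256 tag under a key that is assumed to be provisioned per drone at pairing time, and the drone rejects frames with a bad tag or a reused sequence number. The frame layout and the command names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

SEQ_LEN = 8    # big-endian 64-bit sequence number
TAG_LEN = 32   # HMAC-SHA256 tag


class Controller:
    """Operator side: signs each command with the shared key and a fresh sequence number."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def build(self, command: bytes) -> bytes:
        self._seq += 1
        header = struct.pack(">Q", self._seq)
        tag = hmac.new(self._key, header + command, hashlib.sha256).digest()
        return header + command + tag


class Drone:
    """Drone side: verifies the tag first, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = 0

    def accept(self, frame: bytes) -> Tuple[bool, str, Optional[bytes]]:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "short frame", None
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + body, hashlib.sha256).digest()
        # Constant-time comparison; nothing in the frame is trusted until the tag checks out.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", None
        (seq,) = struct.unpack(">Q", header)
        if seq <= self._last_seq:
            return False, "replay", None
        self._last_seq = seq
        return True, "ok", body


def demo() -> Dict[str, bool]:
    """Exercise the link with a legitimate operator and an attacker who lacks the key."""
    key = os.urandom(32)  # assumed to be provisioned per drone at pairing, never a vendor-wide default
    ctl, drone = Controller(key), Drone(key)
    results = {}

    frame = ctl.build(b"ARM")
    results["legit"] = drone.accept(frame)[0]       # accepted
    results["replay"] = drone.accept(frame)[0]      # same frame again: rejected

    # A hijacker who knows the frame format but not the key cannot produce a valid tag.
    forged = struct.pack(">Q", 99) + b"LAND" + bytes(TAG_LEN)
    results["forged"] = drone.accept(forged)[0]

    # Tampering with a genuine frame in transit invalidates its tag.
    tampered = bytearray(ctl.build(b"HOVER"))
    tampered[SEQ_LEN] ^= 0x01
    results["tampered"] = drone.accept(bytes(tampered))[0]

    # The real operator continues to be accepted afterwards.
    results["next_legit"] = drone.accept(ctl.build(b"LAND"))[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'accepted' if ok else 'rejected'}")
```

The tag gives authenticity and the sequence number gives replay protection; dropped frames are tolerated because only a sequence number at or below the last accepted one is rejected. It does nothing for confidentiality, so where downlink interception is the concern the same pairing key should feed an authenticated cipher such as AES-GCM so that the body is encrypted as well as authenticated.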

Sources

[1]: https://www.businessinsider.com/drone-technology-uses-applications
[2]: https://builtin.com/drones
[3]: https://uk.pcmag.com/security-devices-2/8285/skyjack-software-finds-and-hijacks-drones
[4]: https://www.tripwire.com/state-of-security/security-data-protection/cybersecurity-and-drones-how-to-address-the-security-threats/
[5]: https://www.kaspersky.com/resource-center/threats/can-drones-be-hacked

Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing.

Technology has made our lives easier: we save credentials and personal information in apps so that the next time we open them everything is immediately accessible, and nearly everyone relies on their devices to hold bank details, personal data and more. Security apps have made this convenient, and we tend to trust that they are protecting our data. [1]

Microsoft’s MFA phishing attacks

Microsoft recently uncovered a large-scale, multi-phase campaign that adds a novel technique to traditional phishing: joining an attacker-operated device to the victim organization’s Azure AD tenant in order to propagate the campaign further. Microsoft observed that the second stage of the campaign succeeded only against victims that had not implemented multi-factor authentication (MFA), an essential pillar of identity security. Without MFA, the attack takes advantage of the bring-your-own-device (BYOD) model: freshly stolen credentials are enough to register a new device.

The attacks were carried out in two parts. “The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand,” as stated by the Microsoft 365 Defender Threat Intelligence Team. “Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.”

Users were sent a DocuSign-branded phishing lure with a link that led to a fraudulent site impersonating the Office 365 login page, where their credentials were stolen. Those credentials gave the attackers access to more than 100 mailboxes across several organizations, in which they created inbox rules to hide their activity. The second wave then exploited the absence of MFA: the attackers enrolled an unmanaged Windows device into the company’s Azure Active Directory (Azure AD) tenant, giving themselves a legitimate-looking registered identity from which the malicious messages were sent onward.

By linking an attacker-controlled device to the tenant, this unusual approach let the attackers expand their foothold, spread the campaign quietly, and move laterally through the targeted organization.[2]
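An added example, not Microsoft’s code, of a detection that correlates the three signals described above over a handful of constructed events: a successful password-only sign-in from an IP the user has not used before, a device registration shortly afterwards, and an inbox rule that hides mail. Field names are simplified versions of those in the Azure AD sign-in and audit logs and the Office 365 unified audit log; the events, addresses, users and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample events (not real tenant data). "source" says which log the record is
# modelled on: Azure AD sign-in log, Azure AD audit log, or the Office 365 unified audit log.
EVENTS = [
    {"time": "2022-01-20T08:02:00Z", "source": "signin", "user": "alice@contoso.example",
     "ip": "203.0.113.7", "mfa": False, "result": "success"},
    {"time": "2022-01-20T08:05:00Z", "source": "audit", "user": "alice@contoso.example",
     "operation": "Register device", "ip": "203.0.113.7"},
    {"time": "2022-01-20T08:09:00Z", "source": "exchange", "user": "alice@contoso.example",
     "operation": "New-InboxRule",
     "params": {"SubjectContainsWords": "docusign", "DeleteMessage": True}},
    {"time": "2022-01-20T09:00:00Z", "source": "signin", "user": "bob@contoso.example",
     "ip": "198.51.100.2", "mfa": True, "result": "success"},
    {"time": "2022-01-20T09:03:00Z", "source": "audit", "user": "bob@contoso.example",
     "operation": "Register device", "ip": "198.51.100.2"},
]

# Assumed per-user baseline of source IPs seen over the previous 30 days.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice@contoso.example": {"192.0.2.10"},
    "bob@contoso.example": {"198.51.100.2"},
}
WINDOW = timedelta(hours=1)


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hides_mail(rule_params: dict) -> bool:
    """Inbox rules attackers use to stay unnoticed delete or move incoming mail."""
    return bool(rule_params.get("DeleteMessage") or rule_params.get("MoveToFolder"))


def correlate(events: List[dict], known_ips: Dict[str, Set[str]],
              window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Return, per user, the chain of indicators found within `window` of a suspicious sign-in."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)

    findings: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        for signin in evs:
            if signin["source"] != "signin" or signin["result"] != "success":
                continue
            if signin["mfa"] or signin["ip"] in known_ips.get(user, set()):
                continue  # MFA satisfied, or a familiar address: not the pattern we are after
            t0 = parse_time(signin["time"])
            reasons = [f"password-only sign-in from unfamiliar IP {signin['ip']}"]
            for ev in evs:
                delta = parse_time(ev["time"]) - t0
                if not timedelta(0) <= delta <= window:
                    continue
                minutes = int(delta.total_seconds() // 60)
                if ev["source"] == "audit" and ev["operation"] == "Register device":
                    reasons.append(f"device registered {minutes} min later")
                elif (ev["source"] == "exchange" and ev["operation"] == "New-InboxRule"
                      and hides_mail(ev["params"])):
                    reasons.append(f"mail-hiding inbox rule created {minutes} min later")
            if len(reasons) > 1:  # the sign-in alone is only a weak signal
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in correlate(EVENTS, KNOWN_IPS).items():
        print(user)
        for why in reasons:
            print("  -", why)
```

Alice is reported with all three indicators; Bob, whose sign-in satisfied MFA and came from a known address, is not. In a real tenant the same correlation can be written as a query over the sign-in, audit and Exchange tables in the SIEM, with the IP baseline replaced by the identity provider’s own “unfamiliar sign-in properties” risk signal.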

How can we prevent phishing attacks?

Phishing remains the dominant means of gaining initial entry into enterprises. This campaign shows that continuous improvement in visibility and protection on managed devices has pushed attackers to explore alternative avenues. The attack surface is further broadened by the growth of work-from-home, which blurs the boundary between internal and external corporate networks. Attackers exploit the organizational gaps inherent in hybrid work, human error, and “shadow IT”: unmanaged apps, services, devices and other infrastructure operating outside standard policy. Beyond enabling MFA for sign-in, device registration itself should require MFA (Azure AD Conditional Access can enforce this for the “Register or join devices” user action), and newly registered devices should be monitored. Best practices such as strong credential hygiene and network segmentation raise the “cost” for attackers trying to spread through the network; Microsoft notes that they limit an attacker’s ability to move laterally and compromise assets after an initial intrusion. They should be supplemented with security solutions that provide visibility across domains and correlate threat data across protection components.[3]

References:

  1. https://thehackernews.com/2022/01/hackers-using-device-registration-trick.html
  2. https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  3. https://cyberintelmag.com/attacks-data-breaches/hackers-employing-device-registration-trick-to-launch-lateral-phishing-attacks-against-businesses/

Security is an Evolutionary Arms Race

Anyone who keeps up to date with technology is likely very familiar with software updates. Generally speaking, updates are considered good things, delivering new features, fixing glitches, optimizing how a program runs, or closing security exploits. It follows of course that malicious software also receives updates, although coverage of those is more sparse, partially due to disinterest, but mostly due to the fact that those who maintain malware don’t try to publicize their changes. This blog post will cover recently discovered updates to KONNI.

The seemingly innocuous screensaver used as a trojan in a recent KONNI attack

What is KONNI?

KONNI is a remote administration tool (RAT) that has been linked to North Korean hackers and has been in use for at least 8 years. RATs are legitimately used to give a technician remote control of a device for troubleshooting. Unfortunately, the same capability is routinely abused for spying or as a foothold for ransomware. Analysis of KONNI attacks over the years suggests it is intended as spyware, specifically targeting government agencies. KONNI is a trojan, meaning it arrives disguised as a legitimate file; known examples include screensavers and office documents. When the file is opened, a chain of steps runs to obtain privileges, evade detection, and stage the needed files. The goal of the attack is to install the Konni RAT itself, a .dll file supported by a .ini configuration file.

Malwarebytes’ diagram of KONNI’s attack chain

Why is KONNI still relevant?

As mentioned, KONNI has been around for over 8 years, more than enough time for the techniques it uses to be countered and for security software to learn to detect it. In spite of this, KONNI attacks remain a threat and have been discovered as recently as January 2022. Analysis of those attacks found that the current iteration differs significantly from previous ones. This is not the first time updates to KONNI have been found: in August 2021 it emerged that an attack a month earlier had used a newer variant. KONNI is clearly actively maintained software that has to be monitored, and each update makes it better at infiltrating and harder to detect.

Improved Encryption

For the most part, KONNI’s functionality is unchanged. One major change is how strings in KONNI’s files are protected. Previous iterations encoded strings with Base64 using custom (and frequently changed) alphabets. The strings are now AES encrypted, and the decryption key is derived from the name of the service under which KONNI is installed, so analysing the code requires knowing the service name as well as having the sample. Files are now AES encrypted too.

Because filenames are also generated from the current timestamp, the keys differ with every request, as do the contents of the requests, which may let KONNI’s network activity slip under the radar of signature-based tools.

Removal of RunDLL functionality

Prior versions of KONNI could be launched with the Windows rundll32.exe utility. This functionality has been removed entirely, and attempting to run KONNI through rundll32 now throws an exception. In all recent attacks, the Konni RAT was launched by creating a Windows service. The removal thus partly eliminates redundancy, but it also has the benefit of throwing off sandbox analysis, since a sandbox that loads the DLL with rundll32 will not see the real behaviour.
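Because the current variant starts as a Windows service rather than through rundll32, service installation is the point to watch; a DLL payload also needs a host process such as svchost.exe, which shows up in the service definition. The triage below is an added example, not Malwarebytes’ detection, run over constructed records shaped like Event ID 7045 (“A service was installed in the system”) from the System log plus a ServiceDll field that in practice would be collected from the service’s Parameters registry key. The sample paths, service names and the svchost group allowlist are assumptions.

```python
import re
from typing import Dict, List

# Locations a legitimate service binary or DLL should not normally live in (assumed heuristic).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.IGNORECASE
)
# svchost service groups considered normal on this host (assumed allowlist; build it from a clean baseline).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "LocalSystemNetworkRestricted",
                        "LocalServiceNetworkRestricted", "DcomLaunch", "RPCSS"}

# Constructed records (not real logs) modelled on Event ID 7045 fields, plus ServiceDll.
SAMPLE_7045 = [
    {"ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\wuaueng.dll",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "WindowsUpdateHelper",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k WinUpdHelperGroup",
     "ServiceDll": r"C:\Users\victim\AppData\Local\Temp\wupdhelper.dll",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "SysUpdate",
     "ImagePath": r"C:\Windows\System32\rundll32.exe C:\ProgramData\sys\update.dll,Start",
     "ServiceDll": "",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]


def triage(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a service-install record deserves a look; an empty list means nothing odd."""
    reasons = []
    image = rec["ImagePath"]
    for label in ("ImagePath", "ServiceDll"):
        path = rec.get(label, "")
        if path and USER_WRITABLE.search(path):
            reasons.append(f"{label} in user-writable location: {path}")
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.IGNORECASE)
    if m and m.group(1) not in KNOWN_SVCHOST_GROUPS:
        reasons.append(f"svchost group {m.group(1)!r} not in the baseline")
    if re.search(r"\brundll32(\.exe)?\b", image, re.IGNORECASE):
        reasons.append("service is a rundll32 wrapper around a DLL")
    return reasons


def scan(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    return {r["ServiceName"]: reasons for r in records if (reasons := triage(r))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_7045).items():
        print(name)
        for why in reasons:
            print("  -", why)
```

The Windows Update service passes; the svchost-hosted service with a DLL in a user’s Temp directory and an unknown group is flagged, as is the older rundll32-style wrapper. Event 7045 does not carry the DLL path for svchost-hosted services, so the ServiceDll value has to come from the registry, for example via Sysmon’s registry value set event (ID 13) on the service’s Parameters key.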

Ramifications of Changes

These changes were not arbitrary; all of them were made to reduce the chance of detection. Execution that differs from what a sandbox produces, stronger encryption that now also covers crucial parts of the program, and dynamic requests all present a risk. Security software that previously detected KONNI may fail to detect the newest iteration, and even where it does, defenders must be wary of the next one, as KONNI shows no signs of being abandoned.

Malwarebytes is still able to detect the most recently identified iteration of KONNI Rat