MoonBounce: a step forward for UEFI threats

On January 20, 2022, researchers at Kaspersky discovered a hidden threat entrenched within the firmware of a computer: a rootkit. It’s called “MoonBounce” and is believed to have been developed by government-backed Chinese hackers[6].

So what are rootkits?

Picture of a UEFI rootkit[2]

Generally, when talking about malware, rootkits are a type of malware designed to conceal itself or the traces of other malware. They are usually bundled with other malware and work together toward one goal — to ensure that the rootkit, or the malware it works with, stays on the system for as long as possible.

The real danger of rootkits is that, as a user, it’s usually very hard to tell when you have one, which is one reason to buy software that can detect and remove them. The most primitive rootkits could modify the ‘ls’ command, common in most UNIX operating systems, so that it does not list infected files. Nowadays, the most dangerous rootkits have the ability to[3]:

  • Hijack or disable antivirus software (without you knowing)
  • Spy on a user’s behavior
  • Remove files
  • Remotely control your computer
  • Install additional malware on a computer or system
  • Do really anything else you can think of that malware can do

How rootkits work (at a basic level)

Fundamentally, a rootkit is a program that modifies requests made to the operating system. By modifying these requests, a rootkit can return false or incomplete data, giving it control over what is reported. This is why it’s very difficult to tell when you have a rootkit: you cannot trust any of the information the computer reports back, since it’s likely to have been modified by the rootkit.[5]

The possible effect of a “kernel-mode” rootkit compromise[5]

In the diagram above, the information requested by the application has been modified from ‘00000000’ to ‘11111111’ by the rootkit, effectively changing what the application outputs.
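To make the “cannot trust the reported information” point concrete from the defender’s side, here is an added example (not code from the original post or any of its sources) of cross-view detection on Linux: the process list obtained by enumerating /proc, which a rootkit can filter just like the ‘ls’ trick above, is compared against direct per-PID kernel probes. It assumes a Linux host; the function names are my own.

```python
"""Cross-view rootkit check (added example, not code from the original post or
its sources).  The listing view enumerates /proc, which a rootkit can filter in
the same way the 'ls' trick above hides files; the probe view asks the kernel
about each PID directly with kill(pid, 0), which a listing hook cannot filter.
A PID that answers the probe but is missing from the listing is suspicious.
Assumes a Linux host; the function names are mine."""
import os


def listed_pids(proc_dir: str = "/proc") -> set:
    """PIDs as reported by enumerating /proc: the view tools like ps rely on."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid: int) -> set:
    """PIDs that exist according to kill(pid, 0), which needs no listing.

    ProcessLookupError (ESRCH) means no such process.  PermissionError (EPERM)
    means the process exists but belongs to another user, so it is alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed: set, probed: set) -> list:
    """PIDs visible to the direct probe but absent from the listing view."""
    return sorted(probed - listed)


def scan(max_pid=None) -> list:
    """Run both views and report the difference.  Processes that start or exit
    between the two views produce false positives, so re-check any hit."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    return hidden_pids(listed_pids(), probed_pids(max_pid))


if __name__ == "__main__":
    print("PIDs hidden from the /proc listing:", scan())
```

A firmware rootkit like MoonBounce lives below the operating system, so a clean result here does not clear the machine; the check only catches hiding done by hooking the listing view.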

Back to MoonBounce

MoonBounce is a firmware rootkit, firmware being a type of software used to control the hardware of a computer. These types of rootkits are known to inject themselves into the hard drive, router, or a system’s BIOS (or equivalent)[4]. Most disturbingly of all, even performing a factory reset on your machine or wiping your hard drives will not remove this type of rootkit[1].

MoonBounce is known to infect something called the Unified Extensible Firmware Interface (UEFI), firmware stored on a chip inside the computer (it’s very similar to a BIOS). It’s the piece of software that boots the system and loads the operating system. Luckily, the researchers who discovered this rootkit suggest that the attack is very targeted, having been detected in only a single case[6]. However, security researchers say that the code used in MoonBounce is “pretty simple”[1] and has plenty of room for enhancement, suggesting that malware targeting UEFI firmware may be much more common in the future.

How to prevent rootkits

The capabilities of a rootkit can be frightening, and a rootkit is one of the most difficult types of malware to find and remove. So, do yourself a favour and prevent your computer from being infected by one. Here are several suggestions and recommendations from cybersecurity experts[1][3][4]:

  • Be cautious of links and attachments in emails that you don’t recognize or that seem suspicious.
  • Keep applications up to date and remove deprecated applications that you don’t use.
  • Download files from trusted sources only.
  • Scan your systems regularly (Malwarebytes suggests using multiple scanners).
  • Enable Secure Boot on your computer.
  • Encrypt your hard drive.
  • Monitor your network traffic.

References

  1. https://www.darkreading.com/threat-intelligence/rare-firmware-rootkit-discovered-targeting-diplomats-ngos
  2. https://blog.comodo.com/comodo-news/uh-oh-uefi-rootkit-malware-spotted-in-the-wild/
  3. https://www.blog.malwarebytes.com/how-tos-2/2020/01/how-to-prevent-a-rootkit-attack/
  4. https://www.kaspersky.com/resource-center/definitions/what-is-rootkit
  5. Microsoft Malware Protection Center Threat Report: Rootkits, Microsoft, 2012, https://www.microsoft.com/en-us/download/details.aspx?id=34797
  6. https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

How North Korea is targeting US Defense Corporations

Recently, the Malwarebytes Threat Intelligence Team discovered a new spear phishing and malware attack from a notorious hacker group, Lazarus Group, a North Korean state-sponsored APT, or Advanced Persistent Threat.[1] In a nutshell, an APT is an adversary with many resources and a high level of experience, which it leverages to infiltrate the IT system of an organization to extract information or undermine its mission. They typically hang around in a system for an extended period, adapting to any defenses.[2] Lazarus is believed to be behind the 2017 WannaCry ransomware attack; the 2014 cyberattack on Sony Pictures, thought to be related to the release of ‘The Interview’ [3], a Sony Pictures film which North Korea was not too pleased about; and various other cybercrimes.[4]

What is Spear Phishing?

Phishing is an attack in which users are tricked into believing a website or electronic communication is legitimate, so that they click on a link and hand over their personal details to an adversary, or inadvertently install malware on their machine. Spear phishing follows the same basic principles, with the key difference that it is targeted at a specific individual or organization. By posing as a trustworthy source and using personal information, it can fool even vigilant users, leading to serious data loss, malware, or espionage if a component of an organization’s IT infrastructure is compromised.[5]

The difference between phishing and spear phishing.[6]

What exactly did Lazarus do?

Lazarus targeted the US defense industry (a natural target for a government-run cybercrime group) by advertising job opportunities at Lockheed Martin, an American aerospace, arms, and defense corporation. The job opportunities come in the form of a Word document with a malicious macro embedded.

The cover page of the malicious document. [1]

When the macro runs, it hijacks control flow (the flow of code execution) in a novel way and executes its own malicious code to create a DLL (Dynamic-link Library), effectively an extension to an executable file that is not executable by itself. This DLL is initialized by a function in the macro and injects another DLL into explorer.exe (Windows Explorer), which in turn uses Explorer to check for and execute yet another DLL that is run using the Windows Update Client. This clever trick is how it bypasses security detection, since Windows Update is assumed to be a trusted process.

At this point in the attack, the malware uses GitHub to download a .PNG file that disguises yet another DLL. This DLL retrieves the username, computer name, and the list of all running processes on the computer, and commits them to the same GitHub repository.[1]

Detailed flow of execution of the malware. [1]
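A detection sketch for the chain described above, written as an added example (it is not Malwarebytes’ code nor the campaign’s). Two observations from the write-up become checks: the Windows Update client being used to run a DLL, which in normal operation is started by svchost.exe and loads nothing from a user-writable path, and a “.png” download that is really a DLL. The log lines are constructed, pipe-separated process-creation records, and the loader switch on the suspicious command line is elided on purpose; the rule keys on the DLL path, not the switch.

```python
"""Detection sketch for the Lazarus chain described above (added example, not
Malwarebytes' or the campaign's code).  Records are constructed and formatted
as  timestamp|image|parent image|command line ; real telemetry such as Sysmon
event 1 carries the same fields under different names."""
import re
from dataclasses import dataclass

# constructed sample telemetry (the loader switch in the last line is elided)
SAMPLE_LOG = [
    r"2022-01-27T10:01:02Z|C:\Windows\System32\wuauclt.exe|C:\Windows\System32\svchost.exe|wuauclt.exe /detectnow",
    r"2022-01-27T10:05:41Z|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe",
    r"2022-01-27T10:06:10Z|C:\Windows\System32\wuauclt.exe|C:\Windows\explorer.exe|"
    r"wuauclt.exe /<loader-switch> C:\Users\victim\AppData\Local\Temp\payload.dll",
]


@dataclass
class ProcEvent:
    ts: str
    image: str     # full path of the created process (lower-cased)
    parent: str    # full path of the parent process (lower-cased)
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    ts, image, parent, cmdline = line.split("|", 3)
    return ProcEvent(ts.strip(), image.strip().lower(), parent.strip().lower(), cmdline.strip())


# any drive-letter path ending in .dll, wherever it sits on the command line
DLL_PATH = re.compile(r"""(?i)([a-z]:\\[^\s"']+\.dll)""")
# assumption: DLLs the update client legitimately loads live under the OS directory
TRUSTED_DLL_PREFIXES = ("c:\\windows\\",)


def dll_paths(cmdline: str) -> list:
    return DLL_PATH.findall(cmdline)


def check_event(ev: ProcEvent) -> list:
    """Return (rule, timestamp, detail) tuples for one process-creation event."""
    findings = []
    if ev.image.endswith("\\wuauclt.exe"):
        # rule 1: the update client is handed a DLL from outside the OS directory
        for path in dll_paths(ev.cmdline):
            if not path.lower().startswith(TRUSTED_DLL_PREFIXES):
                findings.append(("wuauclt-loads-untrusted-dll", ev.ts, path))
        # rule 2: the update client was not started by the service host
        if not ev.parent.endswith("\\svchost.exe"):
            findings.append(("wuauclt-unexpected-parent", ev.ts, ev.parent))
    return findings


def run_detection(lines) -> list:
    findings = []
    for line in lines:
        findings.extend(check_event(parse_event(line)))
    return findings


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_masquerade(data: bytes) -> bool:
    """True when a file presented as .png actually carries a Windows PE ('MZ') header."""
    return not data.startswith(PNG_MAGIC) and data[:2] == b"MZ"


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_LOG):
        print(*finding)
    print("fake png:", png_masquerade(b"MZ\x90\x00" + b"\x00" * 60))
```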

Impacts

Unfortunately, the Malwarebytes Team were only able to get their hands on this DLL and were not able to determine any more about the potential impacts of this malware.[1] However, considering the history of this APT, it is safe to say that there was something more going on, possibly stealing data or sabotaging operations. Their use of three new techniques, namely the way they hijacked control flow, the use of Windows Update to bypass detection, and the use of GitHub as a remote server, demonstrates their ability and the threat they pose.

In concluding…

I hope this has shed light on this new attack, and that you learned something today. If you are interested in the way Lazarus hijacked control flow, or if you are looking for any further details, I’d recommend you read the Malwarebytes blogpost ([1]).

Finally, be careful about any emails sent to you! You never know what might be hiding beneath the surface.

References

[1] https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

[2] https://csrc.nist.gov/glossary/term/advanced_persistent_threat

[3] https://resources.infosecinstitute.com/topic/cyber-attack-sony-pictures-much-data-breach/

[4] https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

[5] https://www.kaspersky.com/resource-center/definitions/spear-phishing

[6] https://asset.unitybank.com.au/images/phishing-vs-spear-phishing.png

TrickBot’s New Defences and Improvements

Recently, security researchers from IBM found that TrickBot has once again implemented new improvements and defenses. To provide context, TrickBot is a Trojan capable of delivering other malware. It was originally created as a banking Trojan back in 2016 with the sole goal of stealing banking information.[1] Since then, TrickBot has grown into a multi-purpose malware delivery service and has collaborated with other malware developers to further extend its influence. As of December 2021, TrickBot had infected around 140,000 victims across 149 countries[1].

What are Trojans in general?

Representation of a Trojan[6]

The term Trojan is derived from the story of Troy, and for good reason. Essentially, a Trojan is designed to trick the user (YOU!) into downloading malware or viruses through deceptive practices. These practices can include:[4]

  • Downloading infected files which are made to look tempting or safe
  • Visiting shady and insecure websites
  • Opening infected email attachments which can look important or legitimate

TrickBot is exactly this (as its name implies) and is one of many Trojans out there. What makes it a concerning threat, however, is its ability to adapt to and bypass new security techniques that threaten TrickBot itself. In other words, TrickBot is constantly evolving.[1]

So what are these improvements/defenses?

The new improvements/defenses of TrickBot were mainly created to prevent further analysis of TrickBot’s code, in an effort to stop security researchers from figuring out how to block future TrickBot attacks, or at least to make it more difficult.

The improvement TrickBot adds involves injections. For those who don’t know, injections are a type of attack carried out by injecting code into a computer or program, which allows the attacker to execute remote commands in order to access or modify data.[5] These injections can be fetched either locally on the infected machine or from the attacker’s injection server (server-side injections). TrickBot uses server-side injections because local injections are a risk: they need to be kept on the machine itself, so it’s more likely that the injection can be recovered and analysed by security researchers. With server-side injections, TrickBot avoids this risk by implanting a downloader on the machine. This downloader then uses encrypted communications (over HTTPS) with the attacker’s command and control (C2) server in order to inject the malware at the right moment.[3] As a result, security researchers are not able to retrieve the injection.

How server-side injections generally work[3]

However, in case security researchers somehow still got hold of the injection code, TrickBot makes the analysis difficult or even prevents it.[3] This is the intention of TrickBot’s new anti-debugging tool, which was designed to prevent any attempt at “beautifying” the injected code. But why is there a need to “beautify” the code? Because TrickBot deliberately wrote its code to be messy, which essentially forces security researchers to “beautify” it before they can do any analysis. With the anti-debug tool, this became much more difficult, as any attempt at “beautifying” the code results in a browser crash.[2]

“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes.”

– IBM security researchers[3]

How do you prevent these attacks?

TrickBot (or Trojans in general) and its capabilities can be a scary thought, but this doesn’t mean they aren’t preventable. In fact, most of these infections are caused by the users themselves (through trickery), as mentioned earlier[4]. So, I’ll add some of my suggestions and recommendations from other sources to better protect yourself[3][4]:

  • Enable 2-factor authentication (2FA) or multi-factor authentication (MFA) whenever possible
  • Use strong and unique passwords for all your accounts. I recommend using password managers like Bitwarden
  • Run periodic diagnostic scans
  • Avoid suspicious websites
  • Have offline backups and a backup schedule
  • Be wary of suspicious links and attachments in emails or online
  • Keep your systems updated to ensure any security vulnerabilities are patched

References:

  1. https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
  2. https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/
  3. https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
  4. https://www.malwarebytes.com/trojan
  5. https://www.ibm.com/docs/en/snips/4.6.0?topic=categories-injection-attacks
  6. https://www.eset.com/fileadmin/ESET/INT/Pages/Features_pages/trojan-horse.png

2FA is no longer secure enough.

Over the past couple of years, companies and services have increasingly encouraged and rolled out two-factor authentication for their users, whether in the form of a text message, an email, an authentication app or other means.

However, a recent security breach hit the Maltese crypto-coin broker Foris DAX MT Ltd, known more commonly as Crypto.com. Its security report [1] outlined a loss of 4,836.26 Ethereum and 443.93 Bitcoin, plus $66,200 USD in value in other smaller cryptocurrencies, totalling nearly $35,000,000. The culprit was 2FA tokens not being triggered.

So what happened?

Crypto.com one-time passwords (NurPhoto via Getty Images)

The largest finger points at Crypto.com itself, due to a misconfiguration of its one-time password approach (six-digit codes provided to a user via text message or a multi-factor authentication application), states Zilvinas Bareisis in an interview with American Banker [2]. Bareisis hypothesizes that Crypto.com mistakenly allowed users to authorize transactions without needing this one-time code, or that hackers, through a more invasive approach, intercepted these one-time passwords; 483 users were affected. Although the issue has been resolved and the affected accounts were restored with Crypto.com’s own funds, Crypto.com and its users were still impacted.
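Bareisis’ first hypothesis, transactions authorized without the one-time code, is what a fail-open second-factor check looks like in code. The following is an added example, not Crypto.com’s code: it implements the six-digit codes per RFC 6238 (the scheme authenticator apps use) and shows the flawed check beside the fail-closed one a withdrawal path should use. The account record, secret and function names are constructed.

```python
"""Fail-open vs fail-closed one-time-password checks (added example; not
Crypto.com's code).  `authorize_withdrawal_fail_open` treats a missing code as
"nothing to verify", which is the gap hypothesised above; `authorize_withdrawal`
is the fail-closed form.  Codes follow RFC 6238 (HMAC-SHA1, 30-second step,
6 digits).  The secret and account record are constructed."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP time step
DIGITS = 6     # the six-digit codes the article refers to


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_is_valid(secret: bytes, code, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    if not isinstance(code, str) or len(code) != DIGITS or not code.isdigit():
        return False
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


def authorize_withdrawal_fail_open(account: dict, code, at: int) -> bool:
    """Flawed: verifies the code only when one was supplied, so a request that
    simply omits the second factor is approved."""
    if code is not None and not code_is_valid(account["otp_secret"], code, at):
        return False
    return True


def authorize_withdrawal(account: dict, code, at: int) -> bool:
    """Fail closed: the second factor must be enrolled, present and valid."""
    if not account.get("otp_enrolled"):
        return False           # refuse rather than fall back to password-only
    return code_is_valid(account["otp_secret"], code, at)


# constructed account; the secret is the RFC 6238 test-vector key
ACCOUNT = {"id": "user-123", "otp_enrolled": True, "otp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    now = int(time.time())
    good = totp(ACCOUNT["otp_secret"], now)
    print("fail-open, no code  :", authorize_withdrawal_fail_open(ACCOUNT, None, now))  # True: the gap
    print("fail-closed, no code:", authorize_withdrawal(ACCOUNT, None, now))            # False
    print("fail-closed, code   :", authorize_withdrawal(ACCOUNT, good, now))            # True
```

The flawed version is exactly the kind of gap a transaction-level test should cover: submit a withdrawal with the second factor omitted and expect a refusal.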

How did they fix this?

Supposedly the company’s risk monitoring systems were able to detect the issue, which they say “triggered an immediate response from multiple teams to assess the impact,” resulting in 14 hours of downtime to precisely locate and fix the issue. Because of this issue, Crypto.com decided to implement a new 2FA infrastructure, which in short means users will now have the chance to enroll in an insurance program covering up to $250,000 in losses, but only if they enable multi-factor authentication. Also, all current users must reconfigure their accounts in compliance with this new protocol. On the company side, they are fast-forwarding their transition past 2FA, as they “will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)” [1].

Why is this a big deal?

As a huge player in the cryptocurrency game, with crypto coins being nearly untraceable and non-reversible, Crypto.com having a security breach due to two-factor authentication issues sheds new light on the transition towards having more options to secure your own account. As an avid user of password managers (Bitwarden in my case), I believe that with the rise of database breaches, and data being worth more than oil, it is absolutely mandatory for sensitive user data to be protected at a higher cost, even if the minimum requirement is simply two-factor authentication. Passwords have not been enough for the past couple of years, and two-factor authentication is starting to show weaknesses that can cause catastrophic damage to assets, users and company reputation. The ability to layer on an extra layer of protection greatly reduces the risk of even the slightest system error, as an intruder would have to identify and try to bypass a multitude of unique authentication methods, which could range from SMS + a physical form (YubiKey), SMS + email, email + physical form + security questions, etc., or even more than three at the same time. The importance of security is more prevalent than ever now, and services should start standardizing giving users the ability to protect themselves, which as a byproduct protects the company’s image as well.

References:

[1] Crypto.com Security Report & Next Steps – Jan 20, 2022

[2] Crypto.com hack exposes shortcomings of multifactor authentication | American Banker – Jan 26, 2022

[3] Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft – Naked Security (sophos.com) – Jan 21, 2022

SIM-Card Swapping scam

With the advent of technology, smartphones have changed the way we think, work, and socialize. They provide numerous advantages, including accessibility and easier communication. People have started saving all their personal information, and some of their passwords, in security apps on their phones. In addition, many individuals rely on their phones for banking, shopping, etc. Consequently, phones have become such an important part of our daily lives that we can say “Most people can’t live without their phones nowadays.”

How Does SIM Swapping Work?

SIM-card swapping is one of the easiest scams hackers can use to deceive a phone holder. A recent article [3] published on the 22nd of January 2022 stated that the hacker may have multiple ways, but the most common is a direct call, just talking to a person. They may start talking with the victim and acquire the knowledge they need through some indirect questions. They may also be able to collect personal information about an individual, for example a person’s birthdate, full name, or address, from their public social media accounts. Then, the hacker calls the victim’s phone company in an attempt to impersonate them and answers the security questions using the information gathered from social media. If they succeed, they will be able to declare that the victim’s phone has been lost.[2] Consequently, the victim will realize that they have lost their mobile service, as the number has been linked to a new SIM card controlled by the hacker.

In August 2019, hackers took over the Twitter account of Twitter’s chief executive, Jack Dorsey, and used it to post a lot of racist messages and bomb threats. Twitter declared that the account had been compromised. Although Mr. Dorsey’s account was compromised for only a few minutes, it was enough for the hackers to post some offensive tweets. In testimony before a Senate committee in September 2019, Mr. Dorsey said that he had used two-factor authentication to secure his account, and that the hackers had been able to trick phone company employees into transferring his phone number to a new SIM card and use the number to access some of the platform accounts associated with it.[4]

Signs that you are a victim

  • Sudden loss of cellular phone service, including the inability to make phone calls or send text messages. This happens because the hacker must transfer the cellular service to another SIM card and phone to take over a person’s account; as a result, the victim’s phone is left out of service.[2]
  • Another way to find out is if you notice any changes on the social media accounts that you use. If you observe transactions or posts that you didn’t make, someone else is using your account.[3]

Preventing SIM Swapping

Begin by changing all the mobile apps and social media accounts associated with that number, or by contacting your mobile service provider. You can inquire about their security measures against SIM swapping and the types of information they require before moving your phone number to a new SIM card.

I would agree that it’s usually a good idea to keep your internet accounts as private as possible. It’s unsafe to post a lot of your personal information on public platforms. Furthermore, you can’t trust any social networking platform to keep your information safe. In addition, I would much rather avoid revealing too much of my personal information to the majority of individuals.

Always consider that no matter how we try to make our accounts secure and how many passwords we add to our online accounts, it’s still possible for a hacker to find a way to gain access. We can take some precautions. For example, by setting a different passcode for each of your accounts, enabling two-factor authentication on every account that offers it, making sure you’re not falling for scam text messages, and finally knowing what to do if you find yourself a victim of SIM swapping, you’re probably safe![1]

References:

[1] https://www.cnet.com/tech/mobile/t-mobile-data-breach-and-sim-swap-scam-how-to-protect-your-identity/

[2] https://www.priv.gc.ca/en/blog/20200312/

[3] https://www.idropnews.com/news/sim-swapping-explained-whats-sim-swapping-and-why-is-it-so-dangerous/176490/

[4] https://www.nytimes.com/2019/08/30/technology/jack-dorsey-twitter-account-hacked.html

The Belarus Railway Hack

On Monday, January 24th, a group of hackers claimed to have launched a successful ransomware attack against Belarusian Railways, the state-run national train system of Belarus. In their posted screenshots, the group appears to have gotten access to the backend systems of the railway and has claimed to have encrypted the system with malware[1]. One of their initial statements can be seen in the screenshot below:

Photo Source: https://twitter.com/cpartisans/status/1485615555017117700

Who are they?

Known as the “Belarusian Cyber-Partisans”, they are a group of politically minded cyber-activists out of Belarus[2]. The group staunchly opposes the Belarusian president and dictator, Alexander Lukashenko, who won office after reportedly rigging the election in 2020. The Cyber-Partisans have launched several successful hacks against the government since their first appearance, which followed a number of anti-Lukashenko protests during that time[3].

What do they want?

The decryption keys to return the train network to normal, according to the Cyber-Partisans, will only be provided if the Belarus government meets a list of demands[1]. The group has called for the release of 50 political prisoners in need of medical care, who were detained along with over 900 others during the country’s protests against the president[3]. In addition, they want a commitment that Belarusian Railways will not transport Russian troops, preventing their presence in the country[1].

Photo Source: https://twitter.com/cpartisans/status/1485618881557315588

Why?

Belarus is a country in eastern Europe that borders both Ukraine and Russia. One main factor in the protests that arose after the election of Lukashenko was opposition to plans for greater economic and political integration of Russia and Belarus into a “union state”[3].

Photo Source: https://www.geographicguide.com/europe-maps/europe-east.htm

Meanwhile, tensions between Russia and Ukraine have only been intensifying over the last month as Russia has amassed thousands of troops near their shared border. If Russia is able to attack from both Russia and Belarus, Ukrainian forces would be forced to spread thin across both borders[2].

The attack by the Cyber-Partisans appears to be a bid at disrupting Russian troop movements and attempting to halt the buildup of Russian troops and military weaponry in Belarus[2].

“We don’t want Russian soldiers in Belarus since it compromises the sovereignty of the country and puts it in danger of occupation. It also pulls Belarus into a war with Ukraine. And probably Belarusian soldiers would have to participate in it and die for this meaningless war.”[3]

– A member of the Cyber-Partisans, told the Guardian

What does this mean for cybersecurity?

According to Brett Callow, a ransomware-focused researcher at security firm Emsisoft, the Cyber-Partisans’ method of using reversible encryption rather than merely wiping targeted machines would represent a new evolution in hacktivist tactics. He went on to say, “This is the first time I can recall non-state actors having deployed ransomware purely for political objectives.”[1]

Cybersecurity experts have said that it is too early to know whether this attack will be fully successful; however, it does mark a possible new evolution for both cyber-activism and cyber-terrorism. Juan Andres Guerrero-Saade, a researcher at security firm SentinelOne, says that this tactic could soon bleed out to other groups who see the power of ransomware to achieve political coercion, for good and for ill.[1]

“The looming horror of ransomware is precisely just how many systems are out there about whose criticality we don’t understand until they’re unavailable. So, if this is a continued tactic of theirs, I think we’ll definitely see a ratcheting up of the pressure on both sides.”[1]

– Juan Andres Guerrero-Saade

Sources:

  1. Greenberg, Andy. “Why the Belarus Railways Hack Marks a First for Ransomware.” Wired, Conde Nast, 25 Jan. 2022, https://www.wired.com/story/belarus-railways-ransomware-hack-cyber-partisans/.
  2. Muncaster, Phil. “Belarus Activists Fire Ransomware at State Railway.” Infosecurity Magazine, 25 Jan. 2022, https://www.infosecurity-magazine.com/news/belarus-activists-fire-ransomware/.
  3. Roth, Andrew. “’Cyberpartisans’ Hack Belarusian Railway to Disrupt Russian Buildup.” The Guardian, Guardian News and Media, 25 Jan. 2022, https://www.theguardian.com/world/2022/jan/25/cyberpartisans-hack-belarusian-railway-to-disrupt-russian-buildup.
  4. Pietsch, Bryan. “Hacking Group Claims Control of Belarusian Railroads in Move to ‘Disrupt’ Russian Troops Heading near Ukraine.” The Washington Post, WP Company, 25 Jan. 2022, https://www.washingtonpost.com/world/2022/01/25/belarus-railway-hacktivist-russia-ukraine-cyberattack/.

How a Minecraft DDOS Attack Crippled a Whole Country’s Internet

Last weekend, a massive-scale tournament was hosted on the popular PC game Minecraft in which 150 competitors vied for the grand prize of $100,000.[2] The tournament in question was inspired by the hit Netflix show Squid Game and was set to take place on the mega streaming platform Twitch.[1]

However, things quickly went awry when the tourney was subjected to a cyberattack[2] that proved far more damaging than expected.

The Extent of the Attack

This attack in particular took the form of a distributed denial of service, more commonly known as a DDoS. The target? A small country on the Iberian peninsula named Andorra. As a result, at least a dozen Andorran competitors were forced to pull out of the tournament.[1] However, the scale of this attack was not limited to just a few households. The damage extended to the entire country: it took down Andorra Telecom, the country’s only internet service provider, leaving thousands cut off from the internet. It is said that the attack took place over the course of four days.[1]

Source: https://www.catnix.net/en/andorra-telecom-connects-to-catnix/

The link between the attack and the Minecraft tournament was further solidified after the internet outage tracker NetBlocks[3] tweeted a statement confirming the connection. One can see that at the height of the attack, there was less than 50% connectivity.

Fortunately, the attack was swiftly dealt with and the country recuperated after only a short time.[2] The identity of the attackers is still unknown[3], but it is said that the source of the DDoS could be traced back to a known DDoS-for-hire service.[1]

What exactly is a DDoS?

A Distributed Denial of Service (DDoS) attack is a type of attack that targets the capacity limits of a network’s resources.[4] These network resources can only process a finite number of requests at a time; exceeding that limit prevents the targeted server, service or network[5] from functioning properly. A DDoS attack exploits this by sending requests at an extremely high rate and in extremely high quantity. As a result, users experience connectivity issues as the network traffic becomes congested. Usually, this is achieved by remotely controlling multiple computers that have been compromised by malware. This collective of devices is called a botnet.

“a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.”[5]

It is clear how this type of attack can affect a network on a national level. With that being said, being the victim of a DDoS attack is not to be taken lightly. Especially with the rise of employees having to work remotely due to COVID-19, companies are at high risk of losing major revenue in the event of an attack. Worse, being at the mercy of the attacker means your computer or network may be held for an unreasonable ransom. This is why it is important to have defenses and contingency plans in case of a potential DDoS.

References

  1. https://threatpost.com/cyberattacks-squid-game-minecraft-andorra-internet/177981/
  2. https://today.in-24.com/News/903725.html
  3. https://www.ign.com/articles/minecraft-tournament-cyberattack-internet-outage
  4. https://www.kaspersky.com/resource-center/threats/ddos-attacks
  5. https://www.cloudflare.com/en-ca/learning/ddos/what-is-a-ddos-attack/

NFT Project Taken Over by Cyber Criminals

Ozzy Osbourne, a famous musician and TV personality from the 70s, decided to launch a new NFT project called CryptoBatz. “I’ve been trying to get in on the NFT action”[2], said Ozzy; after his wife Sharon didn’t allow him to buy a Bored Ape NFT for Christmas, Ozzy decided to “make his own”[2].

A tweet with Ozzy Osbourne celebrating the release of his new collection

The collection consists of 9666 NFT bats, each of which has its own unique colorway and design. Below are some examples of the NFTs up for grabs.

Stutter Systems, the company helping Osbourne launch the NFT project, set up a Discord server to gain traction and popularity among the crypto community; it would also serve as a place for interaction between fans and crypto nerds alike. Everything seemed to be going well until a group of scammers noticed a crucial mistake that left a back door open.

The Crypto Batz project had, at some point, changed its old Discord URL for a new one. Usually this isn’t an issue; however, Stutter Systems forgot to delete several tweets that contained links to the old URL!

Before they knew it, scammers had set up a new Discord server using the old Crypto Batz URL. Victims naturally came across and clicked on the links on the official Stutter Systems Twitter account, which redirected them to the bogus Discord server.

Once they had joined the server, they were prompted to link their crypto wallet address and provide their “seed phrase”, a series of words that form a password for crypto wallets. The scammers then took this information and began emptying crypto wallets of unsuspecting individuals.

A screenshot of the bogus Discord page, in which admins are asking people to connect their wallets.

Shortly after, Stutter Systems realized what had happened and quickly got in contact with Discord to take down the fake server. In the short time that the fake Discord server was up, over 1330 users had joined, many of whom submitted their information.

It’s estimated that over $150,000 US dollars worth of Ethereum was stolen within the short time frame that the server was up. Since then, Stutter Systems has been attempting to reach out to users affected by the scam in the hope of reimbursing what had been stolen from them.

The team behind the scam claimed that “they are not responsible for Discord’s mistakes”[2] and that not taking advantage of such a situation would be allowing poor security practice. So who do you think is at fault? Discord for leaving a backdoor open? Stutter Systems for not deleting links to old URLs? Or the cybercriminals for taking advantage of the situation?

Regardless of who’s to blame, pointing fingers doesn’t help the victims. And it goes to show that even a project run by “known entities can easily wander into a bad NFT situation”[1].

Sources:

  1. https://threatpost.com/ozzy-osbourne-nfts-cryptocurrency/177969/
  2. https://www.rollingstone.co.uk/music/news/exclusive-ozzy-osbourne-announces-nfts-cryptobatz-collection-8800/
  3. https://blog.malwarebytes.com/crypto/2022/01/discord-scammers-go-cryptobatz-phishing/

Security threats in Google Chrome

Google Chrome, one of the most used browsers with an estimated 3.2 billion users, has recorded around 26 security issues. Google stated that one of these issues is rated as “critical”. Chrome vulnerabilities are not often rated as “critical”, yet this is already the second one this year. This critical vulnerability is a use-after-free bug in the Safe Browsing feature. Google has also found several ‘Inappropriate implementation’ flaws within Chrome that can be exploited in storage, fenced items and push messaging.

What is vulnerability?

A vulnerability in the context of computer security is a weakness, flaw, or error found within a security system which could compromise a secure network. Computer security flaws that are publicly disclosed are listed in the Common Vulnerabilities and Exposures (CVE) database. This helps to share data across separate vulnerability capabilities. The vulnerability that has been rated critical is assigned CVE-2022-0289. It was reported by Sergei Glazunov of Google Project Zero. This vulnerability does not require any user interaction after the user has visited a malicious website. Any RCE (Remote Code Execution) vulnerability has the power to take over the affected browser and can gain complete access to the system.

What is Use after free (UAF)?

Use after free is a vulnerability that arises from the handling of dynamically allocated memory during program execution. If a memory location is freed and the pointer pointing to that memory location isn’t cleared, then an attacker can use that error to manipulate the program and gain access to the system. The total number of use-after-free bugs in Chrome comes to 60 since September.
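The dangling-pointer condition described above, shown as an added C example that is not part of the original post: a record is freed but the pointer is left in place, beside a hardened close routine that clears the pointer so later checks can catch the closed record. The struct and function names are hypothetical.

```c
#include <stdlib.h>

/* Constructed example (not from the page): a session record that a
   program frees but may keep a pointer to. All names are hypothetical. */
struct session {
    int valid;
};

/* The pattern the text describes: the memory is freed but the caller's
   pointer is not cleared, so it keeps pointing at memory the allocator
   may already have handed to something else. Dereferencing it later is
   undefined behaviour and the classic use-after-free. */
struct session *unsafe_close(struct session *s) {
    free(s);
    return s;            /* dangling: same address, memory gone */
}

/* Hardened form: take the pointer by address, free it, then clear it,
   so no dangling copy survives at this call site. */
void safe_close(struct session **sp) {
    if (sp == NULL || *sp == NULL) return;
    free(*sp);
    *sp = NULL;
}

/* Every use site checks for NULL before touching the record. */
int session_is_valid(const struct session *s) {
    return s != NULL && s->valid;
}

/* After unsafe_close the stale pointer still looks like a live session;
   only its value is compared here, never dereferenced. Returns 1. */
int demo_dangling_after_unsafe_close(void) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;
    s->valid = 1;
    s = unsafe_close(s);
    return s != NULL;
}

/* After safe_close the NULL check rejects the closed session. Returns 0. */
int demo_null_after_safe_close(void) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;
    s->valid = 1;
    safe_close(&s);
    safe_close(&s);      /* a second close is harmless, not a double free */
    return session_is_valid(s);
}
```

Clearing the pointer only helps the copy that was cleared; other copies of the same address elsewhere in the program remain dangling, which is why tools such as AddressSanitizer are still needed to find the remaining cases.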

What is Safe Browsing?

Safe Browsing is a feature that gives users a warning when they try to browse dangerous sites or download dangerous files. Google has also provided a public API for the Safe Browsing service. If you’re a Chrome user, you should always try to have the Safe Browsing feature enabled. You can find it by clicking Settings > Security and Privacy > Security.

How to protect yourself?

To protect yourself from this issue, Google has responded with an update to Chrome version 97. Usually, Chrome updates automatically. But if your Chrome isn’t updated automatically, you can update it manually by clicking Settings > About Chrome or opening the page chrome://settings/help. If your Chrome browser is listed as 97.0.4692.71 or above, you are safe. If an update is available, Chrome will notify you and start downloading it. Once the update is downloaded you will have to relaunch the browser.

The year 2021 was a record-breaking year for the number of Chrome hacks, and Chrome hacks in 2022 have already started rising. It is important to keep your browser up to date.

Stay safe everyone!

References:

  1. https://www.forbes.com/sites/gordonkelly/2022/01/21/google-chrome-warning-security-new-hacks-update-chrome-browser/?sh=7052be351cee
  2. https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-chrome-patches-critical-rce-vulnerability-in-safe-browsing/
  3. https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/
  4. https://www.techtarget.com/searchwindowsserver/definition/remote-code-execution-RCE
  5. https://helpdeskgeek.com/help-desk/google-chrome-crashing-freezing-or-not-responding-7-ways-to-fix-it/
  6. https://www.statista.com/statistics/543218/worldwide-internet-users-by-browser/#:~:text=In%202021%2C%20there%20were%20an,users%20for%20Chrome%20and%20Safari.

Malicious Attack Towards the Missing

Image sourced from Andreas SOLARO / AFP

The largest humanitarian network has had its information compromised, and thousands of people will continue to suffer because of it. Although the hackers’ use of the sensitive information is yet to be discovered, countless troubles have come from the attack.

What is the ICRC?

The International Committee of the Red Cross (ICRC) is a neutral organization based on the Geneva Conventions of 1949. [1] It responds to conflict and promotes humanitarian law and principles. As summarized in the below tweet, the ICRC has many different focuses:

The main topic of the current news regards their missing persons mission. The Restoring Family Links program [2] works to find and, if possible, reconnect missing persons to their families. The Red Cross and Red Crescent groups set out to assist those caught in the middle of war, natural disaster, migration or other conflict. On average this movement helps reunite 12 missing people with their families each day. Without this program, families are forced to live with the uncertainty of their loved ones’ fates, while still dealing with the external conflict that put them in such a situation.

The Breach

Image sourced from https://gntech.ae/kaspersky-2016-top-threats/

On January 19th, the ICRC announced that a cyber-attack had breached their servers, exposing the personal information of over 515,000 individuals. The information contained names, contact information, and locations of half a million highly vulnerable people and their families, as well as the login information of around 2,000 staff and volunteers. [3] This attack forced the ICRC to take all of the compromised servers offline, halting the Restoring Family Links program.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families, behind the information you stole are among the world’s least powerful.”

– Robert Mardini, Director-General of the ICRC

The breach was executed on the Switzerland-based contractor responsible for storing the non-profit’s data. The hackers are yet to be identified and the information has yet to be leaked, but the attack was specifically aimed at the ICRC’s systems. This targeted attack could only lead to more suffering.

The ICRC’s Concerns

The ICRC’s response of taking down the affected servers disrupted the work of the Restoring Family Links program, but the ICRC worries that this will not be the only issue it creates. Workarounds for the Family Links program can be created and data can be stored in new, secure systems, but one thing that may prove harder to reinstate is the trust of vulnerable populations in the Red Cross.

“Stolen information could be used to phish or scam those looking for friends and family. We saw multiple cases of this during the Japan earthquake and tsunami in 2011, with fake Red Cross websites, emails, and more.”

Chris Boyd, lead analyst at Malwarebytes [4]

Sensitive information may seem to no longer have a safe place. With the violation of sensitive data, and the possibility of its misuse, the ICRC has urged the perpetrators not to share or leak the stolen information. This information has weaponized the little power the powerless have and surely has taken away their hope.

References

  1. https://www.icrc.org/en/who-we-are
  2. https://www.icrc.org/en/what-we-do/restoring-family-links
  3. https://www.zdnet.com/article/red-cross-worried-about-misuse-of-stolen-data-by-nation-states-cybercriminals/
  4. https://techhq.com/2022/01/anguish-and-suffering-experts-analyze-the-massive-red-cross-data-breach/