Remote working and Ransomware

Remote working is not new, but since the Covid-19 pandemic started it has grown on an unprecedented scale. Remote working has always carried cyber security risk; that risk rose sharply once people were forced to work from home to slow the spread of the virus, and ransomware has played a major role in this surge of threats.

What is Ransomware?

Image credit: https://kirkpatrickprice.com/blog/why-is-ransomware-successful/

Ransomware is a type of malware from cryptovirology that seizes the victim's data, blocks the victim's access to it, and threatens the victim unless a ransom is paid.

How does Ransomware work?

Image credit: https://www.acecloudhosting.com/blog/stay-safe-against-ransomware/

Ransomware can arrive in many ways, but the most common is a phishing spam email with an attachment. If the user opens the attachment, the malware is installed on the user's system without their knowledge; it then encrypts the victim's files, and the victim is instructed that the decryption key will be provided upon payment.

Ransomware and its explosion in recent years!

Ransomware has long posed a cyber security threat to remote working, and it exploded during the Covid-19 pandemic. According to the Institute for Security and Technology, a global security group, $350 was paid to hackers in the US alone, a 311% increase over 2019.

Image credit: https://www.theguardian.com/technology/2021/jun/17/ransomware-working-from-home-russia

One of the most recent ransomware attacks happened because a company employee used a public network. Through it, the hacker broke into the private network and used a remote employee's ID to connect to the company's systems, which forced the shutdown of the Colonial Pipeline, which supplied 45% of the eastern United States' fuel.

The hack of Twitter in 2020 was not a ransomware attack, but its main entry point was remote working. Several employees were called by the hacker, who claimed to be IT department support and offered help connecting through the company's virtual private network, which was being used by employees working from home. From this hack, the hacker was able to seize 117,000 bitcoins.

We could say that remote working is one of the main reasons cyber security threats have increased, and ransomware is one of the easiest ways for hackers to profit from it.

How to avoid ransomware and remote working threats?

  • Wi-Fi:

If an employee uses a home wireless network or a public network, malicious actors nearby can easily spy on the connection and harvest confidential information. For this reason, employees should not use unknown Wi-Fi unless they are using a VPN.

  • Password:

Using a weak password is one of the reasons people get hacked while working remotely. Employees should use stronger, randomly generated passwords, and they should use a password manager.

  • File-Sharing:

Employees should avoid sharing unencrypted data. Companies may think their data is protected because it is stored encrypted on their servers, but company information can still be stolen while in transit from one place to another if it is not encrypted on the way.

  • Email Scam

If an email scam occurs, the company bears responsibility, because when remote working started most employees did not have enough training or understanding of it. Companies should run workshops to prevent this situation and educate their employees about cyber security and its threats.

  • Work from home security policy:

· Clearly state which positions are eligible for remote work.

· List the tools and platforms they should be using.

· Give employees guidelines on the steps to follow if they have been compromised.


Medusa Malware is taking control of your device

What is Medusa Malware?

Medusa is a mobile banking trojan that gains near-complete control of a user's smartphone, with keylogging, spyware, banking-trojan, and live audio and video streaming capabilities. It has attracted media attention because it is now distributed over the same SMS-phishing infrastructure as FluBot. Using this distribution method, Medusa infected over 1,500 devices in a single botnet in less than a month.

Attacking your mobile apps:

Medusa can take over the victim's device and alter the text of any given input field to a value chosen by the attacker; for example, it can edit any field in a banking application running on the device. This is how the trojan targets banking platforms and steals the login credentials entered after those phishing messages.

The following snippet shows the code that collects the information of an active window by going through its nodes:

In addition, while investigating Medusa's back-end control panels, researchers found that the malware's operators label banking software with a "BANK" tag in order to control which data fields are harvested. Therefore, every financial application can be vulnerable to this attack, even if it is not currently on the target list.

It can also attack your mobile apps with the help of the Android Accessibility Service. By abusing Accessibility Services, Medusa can execute commands in any app running on an Android device. As a result, it can perform gestures on the screen, take screenshots, lock your screen, and stream video or audio live from your device.

Precautions:

1. Avoid opening emails sent from unknown senders. In most cases, opening a web link found in these messages is what causes the infection. Always use official and trustworthy sources rather than third-party websites.

2. Always keep your software up to date, as this better protects it from these malware attacks. In addition, do not use cracking tools, as they may download or install malware rather than activate the licensed products.

3. Always use reputable anti-virus software on your computers. If your computer is infected by this malware, it is recommended to scan your device with Combo Cleaner Antivirus for Windows so that it can automatically eliminate the virus.

4. To stay safe from this virus, always review an app's permissions before installing it, and verify that those permissions are actually needed for the app to work. Do not download apps from third parties, and never use cracked or unlicensed software.

Your safety is completely in your own hands. Always stay vigilant and alert. Keep in mind that someone, somewhere is going to try to hack you, and the fundamental security precautions outlined above can protect you from them.
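Reviewing permissions before installing (point 4) and spotting an accessibility-service declaration (the capability the post attributes to Medusa) can both be done from an app's manifest. The following Python is an added example, not code from the original post or from any vendor: the AndroidManifest.xml it parses is a constructed sample, and the list of high-risk permissions and the "SMS plus accessibility" heuristic are this example's own choices, not an official classification.

```python
"""Flag high-risk Android permissions and accessibility-service bindings in an
app manifest, as a pre-install review aid. Added example; sample manifest and
risk list are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a reviewer should question when the app has no obvious need for
# them. This mapping is an assumption for the example, not an official set.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS (used to spread smishing)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.RECORD_AUDIO": "can capture audio",
    "android.permission.CAMERA": "can capture video or images",
}
ACCESSIBILITY_BINDING = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a "flashlight" app asking for far more than a flashlight needs
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Flashlight">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def accessibility_services(manifest_xml: str) -> list:
    """Service components that request the accessibility-service binding."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        if svc.get(f"{{{ANDROID_NS}}}permission") == ACCESSIBILITY_BINDING:
            found.append(svc.get(f"{{{ANDROID_NS}}}name", "<unnamed>"))
    return found


def review(manifest_xml: str) -> dict:
    """Summarise what a user should question before installing."""
    perms = declared_permissions(manifest_xml)
    findings = {p: HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}
    services = accessibility_services(manifest_xml)
    if services:
        findings[ACCESSIBILITY_BINDING] = "accessibility service declared: " + ", ".join(services)
    # Heuristic (this example's own): SMS access combined with an accessibility
    # service is the capability pairing the post describes, so rate it severe.
    severe = bool(services) and any(p.endswith("_SMS") for p in findings)
    return {"permissions": perms, "findings": findings, "severe": severe}


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    for perm, why in result["findings"].items():
        print(f"[!] {perm}: {why}")
    print("SEVERE: review before installing" if result["severe"] else "review manually")
```

On a real device the manifest is inside the APK (`AndroidManifest.xml` in binary form), so the same checks would run on the decoded manifest from a tool such as apktool rather than on the text above; the logic is unchanged.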


Microsoft’s New Anti-Malware Protocol: Disabling Internet Macros by Default

Photo by Ed Hardie via https://unsplash.com/@impelling

Microsoft recently announced that, effective April 2022, all VBA macros retrieved from the web will be disabled by default in the following five Windows applications: Excel, Word, Access, PowerPoint, and Visio.

What is a VBA Macro?

A macro is a way to record, store, and run a series of commands, most often used to automate repetitive tasks in Office apps. Visual Basic for Applications (VBA) is a programming language used to write Office macros.

Lots of office workers use VBA macros regularly, including me. At my current job I recently wrote some simple code that links a data entry form to a spreadsheet. The macro is embedded in the file itself and runs whatever code is saved in it, once enabled by the user.

What’s the Big Deal?

Malicious agents can take advantage of this feature by embedding malware in any document that supports VBA.

The document is then typically shared online or via email in a phishing/spearphishing campaign. Once the user opens the file and enables macros, the malware executes in the background. This can give the threat actor access to the user's stored files, network and personal information, and even remote access to their machine.

Since the malware lives inside the Office file, it can spread and embed itself into other files and compromise all of the user's Office documents. Since VBA is supported by all five Office apps, it can also spread across those applications.

The Weakness

While Microsoft already provides a security prompt to users about macros:

This doesn’t seem to be enough of a deterrent. All a threat actor needs to do is convince the unknowing (non-technical) user to click Enable Content via some social engineering. Once the file is downloaded, the last line of defence between the user and the threat becomes a single mouse click.

This creates a huge population of vulnerable users since the Office Suite is a common preference for many organizations, public and private. Too often, many users (and some organizations) are not even aware of this risk, making it (in my opinion) the developer’s responsibility to ensure proper safety measures are enacted.

Microsoft’s Solution

As of Version 2203 (arriving this April), all macros in files retrieved from the internet will be blocked by default.

Users will no longer be able to easily Enable Content, and will be notified with the following prompt:

Clicking Learn More links to a web page informing users about the security risks of downloaded macros, some safe practices, and how to enable macros once the user is certain the file contents are safe.

Mark of the Web (MOTW)

Any file retrieved from an untrusted source such as the internet is labelled with the MOTW, which automatically blocks all macros from running. To run macros, a user must save the file and manually remove the MOTW.
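To make the MOTW mechanism concrete, here is an added Python example (not Microsoft's code) that reproduces the decision the new default makes. On NTFS the Mark of the Web is stored in an alternate data stream named Zone.Identifier whose ZoneId records where the file came from; the example assumes ZoneId 3 (Internet) and 4 (Restricted Sites) are the values that trigger the block, that the list of macro-capable extensions is a simplification, and that a Trusted Location is matched by a plain path prefix. The stream contents shown are constructed samples; the `read_mark_windows` helper only works on Windows/NTFS, which is why the decision logic takes the stream text as input instead of a path.

```python
"""Decide whether Office's April 2022 default would block macros in a file,
from its Mark of the Web (Zone.Identifier stream). Added example, not
Microsoft's implementation; zone numbers and extension list are assumptions
documented in the lead-in.
"""
import configparser
from pathlib import PurePath
from typing import Optional

URLZONE_INTERNET = 3      # downloaded from the internet
URLZONE_UNTRUSTED = 4     # Restricted Sites zone
BLOCKED_ZONES = (URLZONE_INTERNET, URLZONE_UNTRUSTED)

# Macro-capable Office containers (simplified list for the example)
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".vsdm", ".accdb"}

# Constructed samples of what the Zone.Identifier stream contains
INTERNET_MARK = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/report.xlsm\r\n"
INTRANET_MARK = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier text, or None when there is no mark."""
    if not stream_text:
        return None
    # The stream is INI-shaped; disable interpolation because HostUrl may contain '%'
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(stream_text.replace("\r\n", "\n"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def macros_blocked_by_default(filename: str, stream_text: Optional[str],
                              trusted_locations: tuple = ()) -> bool:
    """True when the new default would refuse to run macros in this file."""
    path = PurePath(filename)
    if path.suffix.lower() not in MACRO_EXTENSIONS:
        return False  # no macro container, nothing to block
    # Files in a Trusted Location are exempt (assumption: simple prefix match)
    if any(str(path).lower().startswith(t.lower()) for t in trusted_locations):
        return False
    return parse_zone_identifier(stream_text) in BLOCKED_ZONES


def read_mark_windows(path: str) -> Optional[str]:
    """Read the real stream on Windows/NTFS; None when the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(macros_blocked_by_default("C:/Users/me/Downloads/report.xlsm", INTERNET_MARK))
    print(macros_blocked_by_default("C:/Users/me/Downloads/report.xlsm", INTRANET_MARK))
```

Saving the file and "removing the MOTW", as the paragraph describes, corresponds to deleting that Zone.Identifier stream: with no stream, `parse_zone_identifier` returns None and the block no longer applies, which is exactly why the post stresses being sure of a file's contents before taking that step.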

To end with some general tips Microsoft offers:

  • Only open file attachments that you are expecting
  • Only open files from Trusted Locations/Trusted Publishers
  • Be suspicious of files encouraging you to Enable Content
  • If you download a file with macros, and you’re unsure what they do, just delete that file

With this new feature, Microsoft hopes to simultaneously deter malicious agents while educating end-users.


Censorship, Tor, and why the “Dark Web” is so important

image credit: https://www.torproject.org/

Internet censorship is an issue on the rise around the world. The Tor Project is looking to combat this growing threat to freedom by providing users a connection to the internet “with as much privacy as possible” [1], giving users the freedom to share what they like, even against the wishes of national agencies in their country. However, access to Tor has been dwindling in Russia: since December 1st 2021 several internet service providers in Russia have been blocking access to Tor [2]. Thankfully, the community isn’t ready to let go of its Russian userbase just yet (which happens to make up around 15% of all Tor users [2]). First, though, let’s answer the question for the uninitiated: what exactly is Tor?

What is Tor?

Plain and simple, Tor is a web browser that can be used to access sites that aren’t indexed. This means you aren’t going to find a given .onion site on Google or Bing, only through a browser that’s told exactly where to look. You can also access the “clear net” [3], the regular worldwide web, with Tor, though it will be much slower. That’s due to the method by which Tor directs internet traffic in order to anonymize users and their browsing data. So while you can get access to the “Dark Web” of sorts, be that drugs or other illicit services, there are also plenty of platforms for the completely uncensored exchange of information, giving users in countries with heavy censorship a way to communicate freely.

How Tor keeps your data private:

Tor is built on an idea called “onion routing” [1]. When a user requests a web page, their traffic is routed through multiple servers on the way to the destination. At each hop the traffic is wrapped in another layer of encryption, adding extra privacy to the user’s request, hence the onion analogy. Tor places three nodes between a user making a request and the destination: the entry node, the relay node, and the exit node [3].

image credit: https://www.comparitech.com/blog/vpn-privacy/ultimate-guide-to-tor/

These nodes are used in this manner because no single node knows both the user and the destination. A given node only sees the traffic it receives and where it must forward it, meaning that while the entry node can see the user making a request, it cannot see the request’s destination. This is essentially how Tor protects user privacy.
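The layering described above can be shown in a few dozen lines. The following Python is an added illustration, not Tor's protocol or code: the client wraps a request in three layers, each node peels exactly one, and the trace at the end shows that no node ever learns both "client" and the destination. The keyed XOR stream built from SHA-256 is a constructed stand-in for a real cipher (fine for a demo, not for real use), and the per-node keys are pre-shared here, whereas Tor negotiates a key with each relay during circuit setup.

```python
"""Toy onion routing: three layers, three nodes, each node learns only its
previous and next hop. Added example; the cipher and keys are constructed
stand-ins, not Tor's.
"""
import hashlib
import json


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed circuit and keys: entry (guard), relay (middle), exit
CIRCUIT = ["entry", "relay", "exit"]
NODE_KEYS = {"entry": b"entry-key", "relay": b"relay-key", "exit": b"exit-key"}
DESTINATION = "https://example.invalid/page"  # placeholder destination


def build_onion(request: str) -> bytes:
    """Client side: innermost layer is for the exit, outermost for the entry node."""
    blob = xor_crypt(NODE_KEYS["exit"],
                     json.dumps({"next": DESTINATION, "body": request}).encode())
    for node, next_hop in (("relay", "exit"), ("entry", "relay")):
        layer = json.dumps({"next": next_hop, "body": blob.hex()}).encode()
        blob = xor_crypt(NODE_KEYS[node], layer)
    return blob


def peel(node: str, blob: bytes) -> tuple:
    """One node's work: strip its own layer, return (next_hop, bytes to forward)."""
    layer = json.loads(xor_crypt(NODE_KEYS[node], blob).decode())
    if layer["next"] == DESTINATION:
        # The exit forwards the request to the site in the clear; only TLS between
        # exit and site protects the content from here on. The exit sees the
        # destination but has no idea who the client is.
        return layer["next"], layer["body"].encode()
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(request: str) -> list:
    """Push a request through the circuit and record what each node observed."""
    blob = build_onion(request)
    previous, views = "client", []
    for node in CIRCUIT:
        next_hop, blob = peel(node, blob)
        views.append({"node": node, "previous_hop": previous, "next_hop": next_hop})
        previous = node
    if blob.decode() != request:
        raise RuntimeError("request did not survive the circuit")
    return views


def any_node_links_client_to_destination(views: list) -> bool:
    """The property onion routing is built for: this should always be False."""
    return any(v["previous_hop"] == "client" and v["next_hop"] == DESTINATION
               for v in views)


if __name__ == "__main__":
    for view in run_circuit("GET /page"):
        print(view)
```

Running it prints one line per node: the entry node sees "client" and "relay", the relay sees "entry" and "exit", and the exit sees "relay" and the destination URL. That split is the whole privacy argument; it also shows the limit the paragraph hints at, since the exit does see the plaintext request unless the site itself uses HTTPS.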

Back to Russia

Several countries around the world attempt to censor their citizens’ access to the internet. Russia, for one, has been blocking access to relay nodes, making it more and more difficult for users in Russia to reach Tor. This is where bridges come in. Bridges are unlisted relay nodes run by volunteers to help circumvent the network proxies being used to block traffic [3]. Back in November 2021 the number of these very necessary bridges in operation was trending downward. In response, The Tor Project launched an initiative to get more bridges online. This campaign recently wrapped up with a reported 2470 running bridges, almost doubling the number of bridges active in November [4]!

This is an overwhelming success for the protection of the uncensored internet. Both awareness and action are essential to maintaining that protection, and it’s really encouraging to see how quickly the online community was willing to act to protect these freedoms. This isn’t over just yet, though. We need a constant trickle of new bridges coming online to offset those being blocked in places like Russia and China.

Want to Help?

Does this sound like a movement you can get behind? Do you have a spare computer lying around? Check out this link below and you can decide if you’d like to get your own Tor bridge set up.

https://blog.torproject.org/run-tor-bridges-defend-open-internet/

References:

[1] https://www.torproject.org/about/history/

[2] https://blog.torproject.org/tor-censorship-in-russia/

[3] https://www.comparitech.com/blog/vpn-privacy/ultimate-guide-to-tor/

[4] https://blog.torproject.org/wrapping-up-bridges-campaign/

Censorship or security; The return of the EARN IT act

TW: Mentions of Sexual Abuse

In early February a highly controversial bill was reintroduced into both the House of Commons and the Senate in the USA. The EARN IT act, also known as the Eliminating Abuse and Rampant Neglect of Interactive Technologies act, aims to place responsibility on social media sites for the media they host. This act was created in response to the unfortunate rise in child sexual abuse material online. The act garnered bipartisan support in 2020 when it was first introduced but was pushed aside with the rise of the COVID-19 pandemic. Along with support came disdain from multiple civil liberties groups as well as many security experts.

If the EARN IT act were to pass it would remove the immunity currently allowed for online platforms from civil liability in regards to child exploitation. The current legislation that this bill would amend is Section 230 of the Communications Act. Under this act blanket immunity is given to social media sites protecting them from civil lawsuits. The supporters of the EARN IT act argue that as a result of the immunity there is no incentive for social media companies to take down and limit abusive posts. Without the blanket immunity, large social media sites such as Facebook, Instagram and Twitter would be in danger of being sued for any exploitative posts that they host. In addition to the removal of the immunity a National Commission on Online Child Exploitation Prevention would be established to create guidelines for social media sites to prevent and remove exploitative posts. 

The main criticism against the act is that it would encourage social media companies to decrease the amount of encryption and security on their sites. In order to ensure that no harmful media or messages are being sent or posted, social media companies would need to decrease encryption in their messaging services.  Advocacy groups have argued that those in vulnerable communities such as the LGBTQ+ community rely heavily on encrypted messaging systems to access resources and support networks. Removing or decreasing the encryption would put these individuals in danger. On the other hand, the act would also increase the amount of censorship on social media sites which have already been criticized for silencing vulnerable voices. There have also been remarks on increasing prosecution efforts and punishments for those that choose to engage in abusive child focused media instead of attempting to pass acts such as the EARN IT act. 

In my opinion, I agree with those that are looking for increased prosecution and investigative efforts towards those who post and interact with sexually exploitative media. In regards to the EARN IT act, I think that the USA should implement a similar style of act where social media companies need to proactively remove and prevent any type of exploitative content regardless of age. If they do not comply they would be at risk of prosecution as well as civil lawsuits. This act would also come with assurances that encryption and security measures would not be sacrificed in order to comply with the new legislation. This opinion is a best-of-both-worlds option which may not be realistically feasible or possible, but one can always hope.


CYBERTERRORISM AND SECURITY

Just last month there were countless cyber terrorist attacks. One news report said a Chinese hacking group had breached several German pharma and tech firms. The German government claimed that the hack into the networks of service providers and companies was an attempt to steal intellectual property.

Another report said that internet traffic to and from North Korea was shut down twice in two weeks, likely by a series of DDoS attacks. The second attack came just after North Korea’s fifth missile test of the month. Many more incidents apparently took place in different parts of the world. These two incidents demonstrate cyber terrorism.

Image source: google.com

What is Cyber Terrorism?

Cyber terrorism is defined as a religious or politically motivated attack against information security, programs and data to cause severe disruptions or widespread threat in society. 

Computer technology is exploited for money and power. The most common means of cyber terrorism include the disruption of major websites to cause public panic and unauthorized access to critical infrastructure systems to disrupt cities, factories, and so on. Cyber terrorism extends to violent terrorist attacks, not just a non-violent political agenda.

Image Source: google.com

How big is the threat of Cyber Terrorism? 

The roots of cyber terrorism trace back to the early 1990s, in the age of the rapid growth of the Internet. Today, the threat of cyber terrorism is greater than ever.

One of the most common and frequently used cyber terrorist activities is hacktivism. This is because the most common target of cyber terrorism is password attack, and it usually occurs at great frequency. Hacktivism is defined as the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change. Even though it has limitations, hacktivism may be used to post propaganda on target sites, such as the posting of successful insurgent attacks in Iraq on US.

It forces data onto the web pages of vulnerable government websites and other popular western web forums. The same techniques are used to leave encrypted messages on public sites and to transmit communications ranging from manuals to execution orders to coordination strategies for an attack.

Cyber terrorism holds the power to bring any country or city to a complete standstill. Cyber terrorists can use the Internet to hack into and damage a city’s or country’s transportation, water supply, electricity supply, and more.

How to prevent getting involved and being more secure?

The amount of trust and dependence we place on technology today has made us vulnerable, giving terrorists a chance to make us a target. The threat of cyber terrorism might be exaggerated or manipulated, but we cannot ignore or deny it. If you are on the internet, you are prone to getting involved.

Some of the ways to keep yourself away from getting involved in cyber-terrorism are:

  1. Being more secure with your data by limiting the personal information you share online.
  2. Being aware of the email bombs.
  3. Installing anti-malware software on your devices.
  4. Being aware of scam websites and companies online.
  5. Changing your password frequently.
  6. Avoiding the use of public Wi-Fi.
  7. Not trusting third party or pirated software.


Do you file taxes for the government or for the scammers?

Figure [1]: Filing tax forms online

In many parts of the world tax season has arrived, and millions of people in the United States and Canada are preparing to file their taxes. We are all aware of the importance of filing taxes. I’m sure we can all recall the disappointment on our faces when we received our first paychecks and discovered that a significant portion had gone to taxes. The only way to recover a portion of our hard-earned money is to submit our taxes, either through an accountant or by ourselves with the help of popular tax filing apps such as TurboTax and TaxAct, and wait for a refund.

1.1 What is TurboTax? What info goes in there?

The world is digital now. No one wants to pay a hefty fee to an accountant to submit their tax files to the Canada Revenue Agency (CRA). Over the years many online tax filing websites and apps have been built so that filing taxes is self-explanatory and free of charge. One such piece of software is TurboTax, owned by the parent company Intuit. According to TurboTax, more than 5 million Canadians use its software to get their maximum tax refund every single year.

Figure [2]: TurboTax Interface

Almost every possible personal detail that you can think of, goes into your tax file. When you file your taxes, you declare anything from your name to confidential information like your SIN and income. At this point, TurboTax might know you better than yourself. 

You might be wondering, then is my data safe with TurboTax? Let’s find out!

1.2 TurboTax phishing scam: Background

Recently Intuit, the parent company of TurboTax, started warning its customers about a new phishing scam that uses a fake link to the Intuit website. The scammers’ goal behind the phishing fraud is not yet known to Intuit, but it believes they are attempting to get TurboTax users to hand over their Intuit login and password. That is just the tip of the iceberg: Intuit also owns the QuickBooks accounting software and the Mint personal finance app, both of which may be accessed with the same Intuit password. If the scammers gain access to consumers’ Intuit accounts, the amount of sensitive data they can reach is enormous. Ranging from identity theft to stealing the tax refund, the options are endless. The phoney Intuit website even tricks you into downloading malware-infected TurboTax software.

Figure [3]: TurboTax phishing email

1.3 The phishing emails

According to two Intuit security notices released online this week, the fraud takes the form of an email message with subject lines like “Critical: Action Required” or “Critical: Suspension.” The emails appear to be from “Intuit Accountants,” but in reality they were sent from other email servers that may have been hacked.

The emails warn:

“We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours.”

Figure [4]: Example phishing email

The messages direct users to certain URLs in order to “restore your access,” and the visible links provided — intuit.com/Pro/Update.asp and proconnect.intuit.com/Pro/Update — are indeed part of the Intuit.com domain. 

Neither address, however, actually leads anywhere. It’s safe to assume that the fraudsters made the visible links appear to be from Intuit while the real links go to other websites impersonating Intuit pages.
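The trick described above, visible link text on the intuit.com domain while the underlying link points elsewhere, is mechanical enough to check for. The following Python is an added example, not from Intuit or the original post: it parses the HTML of an email with the standard library, extracts each link's displayed text and its real href, and flags any link whose text looks like a trusted domain while the href goes somewhere else. The email HTML is a constructed sample (the two visible link texts mirror the ones the post quotes; the real href on the first is a made-up `.invalid` host), and the trusted-domain list is an assumption.

```python
"""Flag email links whose visible text names a trusted domain but whose href
goes elsewhere. Added example; sample email and trusted list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("intuit.com",)  # assumption: the legitimate sender's domain

# Constructed stand-in for the phishing email body described in the post
SAMPLE_EMAIL_HTML = """
<p>We have temporarily disabled your account due to inactivity.</p>
<p>Restore your access:
  <a href="http://intuit-verify.example.invalid/update">intuit.com/Pro/Update.asp</a></p>
<p>Or visit
  <a href="https://proconnect.intuit.com/Pro/Update">proconnect.intuit.com/Pro/Update</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL, or of bare 'host/path' text as shown to the user."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def in_trusted(host: str) -> bool:
    """Exact domain or a subdomain of it; 'intuit.com.evil.invalid' does not match."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html: str) -> list:
    """Links that look trusted to the reader but resolve to an untrusted host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if href is None:
            continue
        looks_trusted = in_trusted(host_of(text))
        goes_trusted = in_trusted(host_of(href))
        if looks_trusted and not goes_trusted:
            flagged.append({"text": text, "href": href,
                            "reason": f"text shows a trusted domain, link goes to {host_of(href)}"})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"[!] {hit['text']} -> {hit['href']} ({hit['reason']})")
```

The check is deliberately one-sided: a link whose text and href both stay inside the trusted domain, like the second one in the sample, is left alone, since the point of the post is that the displayed text is what the victim trusts.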

1.4 Precautions

Scammers are everywhere. That does not mean you have to live every day in fear of getting scammed. Here are some tips you can follow to stay safe:

  • Learn about phishing techniques: Every day, new phishing techniques are invented. It’s nearly impossible to avoid becoming a victim of a scam if you don’t understand how it works.
  • Rethink what you are clicking: When you’re on a trusted website, it’s fine to click on links. However, clicking on links in random emails and instant messages isn’t such a good idea.
  • Never give out personal information: Most phishing emails will drive you to a page that requires you to enter financial or personal information. If you’re unsure, go to the company’s main website, get their phone number, and call them.
  • Delete suspicious email: This will prevent your system from being infected with malware or being routed to a phishing landing page.
  • Use antivirus software: By blocking attacks, firewall security restricts access to dangerous files. Antivirus software examines all files that arrive on your computer over the Internet and prevents any harm.

Even though “prevention is better than cure”, it is also true that “to err is human”. Mistakes happen. Perhaps while reading this blog you realize, “OMG, I fell for this scam.”

According to Intuit, here is what you should do now:

  • Delete any downloaded file on your computer from that link
  • Use an anti-malware software to scan the computer thoroughly
  • Change your passwords 

Despite the fact that phishing has been around for over two decades, it remains a problem for two reasons: it is simple to carry out – even by one-person operations – and it succeeds because there are still lots of individuals on the internet who are unaware of the threats they face. These scams will continue, but it is our obligation to spread awareness so that no one falls victim.


A German Art Collector Believed He Had Secured a $33,000 Deal—Turns Out His Seller Wasn’t Actually Who They Claimed to Be.

A prominent Italian art gallery has been in the center of a recent scam, as individuals associated with the gallery had been receiving emails with offers that seemed “too good to be true”—and indeed, it was. 

An offer difficult to come by

Anna Park, Intermission, 2021. Courtesy of Half Gallery. [1]

T293, an art gallery based in Rome, Italy, is well known for representing some of the art world’s most prominent and in-demand artists. One such artist, Anna Park, was the focus of a German art collector. He had made attempts over the past two to three years to buy Park’s work from the gallery with no success, stating that it was almost impossible to get hold of.

However, after consistently keeping in contact with the gallery, he received an email in early January from someone he believed to be Marco Altavilla, one of the gallery’s co-founders, with an offer for two of Park’s drawings. After several exchanges, the German art collector finalized the deal, agreeing on a total price of $33,000, which he stated was a “very good primary market price”. It was only when the gallery offered to pay the shipping, something that never happens, that the art collector realized something was off. By then, however, it was too late: the money had already been sent.

What the German art collector failed to recognize was that the email address which he had been in contact with was a fake—info@t292.it, one digit off from the gallery’s real address.  
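A one-character lookalike of a known counterparty's domain, t292.it in place of t293.it, is something mail triage can catch automatically. The following Python is an added example, not part of the Artnet report or anything the gallery runs: it compares the sender's domain against an address book of vetted contacts and labels any domain within a small edit distance of a known one as a lookalike. The address book and the three messages are constructed for the example; t293.it is the gallery domain named in the post and t292.it the lookalike it describes.

```python
"""Classify email senders as known, lookalike, or unknown by edit distance from
an address book of vetted domains. Added example; contacts and messages are
constructed.
"""
from email.utils import parseaddr

KNOWN_CONTACT_DOMAINS = {"t293.it"}  # assumption: vetted counterparties
LOOKALIKE_MAX_DISTANCE = 2           # assumption: 1-2 character edits count


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming row sweep."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header, whether or not it has a display name."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str) -> str:
    """'known' for an address-book domain, 'lookalike' for a near miss, else 'unknown'."""
    dom = sender_domain(from_header)
    if dom in KNOWN_CONTACT_DOMAINS:
        return "known"
    for known in KNOWN_CONTACT_DOMAINS:
        if 0 < edit_distance(dom, known) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "unknown"


# Constructed messages: (From header, subject)
CONSTRUCTED_MESSAGES = [
    ("Marco Altavilla <info@t293.it>", "Re: Anna Park drawings"),
    ("Marco Altavilla <info@t292.it>", "Offer: two Anna Park drawings, shipping included"),
    ("newsletter@artfair.example", "Spring fair programme"),
]


def flag_lookalikes(messages: list) -> list:
    """Subjects of messages whose sender domain imitates a known contact."""
    return [subject for from_header, subject in messages
            if classify_sender(from_header) == "lookalike"]


if __name__ == "__main__":
    for from_header, subject in CONSTRUCTED_MESSAGES:
        print(f"{classify_sender(from_header):9s} {from_header}  |  {subject}")
```

A lookalike verdict is a prompt to confirm through a channel that already exists, such as a phone number on file, rather than by replying to the message, which is exactly the step the art advisor in the next section took.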

An art advisor’s fortunate realization

Redacted email shared with Artnet News, sent from the info@t292.it account. [1]

An art advisor from the U.S. was another individual contacted by the perpetrators. She had received an email claiming to be from T293’s director, Alessandro Cazzola. With the email came an offer of $28,500 with a 5 percent discount for three of the works of Trey Abdella—another artist represented by the gallery. “This is too good to be true, I thought, but I played it out” she said. 

The art advisor hadn’t been in touch with the gallery since 2020, when she inquired about pieces from both Park and Abdella. The sudden offer had only fueled her suspicions, which were confirmed after looking over the details from an invoice. 

The account listed was not located in Rome but was a Wells Fargo account in Mills Valley, California. It was only then that she noticed she was in contact with a “t292” email account, not “t293”.

In an attempt to contact the actual director, she scrolled back through her emails and messaged the proper address, requesting that Cazzola call her as soon as possible. To her surprise, she received an email shortly after from the person posing as Cazzola, informing her that “t292” was a secondary email used alongside the “t293” address. From this she determined that her email had been intercepted by a hacker, which prevented her from falling victim to the scam.

“Someone would have had to go deep into the email history to find out I had requested  work,” she said. So, how exactly were the perpetrators able to compromise and intercept emails between T293 and their clients? 

What is a Man-in-the-Middle attack?

Diagram representing the basics of a MITM attack. [2]

The art gallery and its customers were caught up in what is known as a man-in-the-middle (MITM) attack, a type of session hijacking in which attackers interrupt an existing conversation or data transfer. The perpetrator inserts themselves into the “middle” to either eavesdrop on or impersonate one or both of the parties [3], creating the illusion that a normal exchange of information is taking place.

In a sense, it is as if your mailman opened your confidential mail and either wrote down the information for himself or changed the contents, sealed it back up and then delivered it to you (very not cool of them). Of course, it is probably easier to tell whether a paper envelope has been tampered with than whether something online has.

The appearance of a normal exchange of information often makes these attacks unnoticeable on the surface, which can result in the compromise of:

  • personal information 
  • login credentials
  • financial information
  • etc. 

In emails, this can take the form of malicious links or altered information being sent to either of the parties involved. Unlike emails with links or information from unknown senders (which are clearly suspicious), in a MITM attack both parties are under the impression that they are in contact with an individual or organization they are familiar with. This makes it easy for the attack to go undetected until it is too late.

MITM Attack: Basics

MITM attacks have two distinct phases: interception and decryption.

Interception:

  • This phase involves intercepting user traffic through an attacker’s network before it reaches its intended destination [4]
  • The easiest way to do this is through free, malicious wifi hotspots set up by an attacker, giving them full visibility into any online exchange
  • More active approaches include: IP spoofing, ARP spoofing, and DNS spoofing [4]

Decryption

  • Following interception, two-way SSL traffic needs to be decrypted without alerting the user or application
  • Methods include: HTTPS spoofing, SSL BEAST (browser exploit against SSL/TLS), SSL hijacking, and SSL stripping [4]
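ARP spoofing, one of the interception methods listed above, leaves a visible trace on the local network: the gateway’s IP address suddenly answers from a new MAC address, and one MAC starts claiming several IPs. As an added example, not from the article or its sources, here is the check a network monitor runs over such observations; the ARP replies are constructed, 192.168.1.1 is assumed to be the gateway and the MAC addresses are made up.

```python
"""Detect ARP spoofing, the interception technique named above, from observed ARP replies.

Added example, not part of the original article. The sample replies are constructed;
192.168.1.1 plays the gateway and the MAC addresses are made up.
"""
from collections import defaultdict

# Constructed observations: (timestamp, sender IP, sender MAC) from ARP replies on one LAN.
ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # a normal host
    (3, "192.168.1.30", "aa:aa:aa:aa:aa:30"),  # a second normal host
    (4, "192.168.1.1",  "aa:aa:aa:aa:aa:30"),  # host .30's MAC now claims the gateway IP
    (5, "192.168.1.20", "aa:aa:aa:aa:aa:30"),  # ...and host .20's IP as well
]


def detect_arp_spoofing(replies, gateway_ip="192.168.1.1"):
    """Return alert strings for the two tell-tale patterns of ARP poisoning.

    1. An IP address whose MAC changes over time; the gateway IP being re-announced
       from a new MAC is the classic setup for sitting in the middle of all traffic.
    2. One MAC address claiming several IP addresses, which is how both ends of a
       conversation get poisoned at once.
    """
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in macs_for_ip and mac not in macs_for_ip[ip]:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"[{severity}] t={ts}: {ip} changed from "
                          f"{sorted(macs_for_ip[ip])[0]} to {mac}")
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            alerts.append(f"[MEDIUM] {mac} claims {len(ips)} addresses: "
                          f"{', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES):
        print(line)
```

Static ARP entries for the gateway, or switch features such as dynamic ARP inspection, stop the poisoning itself; this kind of monitor tells you when someone is trying.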

Examples of MITM attacks

Interceptions between a client and a server. [3]

Intercepting data transfer between a client and a server:

  • An example scenario may involve an attacker analyzing network traffic for unsecured communications
  • Through this, an attacker can retrieve a user’s information and redirect them to a fake site that mimics the real one
  • The attacker can then use information gathered (e.g., login credentials) from the user to access the user’s information on the real site

Intercepting a conversation between two parties. [3]

Intercepting a conversation, passing along altered parts of a discussion between the legitimate participants, or eavesdropping:

  • Besides the example with individuals associated with T293 receiving emails (where eavesdropping took place, and the information was used to deceive customers), fake chat services are another example
  • An attacker could set up a chat service that mimics that of a bank
  • Using the information gained through interception similar to the first scenario, the attacker can chat with the target while starting another chat with the real bank
  • Pretending to be the target, they can use information provided by the target to access the target’s information and account

How to prevent MITM attacks

Fortunately, the German art collector’s private bank account was deactivated on January 31st, and his money was returned to him. Currently the scheme is being investigated by law enforcement with the cooperation of T293. But what can people do to avoid occurrences such as these?

Certain interactions tend to be more susceptible to MITM attacks, such as:

  • internet messaging systems
  • ecommerce sites
  • financial sites

There are certain actions that can be taken to help prevent these attacks from occurring.

For individuals:

  • Avoid wifi connections that aren’t password protected
  • Pay attention to browser notifications that report websites as unsecured
  • Log off immediately from secure applications when not in use
  • Avoid public networks when conducting sensitive transactions
  • Pay attention to possibly suspicious links and information

For website operators:

  • Use secure communication protocols, including TLS and HTTPS, which encrypt and authenticate transmitted data [4]

References

  1. https://news.artnet.com/art-world/t293-hack-2066827
  2. https://www.thesslstore.com/blog/man-in-the-middle-attack-2/
  3. https://www.veracode.com/security/man-middle-attack
  4. https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/

Attack of the Packages

Attackers have been increasingly uploading malicious packages to the popular JavaScript package repository, npm, in order to gain access to sensitive information, set up botnets, steal cryptocurrency, and more.

‘npm’, what is it?

Node Package Manager, better known by its acronym ‘npm’, is a free, open source software registry that was recently acquired by Microsoft-owned GitHub. With upwards of 32,000 new packages uploaded monthly and an average of 17,000 package updates daily, npm hosts over 1.8 million JavaScript packages. Created in 2009, it has grown to become the center of JavaScript code sharing. With more than 11 million developers relying on its service, there is no doubt that attackers will aim to take advantage of this.

Why attackers choose npm

Being open source and free gives rise to one of technology’s greatest fears: a lack of security. Most of the packages uploaded to npm are maintained and verified by users and open-source communities, making the JavaScript ecosystem ‘ripe for exploitation by attackers’, according to open source security and management firm WhiteSource. A huge problem with npm packages is that they don’t need to be run or used – as long as they’re on the system, they are automatically given permission to do whatever they want.

It is estimated that there will be more than 2 billion websites by the end of 2022 and that almost 98% of them will depend on JavaScript. The popularity of npm, and the dependence on it across numerous systems and applications, provides exactly what attackers are looking for: quick distribution to a large audience.

And indeed, attackers are taking advantage of the opportunity npm presents, having already used its registry to attack Discord in January and December of last year.

Attackers are utilizing the distributive nature of npm and focusing their attacks upstream to ‘infect existing components that are distributed downstream and installed potentially millions of times’, according to this npm Threat Report by WhiteSource. In the last six months, WhiteSource identified more than 1,300 malicious packages that were uploaded to npm in 2021. Of the 1,300 packages, about 14 percent were found to steal sensitive information such as credentials while nearly 82 percent were acting as spies and trackers – passively or actively gathering information on unsuspecting clients.

The malware, and more

As stated in this threatpost article, here are some of the malicious packages that WhiteSource detected and identified in its report:

  • mos-sass-loader and css-resources-loader, which engage in brandjacking for remote code execution (RCE);
  • circle-admin-web-app and browser-warning-ui, which select external packages, including malware, for download;
  • @grubhubprod_cookbook, which engages in dependency confusion aimed at reaching Grubhub company data;
  • H98dx, a remote shell executable that runs upon install to infect the machine; and
  • Azure-web-pubsub-express, which enables data aggregation that collects host information.
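Two of the mechanisms in this list can be checked for before a package is ever installed: a lifecycle script that runs at install time (the H98dx pattern) and an internal-looking scoped name that npm would fetch from the public registry (the @grubhubprod_cookbook dependency-confusion pattern). The following is an added example, not code from WhiteSource or npm; the package.json, the .npmrc, the package names and the scope @examplecorp are constructed placeholders.

```python
"""Pre-install audit for two npm risks named above: install-time scripts (the H98dx
pattern) and dependency confusion (the @grubhubprod_cookbook pattern).

Added example, not code from WhiteSource or npm. The manifest, .npmrc, package names
and the scope @examplecorp are constructed placeholders.
"""
import json

# npm runs these lifecycle scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Scopes this (hypothetical) organisation publishes only to its private registry.
INTERNAL_SCOPES = {"@examplecorp"}

PACKAGE_JSON = """{
  "name": "example-internal-app",
  "dependencies": {"@examplecorp/internal-utils": "^1.0.0", "example-lib": "1.2.0"},
  "scripts": {"postinstall": "node setup.js", "test": "jest"}
}"""

# Only the CI scope is routed to the private registry; @examplecorp is not.
NPMRC = "@examplecorp-ci:registry=https://npm.internal.example/\n"


def private_scopes(npmrc_text):
    """Return the scopes that .npmrc routes to a dedicated registry."""
    scopes = set()
    for line in npmrc_text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scopes.add(line.split(":registry=", 1)[0])
    return scopes


def audit_manifest(package_json_text, npmrc_text=""):
    """Return human-readable findings for a manifest about to be installed."""
    manifest = json.loads(package_json_text)
    findings = []
    for hook in INSTALL_HOOKS:       # code that runs before the package is ever imported
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"install-time script '{hook}' runs: {cmd}")
    pinned = private_scopes(npmrc_text)
    for dep in manifest.get("dependencies", {}):
        scope = dep.split("/", 1)[0]
        if scope in INTERNAL_SCOPES and scope not in pinned:
            # An internal name not pinned to the private registry is fetched from the
            # public registry, where anyone can publish a package of the same name.
            findings.append(f"{dep}: internal scope not pinned in .npmrc (dependency confusion)")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(PACKAGE_JSON, NPMRC):
        print(finding)
    # After review, `npm ci --ignore-scripts` installs without running the hooks above.
```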

Earlier this year, researchers also observed a software supply chain attack in October which leveraged a popular npm library, ua-parser-js, used to parse user agent strings to identify various user attributes, in order to gain access to sensitive data and vulnerable resources stored in the cloud. After they supposedly took control of the developer’s account, attackers managed to upload three versions of ua-parser-js, which at the time saw upwards of 8 million downloads a week, each containing malicious code that could allow attackers to steal sensitive information or even take control of the system. GitHub issued an advisory for the package, warning users to migrate their secrets and keys and consider their computer compromised. A quick response from the developer mitigated the damage, but the affected software had already remained in the popular repository for over three hours.

What does this mean for users?

Fortunately for us, WhiteSource reports all its findings to npm, which removes the malicious packages from its registry. However, this process is not instantaneous. If a malicious package is detected and reported on a Friday, it is unlikely that the package is removed until the following Monday. Unfortunately, this means that it could have been downloaded thousands or even millions of times over the weekend. Unsurprisingly, WhiteSource also reports that Friday is a popular day for attackers to make their move.

Businesses and individuals alike should be especially mindful when downloading packages on weekends, as that is when attackers are most likely to release malicious packages. Naturally, users should always take precautions when downloading software from open-source repositories such as npm and only update when they are confident in the content.

References

https://threatpost.com/malicious-npm-packages-web-apps/178137/

https://www.securityweek.com/1300-malicious-packages-found-popular-npm-javascript-package-manager

https://www.npmjs.com/about

Cybersecurity Concerns Abroad at the 2022 Winter Olympics and How to Defend Yourself Anywhere

Background

When abroad, travelers are often caught up with their itinerary and enjoying their new surroundings. Cybersecurity is the last thing on their mind. For those at the 2022 Beijing Winter Olympics, this is a cause for concern. This post uses the event to explore the dangers to privacy and data when abroad.

Figure 1: Beijing 2022 Winter Olympics where cybersecurity is a concern for visitors [1]

Issue

All attendees (athletes, coaches, audience members) at the Games must download an app called MY2022 to declare their health status [1]. Its main function is to collect medical information for health monitoring, to reduce the spread of the COVID-19 virus. A wealth of personal data, such as addresses, flight details, names and phone numbers, passes through this app.

However, the MY2022 app has two significant flaws: it fails to validate SSL certificates, and it fails to encrypt sensitive data. Both leave data exposed in transmission.

The failure to validate SSL certificates means that although the app communicates over an encrypted connection, the other end may not be the intended host; it may be an attacker intercepting traffic between the user and the server. The app can be ‘tricked’ into transmitting to a malicious host, which can result in the compromise of confidential files or information.

Figure 2: The benefits of SSL encryption [3]

The MY2022 app also fails to encrypt sensitive data before transmission: some sensitive data was found to be sent without SSL encryption or any other protection at all [3]. This means that anyone in range of an unsecured wifi access point, anyone operating a wifi hotspot, and any ISP or telecommunications company along the path can read the information the application transmits.
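To make the certificate validation flaw described above concrete, here is an added example in Python’s ssl module, not code from the Citizen Lab report or the MY2022 app: a hostname matcher of the kind a validating client applies to the certificate’s DNS names, a client context built with and without the MY2022 mistake, and a short audit of the result. Hostnames and certificate names are constructed placeholders, and no server is contacted.

```python
"""What the skipped validation step does: the check MY2022 did not perform.

Added example, not code from the Citizen Lab report or the MY2022 app. Hostnames and
certificate names are constructed placeholders; no server is contacted.
"""
import ssl


def hostname_matches(cert_dns_names, hostname):
    """RFC 6125-style comparison of a hostname with a certificate's DNS names.

    A leading '*' matches exactly one label and nothing else is wildcarded. Skip this
    check and any valid certificate, including one the interceptor holds for their own
    domain, is accepted for any server: the 'unintended host' problem described above.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def make_client_context(validate=True):
    """Build a TLS client context; validate=False reproduces the MY2022 mistake."""
    ctx = ssl.create_default_context()           # system CAs, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not validate:
        ctx.check_hostname = False               # any name on the certificate is fine
        ctx.verify_mode = ssl.CERT_NONE          # any issuer, even self-signed, is fine
    return ctx


def audit_context(ctx):
    """List the weaknesses of a client context the way a code review would."""
    issues = []
    if ctx.verify_mode == ssl.CERT_NONE:
        issues.append("certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        issues.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS versions below 1.2 are allowed")
    return issues


if __name__ == "__main__":
    print(audit_context(make_client_context(validate=False)))
```

Grepping a codebase for exactly these two settings (`check_hostname = False`, `CERT_NONE`, or their equivalents in other languages) is how the Citizen Lab class of finding is caught before release.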

Addressing the Cybersecurity Concerns

Clearly, the dangers to digital privacy and cybersecurity when traveling abroad go beyond what meets the eye. The most effective suggestion for protecting visitors’ personal data from malicious actors is to leave personal devices (phones, laptops) in their home countries [2]. A burner phone can be used to fulfill the mandatory MY2022 app requirement. If personal devices are brought, a Virtual Private Network (VPN) can be used to encrypt internet traffic and keep data away from prying eyes.

There is speculation that the government intentionally sabotaged the MY2022 application’s encryption for surveillance reasons, given recurring evidence of local governments using data interception technology to sniff wifi traffic [3]. China does not have an upstanding track record of respecting digital privacy. Thus, it is important to be wary of government regulations and of how much respect they show for digital privacy. It is also a reason to be cautious about using public wifi, especially unencrypted networks, and to check the security protocols before connecting. If public wifi is absolutely needed, it would be wise to avoid accessing personal accounts or sensitive data such as banking and financial information.

The main takeaway from the MY2022 Olympics situation is that being in another country poses significant risk to cybersecurity due to the potential use of unencrypted applications and networks and non-stringent regulations that allow surveillance to occur. There are many ways to keep your digital privacy intact, with leaving devices in home countries at the top of the list, while being conscious of connecting to new networks or using VPNs. Keep yourself safe when travelling!

References

[1] Blewett, T. (2022, February 3). Don’t forget your burner phone: Why cybersecurity in China is an Olympic event in itself. National Post. Retrieved February 6, 2022, from https://nationalpost.com/sports/olympics/2022-winter-olympics-china-cybersecurity-burner-phones

[2] Cybersecurity concerns, both internal and external, run high at Beijing Olympics. Marketplace. (n.d.). Retrieved February 6, 2022, from https://www.marketplace.org/shows/marketplace-tech/cybersecurity-concerns-both-internal-and-external-run-high-at-beijing-olympics/

[3] Knockel, J. (2022, January 21). Cross-country exposure: Analysis of the MY2022 Olympics app. The Citizen Lab. Retrieved February 7, 2022, from https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/

[4] Yahoo! (n.d.). China is watching: Olympians go to great lengths to avoid stolen data at 2022 games. Yahoo! Sports. Retrieved February 6, 2022, from https://ca.sports.yahoo.com/news/china-is-watching-olympians-go-to-great-lengths-to-avoid-stolen-data-065952595.html