Episode 05: January 30 2022

Segway Hit by Magecart Attack, Work at Home sees a Surge in Insider Threats, Newly Discovered Critical Linux Vulnerability, New Standard Aims To Protect Against Deepfakes, Hackers use Windows Update to deploy malware

Bullet points of key topics + chapter markers
[00:33] Segway Hit by Magecart Attack
[04:45] Work at Home sees a Surge in Insider Threats
[10:12] Newly Discovered Critical Linux Vulnerability
[13:22] New Standard Aims To Protect Against Deepfakes
[17:14] Hackers use Windows Update to deploy malware

NOTES:

Segway Hit by Magecart Attack

  • In 2000, Segway released the personal transporter that would become iconic.
    • Since 2015 it has been a subsidiary of Ninebot (which sells under the Segway brand)
  • On Monday Malwarebytes Labs announced an ongoing attack on the Segway store website
    • Compromised since January 6
  • The Malwarebytes web protection team identified a skimmer on Segway's online store
    • Attributed it to Magecart Group 12
    • Identified a connection to the skimmer domain booctstrapt[.]com
      • Domain active since November
  • Site was running Magento
    • Popular open-source e-commerce platform
      • Used by many e-commerce sites
      • Favorite target of Magecart threat actors
  • Attack Vector
    • Innocuous JavaScript code designed to look like a file called Copyright
      • The file itself isn't malicious
      • It dynamically loads the skimmer
        • The loader is not visible if you only look at the page's HTML
        • In the browser's debugger the URL it fetches can be seen
    • The skimmer is embedded inside the favicon.ico file
      • The favicon is the small icon image shown on a website's browser tab
      • If you view the file as an image you would not notice anything, because the image itself is preserved
      • Opened in a hex editor, the file contains JavaScript appended after the image data, starting with an eval function
    • Skimmer
      • Has cropped up in campaigns since 2020
      • Tied to Magecart
      • Only 16 lines of code
    • Magecart
      • Continues to get more creative with its techniques
      • Goal is to evade detection
      • Active for years
      • Has skimmed data from many large organizations
        • names
        • emails
        • addresses
        • credit-card information
      • Sells the information on the dark web
      • A RiskIQ report in December found that a Magecart attack on a website happens once every 16 seconds
  • Lessons
    • Monitor web traffic for applications sending data to unknown locations
    • Run a robust change-management program that monitors code changes to sites
    • E-commerce businesses can also use a real-time monitoring solution that detects access to sensitive fields and attempts to exfiltrate personally identifiable information from the client side
    • Magento users need to understand how to disrupt the web attack lifecycle by stopping the theft of account and identity information from their site, and implement a solution to help do that
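The hex-editor observation above (image bytes preserved, JavaScript appended after them) can be turned into a check you run over a site's static assets. The following is an added example written for these notes, not code from Malwarebytes or from the Segway/Magento incident: it walks the ICO directory to find where the last image blob ends and then looks for script-like text past that point. The marker list and the sample icons are my own constructions; the appended payload is an inert placeholder, not the real 16-line skimmer.

```python
import re
import struct

# ICO layout: a 6-byte header, then one 16-byte directory entry per image,
# then the image blobs the entries point at. Anything past the last blob is
# never read by an image decoder, which is where a skimmer can hide.
ICO_HEADER = struct.Struct("<HHH")          # reserved (0), type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset

# Script fragments that have no business inside an image. Heuristic markers (my assumption).
JS_MARKERS = re.compile(rb"eval\(|function\s*\(|document\.|window\.|<script", re.IGNORECASE)


def trailing_data(ico: bytes) -> bytes:
    """Return every byte that lies past the last image blob named in the ICO directory."""
    if len(ico) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, kind, count = ICO_HEADER.unpack_from(ico, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        entry = ICO_DIR_ENTRY.unpack_from(ico, ICO_HEADER.size + i * ICO_DIR_ENTRY.size)
        size, offset = entry[6], entry[7]
        end = max(end, offset + size)
    return ico[min(end, len(ico)):]


def find_embedded_script(ico: bytes):
    """Return (absolute offset, 40-byte snippet) of script-like data hidden in the file, or None."""
    tail = trailing_data(ico)
    match = JS_MARKERS.search(tail)
    if match is None:
        return None
    start = len(ico) - len(tail) + match.start()
    return start, ico[start:start + 40]


# Constructed sample: a structurally valid 1x1 icon (zeroed BITMAPINFOHEADER plus pixel data).
_IMAGE = struct.pack("<I", 40) + bytes(36) + bytes(8)
CLEAN_ICO = (
    ICO_HEADER.pack(0, 1, 1)
    + ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(_IMAGE), ICO_HEADER.size + ICO_DIR_ENTRY.size)
    + _IMAGE
)
# The same icon with a harmless, constructed skimmer-style payload appended after the image data.
SKIMMER_ICO = CLEAN_ICO + b"eval(function(p,a,c,k,e,d){return 'constructed sample';}())"


def scan_file(path: str):
    """Run the check against a favicon on disk (or one fetched from a site under your control)."""
    with open(path, "rb") as fh:
        return find_embedded_script(fh.read())


if __name__ == "__main__":
    print("clean favicon   :", find_embedded_script(CLEAN_ICO))
    print("trojaned favicon:", find_embedded_script(SKIMMER_ICO))
```

Because the image decoder stops at the end of the last blob, the file renders identically either way; only the length-versus-directory comparison exposes the extra bytes. The same trailing-data check generalises to any container format with an explicit length field, which is why it fits naturally into the change-management monitoring the lessons above recommend.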

Work at Home sees a Surge in Insider Threats

  • In 2021, insider threats cost organizations an average of $15.4 million per year
    • According to Proofpoint's 2022 Cost of Insider Threats Global Report
    • 34% increase over the previous year
      • $11.5M in 2020
      • $15.4M in 2021
      • Overall incident volume increased 44% for the period
    • Frequency increased
      • 67% of companies experienced between 21 and 40 incidents per year
        • up from 60% in 2020
  • Negligence
    • Continues to account for the majority (56%) of insider incidents
      • at a cost of nearly $485,000 per incident
    • Failure to ensure devices are properly secured or patched
    • Not following corporate security policy
    • Especially prevalent now that many employees work from home
      • Harder for IT teams to enforce policy effectively
  • Malicious intent accounts for 26% of incidents
    • Average cost of $648,000 per incident
    • Work from home has driven this trend by giving employees broader access to sensitive data
  • Great Resignation
    • Has increased the risk
    • People have taken data with them when leaving
  • Malicious Actors
    • Target
      • organizational employees
      • contractors
      • third-party vendors
    • Insiders are an attractive attack vector for cyber-criminals because of their far-reaching access to critical systems, data and infrastructure
  • Containment
    • 85 days in 2021
    • 77 days in 2020


  • Lessons
    • Limit access to data to what each role needs
    • Use software to enforce those access rules rather than relying on policy alone
    • Train your staff
    • Only allow access from company-managed equipment
    • Use remote desktop so data stays on company systems instead of being copied to home machines


Newly Discovered Critical Linux Vulnerability

  • Called PwnKit (CVE-2021-4034)
  • Sits in pkexec, part of the polkit privilege-control component used by Linux distros
    • Default installations of Ubuntu, Debian, Fedora and CentOS are vulnerable
    • Other Linux distributions are likely vulnerable and probably exploitable
    • Hidden for more than 12 years
      • Present in pkexec since its first version in May 2009
  • Allows any unprivileged local user to gain root
  • Discovered by security researchers at Qualys
  • Takes advantage of the pkexec command
    • A setuid-root program that lets authorized users execute commands as other users
    • Ships as part of polkit
  • polkit is installed by default on (for all practical purposes) every mainstream distro, vendor-specific and community alike
  • This is a serious vulnerability
  • The actual exploitation isn't very complicated
    • Linux users with a good understanding of environment variables, user permissions and launching applications with arguments could feasibly craft an exploit for PwnKit


  • Mechanism
    • pkexec is launched with an empty argument list (argc == 0), so when it reads argv[1] it actually reads envp[0], out of bounds
    • It treats that string as a program name, looks it up in PATH and writes the resolved path back to argv[1], which is really envp[0]; that out-of-bounds write smuggles an attacker-controlled variable back into the environment pkexec thought it had sanitized
    • Qualys explain it: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]."


  • Lessons
    • Patch now, no matter what
      • All major distros have released updates
    • ZDNet's Steven Vaughan-Nichols said in a story about PwnKit: you can actually chmod yourself out of trouble if you can't find or install patches immediately, using the following root-powered shell command:
      • # chmod 0755 /usr/bin/pkexec
      • This makes it so that no one except for the owner (in this case, root) can write data to pkexec. This should only be considered a stop-gap until an actual patch can be installed.
    • What that command actually changes: pkexec ships as mode 4755, and 0755 clears the setuid bit, so pkexec no longer runs as root and an unprivileged user can no longer reach the bug with root privileges; it also disables pkexec's normal privilege elevation until the patched package restores the bit
    • JFrog has released a tool that Linux users can use to determine whether their systems are vulnerable to PwnKit
      • Link in show notes
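The stop-gap above is easy to apply but just as easy to misread, so here is an added example (written for these notes; not Qualys', JFrog's or ZDNet's tooling) that reports the facts the mitigation depends on, namely whether /usr/bin/pkexec is root-owned and still setuid, and rehearses the chmod on a throwaway file so you can see the bit change before touching the real binary. The default path is an assumption; pass your own if the distro installs pkexec elsewhere.

```python
import os
import stat
import tempfile

PKEXEC = "/usr/bin/pkexec"  # assumed default location; adjust if your distro differs


def has_setuid_bit(path: str) -> bool:
    """True if the setuid bit is set. PwnKit only yields root while pkexec still runs as root."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def report(path: str) -> dict:
    """Summarise what the stop-gap depends on: existence, owner and permission bits."""
    if not os.path.exists(path):
        return {"exists": False}
    st = os.stat(path)
    return {
        "exists": True,
        "owner_is_root": st.st_uid == 0,
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


def apply_stopgap(path: str) -> int:
    """Clear the setuid bit (4755 -> 0755), which is what 'chmod 0755' does; returns the new mode.
    Needs root on the real binary. Afterwards pkexec cannot elevate anyone, so polkit-based tools
    that depend on it will fail until the patched package restores the bit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.stat(path).st_mode)


def dry_run() -> tuple:
    """Rehearse the check and the stop-gap on a temporary file instead of the real pkexec.
    Returns (setuid before, setuid after, mode after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, 0o4755)          # mimic how the vulnerable pkexec ships
        before = has_setuid_bit(path)
        new_mode = apply_stopgap(path)
        after = has_setuid_bit(path)
        return before, after, new_mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("real pkexec:", report(PKEXEC))
    print("rehearsal  :", dry_run())
```

Run `report(PKEXEC)` again after your distro's update lands: a patched pkexec is setuid once more, and that is the correct end state; the missing bit is only meaningful as a temporary signal that the stop-gap is in place.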


New Standard Aims To Protect Against Deepfakes

  • Coalition for Content Provenance and Authenticity (C2PA)
    • Adobe, Microsoft, Arm, Intel, Truepic and the BBC are among its members
  • The standard lets content creators and editors produce media that carries a verifiable record of its origin and edits, so it can't be tampered with secretly
  • It allows them to selectively disclose who has created or changed digital content and how it has been altered
  • Platforms can define what information is associated with each type of asset
    • images, videos, audio, or documents
    • how that information is presented and stored
    • how evidence of tampering can be identified.
  • Jeff McGregor, CEO of Truepic
    • "We have long believed that secure media provenance is the best way to relay high-integrity, authentic digital content online"
    • "An open standard in which any platform, website, app, or organization can ingest, preserve, and publish that content to consumers will be critical to achieving trust at internet scale"
  • Leonard Rosenthol
    • chair of the C2PA technical working group and senior principal scientist, Adobe.
    • “As the C2PA pursues the implementation of open digital provenance standards, broad adoption, prototyping and communication from coalition members and other external stakeholders will be critical to establish a system of verifiable integrity on the internet,”
  • Royal Society report
    • Found that most people can't detect a deepfake
      • Even when they've been warned the video might have been altered
      • When people were shown deepfake videos of Tom Cruise created by VFX artist Chris Ume, nearly eight out of ten failed to spot them as fake, even when they had been warned that they might be
  • Last summer, Facebook teamed up with Michigan State University to create a new reverse-engineering research method to detect and attribute deepfakes, even when they haven’t been seen by the detector before.
  • The success of the C2PA specification will depend on the extent to which it’s taken up by content creators and understood by the general public.

Hackers use Windows Update to deploy malware

  • The North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins)
  • It is now actively using it to execute malicious code on Windows systems
  • The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team
    • While analyzing a January spearphishing campaign
    • The lures impersonated Lockheed Martin
  • When victims open the malicious attachments and enable macro execution
    • the embedded macro drops a WindowsUpdateConf.lnk file in the Startup folder
    • and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder
    • the LNK file launches the Windows Update client (wuauclt.exe) with a command line that loads the attackers' malicious DLL
  • Lazarus runs its malicious DLL through the Windows Update client to bypass security detection mechanisms
  • The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns
  • This works by loading an arbitrary specially crafted DLL with the following command-line options (the command Lazarus used to load their malicious payload):
    • wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer
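Because wuauclt.exe runs that same command line during genuine update sessions, matching on the switches alone is noisy. As an added example for these notes (my own detection logic, not Malwarebytes' or any vendor's rule), the following runs two heuristics over Sysmon-style process-creation events: who the parent process is (a Startup-folder .lnk is launched by explorer.exe, not the update service) and whether the handler DLL lives under the real System32. The events, the trusted-parent list and the System32 path are all constructed assumptions; tune them to your own baseline.

```python
import re
from pathlib import PureWindowsPath

# Heuristics (my assumptions, not from the report): a genuine update session spawns
# wuauclt.exe from the Windows Update service (svchost.exe), and the handler DLL it loads
# lives under the real System32. A Startup-folder .lnk runs under explorer.exe instead.
TRUSTED_PARENTS = {"svchost.exe", "services.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
DLL_ARG = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {   # 0: service-driven update with a relative DLL name -> benign
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer',
    },
    {   # 1: the pattern in the notes: launched from Startup via explorer, DLL in a user-writable folder
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\victim\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer",
    },
    {   # 2: DLL path looks right but the parent is wrong
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Windows\System32\wuaueng.dll" /RunHandlerComServer',
    },
    {   # 3: unrelated process, out of scope
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\victim\notes.txt",
    },
]


def dll_from_cmdline(cmdline: str):
    """Extract the DLL argument that follows /UpdateDeploymentProvider, unquoted; None if absent."""
    m = DLL_ARG.search(cmdline)
    return m.group(1).strip('"') if m else None


def classify(event: dict):
    """Return the reasons an event is suspicious; [] for a benign wuauclt run, None if out of scope."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "wuauclt.exe":
        return None
    cmd = event.get("CommandLine", "")
    if "/runhandlercomserver" not in cmd.lower():
        return None
    reasons = []
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in TRUSTED_PARENTS:
        reasons.append(f"parent {parent or 'unknown'} is not the Windows Update service")
    dll = dll_from_cmdline(cmd)
    if dll is not None:
        p = PureWindowsPath(dll)
        # PureWindowsPath compares case-insensitively, so mixed-case System32 still matches
        if p.is_absolute() and SYSTEM32 not in p.parents:
            reasons.append(f"handler DLL {dll} is outside System32")
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every event that classify() flags with at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Event 2 shows why the parent check matters: a DLL dropped into the real System32 (or a look-alike directory) would pass a path-only rule, but nothing legitimate launches this command line from explorer.exe. Pair the rule with a file-creation alert on `.lnk` files in the Startup folder to catch the persistence step described above.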


  • Lazarus Group
    • Tracked as HIDDEN COBRA by US intelligence agencies
    • North Korean military hacking group
    • Active for more than a decade, since at least 2009
    • Its operators coordinated the 2017 global WannaCry ransomware attack
    • Attacks against high-profile companies such as Sony Pictures and multiple banks worldwide
    • Last year, Google spotted Lazarus targeting security researchers in January as part of complex social engineering attacks, and a similar campaign during March
    • They were also observed using the previously undocumented ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the defense industry of more than a dozen countries