67.4 F
jacksonville,fl
Sunday, December 15, 2019

Cyber Security

Home Cyber Security

Apple Explains Mysterious iPhone 11 Location Requests

0

KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

Apple Explains Mysterious iPhone 11 Location Requests 1

I published Tuesday’s story mainly because Apple’s initial and somewhat dismissive response — that this was expected behavior and not a bug — was at odds with its own privacy policy and with its recent commercials stating that customers should be in full control over what they share via their phones and what their phones share about them.

But in a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that “provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max).

Ultra-wideband (a.k.a UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications of a large portion of the radio spectrum without interfering with more conventional transmissions.

“So users can do things like share a file with someone using AirDrop simply by pointing at another user’s iPhone,” Apple’s statement reads. The company further explained that the location information indicator (a small, upward-facing arrow to the left of the battery icon) appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

“Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” the statement continues. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

Apple’s privacy policy says users can disable all apps and system services that query the user’s location all at once by toggling the main “Location Services” option to “off.” Alternatively, it says, users can achieve the same results by individually turning off all System Services that use location in the iPhone settings.

What prompted my initial inquiry to Apple about this on Nov. 13 was that the location services icon on the iPhone 11 would reappear every few minutes even though all of the device’s individual location services had been disabled.

“It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled,” Apple stated in their initial response. “The icon appears for system services that do not have a switch in Settings” [emphasis added].

Now we know more about at least one of those services. Apple says it plans to include the option of a dedicated toggle in System Services to disable the UWB activity in an upcoming update of its iOS operating system, although it didn’t specify when that option might be available.

The one head-scratcher remaining is that the new iPhone seems to check whether it’s in a country that allows UWB fairly frequently, even though the list of countries where this feature is not yet permitted is fairly small, and includes Argentina, Indonesia and Paraguay. A complete list of countries where iPhones can use UWB is here. The principal remaining concern may be that these periodic checks unnecessarily drain the iPhone 11’s battery.

It is never my intention to create alarm where none should exist; there are far too many real threats to security and privacy that deserve greater public attention and scrutiny from the news media. However, Apple does itself and its users no favors when it takes weeks to respond (or not, as my colleague Zack Whittaker at TechCrunch discovered) to legitimate privacy concerns, and then does so in a way that only generates more questions.


Apple Explains Mysterious iPhone 11 Location Requests 2

Tags: apple, iPhone 11, Techcrunch, Ultra Wideband, Zack Whittaker

You can skip to the end and leave a comment. Pinging is currently not allowed.

Ransomware at Colorado IT Provider Affects 100+ Dental Offices

0

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Ransomware at Colorado IT Provider Affects 100+ Dental Offices 3

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS, which apparently began on Nov. 25 and is still affecting many of its clients, comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

From talking to several companies hit and with third-party security firms called in to help restore systems, it seems that CTS declined to pay an initial $700,000 ransom demand for a key to unlock infected systems at all customer locations.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with outside experts to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” a dental practitioner based in Las Vegas replied. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

There is one aspect of this attack has massively complicated restoration efforts, even at practices that have negotiated paying the ransom demand: Specifically, two sources said that victim several offices were left with multiple ransom notes and encrypted file extensions.

As a result, the decryption key supplied by the attackers only unlocked some of the scrambled files, requiring affected dental practices to expend further time, effort and expense to obtain all the keys needed to fully restore access to their systems.

Gary Salman is CEO of Black Talon Security, a cybersecurity firm based in New York that assisted several CTS clients in the recovery process. Salmon said he wasn’t certain why the attackers chose to operate this way, but that the most likely explanation is that the attackers stand to gain more financially from doing so.

“For one network we recovered that had 50 devices in total, they had to turn in more than 20 ransom notes to fully recover,” Salman said, adding that the attackers may just be hedging against the possibility that different affected practices could save money by sharing the same decryption key. “In the end, [the attackers] are going to walk away with a lot more money than they would have gotten had [CTS] just paid the $700,000.”

Salman said the intruders seem to have compromised a remote administration tool used by CTS to configure and troubleshoot systems at client dental offices remotely, and that this functionality did not require additional authentication on the part of the client before that connection could be established.

“What a lot of these IT services companies do is have active sessions back to every single client computer, so that so when someone from a client calls the IT provider can log right in and resolve any of these issues,” he said.

“Many IT providers will use remote administration services that require a unique [one-time code] that the client has to type in before that remote session is initiated,” Salman continued. “But other [IT providers] don’t want to do that because then it’s harder for them to manage these systems after-hours or when the user is away from their system. But ultimately, it comes down to security versus ease-of-use, and a lot of these smaller businesses tend to move toward the latter.”

Medix’s Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”

Update, Dec. 8, 1:21 p.m. ET: Added additional perspective and details gathered by Black Talon Security.Also, an earlier version of this story incorrectly stated that the ransomware attack began this past week. Multiple source now confirm that the Sodinokibi ransomware was initially deployed in the early morning hours of Monday, Nov. 25, and that many victim dental offices are still turning away patients as a result of ongoing system outages.


Ransomware at Colorado IT Provider Affects 100+ Dental Offices 4

Tags: Complete Technology Solutions ransomware, Herb Miner, Medix Dental, PerCSoft, rEvil, Sodinokibi, Thomas Terronez

You can skip to the end and leave a comment. Pinging is currently not allowed.

CISO MAG Honors KrebsOnSecurity

0

CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

CISO MAG Honors KrebsOnSecurity 5KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO MAG awards also honor the contributions of Rik Ferguson, vice president security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.


CISO MAG Honors KrebsOnSecurity 6

Tags: CISO MAG

You can skip to the end and leave a comment. Pinging is currently not allowed.

Patch Tuesday, December 2019 Edition

0

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

Patch Tuesday, December 2019 Edition 7By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw, meaning an attacker would need to previously have compromised the system using another vulnerability. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, which is yet another weakness in the Windows Remote Desktop Protocol (RDP) client, a component of Windows that lets users view and manage their system from a remote computer. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory on it is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable it unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 will cease receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Windows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.


Patch Tuesday, December 2019 Edition 8

Tags: Microsoft Patch Tuesday December 2019, Recorded Future

You can skip to the end and leave a comment. Pinging is currently not allowed.

The Great $50M African IP Address Heist

0

A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.

The Great $50M African IP Address Heist 9

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.

Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication Mybroadband.co.za who assisted Guilmette in his research.

KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byauhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”

Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.

“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”

For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from domaintools.com [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — ipv4leasing.org and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.

Historic AFRINIC record lookups show ipv4leasing.org tied to at least six sizable blocks of IP addresses that once belonged to a now defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, Anti-spam group Spamhaus.org began tracking floods of junk email originating from this block of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S. based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

The Great $50M African IP Address Heist 10

Anyone interested in a deeper dive on Guilmette’s years-long investigation — including the various IP address blocks in question — should check out MyBroadband’s detailed Dec. 4 story, How Internet Resources Worth R800 Million (USD $54M) Were Stolen and Sold on the Black Market.


The Great $50M African IP Address Heist 11

Tags: Adconion Direct, AFRINIC, Afriq*Access, Eddy Kayihura, Infoplan, ipv4leasing, ITC, Jan Vermeulen, Mybroadband.co.za, Ron Guilmette, The African Network Information Centre

You can skip to the end and leave a comment. Pinging is currently not allowed.

DDoS-for-Hire Boss Gets 13 Months Jail Time

0

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities.

DDoS-for-Hire Boss Gets 13 Months Jail Time 12

A screenshot of databooter[.]com, circa 2017. Image: Cisco Talos.

The jail time was handed down to Sergiy P. Usatyuk of Orland Park, Ill., who pleaded guilty in February to one count of conspiracy to cause damage to Internet-connected computers and owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com, databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

According to the U.S. Justice Department, in just the first 13 months of the 27-month long conspiracy, Usatyuk’s booter users ordered approximately 3,829,812 DDoS attacks. As of September 12, 2017, ExoStresser advertised on its website that this one booter service had launched 1,367,610 DDoS attacks, and caused targets to suffer 109,186.4 hours of network downtime (-4,549 days).

Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez,” among others — admitted developing, controlling and operating the aforementioned booter services from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an assistant professor at the University of Illinois at Chicago. I did so because a brief amount of sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the time went by the nicknames “Rasbora” and “Mr. Booter Master” — was heavily involved in helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is] doing. If you think that is any kind of illegal work, please, let me know.”

That 2014 story declined to quote Rasbora by name because he was a minor then, but his father seemed alarmed enough about my inquiry that he insisted his son speak with me about the matter.

Here’s  an excerpt of what I wrote about Sergiy at the time:

Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

I’m guessing young Sergiy never had his Internet privileges revoked, nor did he heed advice to use his skills for less destructive activities. His dad hung up on me when I called Wednesday evening requesting comment.

In addition to serving the 13-month jail sentence and three years of supervised release, Usatyuk will forfeit $542,925 in proceeds from the scheme, as well as dozens of servers and other computer equipment that powered his many DDoS-for-hire businesses.


DDoS-for-Hire Boss Gets 13 Months Jail Time 13

Tags: Andrew Quez, Brian Martinez, Hackforums, Rasbora, Sergiy P. Usatyuk

You can skip to the end and leave a comment. Pinging is currently not allowed.

CISO Magazine Honors KrebsOnSecurity

0

CISO Magazine, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

CISO Magazine Honors KrebsOnSecurity 14KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO Magazine awards also honor the contributions of Rik Ferguson, vice president security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.


CISO Magazine Honors KrebsOnSecurity 15

Tags: CISO Magazine

You can skip to the end and leave a comment. Pinging is currently not allowed.

Why Were the Russians So Set Against This Hacker Being Extradited?

0

The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

Why Were the Russians So Set Against This Hacker Being Extradited? 16

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.

However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.

Burkov calls himself a specialist in information security and denies having committed the crimes for which he’s been charged. But according to denizens of several Russian-language cybercrime forums that have been following his case in the Israeli news media, Burkov was by all accounts an elite cybercrook who primarily operated under the hacker alias “K0pa.”

This is the same nickname used by an individual who served as co-administrator of perhaps the most exclusive Russian-language hacking forums ever created, including Mazafaka and DirectConnection.

Why Were the Russians So Set Against This Hacker Being Extradited? 17

A screen shot from the Mazafaka cybercrime forum, circa 2011.

Since their inception in the mid-aughts, both of these forums have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” or guarantees from at least three existing members. Also, neither forum was accessible or even visible to anyone without a special encryption certificate supplied by forum administrators that allowed the sites to load properly in a Web browser.

Why Were the Russians So Set Against This Hacker Being Extradited? 18

DirectConnection, circa 2011. The identity shown at the bottom of this screenshot — Severa — belonged to Peter Levashov, a prolific spammer who pleaded guilty in the United States last year to operating the Kelihos spam botnet.

Notably, some of the world’s most-wanted cybercriminals were members of these two highly exclusive forums, and many of those individuals have already been arrested, extradited and tried for various cybercrime charges in the United States over the years. Those include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

A user database obtained by KrebsOnSecurity several years back indicates K0pa relied on the same email address he used to register at Mazafaka and DirectConnection to register the user account “Botnet” on Spamdot, which for years was the closely-guarded stomping ground of the world’s most prolific spammers and virus writers, as well as hackers who created services catering to both professions.

As a reporter for The Washington Post in 2008, I wrote about the core offering that K0pa/Botnet advertised on Spamdot and other exclusive forums: A botnet-based anonymity service called FraudCrew. This service sold access to hacked computers, which FraudCrew customers used for the purposes of hiding their real location online while conducting cybercriminal activities.

Why Were the Russians So Set Against This Hacker Being Extradited? 19

FraudCrew, a botnet-based anonymity service offered by K0pa.

K0pa also was a top staff member at Verified, among the oldest and most venerated of Russian language cybercrime forums. Specifically, K0pa’s role at Verified was in maintaining its blacklist, a dispute resolution process designed to weed out “dishonest” cybercriminals who seek only to rip off less experienced crooks. From this vantage point, K0pa would have held considerable sway on the forum, and almost certainly played a key role in vetting new applicants to the site.

Prior to his ascendance at these forums, K0pa was perhaps best known for being a founding member of a hacker group calling themselves the CyberLords. Over nearly a decade, the CyberLords team would release dozens of hacking tools and exploits targeting previously unknown security vulnerabilities in Web-based services and computer software.

Why Were the Russians So Set Against This Hacker Being Extradited? 20

A cached copy of cyberlords[.]ru, circa 2005.

A DIRECT CONNECTION?

According to security firm Cybereason, Russia has a history of using contractors — even cybercriminals — to run intelligence operations. These crooks-turned-spies “offer a resource to the state while enjoying a cloak of semi-protected ‘status’ for their extracurricular activities, provided they are directed against foreign targets.”

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

Why Were the Russians So Set Against This Hacker Being Extradited? 21

A banner that ran on top of the Verified cybercrime forum for many years.

It’s probably worth noting that also present on both DirectConnection and Mazafaka were the core members of a prolific gang of online bank robbers called the JabberZeus Crew, who used custom versions of the ZeuS Trojan to steal tens — if not hundreds — of millions of dollars from hacked small businesses across the United States. In 2011, most of that crew was rounded up in an international cybercrime crackdown, although virtually all of them escaped prosecution in their home countries (mainly Russia and Ukraine).

I mention this because K0pa also was in regular communications with — if not a core member of –the JabberZeus crew. This gang worked directly with the author of the ZeuS trojan — Evgeniy “Slavik” Bogachev — a Russian man with a $3 million bounty on his head from the FBI. The cybercriminal organization Bogchev allegedly ran was responsible for the theft of more than $100 million from banks and businesses worldwide that were infected with his ZeuS malware. That organization, dubbed the “Business Club,” had members spanning most of Russia’s 11 time zones.

Why Were the Russians So Set Against This Hacker Being Extradited? 22

In this 2011 screenshot of DirectConnection, we can see the nickname “aqua,” one of the JabberZeus crime gang actors. K0pa also was affiliated with the JabberZeus crew.

Fox-IT, a Dutch security firm that infiltrated the Business Club’s back-end operations, found that beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled his cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

Likewise, the keyword searches that Slavik used to scour bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs – a specialized police unit. Fox-IT said it was clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government. On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.

Further reading, including the fascinating story on the diplomatic back and forth between Russia and Israel mentioned in the first paragraph: The Russian Hacker Who Just Became One of Israel’s Most Famous Prisoners.

How Russia Recruited Elite Hackers for Its Cyberwar


Why Were the Russians So Set Against This Hacker Being Extradited? 23

Tags: Alexei Burkov, Cybereason, DirectConnection, Evgeniy Mikhailovich Bogachev, Fox IT, FraudCrew, K0pa, Mazafaka, Slavik, Spamdot

You can skip to the end and leave a comment. Pinging is currently not allowed.

Ransomware Bites 400 Veterinary Hospitals

0

National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack late last month that affected more than half of those properties, separating many veterinary practices from their patient records, payment systems and practice management software. NVA says it expects to have all facilities fully back up and running normally within the next week.

Ransomware Bites 400 Veterinary Hospitals 24

Agoura Hills, Calif.-based NVA bills itself as is the largest private owner of freestanding veterinary hospitals in the United States. The company’s Web site says it currently owns roughly 700 veterinary hospitals and animal boarding facilities in the United States, Canada, Australia and New Zealand.

NVA said it discovered the ransomware outbreak on the morning of Sunday, Oct. 27, and soon after hired two outside security firms to investigate and remediate the attack. A source close to the investigation told KrebsOnSecurity that NVA was hit with Ryuk, a ransomware strain first spotted in August 2018 that targets mostly large organizations for a high-ransom return.

NVA declined to answer questions about the malware, or whether the NVA paid the ransom demand.

“It was ransomware, but we’ve been referring to it as a malware incident,” said Laura Koester, NVA’s chief marketing officer.

Koester said because every NVA hospital runs their IT operations as they see fit, not all were affected. More importantly, she said, all of the NVA’s hospitals have remained open and able to see clients (animals in need of care), and access to patient records has been fully restored to all affected hospitals.

“For a few days, some [pet owners] couldn’t do online bookings, and some hospitals had to look at different records for their patients,” Koester said. “But throughout this whole thing, if there was a sick animal, we saw them. No one closed their doors.”

The source close to the investigation painted a slight less rosy picture of the situation at NVA, and said the company’s response has been complicated by the effects of wildfires surrounding its headquarters in Los Angeles County: A year ago, a destructive wildfire in Los Angeles and Ventura Counties burned almost 100,00 acres, destroyed more than 1,600 structures, killed three people and prompted the evacuation of nearly 300,000 people — including all residents of Agoura Hills.

“The support center was scheduled to be closed on Friday Oct 25, 2019 due to poor air quality caused by wildfires to the north,” said the source, who asked to remain anonymous. “Around 2 am PT [Oct. 27], the Ryuk virus was unleashed at NVA. Approximately 400 locations were infected. [Microsoft] Active Directory and Exchange servers were infected. Many of the infected locations immediately lost access to their Patient Information Management systems (PIMs). These locations were immediately unable to provide care.”

The source shared internal communications from different NVA executives to their hospitals about the extent of the remediation efforts and possible source of the compromise, which seemed to suggest that at least some NVA properties have been struggling to accommodate patients.

A missive from NVA’s Director of Operations Robert Hill on Oct. 30 acknowledged that “we continue to be faced with a monumental effort to restore IT service [to] nearly 400 of our hospitals.”

“This really hit home for me Saturday,” Hill wrote. “One of my best friends had to take his Yellow Lab into Conejo Valley for urgent care. Thankfully CV was able to provide care as their [systems] were up and running, but many of our hospitals are not in as good shape.”

In an update sent to NVA hospitals on Nov. 6, the company’s new head of technology Greg Hartmann said its security system successfully blocked the ransomware from infiltrating its systems — at least at first.

“Because of the scale of the attack, the virus eventually found three smaller points of entry through accounts that were unaffiliated with NVA, but unfortunately opened within our network,” Hartmann said. “Upon discovery of the incident, our technology team immediately implemented procedures to prevent the malware from spreading; however, many local systems were affected. Still, we have many hospitals whose systems are not recovered. The technology team continues to set up interim workstations at each affected hospital while they prepare to rebuild servers.”

The source told KrebsOnSecurity that NVA suffered a separate ransomware infestation earlier this summer that also involved Ryuk, and they expressed concern that the first incident may not have been fully remediated — potentially letting the attackers maintain a foothold within the organization.

“This is the second time this year Ryuk struck NVA,” the source said. “The first time, NVA was rather open to all facilities about what happened. This time, however, they are simply referring to it as a ‘system outage.’”

Ransomware Bites 400 Veterinary Hospitals 25

A set of talking points NVA distributed to staff on Oct. 27, the day some 400 veterinary hospitals were hit with the Ryuk ransomware.

Koester said some NVA facilities did get hit with a malware incident earlier this year, but that she did not believe ransomware was involved in that intrusion.

The Ryuk ransomware has made a name for itself going after businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay. In February, payroll software provider Apex Human Capital Management chose to pay the ransom demand after a Ryuk infection severed payroll management services for hundreds of the company’s customers. And on Christmas Eve 2018, cloud hosting provider Dataresolution.net suffered a multi-week outage after a Ryuk attack.

According to a bulletin released by the FBI in May, cybercriminals had targeted over 100 U.S. and international businesses with Ryuk since August 2018. Security firm CrowdStrike estimated that attackers deploying Ryuk had netted over $3.7 million in bitcoin ransom payments between Aug. 2018 and January 2019.

Many people and organizations may be under the impression that ransomware attacks like Ryuk can appear at a moment’s notice merely from someone clicking a malicious link or opening a booby-trapped email attachment. While the latter appears to be the most common vector for ransomware infestations, an advisory released in September by the U.K’s National Cyber Security Centre suggests most Ryuk victims are compromised weeks or months before the ransomware is actually deployed inside the victim’s network.

“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out
reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack,” reads the NCSC advisory, which includes tips on spotting signs of a Ryuk infection. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”

As for what changes NVA will be making to prevent yet another ransomware outbreak, an internal update on Nov. 7 from NVA’s chief information officer Joe Leggio said NVA was investing in software from Carbon Black, a cloud-based security solution that will be installed on all NVA property computers.

“Throughout my career, I have witnessed incredible advances in technology making our lives better,” Leggio wrote. “At nearly the same rate, the bad guys have been increasing the aggressiveness and sophistication of their attacks. As we rebuild, we are also thinking of the future. That is why we are investing in cybersecurity talent, new infrastructure, and better software.”


Ransomware Bites 400 Veterinary Hospitals 26

Tags: Greg Hartmann, Laura Koester, National Veterinary Associates, NVA ransomware, Robert Hill, Ryuk

You can skip to the end and leave a comment. Pinging is currently not allowed.

Orcus RAT Author Charged in Malware Scheme

0

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

Orcus RAT Author Charged in Malware Scheme 27

An advertisement for Orcus RAT.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.


Orcus RAT Author Charged in Malware Scheme 28

Tags: Australian Federal Police, Blackshades RAT, John Revesz, LuminosityLink, NanoCore RAT, Orcus RAT, Orcus Technologies, RCMP, Royal Canadian Mounted Police, Taylor Huddleston

You can skip to the end and leave a comment. Pinging is currently not allowed.

Follow threeblocksaway | styleandeasy

0FansLike
0FollowersFollow
34FollowersFollow
7SubscribersSubscribe

EDITOR PICKS