SANS NewsBites

Banking Trojan Evades Play Store Controls; User Management Risks; Bot Responsibilities

February 20, 2024  |  Volume XXVI - Issue #14

Top of the News


2024-02-19

Banking Trojan in Google Play Store

The Anatsa banking Trojan has been found lurking in the Google Play store. This latest version of the malware has expanded its European focus from Germany, Spain, and the UK to include Slovenia, Slovakia, and Czechia. The malware spreads via phony cleaner and PDF reader dropper apps. The malware is estimated to have been downloaded 150,000 times from the Google Play Store.

Editor's Note

There is a level of implicit trust given to both Google Play and the Apple app store. Both do a good job vetting applications before placing them in their app stores. That said, this is the second example in the last few weeks where their vetting processes fell short. Expect cybercriminals to continue to target these app stores, and others, as part of a supply chain attack.

Curtis Dukes

2024-02-16

Government Network Breached Through Former Employee’s Credentials

An unnamed US state government organization suffered an intrusion that was determined to have been conducted using a former employee’s administrative credentials. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) “conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.”

Editor's Note

It is far easier for an attacker to gain unauthorized access to victim assets/data through valid user credentials than through ‘hacking’ the network. Ideally, as part of proper account management, user credentials, especially admin privileges, are removed upon employee departure. Organizations should revisit employee departure checklists and reinforce system accounts removal as an immediate action.

Curtis Dukes

A few factors to contemplate over your morning coffee: First, the account wasn't deactivated in a timely fashion. Second, these admin accounts didn't require MFA. Third, these accounts also worked for the VPN. Even if you're holding an account for someone returning, that account should be unusable during that gap. At a bare minimum, require MFA for admin (privileged) accounts and remote access. Allowing admin accounts to activate the VPN should raise concerns of separation of duties. Some of you may disagree with me on the last one; if you have the use case, and it's legitimate, make sure that you have sufficient authentication strength, monitoring and risk acceptance.

Lee Neely
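The three control failures listed above (a departed user's account still enabled, privileged accounts without MFA, and the same accounts usable for remote access) are the kind of thing an offboarding audit can catch before an incident does. The script below is an added illustration, not code from the story or from CISA/MS-ISAC: it runs the checks over a constructed account export and a constructed HR departure list, and the usernames, dates, and field names are all made up for the example.

```python
"""Offboarding and privileged-access audit over a constructed account export.

Added example. The Account fields mirror what most IdP/AD exports can provide
(enabled flag, group-derived privilege, MFA enrolment, VPN entitlement, last
login); the sample records and the DEPARTED feed are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool      # member of an admin/privileged group
    mfa_enrolled: bool
    vpn_allowed: bool     # entitled to remote access
    last_login: date


# Constructed HR feed: users whose employment ended, and the end date.
DEPARTED = {"jdoe": date(2024, 1, 15)}

# Constructed directory export.
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, False, True, date(2024, 2, 10)),      # departed admin, still active, used since
    Account("asmith", True, True, True, False, date(2024, 2, 19)),    # admin with MFA, no VPN: clean
    Account("svc_backup", True, True, False, False, date(2024, 2, 19)),  # privileged, no MFA
    Account("bwong", True, False, False, True, date(2024, 2, 18)),    # VPN user without MFA
    Account("cpark", True, False, True, False, date(2024, 2, 19)),    # ordinary user: clean
]


def audit(accounts, departed, today):
    """Return (username, severity, message) findings for the controls named in the note."""
    findings = []
    for a in accounts:
        if a.username in departed and a.enabled:
            left = departed[a.username]
            findings.append((a.username, "CRITICAL",
                             f"departed {(today - left).days} days ago, account still enabled"))
            # A login after the departure date is an incident indicator, not just a hygiene gap.
            if a.last_login > left:
                findings.append((a.username, "CRITICAL",
                                 f"login observed after departure: {a.last_login.isoformat()}"))
        if a.privileged and not a.mfa_enrolled:
            findings.append((a.username, "HIGH", "privileged account without MFA"))
        if a.vpn_allowed and not a.mfa_enrolled:
            findings.append((a.username, "HIGH", "remote access without MFA"))
        if a.privileged and a.vpn_allowed:
            # Not automatically wrong, but it needs an explicit use case, monitoring and risk acceptance.
            findings.append((a.username, "REVIEW",
                             "privileged account can also use VPN; confirm separation of duties"))
    return findings


def audit_sample():
    """Run the audit over the constructed data as of 2024-02-20."""
    return audit(SAMPLE_ACCOUNTS, DEPARTED, date(2024, 2, 20))


if __name__ == "__main__":
    for user, sev, msg in audit_sample():
        print(f"{sev:8} {user:12} {msg}")
```

Run daily against a fresh export and feed the CRITICAL lines to whoever owns identity; the REVIEW lines are the list to take to the risk-acceptance conversation the note describes.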

It is sad that we are still seeing major breaches implicating reusable credentials.

William Hugh Murray

2024-02-16

Air Canada Deemed Responsible for What its Chatbot Said

Canada's Civil Resolution Tribunal has ruled that Air Canada must honor a fare refund policy described by its chatbot. A customer interacting with the chatbot was led to believe that he could purchase a ticket and request a partial reimbursement for a bereavement fare later. While the chatbot’s explanation of Air Canada’s bereavement fares policy was not in line with the company’s website, the tribunal determined that the customer had no reason to mistrust the chatbot because it was representing Air Canada. Air Canada appears to have disabled its chatbot.

Editor's Note

This lines up with our policy for the use of LLM tools by SANS.edu students: It is ok to use them for some tasks, but you are responsible for the answers if you use them. Just like when search engines like Google started to be used to find answers, one of the real skills has become to figure out which answers to trust. Companies should be held responsible if they use "chatbots" without the necessary safeguards, in particular if the customer is not intentionally abusing bugs in the bot's responses.

Johannes Ullrich

There are many legal rulings to come about corporate liability for erroneous and/or malicious use of AI. Odds are pretty high companies will be held liable. Governance (which includes security but many other processes) of AI initiatives will become just as important as good sys admin hygiene on servers has proven to be.

John Pescatore

An interesting defense used by Air Canada – that it can’t be held liable for the actions of a representative [chatbot in this case]. Really? It’s an interactive part of the company’s website, whether it provides correct information or not. Bottom line: Air Canada failed the standard of reasonableness test as determined by the judge.

Curtis Dukes

Good precedent. Both enterprises and individuals are responsible for all the results of their use of AI tools. It is fundamental. Tools cannot be responsible for their use.

William Hugh Murray

The Rest of the Week's News


2024-02-16

SolarWinds Patches Critical Flaws in Access Rights Manager

On February 15, SolarWinds released ARM 2023.2.3 to address five remote code execution (RCE) vulnerabilities in SolarWinds Access Rights Manager (ARM). Three are critical: two path traversal issues and one deserialization of untrusted data issue. The other two are high severity flaws.

Editor's Note

These five flaws have CVSS scores from 7.9 to 9.6. The ARM version 2023.2.3 service release appears to address all five. While there is no evidence of exploitation in the wild, keep in mind that even though it's been almost 4 years (March 2020) since their supply chain compromise, SolarWinds is still going to garner extra attention from attackers.

Lee Neely

2024-02-20

International Law Enforcement Operation Takes Down LockBit Website

In a cooperative effort, law enforcement agencies from 11 countries have (once again) disrupted operation of the LockBit ransomware gang. The LockBit website is now under the control of the UK’s National Crime Agency. Operation Cronos, as the effort is called, is “an ongoing and developing operation.”

Editor's Note

Having been in the Army Guard for well over 20 years now, I have a decent grasp of bureaucracies and the impediments they can create. I'm thrilled that these international organizations have been able to pull together and have real effects. Congratulations!

Christopher Elgee

Europol released a statement (https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation) this morning with more details on the operation. So far two people have been arrested, over 200 #cryptocurrency accounts seized, and more importantly lots of data gathered from over 42 servers that will hopefully lead to more operations and arrests. The decryption keys for #Lockbit are now also available on the #NoMoreRansom portal (https://www.nomoreransom.org/en/decryption-tools.html). This is one of the most extensive and successful law enforcement operations against cyber criminals. Congratulations to all involved and thank you for making the internet safer.

Brian Honan

International law enforcement has been on a tear these past two months – takedown of botnets, disruption of ransomware gangs, recovery of ransomware keys, etc. In this case, all we know is that the website has been taken over but it’s doubtful that’s the extent of law enforcement action against LockBit.

Curtis Dukes

Not going to lie here, I'm loving these takedowns. Consider the effectiveness of international law enforcement cooperation today versus the challenges outlined by Clifford Stoll in The Cuckoo's Egg. Cooperation involved agencies from 10 countries including the US, UK, Australia, Germany, the Netherlands, Japan, France, and Switzerland. LockBit is responsible for as much as a quarter of all ransomware attacks in some countries. US authorities detected at least 1,700 LockBit attacks in 2023. Apparently, the FBI breached the gang's operations servers using a PHP exploit and their source code, victim information and chats were seized.

Lee Neely

2024-02-19

WordPress Bricks Builder Vulnerability is Being Actively Exploited

Attackers are exploiting an unauthenticated remote code execution vulnerability in the WordPress Bricks Builder Theme. The flaw can be exploited to run malicious PHP code on vulnerable sites. The issue affects Bricks Builder Theme installations with the default configuration. The Bricks development team released a fixed version, 1.9.6.1, on February 13.

Editor's Note

Pentesters, remember: Yes, find and exploit this if it's in your client's environment. BUT the fix here is not only "Patch it." Be sure to give a recommendation about how to adjust their patching process so they can stay ahead of the next one!

Christopher Elgee

This vulnerability, CVE-2024-25600, is an unauthenticated RCE with a CVSS score of 9.8. This flaw only works with unauthenticated users. The fix adds both input sanitization and permissions checks to the code. Given that it's WordPress, even if your WAF is blocking this attack, get on updating that theme; WordPress is a hot target. In addition to making sure your themes, plugins, and base are configured for auto-update, make sure that you have a threat feed on WordPress security issues.

Lee Neely

2024-02-19

Shadowserver: 28,000+ Microsoft Exchange Servers Remain Vulnerable to Known Flaw

Last week, Microsoft released a fix for a critical privilege elevation vulnerability in Microsoft Exchange Server that is now being actively exploited. Shadowserver detected 28,500 instances that are confirmed vulnerable; as many as 68,500 more may or may not be vulnerable, depending on whether admins have applied mitigations. The issue is fixed in Exchange Server 2019 Cumulative Update 14 (CU14). CISA has added the flaw (CVE-2024-21410) to its Known Exploited Vulnerabilities database. Federal Civilian Executive Branch (FCEB) agencies have until March 7 to address the vulnerability.

Editor's Note

While the fix was only released last week, Exchange server flaws, not unlike WordPress flaws, are blood in the water for attackers, and should be near the top of your list for applying fixes. With the impact and occurrence of Exchange flaws, you may want to look again at total cost of ownership vs a hosted option. For those with a hybrid option, because you had a critical function which won't run in the hosted service, revisit that analysis, including the use case to be sure there isn't an alternative.

Lee Neely

Here are two shocking things in the headlines. One: companies numbering in the tens of thousands need to be patching Exchange. Two: at least 28,000 on-premises Exchange servers are left in the wild. Fascinating.

Moses Frost

It is difficult to comment on this without knowing the denominator. Suffice it to say that there are so many instances of MS Exchange server that it is likely that many will not be patched on a timely basis.

William Hugh Murray

2024-02-19

Guilty Plea for Role in Malware Schemes

Vyacheslav Igorevich Penchukov has pleaded guilty to conspiracy to commit a RICO offense and conspiracy to commit wire fraud for his roles in the operations of Zeus and IcedID malware. Each carries a maximum prison term of 20 years. Penchukov was arrested in Switzerland in 2022 and extradited to the US in 2023. He has been on the FBI’s Cyber Most Wanted list for nearly a decade.

Editor's Note

The Zeus banking trojan was shut down in 2014, which was followed by a Zeus successor, the SpyEye RAT, which was shut down in 2016 (leaders currently serving a 24-year sentence), and Penchukov joined the IcedID team in 2018. When IcedID, a banking credential stealer, added ransomware to its capabilities, the efforts to take it down escalated, resulting in his arrest. Sentencing for Penchukov is scheduled for March 9th.

Lee Neely

2024-02-19

Wyze Connectivity Problems Lead to Security Issue

Last week, Wyze experienced “an issue with [their] AWS partner which has impacted device connection and caused login difficulties.” The problem was resolved, although the company said it was temporarily disabling the Events tab in its app due to a security issue. Customers were reporting being able to see thumbnail views from other customers’ cameras. In an investigation update, Wyze writes that “the incident was caused by a third-party caching client library that was recently integrated into our system … [and that they] have added a new layer of verification before users are connected to Event Videos.”

Editor's Note

Remarkable transparency here, not only explaining what happened and notifying affected users, but also steps taken to mitigate it. Beyond the topic of third-party risk/impact, it'd be good to discuss having sufficient visibility into an application; this is a good use case of how that can be advantageous.

Lee Neely
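The Wyze item above names the failure pattern (a caching layer that returned one customer's event thumbnails to another) and the fix (a verification step before a user is connected to an event video). The code below is an added example and not Wyze's code; the story gives no detail on how the third-party caching library was keyed, so the collision mechanism here is an assumption chosen for illustration: event numbers are assigned per account, and a cache keyed by the event number alone lets two accounts' entries collide. The "leaky" and "scoped" services sit side by side so the ownership check can be seen doing its job.

```python
"""Cross-customer leak through a shared cache, and the ownership check that closes it.

Added example (not Wyze's code). Assumptions, constructed for the demo:
 - the backing store numbers each account's events from 1, so (owner, event_no)
   is the real identity of an event and event_no on its own is not;
 - the leaky service keys its cache by event_no only, as a shared client-side
   cache might if the caller never told it about the tenant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EventVideo:
    owner: str
    event_no: int
    thumbnail: bytes


class Forbidden(Exception):
    """Requester is not the owner of the event, or the event does not exist."""


# Constructed backing store.
EVENTS = {
    ("alice", 1): EventVideo("alice", 1, b"alice-frontdoor.jpg"),
    ("bob", 1): EventVideo("bob", 1, b"bob-garage.jpg"),
}


class LeakyThumbnailService:
    """Cache keyed by event number only: the second caller gets the first caller's data."""

    def __init__(self):
        self.cache = {}

    def get_thumbnail(self, requester, event_no):
        if event_no in self.cache:            # cache hit bypasses the ownership lookup entirely
            return self.cache[event_no]
        ev = EVENTS.get((requester, event_no))
        if ev is None:
            raise Forbidden(requester)
        self.cache[event_no] = ev.thumbnail
        return ev.thumbnail


class ScopedThumbnailService:
    """Cache keyed by (requester, event_no), plus a verification step before returning."""

    def __init__(self):
        self.cache = {}

    def get_thumbnail(self, requester, event_no):
        key = (requester, event_no)
        ev = self.cache.get(key)
        if ev is None:
            ev = EVENTS.get(key)
            if ev is None:
                raise Forbidden(requester)
            self.cache[key] = ev              # cache the whole record, not just the blob
        # Defence in depth: re-check ownership on the object actually being returned,
        # so a mis-keyed cache entry still cannot cross an account boundary.
        if ev.owner != requester:
            raise Forbidden(requester)
        return ev.thumbnail


def two_customers(service):
    """alice asks for her event 1, then bob asks for his event 1; return both results."""
    return (service.get_thumbnail("alice", 1), service.get_thumbnail("bob", 1))


if __name__ == "__main__":
    print("leaky :", two_customers(LeakyThumbnailService()))
    print("scoped:", two_customers(ScopedThumbnailService()))
```

The point of keeping the owner on the cached record and re-checking it on the way out is the one the story's fix describes: the cache is treated as untrusted input, and authorization is decided at the moment of delivery rather than assumed from whoever populated the entry.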

Internet Storm Center Tech Corner