My Weekly RoundUp #119
Last week was challenging: I left my old job and started in the same role at a new company.
But although I haven’t had much spare time for reading my RSS feeds, I was able to collect some interesting news, especially related to cybersecurity.
So, this week let's talk about malware: Emotet, ZeroCleare and malicious software related to the Lazarus APT group.
Then, some issues in Unix VPN stacks, the GoAhead web server, Python libraries and Heroku.
Further, some privacy-related news, focused on iPhone geolocation and the TikTok app.
Finally, an interesting article about robots!
Cybersecurity
APAC’s Compromised Domains Fuel Emotet Campaign
Discovered in 2014, Emotet is one of the most prolific malware families, infecting computer systems globally through its mass campaigns of spam email that delivers malware (AKA malspam). These campaigns have been widely documented by many organizations, including how Emotet evolved from being a banking Trojan, to a malware loader with modular functionalities. The modular functionality of the malware allows the Emotet operators to install additional malware onto machines that are part of the Emotet botnet. The Emotet operators also provide their botnet as “Malware-as-a-Service” to other cyber-criminal gangs, who install their own malware of choice to the infected systems. For example, Emotet was recently used to deliver the Trickbot Trojan, which was then used to deliver the Ryuk ransomware.
Given Emotet’s destructive capability, incidents within enterprises have cost hundreds and thousands of dollars in recovery costs. The threat of an Emotet infection is significant and it is imperative to understand the Emotet operators’ modus operandi to better defend against it.
New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
IBM X-Force has been researching and tracking destructive malware in the Middle East for some time now, particularly in the industrial and energy sectors. Since the first Shamoon attacks that started impacting organizations in the region in the summer of 2012, we have been following the evolution of destructive, disk-wiping malware deployed to cause disruption.
In a recent analysis, X-Force Incident Response and Intelligence Services (IRIS) discovered new malware from the wiper class, used in a destructive attack in the Middle East. We named this malware “ZeroCleare” per the program database (PDB) pathname of its binary file. To date, X-Force IRIS has not found any previous reporting on the ZeroCleare wiper, its indicators or elements observed in this campaign. It is possible that it is a recently developed malware and that the campaign we analyzed is one of the first to use this version.
Stealthy MacOS Malware Tied to Lazarus APT
Researchers have identified new MacOS malware that can execute remote code in memory that they believe is the work of the powerful North Korean APT group Lazarus, they said Thursday.
Security researcher Dinesh Devadoss on Twitter posted a hash for a MacOS trojan he discovered that hides behind a fake crypto trading platform called Union Crypto Trader and can elude detection by most anti-virus software.
After Devadoss posted about his discovery, security researcher and MacOS hacker Patrick Wardle took a deeper dive into the malware, noting that the delivery method of the trojan—through a crypto-currency installer package, UnionCryptoTrader.pkg–seems an obvious sign of Lazarus involvement.
New Linux Bug Lets Attackers Hijack Encrypted VPN Connections
A team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections.
The vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams.
Since the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed.
This vulnerability can be exploited by a network attacker — controlling an access point or connected to the victim's network — just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted.
Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices
Cybersecurity researchers today uncovered details of two new vulnerabilities in the GoAhead web server software, a tiny application widely embedded in hundreds of millions of Internet-connected smart devices.
One of the two vulnerabilities, assigned as CVE-2019-5096, is a critical code execution flaw that can be exploited by attackers to execute malicious code on vulnerable devices and take control over them.
The first vulnerability resides in the way multi-part/form-data requests are processed within the base GoAhead web server application, affecting GoAhead Web Server versions v5.0.1, v.4.1.1, and v3.6.5.
According to the researchers at Cisco Talos, while processing a specially crafted HTTP request, an attacker exploiting the vulnerability can cause use-after-free condition on the server and corrupt heap structures, leading to code execution attacks.
The second vulnerability, assigned as CVE-2019-5097, also resides in the same component of the GoAhead Web Server and can be exploited in the same way, but this one leads to denial-of-service attacks.
Two malicious Python libraries were stealing SSH and GPG keys
The Python security team removed two tainted Python libraries from PyPI (Python Package Index) that were found stealing SSH and GPG keys from the projects of infected developers.
Both libraries, “python3-dateutil” and “jeIlyfish,” were developed by the same developer (“olgired2017”) and have names similar to the ones of legitimate apps.
The name python3-dateutil imitated the popular “dateutil” library, while “jeIlyfish” (the first L is an I) imitated the “jellyfish” library.
The two libraries were discovered on December 1 by the German software developer Lukas Martini.
There’s an app for that: web skimmers found on PaaS Heroku
Criminals love to abuse legitimate services—especially platform-as-a-service (PaaS) cloud providers—as they are a popular and reliable hosting commodity used to support both business and consumer ventures.
Case in point, in April 2019 we documented a web skimmer served on code repository GitHub. Later on in June, we observed a vast campaign where skimming code was injected into Amazon S3 buckets.
This time, we take a look at a rash of skimmers found on Heroku, a container-based, cloud PaaS owned by Salesforce. Threat actors are leveraging the service not only to host their skimmer infrastructure, but also to collect stolen credit card data.
All instances of abuse found have already been reported to Heroku and taken down. We would like to thank the Salesforce Abuse Operations team for their swift response to our notification.
Privacy
Privacy Analysis of TikTok’s App and Website
I did a detailed privacy check of the TikTok app and website. TikTok commits multiple breaches of law, trust, transparency and data protection.
Here are all technical and legal details. You can read a less technical article about it at the Süddeutsche Zeitung (German).
This is my setup: I used mitmproxy to route all app traffic for analysis. See in this video how device information, usage time and watched videos are sent to Appsflyer and Facebook.
The iPhone 11 Pro’s Location Data Puzzler
One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.
The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”
The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching “Location Services” to “off”). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled.
The policy continues: “You can also disable location-based system services by tapping on System Services and turning off each location-based system service.” But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.
Apple Explains Mysterious iPhone 11 Location Requests
In a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that “provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max).”
Ultra-wideband (a.k.a UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications of a large portion of the radio spectrum without interfering with more conventional transmissions.
“So users can do things like share a file with someone using AirDrop simply by pointing at another user’s iPhone,” Apple’s statement reads. The company further explained that the location information indicator (a small, upward-facing arrow to the left of the battery icon) appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.
Technology
It’s Official: Police Are Testing Out Boston Dynamics’ Robot Dog
Dogs have served alongside police officers for decades, sometimes even sacrificing their own lives in order to save their human partners. Robots are a fixture of law enforcement, too, most notably in bomb situations.
But now, a police force in the United States has tested the capabilities of a robot dog for the first time — and civil liberties experts are raising the alarm.
According to documents obtained by the American Civil Liberties Union of Massachusetts, the Massachusetts State Police leased a Spot robot dog from Boston Dynamics for 90 days ending on November 5, 2019.
Advice to my 20 year old self
I had a lovely interaction on Twitter recently where a young person reached out to me over Twitter DM.
She said:
If you could go back and give your 20-something-year-old self some advice, what would you say?
I’m about to graduate and I’m sort of terrified to enter the real world, so I’ve sort of been asking everyone.
What a great question! Off the top of my head - while sitting on the tarmac waiting for takeoff and frantically thumb-typing - I offered this brainstorm.