At a glance.
- Pandemic phishbait puts personal data at risk.
- REvil adds VOIP to its ransomware-as-a-service operation.
- Inside an encrypted communication system favored by criminals.
- Hacktivists breach surveillance camera feeds.
Email scammers continue to use pandemic as bait.
COVID-19 has given cybercriminals a seemingly endless reserve of hooks for potential scams, and well over a year in, threat actors continue to use the pandemic as bait to lure victims into social engineering operations. Proofpoint describes six recent campaigns -- an assortment of malware attacks, business email compromise (BEC) operations, and credential phishing campaigns -- that revolve around the US’s relief package rollout, as well as the public’s desire to sign up for the COVID-19 vaccine and learn more about the new virus variants. In one, the threat actors sent thousands of fraudulent emails masquerading as correspondence from the US Internal Revenue Service regarding the COVID-19 American Rescue Plan. The goal was to manipulate US and Canadian targets into unwittingly downloading Dridex malware. (It’s worth noting that the American Rescue Plan hadn’t yet been passed, and even if it were, Canadians are not eligible). In another campaign, credential phishers used fake vaccine appointment confirmation emails bearing DHL Express branding to convince targets to enter their personal data on a bogus DHL authentication page.
REvil adds VOIP call services to its RaaS operation.
A researcher known as 3xp0rt discovered that ransomware gang REvil has introduced a new tactic for enacting its extortion campaigns, Bleeping Computer reports. As a ransomware-as-a-service (RaaS) operation, REvil creates malware and payment sites, while their affiliates actually infiltrate the victims’ systems and distribute the malware, with REvil taking a share of the ransom profit. In order to pressure ransomware victims into paying up, REvil is now offering a new, free service: threat actors will publicize the attack by placing VOIP calls to the media or the target’s associates, the idea being that the more public the attack is made, the more likely the target is to give in and pay to make it all go away. REvil has also added a paid service involving Layer 3 attacks, used to shut down the victim’s internet connection, and Layer 7 DDoS attacks, which are capable of disabling the web server.
Encrochat’s shadow structure exposed.
Vice explains how it obtained evidence that Encrochat, an encrypted phone service used by criminals looking for a secure channel to discuss their illegal activities, was using a Panamanian shell company and an international bank account as a shadow structure to transfer funds. Encrochat was infiltrated last year by a police-led hacking operation that resulted in the arrests of many of its criminal clients and forced the service to go dark. Now, by intercepting emails from one of Encrochat’s co-owners (whose identity is being withheld), Vice’s Motherboard investigators have discovered details about the individuals running the Panama-based front company and bank accounts located in Luxembourg and Canada.
Hacktivists pull off massive surveillance camera breach.
By hacking into a super admin account at Verkada Inc, a Silicon Valley security camera management firm, an international hacker collective gained access to 150,000 live surveillance cameras, Bloomberg reports. The cameras exposed live footage of hospitals, police departments, schools, and companies like automobile giant Tesla and cybersecurity firm Cloudflare. The hacking group, who also say they obtained archive footage from all of Verkada’s clients, stated that the goal of “OperationPanopticon” was to draw attention to the ubiquity of video surveillance. Tillie Kottmann, a reverse engineer in the group, told Bleeping Computer that the group obtained the hardcoded credentials for the super admin account by infiltrating Verkada’s DevOps infrastructure. On Twitter, the group posted images from the camera footage, as well as a picture showing root access to Verkada’s Linux operating system, as evidence of their handiwork. Once Verkada learned of the breach, it disabled all admin accounts to prevent the hackers from gaining further access. Twitter also took down Tillie Kottmann's account for unspecified violations of its policies (presumably the policies that prohibit posting hacked material), but the curious can see Kottmann's relevant thread archived here, in the Wayback Machine.
We received a great deal of industry comment on this incident. Garret Grajek, CEO of YouAttest, wrote to make the point that you don't have to be the GRU (or any of the Bears, Pandas, or the rest of the nation-state bestiary) to have considerable malign effect on your victims. The Arson Cats weren't any of those things, yet they succeeded in their propaganda of the deed:
“Though there are advanced state groups attacking our systems, as SolarWinds and the Accellion attack surely demonstrate, the Verkada breach does not appear to be one of them. What enterprises need to understand is we need to start with security 101. That starts with changing ALL default passwords, especially the admin account passwords. A quantified/verified system to manage and change these passwords is recommended, as is turning on two-factor authentication when possible.”
“We simply cannot make it this easy for hackers to enter our systems. We must remember - all our systems are being scanned all the time. Especially if a system has a published vulnerability.”
James McQuiggan, security awareness advocate at KnowBe4, would like to see service providers take care of the people who trust them. It wasn't Mom and Pop, or that nice Reverend down the block, who hardcoded admin credentials into the cameras' network:
“For organizations that provide third-party services, it is vital to isolate and protect their customers from each other’s data and connections. Organizations need to ensure that their customer data feeds, accounts and storage environments cannot be accessed with just a username and password, but rather implement accounts with the least user privilege and only provide access to those accounts' directories. If accounts are needed for multiple customers for administration, they should be protected with additional authentication factors to reduce the risk of stolen credentials that contain full access to everything.
"When developers create products and services with hardcoded credentials, they make it easier for them to fix issues, but it opens Pandora's box of risks and threats. If the credentials fall into the wrong hands, they allow cybercriminals to easily access the products without using brute force or other attack vectors to steal credentials.
"To protect the organization from these types of attacks, organizations must use other identity and access management as part of the early-stage developments to protect the device and reduce the risk of unauthorized attacks.”
The incident has broader implications for IoT security. David Barzilai, co-founder and executive chairman of Karamba Security, wrote:
“As shown in the cyberattack on Target security and payment systems, which resulted in 40M credit cards being stolen, and shown in this attack on surveillance and security systems, IoT devices are the weakest point in enterprise cybersecurity.
"Hackers have identified those embedded systems as vulnerable to attacks. The reason is that IoT devices can’t run IT endpoint protection solutions, due to physical limitations of compute resources such as memory capacity and CPU power. Added to that is the challenge of fleet size. Millions of devices to monitor is not easy.
"As required by the new 'NISTIR 8259' regulation for IoT device cybersecurity finalized in May 2020 that’s now rolling in and other industry regulations, IoT device manufacturers can fix those matters by validating the security posture of their devices, and by implementing security controls in their devices, as part of the firmware development and update routines. In other words, it is not the end user problem, but rather, manufacturers have the ability to prevent the next attack.”
And, of course, there are lessons being drawn about the value of multifactor authentication. “Unfortunately, we see a lot of companies who don’t apply multi-factor authentication to super-admin accounts with root privileges,” said Ray Canzanese, director of Netskope Threat Labs. “This type of hack is preventable if companies have tighter control over super admin credentials to prevent leaks, use multi-factor authentication to prevent leaked or stolen credentials from being used, and monitor access to detect things like failed log-in attempts which can be a precursor to unauthorized access. These types of attacks are becoming more common as more organizations move to cloud and don’t have the policies or measures in place to secure a cloud-first environment.”
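Canzanese's advice to monitor for failed log-in attempts and to require MFA on root-privileged accounts translates directly into detection logic. The following is an added example, not code from any of the companies quoted: it parses a constructed, simplified authentication log (the field names, the `superadmin` account name and the thresholds are assumptions) and raises two kinds of alert: a burst of failures followed by a success on the same account, and any successful login to a privileged account without a second factor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's authentication log (not real data).
# Fields: timestamp, account, result, whether MFA was used, source IP.
SAMPLE_LOG = """\
2021-03-09T10:00:01Z user=alice result=success mfa=yes src=10.0.0.5
2021-03-09T10:01:10Z user=superadmin result=failure mfa=no src=203.0.113.7
2021-03-09T10:01:12Z user=superadmin result=failure mfa=no src=203.0.113.7
2021-03-09T10:01:15Z user=superadmin result=failure mfa=no src=203.0.113.7
2021-03-09T10:01:20Z user=superadmin result=success mfa=no src=203.0.113.7
2021-03-09T10:05:00Z user=bob result=failure mfa=no src=10.0.0.9
2021-03-09T10:30:00Z user=bob result=success mfa=yes src=10.0.0.9
"""

# Assumption: the names of accounts that carry root-level rights in this environment.
PRIVILEGED = {"superadmin", "root"}
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(success|failure) mfa=(yes|no) src=(\S+)$")


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, result, mfa, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "mfa": mfa == "yes", "src": src})
    return events


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Return (alert_type, user, src, failure_count) tuples in chronological order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures not yet followed by success
    for ev in sorted(events, key=lambda x: x["ts"]):
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user].append(ev["ts"])
            continue
        # A success: count only failures inside the look-back window, then reset.
        recent = [t for t in failures[user] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("burst_then_success", user, ev["src"], len(recent)))
        failures[user] = []
        # Privileged accounts must always present a second factor.
        if user in PRIVILEGED and not ev["mfa"]:
            alerts.append(("privileged_login_without_mfa", user, ev["src"], 0))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In the sample, `bob`'s single failure falls outside the five-minute window and his success used MFA, so only the `superadmin` activity is flagged.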
We also heard from Ilia Kolochenko, founder and CEO of ImmuniWeb, who brought a legal perspective to the incident. He points out that this kind of incident involves exposing the victims to a lot of legal and regulatory action:
"This incident will likely trigger an avalanche of legal and judicial costs for the affected companies, as the leak of such data is a reportable security incident under many state and federal laws. Moreover, individual notifications to the exposed victims filmed by the compromised cameras, or even notifications by a press release, may be required as a matter of law depending on the specific usage and location of the breached cameras.
"The US has already enacted a federal law to prevent insecure IoT devices from being supplied to the Federal government via the “IoT Cybersecurity Improvement Act” in 2020. States like California and Oregon also pioneered state regulation of IoT security by enacting state laws. The California law is quite comprehensive from a technical viewpoint but is comparatively toothless: individuals cannot sue under the law and there are no fixed monetary penalties like under CCPA/CPRA that serve as a formidable deterrent for those who misuse personal data of the state's citizens. In Europe, ENISA recently published a standard for IoT device security; however, it has no legally binding power.
"To avoid such domino-effect hacks of a disastrous nature, we urgently need a harmonious IoT data security legislation both in the US and EU. The current “patchwork” of disjoint laws is confusing, burdensome and inefficient.”
Asaf Hecht, Cyber Research Team Leader at CyberArk, sees a common theme between this incident and too many others: failure to change passwords and carelessly leaving super admin access exposed:
“The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer. While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact. And while Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed. Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”
Andrea Carcano, co-founder of OT/IoT security provider Nozomi Networks, would agree that the system's design seems to have been insecure, and that an industry as large and pervasive as the security camera sector really could do better:
“In this incident, the attackers found an account that had the rights to access the data of several customers; this is clearly an insecure design. When you choose a cloud based service, it’s important to do some due diligence that is slightly different from the due diligence used with on prem solutions. Cloud SaaS providers are potentially concentrating data from many customers in a single place, so you need to verify with the provider that a thorough separation of data is in place. You should also verify with the vendor which intrusion detection capabilities and incident response measures are in place. Cloud providers aren’t immune to attacks, but they can be detected early and stopped before they can do harm.
"IoT security cameras are extensively used by industry and the critical infrastructure sector. According to research firm Markets and Markets, the global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025. The infrastructure sector, including transportation, city surveillance, public places, and utilities, is expected to grow at the highest CAGR during that period.
"Given their prevalence and growing use, it’s important to understand the security risks of IoT cameras. We urge you to take measures to prevent unauthorized access to audio/video streams and CCTV user credentials. Failure to do so could result in privacy, confidentiality, and business harms.”
Mark Bower, senior vice president with comforte AG, thinks that much the same could be said of the high-flying tech innovators who use such services:
“The new generation of high-tech growth innovators born in the cloud and disrupting industry can’t rely only on traditional security approaches based on perimeter controls, container or transit encryption, especially given the backdrop of increasingly complex data privacy regulations. One of the challenges is that while cloud backbones provide the basic container and pipe data security, gaps in data lifecycle protection can result in exploits, accidents or unauthorized access, especially as data is moved from operational platforms to data engineering analytics systems.
"In this breach, it’s been reported that both video as well as personal financial data was compromised. So whether it's digital data, or personal data, every company processing, using and storing personal or personal identity-related data has to think about a modern data-centric approach to secure it comprehensively well beyond the reach of traditional controls which were evaded in this compromise.”
And, unfortunately, this kind of hack is nothing new. Dean Coclin, Senior Director of Business Development at DigiCert, wrote:
"There have been so many published attacks in the past decade which undermined weak authentication, that no company should secure an account with such high privileges with a username and password. There are several lessons to be learned:
"1. Accounts that can disclose personal information must have two-factor authentication, at a minimum. Preferably, this second factor should be a digital certificate.
"2. Allowing one account with uber access should not be allowed. Segmented access across several accounts would help limit the attack surface."
Mike Nelson, Vice President of IoT Security at DigiCert, sees progress but notes that a lot remains to be done:
"While this issue exposed an admin/password on the web which happened to be a super-user, connected security cameras have been a target for hackers for some time, and it’s unfortunate to see vulnerabilities still exist with some manufacturers. Adding security to devices already in the field is much more challenging than planning for security during design and development of a product. Though we have seen progress when it comes to addressing cybersecurity for connected systems, there is still much work that needs to be done to raise awareness and promote best practices with the manufacturers building the devices, and also with consumers and businesses that are buying these devices."
And if you're an end user of security cameras and other IoT devices, what should you do? Checkmarx’s application security researcher Or Sahar commented on the hygienic steps toward self-protection:
"For years, large scale vulnerabilities existing in security cameras – and all IoT devices for that matter – have been well-documented. Unfortunately, this isn’t a situation that has improved over time. When it comes to IoT breaches, it often simply boils down to weak password security and remote internet access features.
"In many cases with connected devices like security cameras, the default password issued by the manufacturer is the same across the board (usually published in a device manual, most of which now live both in print and online) and remains unchanged by the end user. With that, if an adversary gets access to this one password – which is quite simple to do via a variety of methods such as digging through hacking tutorials or exploring the online manuals – it opens the door for a chain reaction, granting them access to all other devices with the same credential. This creates a dangerous situation in the event of a breach, as the only way to truly secure end users would be through an immediate password change.
"As an end user, the primary method to mitigate these kinds of threats is to change the default password of cameras and other IoT devices as soon as they are configured for personal and/or organizational use. Vendors should seek a secure way to deliver the passwords to their customers to limit the accessibility for bad actors."